FalconZero - A stealthy, targeted Windows Loader for delivering second-stage payloads(shellcode) to the host machine undetected


Introducing FalconZero v1.0 - a stealthy, targeted Windows Loader for delivering second-stage payloads(shellcode) to the host machine undetected - first public release version Loader/Dropper of the FALCONSTRIKE project


  • Dynamic shellcode execution
  • Usage of Github as the payload storage area - the payload is fetched from Github
  • Targeted implant Loader - only execute on targeted assets - thwart automated malware analysis and hinder reverse engineering on non-targeted assets
  • Killdates - implant expires after a specific date
  • Stealthy shellcode injection technique without allocating RWX memory pages in victim process to evade AV/EDRs - currently injects to explorer.exe
  • Sensitive strings encrypted using XOR

Payload Compatibility

And support for many more...

The ones mentioned in the list are the ones verified by the testing team.


There are many hard things in life but generating an implant shouldn't be one. This is the reason the generate_implant.pyscript has been created to make your life a breeze. The process is as simple as:

First generate your shellcode as a hex string
Upload it on Github and copy the Github raw URL
For testing(MessageBox shellcode): https://raw.githubusercontent.com/slaeryan/DigitalOceanTest/master/messagebox_shellcode_hex_32.txt
git clone https://github.com/slaeryan/FALCONSTRIKE.git
pip3 install -r requirements.txt
python3 generate_implant.py

Follow the on-screen instructions and you'll find the output in bin the directory if everything goes well.

AV Scan of FalconZero implant


This is an alpha release version and depending on the response many more upgrades to existing functionalities are coming soon.

Some of them are:

  • Integrate various Sandbox detection algorithms
  • Integrate support for more stealthy shellcode injection techniques
  • Integrate function obfuscation to make it stealthier
  • Include a network component to callback to a C2 when a Stage-2 payload is released or to change targets/payloads and configure other options on-the-fly
  • Inject to a remote process from where network activity is not unusual for fetching the shellcode - better OPSEC
  • Include active hours functionality - Loader becomes active during a specified period of day, etc.

Feel free to communicate any further features that you want to see in the next release. Suggestions for improving existing features are also warmly welcome :)


Upayan (@slaeryan) [slaeryan.github.io]

More: https://github.com/slaeryan/FALCONSTRIKE

May 11, 2020


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023