c2-evasion-methodology

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is a deliberate, detailed playbook for evading detection of command-and-control implants (C2), including shellcode encryption and remote loading, API hashing and PEB-walking, function/URL/header obfuscation, and compiler/linker flag changes to remove forensic/artifact traces—actions explicitly intended to enable stealthy backdoors and bypass YARA/Sigma/IDS detections.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to search and fetch detection rules from public repositories and services (e.g., references/detection-search.md shows gh search commands for GitHub and SKILL/Agent.md lists "http_request — 搜索在线 YARA/Sigma 规则库"/VirusTotal/Elastic/ESET), and those untrusted, user-generated rules are read and used to drive analysis and evasion decisions, so third‑party content can materially influence tool use.