c2-evasion-methodology
Audited by Socket on May 9, 2026
3 alerts found (Anomaly x1, Malware x2):

Anomaly: This fragment contains no executable malware logic, but it is explicitly an instruction set for "C2 evasion / AV evasion (免杀)", including workflow guidance to defeat YARA/Sigma detections and to handle hex/shellcode/binary-related assets. In a supply-chain review, this is a strong red-flag indicator that the broader project may be malicious or intends to support C2 tradecraft; additional analysis of the actual agent/payload code and referenced assets is necessary to confirm runtime behavior.
Malware: This document is an operational playbook whose explicit purpose is to modify C2/implant source to evade detection. It prescribes well-known malicious/evasive techniques (string XORing, stack strings, function renaming, HTTP header and URL obfuscation, API hashing and PEB walking, and removing compiler/linker protections). Because the content is explicit instructions to hide malicious behavior rather than benign maintenance guidance, it should be treated as high-risk malicious guidance. Do not apply these changes to legitimate projects and consider removing/disallowing distribution of this content in developer repositories or package registries.
Malware: The skill's actual capabilities are highly consistent with its stated purpose of "C2 AV evasion / detection bypass", but that purpose itself is to help malicious payloads evade detection. It does not rely on a suspicious installation source, and no credential theft or forwarding to third parties was observed; the main risk comes from using an AI agent for systematic offensive evasion, source-code modification and binary obfuscation. Overall it should be classified as a high-risk malicious/offensive skill.