{
	"id": "37baa5d3-4dde-46c2-a392-9ae2c3e06a74",
	"created_at": "2026-04-06T00:13:27.730328Z",
	"updated_at": "2026-04-10T03:21:14.756635Z",
	"deleted_at": null,
	"sha1_hash": "22d92abf6f9ec0e320789a53a1e9be04984e790f",
	"title": "GitHub - 0xTriboulet/Revenant: Revenant - A 3rd party agent for Havoc that demonstrates evasion techniques in the context of a C2 framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 820868,
	"plain_text": "GitHub - 0xTriboulet/Revenant: Revenant - A 3rd party agent for Havoc that demonstrates evasion techniques in the context of a C2 framework\r\nBy 0xTriboulet\r\nArchived: 2026-04-05 16:30:27 UTC\r\nRevenant is a 3rd party agent for Havoc written in C, and based on Talon. This implant is meant to expand on the\r\nTalon implant by implementing covert methods of execution, robust capabilities, and more customization.\r\nhttps://github.com/0xTriboulet/Revenant\r\n\r\nSetup\r\nThis project aims to be a self-contained Havoc C2 implant. The goal end-user functionality is as follows:\r\n***NOTE*** As of August 2023, Havoc 0.6 broke support for 3rd party agents. @C5pider intends to bring\r\nthe functionality back in a future release, but for the time being use Havoc 0.5 available here:\r\nhttps://github.com/0xTriboulet/Havoc_0.5\r\nHAVOC (DEV) HAS BEEN PATCHED TO SUPPORT 3RD PARTY AGENTS:\r\nhttps://github.com/HavocFramework/Havoc/tree/dev\r\n1. Download repo\r\n2. Unzip Revenant.zip\r\n3. pip install black\r\n4. startup Havoc (./havoc server --profile ./profiles/havoc.yaotl -v --debug \u0026 ./havoc client )\r\n5. Go to root folder\r\n6. python Revenant.py\r\n7. ???\r\n8. PROFIT\r\nx86 and Win 7 Compatibility:\r\nDisable NativeAPI\r\nNote: Revenant uses NtCreateUserProcess to deliver NativeAPI functionality.\r\nNtCreateUserProcess is not supported by x86 or Win 7\r\nCommands\r\npwsh - executes commands through powershell.exe -\u003e pwsh ls\r\nshell - executes commands through cmd.exe -\u003e shell dir\r\ndownload - downloads file to loot folder -\u003e download C:\\test.txt\r\nupload - uploads file to desired folder -\u003e upload /home/test.txt C:\\temp\\test.txt\r\nexit - kills current implant -\u003e exit\r\nOptions\r\nSleep - Set sleep in seconds\r\nPolymorphic - Enable/Disable polymorphism at build and run time\r\nObfuscation - Obfuscate strings with XOR\r\nArch - x86/x64\r\nNative - Use NativeAPI where implemented\r\nAntiDbg - Leverage antidebug checks at initialization\r\nRandCmdIDs - Randomize command IDs\r\nUnhooking - GhostFart/Perun's Fart method to unhook, exec command, then rehook\r\nNote: RandCmdIDs randomizes the CmdIDs in the output executable. Revenant does NOT\r\nstore these random CmdIDs; these will only work with the active session. If you want a\r\nreusable executable, do NOT enable this option.\r\nTODO:\r\nAdd exec-assembly\r\nAdd cd, ls, whoami commands\r\nDecrease entropy\r\nSource: https://github.com/0xTriboulet/Revenant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/0xTriboulet/Revenant"
	],
	"report_names": [
		"Revenant"
	],
	"threat_actors": [],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22d92abf6f9ec0e320789a53a1e9be04984e790f.pdf",
		"text": "https://archive.orkl.eu/22d92abf6f9ec0e320789a53a1e9be04984e790f.txt",
		"img": "https://archive.orkl.eu/22d92abf6f9ec0e320789a53a1e9be04984e790f.jpg"
	}
}