{
	"id": "4b09fb4c-eaea-4431-8ac3-485149903beb",
	"created_at": "2026-04-06T00:20:55.127482Z",
	"updated_at": "2026-04-10T03:24:23.896028Z",
	"deleted_at": null,
	"sha1_hash": "722af4246b12fc3ffe9fe577e2f4fa0c0ee68f6c",
	"title": "GitHub - mdsecactivebreach/CACTUSTORCH: CACTUSTORCH: Payload Generation for Adversary Simulations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49736,
	"plain_text": "GitHub - mdsecactivebreach/CACTUSTORCH: CACTUSTORCH: Payload Generation for Adversary Simulations\r\nBy vysec\r\nArchived: 2026-04-05 14:17:52 UTC\r\nAuthor and Credits\r\nAuthor: Vincent Yiu (@vysecurity)\r\nCredits:\r\n@cn33liz: Inspiration with StarFighters\r\n@tiraniddo: James Forshaw for DotNet2JScript\r\n@armitagehacker: Raphael Mudge for idea of selecting 32 bit version on 64 bit architecture machines for injection into\r\n@_RastaMouse: Testing and giving recommendations around README\r\n@bspence7337: Testing\r\nDescription\r\nA JavaScript and VBScript shellcode launcher. This will spawn a 32 bit version of the binary specified and inject shellcode into it.\r\nDotNetToJScript can be found here: https://github.com/tyranid/DotNetToJScript\r\nUsage:\r\nChoose a binary you want to inject into, default \"rundll32.exe\", you can use notepad.exe, calc.exe for example...\r\nGenerate a 32 bit raw shellcode in whatever framework you want. Tested: Cobalt Strike, Metasploit Framework\r\nRun: cat payload.bin | base64 -w 0\r\nFor JavaScript: Copy the base64 encoded payload into the code variable below\r\nvar code = \"\u003cbase64 encoded 32 bit raw shellcode\u003e\";\r\nFor VBScript: Copy the base64 encoded payload into the code variable below\r\nDim code: code = \"\u003cbase64 encoded 32 bit raw shellcode\u003e\"\r\nThen run:\r\nwscript.exe CACTUSTORCH.js or wscript.exe CACTUSTORCH.vbs via command line on the target, or double click on the files within Explorer.\r\nFor VBA: Copy the base64 encoded payload into a file such as code.txt\r\nRun python splitvba.py code.txt output.txt\r\nCopy output.txt under the following bit so it looks like:\r\ncode = \"\"\r\ncode = code \u0026 \"\u003cbase64 code in 100 byte chunk\"\r\ncode = code \u0026 \"\u003cbase64 code in 100 byte chunk\"\r\nCopy and paste the whole payload into Word Macro\r\nSave Word Doc and send off or run it.\r\nCobaltStrike\r\nLoad CACTUSTORCH.cna\r\nGo to Attack -\u003e Host CACTUSTORCH Payload\r\nFill in fields\r\nFile hosted and ready to go!\r\nSource: https://github.com/mdsecactivebreach/CACTUSTORCH",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://github.com/mdsecactivebreach/CACTUSTORCH"
	],
	"report_names": [
		"CACTUSTORCH"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434855,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/722af4246b12fc3ffe9fe577e2f4fa0c0ee68f6c.pdf",
		"text": "https://archive.orkl.eu/722af4246b12fc3ffe9fe577e2f4fa0c0ee68f6c.txt",
		"img": "https://archive.orkl.eu/722af4246b12fc3ffe9fe577e2f4fa0c0ee68f6c.jpg"
	}
}