{"id":28003675,"url":"https://github.com/d3ext/nimbus","last_synced_at":"2025-08-24T22:11:06.056Z","repository":{"id":274234150,"uuid":"866592861","full_name":"D3Ext/Nimbus","owner":"D3Ext","description":"Shellcode loader with evasion capabilities written in Nim","archived":false,"fork":false,"pushed_at":"2025-01-25T21:19:46.000Z","size":579,"stargazers_count":10,"open_issues_count":2,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-09T02:17:57.676Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Nim","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/D3Ext.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-02T14:36:19.000Z","updated_at":"2025-02-26T23:32:43.000Z","dependencies_parsed_at":"2025-01-25T22:50:42.517Z","dependency_job_id":null,"html_url":"https://github.com/D3Ext/Nimbus","commit_stats":null,"previous_names":["d3ext/nimbus"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/D3Ext/Nimbus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FNimbus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FNimbus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FNimbus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FNimbus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/D3Ext","download_url":"https://codeload.github.com/D3Ext/Nimbus/tar.gz/refs/heads/main","sbom_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FNimbus/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262869394,"owners_count":23377280,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-09T02:17:55.072Z","updated_at":"2025-06-30T23:41:46.356Z","avatar_url":"https://github.com/D3Ext.png","language":"Nim","readme":"\u003cimg src=\"https://raw.githubusercontent.com/D3Ext/Nimbus/main/images/logo.webp\" alt=\"logo\"\u003e\n\n# Nimbus\n\nShellcode loader with evasion capabilities written in Nim\n\n## Features\n\n- Inject AES encrypted shellcode\n- Direct syscalls by retrieving STUBS during runtime\n- ntdll.dll unhooking\n- Basic anti-sandbox checks\n- AMSI and ETW patching\n- Custom sleep function\n\n## Usage\n\nThis loader makes use of the AES encryption algorithm so in order to make it work, you need to encrypt your own shellcode. To do so you may use either `aes_encrypt.py` or `aes_encrypt.nim`. 
Both scripts generate a random PSK and IV and encrypt your shellcode, so you only have to modify the variables at the very top of the file.\n\nEncrypt your raw shellcode:\n\n```sh\n$ nim r aes_encrypt.nim calc.bin\n```\n\nor\n\n```sh\n$ python3 aes_encrypt.py calc.bin\n```\n\nOnce you have modified `nimbus.nim` to suit your needs, you just have to compile it like this:\n\n```sh\n$ nim c -d=mingw -d:release --cpu=amd64 nimbus.nim\n```\n\nOr simply use `make`:\n\n```sh\n$ make\n```\n\n## Installation\n\nYou need to have `nim` installed, along with some specific packages:\n\n```\n$ nimble install winim nimcrypto psutil ptr_math\n```\n\n## Demo\n\nFor testing purposes I have used a simple `calc.exe` shellcode. You can generate it using `msfvenom` like this:\n\n```sh\n$ msfvenom -p windows/x64/exec CMD=\"calc.exe\" -f raw -o calc.bin\n```\n\nTested on x64\n\n\u003cimg src=\"https://raw.githubusercontent.com/D3Ext/Nimbus/main/images/compile.png\" alt=\"compile\"\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/D3Ext/Nimbus/main/images/demo.png\" alt=\"demo\"\u003e\n\nAs can be seen, the shellcode gets decrypted and injected successfully\n\nIf I upload the EXE to [KleenScan](https://www.kleenscan.com/index) (an alternative to VirusTotal that promises not to distribute the malware) we see that it seems legit with 0 detections\n\n\u003cimg src=\"https://raw.githubusercontent.com/D3Ext/Nimbus/main/images/scan.png\" alt=\"scan\"\u003e\n\n## 
References\n\n```\nhttps://github.com/byt3bl33d3r/OffensiveNim\nhttps://github.com/S3cur3Th1sSh1t/NimGetSyscallStub\nhttps://github.com/itaymigdal/PartyLoader\nhttps://github.com/RistBS/Awesome-RedTeam-Cheatsheet\nhttps://github.com/S3cur3Th1sSh1t/Nim-RunPE\nhttps://github.com/icyguider/Nimcrypt2\nhttps://github.com/chvancooten/maldev-for-dummies\nhttps://redops.at/en/blog/syscalls-via-vectored-exception-handling\n```\n\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3ext%2Fnimbus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fd3ext%2Fnimbus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3ext%2Fnimbus/lists"}