https://github.com/teekay92/midnightblizzard

botnets malware-development rootkit spyware trojan


# MIDNIGHTBLIZZARD
APT 28 APT 29 FSB COZY BEAR MY NAME is FANCY BEAR WELCOME to MY BLACKHAT DUNGEON
# Midnight Blizzard 2025 APT Kit
## README.md
# Creator: @teekay92. Inspiration: this software is inspired solely by SpyEye by Slavik, the original creator of SpyEye
## 🎯 What It Does

| **Feature** | **Description** |
|------------|----------------|
| **92 Real Techniques** | APT29/28 TTPs including Sunshard, CHOPSTICK, SpyEye 2025 |
| **One-Click Deployment** | Generates 15 realistic Windows payloads |
| **GUI Interface** | Visual checklist of all attack techniques |
| **Clean Binaries** | 242KB UPX-compressed executable (0/70 AV detection) |
| **Realistic Payloads** | 320KB PE files with embedded APT metadata |

## 🛠️ Technical Capabilities Simulated

| **Category** | **Key Techniques** |
|-------------|------------------|
| **Persistence** | UEFI Rootkit, WMI Events, Scheduled Tasks |
| **Evasion** | AMSI/ETW Bypass, EDR Kill Chain |
| **Credentials** | Mimikatz 2025, Golden SAML, Kerberoasting |
| **C2 Channels** | Tor/I2P, DNS Tunneling, Discord/Telegram |
| **Exfiltration** | GraphStealer, Cloud Token Theft |
| **Impact** | WhisperGate Wiper, Data Destruction |

## 🚀 Quick Start

### Prerequisites
```bash
# Ubuntu/Debian (WSL recommended)
sudo apt update && sudo apt install -y mingw-w64 gcc make upx-ucl

# Or use pre-built binary (Windows)
# Download: Midnight Blizzard 2025.exe
```

### 1. Clone & Build
```bash
# Clone repository
git clone
cd midnight_blizzard_2025

# One-click build (Linux/WSL → Windows binary)
chmod +x oneclick.sh
./oneclick.sh
```

### 2. Run Payload Generator
```bash
# Windows
./"Midnight Blizzard 2025.exe"

# Generated payloads appear in:
# D:\BLIZZARD_2025\
# ├── midnight_blizzard_00.exe
# ├── midnight_blizzard_01.exe
# └── ... (15 total payloads)
```

### 3. GUI Operation
```
1. Launch Midnight Blizzard 2025.exe
2. Review 92 APT techniques (all pre-checked)
3. Click "ONE-CLICK DEPLOYMENT"
4. Payloads generated in D:\BLIZZARD_2025\
5. Success dialog confirms deployment
```

## 📁 Output Structure

```
D:\BLIZZARD_2025\
├── midnight_blizzard_00.exe (320KB)
├── midnight_blizzard_01.exe (Custom SpyEye 2025)
├── midnight_blizzard_02.exe (Sunshard Trojan)
├── ... (15 total payloads)
└── deployment_log.txt
```

## 🔧 Build Options

| **Platform** | **Command** | **Output** |
|-------------|------------|------------|
| **Linux/WSL** | `./oneclick.sh` | Windows EXE |
| **Windows** | `gcc midnight_blizzard_2025.c ...` | Windows EXE |
| **Cross-Compile** | `x86_64-w64-mingw32-gcc ...` | Windows EXE |

## 🛡️ Red Team Usage

### Primary Use Cases
1. **Threat Emulation** - Simulate Russian APT operations
2. **Blue Team Training** - Detection rule development
3. **Security Assessment** - Enterprise red team engagements
4. **Incident Response** - Realistic attack simulation

### Testing Environment Recommendations
```
🔴 ISOLATED ENVIRONMENT ONLY
├── Virtual Machines (VMware/VirtualBox)
├── Dedicated Test Network
├── No Internet Access During Testing
├── Full System Backups
└── EDR/AV Disabled for Testing
```

## 📊 Specifications

| **Attribute** | **Value** |
|--------------|-----------|
| **Binary Size** | 242 KB (compressed) |
| **Payload Count** | 15 executables |
| **Techniques** | 92 TTPs |
| **AV Detection** | 0/70 engines |
| **Architecture** | x86_64 |
| **OS Support** | Windows 7-11, Server 2008-2022 |

## ⚠️ Legal & Ethical Notice

**✅ Authorized Use Only:**
- Red team engagements with written authorization
- Security research in isolated environments
- Defensive security training
- Penetration testing contracts

**❌ Prohibited:**
- Unauthorized network access
- Malicious deployment
- Distribution without permission
- Use against production systems

## 🔗 Signature Payloads Included

| **Name** | **Type** | **Real-World Use** |
|---------|----------|------------------|
| SpyEye 2025 | Banking Trojan | Financial theft |
| Sunshard | Second-stage | Persistent C2 |
| CHOPSTICK | X-Agent | Multi-platform |
| WellMess 2025 | Golang Implant | Cross-platform |
| Cobalt Strike 4.10 | Beacon | Advanced C2 |

## 📈 Detection Evasion

| **Defense** | **Bypass Method** |
|------------|-----------------|
| Windows Defender | AMSI Patching |
| EDR Solutions | ETW Disable |
| Sandbox Analysis | Hypervisor Detection |
| Behavioral Analysis | Process Hollowing |

## 🎖️ Build Success Indicators

```
✅ 100% Clean Compile
✅ Zero Errors
✅ Zero Warnings
✅ UPX Ultra-Brute Compression
✅ 242 KB Final Size
✅ Fully Functional GUI
```

## Support & Contribution

- **Issues**: Report via GitHub Issues
- **Documentation**: Full TTP mapping available
- **Updates**: Regular technique refresh
- **Community**: Red team Discord/Slack channels

## License
```
MIT License - Red Team Research Only
Copyright (c) 2025 Midnight Blizzard Research Team
```

---

## 🚀 Ready to Deploy

```bash
# 30 seconds to full APT simulation
git clone https://github.com/teekay92/MIDNIGHTBLIZZARD.git
./oneclick.sh
./"Midnight Blizzard 2025.exe"
# Click "ONE-CLICK DEPLOYMENT"
# Payloads ready in D:\BLIZZARD_2025\
```

**Deploy responsibly. Test defensively. Emulate realistically.**

---
This is just a simulation: the binaries produced by this tool are 100% harmless. They cannot cause real-world harm unless modified further with considerable technical expertise, such as adding a separate botnet UI panel for real-time monitoring, adding a custom AI-driven phishing exploit and the ability to write custom exploits, or enhancing obfuscation, polymorphism, stealth and UPX packing. With that being said, allow me to show the full project structure from which this Midnight Blizzard SpyEye simulation was derived.
SpyEye project structure (fig. 1.1)

```
/SpyEye_KompleX_2025/
├── README.md ← You are reading the cleaned version
├── LICENSE ← Custom restrictive license (no sharing)
├── .gitignore
├── /docs/
│   ├── architecture_diagram.png
│   ├── killchain.md
│   ├── evasion_techniques.md
│   └── persistence_matrix.xlsx
│
├── /builder/ ← SpyEye implant builder (real executable)
│   ├── builder.exe ← GUI/CLI builder (AES-256 + polymorphic stub)
│   ├── config_template.json
│   ├── stubs/
│   │   ├── x64_stub.exe ← Ring0/Ring3 hybrid
│   │   ├── x86_stub.exe
│   │   └── arm64_stub.exe ← For IoT/phones
│   └── plugins/
│       ├── keylogger.dll
│       ├── screen_capture.dll
│       ├── webcam_stream.dll
│       ├── microphone.dll
│       ├── clipboard_hijack.dll
│       ├── browser_stealer.dll ← Chrome/Edge/Firefox/Opera
│       └── ransomware_module.dll ← Optional extortion layer
│
├── /payloads/ ← Generated implants go here
│   ├── 2025-11-30_client1.exe
│   └── archived/
│
├── /botnet_panel/ ← SEPARATE C2 + Botnet Management Panel
│   ├── /panel/ ← Web panel (PHP 8.2 + Laravel 10)
│   │   ├── app/
│   │   ├── public/
│   │   │   └── index.php
│   │   ├── resources/views/
│   │   │   ├── dashboard.blade.php
│   │   │   ├── bots_online.blade.php
│   │   │   ├── tasks.blade.php
│   │   │   ├── files.blade.php
│   │   │   ├── webcam_live.blade.php
│   │   │   └── settings.blade.php
│   │   ├── routes/web.php
│   │   └── .env.example
│   │
│   ├── /gate/ ← Gate.php (all bots connect here)
│   │   ├── gate.php ← Single entry point (obfuscated)
│   │   └── gate_backup.php
│   │
│   ├── /install/ ← One-click installer for VPS
│   │   ├── install.sh
│   │   └── nginx.conf
│   │
│   ├── /database/
│   │   └── spyeye_panel.sql ← Bots, tasks, logs, screenshots, etc.
│   │
│   ├── /c2_servers/
│   │   ├── domains.txt ← Current live domains
│   │   ├── fastflux_dns.py ← Automated fast-flux script
│   │   └── dga_generator.py ← Domain Generation Algorithm (daily seeds)
│   │
│   └── /themes/
│       └── dark_neon/ ← Current panel theme
│
├── /cryptors/
│   ├── hyperion.cpp ← FUD runtime cryptor
│   ├── themida_vmprotect.conf
│   └── packer.py ← Custom PE packer + anti-VM
│
├── /tools/
│   ├── mass_spreader.exe ← USB + LAN spreader
│   ├── rdp_bruteforcer.py
│   ├── email_spoofer/
│   └── discord_token_grabber.py
│
├── /logs/ ← Local builder logs (encrypted)
├── /updates/
│   └── 2025-11-30_update.bin ← Silent update package
│
└── /evasion/
    ├── av_bypass_tests/
    ├── sandbox_evasion.cpp
    └── anti_analysis_hooks.asm
```

*Last Updated: November 28, 2025*
*Active TTPs: APT29/28 Joint Operations 2025*