Red Macros Factory is an Initial Access Framework designed by a Red Teamer for Red Teamers.

Battle-tested solution for Red Teams having little time for internal R & D or looking for alternative weaponization ideas and high-quality tooling to extend their arsenal.

With extensibility in mind, the Framework offers multiple tools letting you & your Team generate fully weaponized, obfuscated payloads helping you and your Team become successful!

» Looking for ways to help your Team advance their Initial Access capabilities?

» Spending too much time manually devising shellcode loaders, payloads, scripts, macros?

» Looking for ways to bypass MOTW, utilize containers, backdoor documents - all of that conveniently with automated tooling?

» Eager to try out Multi-Language (C#, C++, soon even more!), flexible, evasive Shellcode Loader implementing variety of code injection techniques?
» Curious in emulating over 17+ ready-made advanced complex infection scenarios?
» Looking to expand your Team's initial access payloads repertoire?

With Red Macros Factory you can generate 76+ obfuscated, fully weaponized vectors in a glimpse of an eye

Shellcode Loaders:
- » Built in various languages: C++, C#, ...
- » Support variety of compilers: MinGW, MSVC, LLVM clang, MSbuild, csc, ...
- » Variety of shellcode injection techniques: CreateThread, DirtyCLR, ...
- » Multiple output formats supported: exe, dll, cpl, xll, wll, ...
- » Various shellcode retrieval strategies: hardcoded, file, URL, environment variables, ...
- » Shellcode encryption & compression support out-of-the-box
- » A range of evasions: Anti-Sandbox, execution guardrails, time-delays, ...
Office documents (29+):
- » Word: .doc, .docm, .dotm, .dot, .rtf, .mht
- » Excel: .xls, .xlsm, .xltm, .xlt, .xlsb, .xla, .xlam
- » PowerPoint: .pptm, .ppsm, .potm
- » Access: .mdb, .accde
- » Visio: .vdw, .vsd, .vsdm, .vss, .vssm, .vstm, .vst
- » Project: .mpp, .mpt
- » Publisher: .pub
- » Outlook: .otm (used in Outlook persistence scenarios)
Scripts (11):
- » .vba
- » .vbs: VBscript
- » .vbe: VBScript encoded
- » .js: JScript / JXA
- » .jse: Jscript encoded
- » .msc: Microsoft Management Console Snap-in
- » .hta: HTML Application containing VBscript/JScript
- » .xsl: XML containing VBScript/JScript
- » .wsf: XML containing VBScript/JScript
- » .wsc: COM Scriptlet containing VBScript/JScript
Containers (20+):
- » .zip: can contain hidden files
- » .7zip
- » .rar
- » .iso: can contain hidden files
- » .img: ISO-renamed, can contain hidden files
- » .gz, .tar.gz, .tar.bz2, .tar, .tar.xz, .tar.zst, .tzst, .tbz2, .tgz, .txz : various tarballs, bzip2 and other linux archives
- » .sz / .szdd / .kwaj - MSCOMPRESS legacy archive format
- » .cab
- » .wim
- » .vhd
- » .vhdx
- » .cpio: archive format supported by Apple's Archiver Utility, dubbed as Regular Archive
- » .cpgz: archive format supported by Apple's Archiver Utility, dubbed as Compressed Archive
- » .pdf: files embedded into PDF
- » .lnk: LNK with appended file/ZIP, uses Powershell to unpack itself
- » .rdp: idea to conceal payloads within RDP files, as described here
Other vectors (16):
- » .application, .manifest, .appref-ms: ClickOnce deployment files
- » .bat, .cmd: Classic cmd.exe batch files
- » .ps1: Powershell scripts
- » .html, .svg: HTML Smuggling, SVG Smuggling
- » .lnk: Windows shortcut
- » .url: a shortcut that can launch direct victim onto URL in default browser or launch locally available file through file:///path/to/file.exe URI-handler
- » .chm: can run system commands, useful in complex infection scenarios
- » .msi: malicious MSI installer or backdoored MSI
- » .mst: Installation transform file
- » .msp: Installation patch file, backdoors legitimate MSI
- » .msg: BadAppointment attack, implements malicious appointment to coerce NetNTLM authentication
- » .diagcab: path-traversal enabled CAB file exploiting Dogwalk exploit, generated with exploiter.exe
- » .inf: INF installation file invoking SCT, in an INF-SCT weaponization scenario

» Sounds like an excellent fit for your Team's arsenal? Request a Demo today!

» Download product brochure

Anytime we start a new engagement, there's always a weaponization part involved. We dive deep into devising custom shellcode loaders, scripts, containers, HTML landing pages, malicious VBA macros, to then link them all up into a consecutive infection chain. Lots of manual steps involved and an equally wide margin for the operator's error.

Instead of spending way too much time on weaponization activities, how about using a ready-made framework that automates everything for you? A framework that comes with many different attack strategies, tactics, and file format vectors. Here comes Red Macros Factory - a framework just to fill these needs.

» Capabilities overview
» Quality of Life Improvements
» Formats supported
» Batteries included
1. 1. shellcoder.exe - Multi-Language Shellcode Loader builder - produces source code, obfuscates it, compiles. Quickly build flexible evasive shellcode loaders
2. 2. generate.exe - Generates all sort of scripts, macros, Office documents. One stop shop for generating all the things
3. 3. cli.exe - Official RMF Command Line interface with auto-completion, history & other features
4. 4. msir.exe - Produces & backdoors .MSI, .MST, .WXS Microsoft installation files and .MSP patches
5. 5. lnker.exe - Produces & backdoors .LNK, .URL shortcut files
6. 6. clicker.exe - Weaponizes & backdoors ClickOnce deployments
7. 7. signer.exe - Takes any supported file on input (over 40+ different files can be signed), generates (or uses existing) code signing certificates and produces output signed file
8. 8. smuggler.exe - Takes file on input, produces output HTML smuggling landing page that will deliver that file
9. 9. pager.exe - Helps generate malicious landing pages by either generating one from the scratch, cloning existing pages or obfuscating input HTMLs
10. 10. obfuscator.exe - Takes script on input (js, vbs, vba, hta, msc, bat, ps1, ...) and produces its heavily obfuscated form on output
11. 11. packager.exe - Takes file(s)/directory on input and produces (or backdoors existing) container file on output (iso, zip, ...)
12. 12. converter.exe - Converts one script format to another, for instance VBA to HTA, VBS to WSC, JScript to MSC, etc
13. 13. chmer.exe - Produces & backdoors .CHM payloads
14. 14. exploiter.exe - Generates unusual initial access vectors, like MSC GUI, BadAppointment, DiagCab
15. 15. embedder.exe - Inserts file or VBA macro or COM OLE object into Office document
16. 16. injector.exe - Injects Remote Template URL, CustomUI, variables, CustomXMLParts, properties into existing Office document
17. 17. tamperer.exe - Anonymizes, VBA Stomps, VBA Purges, encrypts input Office document in attempt to decrease detection rate
18. 18. lolbaser.exe - Displays how to work with LOLBINs, tests them, analyses
19. 19. macroless.exe - Produces & backdoors Office documents with macroless weaponization primitives
20. 20. file2script.exe - Takes file on input, produces enormous output VBA/VBS/JS code containing that file embedded
21. 21. encoder.exe - Encodes input file with custom-Base64 encoder, XOR encoder etc
22. 22. batcher.exe - Produces malicious obfuscated .BAT/.CMD payloads
23. 23. updater.exe - Used to update the framework, review changelog, see available versions
24. 24. And more
» 106,000+ lines of code: Python + VBA/VBS/JS + Powershell + C# + C++ + Batch + lots more...
» 4 years of active Research & Development

» Framework subscription is charged annually. Prices may change soon.
» I'm running a registered legal entity, so VAT invoices are available.

Type	Price
1 year New license for 5 seats	3500 EUR
1 year License renewal	2200 EUR
Premium package - including RMF, custom shellcode loader with source code and bunch of additional tooling	Request a quote

Want to see that Framework in action?

binary-offensive.com

Red Macros Factory

With Red Macros Factory you can generate 76+ obfuscated, fully weaponized vectors in a glimpse of an eye

» Sounds like an excellent fit for your Team's arsenal? Request a Demo today!

» Download product brochure

Initial Access Framework

Capabilities overview

Capabilities overview

Capabilities overview

Quality of Life Improvements

Need more convincing? Meet the tools included!

shellcoder.exe

generate.exe

cli.exe

msir.exe

lnker.exe

clicker.exe

signer.exe

smuggler.exe

obfuscator.exe

packager.exe

converter.exe

chmer.exe

exploiter.exe

embedder.exe

injector.exe

tamperer.exe

lolbaser.exe

macroless.exe

file2script.exe

batcher.exe

encoder.exe

updater.exe

Pricing

Want to see that Framework in action?

binary-offensive.com

Red Macros Factory

With Red Macros Factory you can generate 76+ obfuscated, fully weaponized vectors in a glimpse of an eye

» Sounds like an excellent fit for your Team's arsenal? Request a Demo today!

» Download product brochure

Initial Access Framework

Capabilities overview

Capabilities overview

Capabilities overview

Quality of Life Improvements

Need more convincing? Meet the tools included!

shellcoder.exe

generate.exe

cli.exe

msir.exe

lnker.exe

clicker.exe

signer.exe

smuggler.exe

pager.exe

obfuscator.exe

packager.exe

converter.exe

chmer.exe

exploiter.exe

embedder.exe

injector.exe

tamperer.exe

lolbaser.exe

macroless.exe

file2script.exe

batcher.exe

encoder.exe

updater.exe

Pricing

Want to see that Framework in action?