New Offensive Toolkit Generates Payloads to Evade AV, EDR, and XDR
A newly released offensive cybersecurity toolkit, Zig Strike, is making waves in the security community for its advanced ability to generate payloads that evade traditional and next-generation security defenses, including antivirus (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) solutions.
According to the report, Zig Strike emerges as a response to the escalating sophistication of cyber threats and the ongoing arms race between attackers and defenders.
Developed over six months, the toolkit leverages the modern Zig programming language—known for its low-level control and advanced compile-time features—to create highly customizable and evasive payloads.
Earlier versions were built in C and Pascal, but the transition to Zig has enabled the incorporation of innovative techniques for memory management and detection avoidance.
Key Features and Capabilities
- Web-Based Payload Builder: Zig Strike offers a Python-powered web portal that streamlines the creation and customization of payloads. Users can upload raw or C-based shellcode, select from multiple injection techniques, and fine-tune evasion options. The backend Zig compiler processes these inputs, generating ready-to-test payloads with visual feedback throughout the process.
- Multiple Injection Techniques: The toolkit supports four primary injection methods:
  - Local Thread Injection: Hijacks a thread within the current process, redirecting execution to the payload via function stomping.
  - Remote Thread Hijacking: Alters the execution flow of threads in remote processes using Windows APIs.
  - Local Mapping: Utilizes Windows file mapping APIs to allocate executable memory, reducing suspicious patterns that EDRs typically detect.
  - Remote Mapping: Maps shellcode into the address space of remote processes, further obfuscating malicious activity.
- Entropy and Detection Reduction: Zig Strike fragments shellcode into multiple wide-string (UTF-16) variables, encodes them in Base64, and embeds them in the PE file's .rdata section. This keeps the file's overall entropy low and makes static analysis and signature-based detection much more difficult for security solutions.
- Anti-Sandbox Mechanisms: The toolkit checks for the presence of a Trusted Platform Module (TPM) and verifies whether the machine is joined to a corporate domain. These checks help it evade dynamic analysis in the virtualized sandbox environments commonly used by AV products.
- Versatile Output Formats: Payloads can be exported as DLLs (Dynamic Link Libraries) or XLLs (Excel Add-ins), supporting both 32- and 64-bit architectures. The XLL format, in particular, allows seamless integration with Microsoft Excel, leveraging trusted Office functionality for stealthy delivery.
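The entropy-reduction technique described above works because Base64 text stored as UTF-16 carries at most about 3 bits of information per byte, so a section full of encoded shellcode looks no more "random" than ordinary resource strings. The following Python is an added defensive illustration, not part of the article or of the Zig Strike project: it scans the raw bytes of a section (assumed to have already been carved out of the PE with any PE parser), pulls out UTF-16LE strings, keeps those that decode cleanly as Base64, and compares the entropy of the file bytes with the entropy of the concatenated decoded fragments. The sample section, the `min_fragments` and `entropy_threshold` parameters, and the benign string names are all constructed for the example.

```python
import base64
import math
import random
import re

# Standard Base64 alphabet with optional '=' padding, matched against a decoded UTF-16LE string.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for empty input, approaching 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_utf16le_strings(section: bytes, min_chars: int = 8) -> list:
    """Return printable UTF-16LE strings of at least `min_chars` characters.

    A candidate string is a run of 2-byte code units whose low byte is printable
    ASCII and whose high byte is zero; the run ends at the first other unit.
    """
    out = []
    i = 0
    last = len(section) - 1
    while i < last:
        j = i
        while j < last and 0x20 <= section[j] < 0x7F and section[j + 1] == 0:
            j += 2
        if (j - i) // 2 >= min_chars:
            out.append(section[i:j].decode("utf-16-le"))
        # Skip the 2-byte terminator after a run; otherwise step one byte to stay alignment-agnostic.
        i = j + 2 if j > i else i + 1
    return out


def base64_fragments(strings: list) -> list:
    """Keep only strings that are well-formed Base64 and return their decoded bytes."""
    frags = []
    for s in strings:
        if len(s) % 4 == 0 and _B64_RE.match(s):
            try:
                frags.append(base64.b64decode(s, validate=True))
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
    return frags


def analyze_rdata(section: bytes, min_fragments: int = 4, entropy_threshold: float = 7.0) -> dict:
    """Compare the entropy of the section as stored with the entropy of its decoded Base64 fragments.

    Many fragments that together decode to high-entropy bytes, inside a low-entropy
    section, is the pattern a string-splitting encoder leaves behind.
    """
    frags = base64_fragments(extract_utf16le_strings(section))
    blob = b"".join(frags)
    result = {
        "section_entropy": shannon_entropy(section),
        "fragment_count": len(frags),
        "decoded_bytes": len(blob),
        "decoded_entropy": shannon_entropy(blob),
    }
    result["suspicious"] = len(frags) >= min_fragments and result["decoded_entropy"] >= entropy_threshold
    return result


def build_sample_section(fragment_count: int = 8, fragment_size: int = 96, seed: int = 1) -> bytes:
    """Constructed stand-in for an .rdata section (not taken from any real binary).

    Benign UTF-16LE strings are interleaved with Base64-encoded chunks of seeded
    pseudo-random bytes that play the role of a high-entropy payload.
    """
    rng = random.Random(seed)
    benign = ["Microsoft Corporation", "kernel32.dll", "Hello, world"]
    parts = []
    for k in range(fragment_count):
        parts.append(benign[k % len(benign)].encode("utf-16-le") + b"\x00\x00")
        chunk = bytes(rng.getrandbits(8) for _ in range(fragment_size))
        parts.append(base64.b64encode(chunk).decode("ascii").encode("utf-16-le") + b"\x00\x00")
    return b"".join(parts)


if __name__ == "__main__":
    report = analyze_rdata(build_sample_section())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed section, the stored bytes score around 4 bits per byte (half of them are the zero high bytes of UTF-16), while the eight decoded fragments together score well above 7, which is what a plain whole-file entropy heuristic would have missed. In practice the thresholds need tuning against a corpus of benign binaries, since legitimate software also ships Base64 blobs such as embedded certificates.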
Zig Strike has demonstrated the ability to bypass Microsoft Defender for Endpoint (MDE), even with Attack Surface Reduction (ASR) rules enabled.

In controlled tests, payloads delivered via Excel add-ins successfully triggered Cobalt Strike beacons without detection, highlighting the toolkit’s effectiveness against modern enterprise defenses.
While Zig Strike is intended for red teaming and ethical hacking—to help organizations identify and remediate weaknesses—it also underscores the urgent need for continuous innovation in defensive technologies.
Its open-source nature means defenders must remain vigilant, regularly update detection rules, and avoid reliance on any single security solution.
Zig Strike’s release is a stark reminder: as offensive capabilities evolve, so too must the strategies and tools of defenders in the ever-changing cybersecurity landscape.