In this post, we will cover how to make a undetectable malware or loader for our Red team operation or penetration testing. To establish a unified control and command (C2) framework for post exploitation, we often need a loader, beacon or stager generated by that same C2 framework to be executed on the target system. The issue stands where the shellcode generated by most open-source C2 framework happens to have well known bad characters, hence making them highly detectable, triggering even the most basic Anti-Virus. The fact that, we can only use the C2’s shellcode leads us to dig into Malware Development Evasion Techniques, so that the same highly evasive shellcode from our C2, does not get detect, terminated, and halting our engagement… leaving us very frustrated at the end.