JAVELIN: Fully Undetectable Windows Shellcode Loader Now Available in IRIS C2
Published November 16, 2025
We're thrilled to announce the release of JAVELIN, our fully undetectable Windows shellcode loader, now available in IRIS C2. JAVELIN enables operators to deliver MANTIS stage zero shellcode into memory on target devices without ever triggering AV, EDR, or XDR solutions—a game-changer for initial access and payload delivery.
Polymorphic Compilation for Every Build
JAVELIN leverages advanced polymorphic compilation techniques to ensure every build generates a completely unique binary with a different hash. Each payload features XOR encryption with randomized keys, RW→RX memory allocation (no RWX), and over 30 randomized function and variable names per build. The result is zero static signatures across all builds.
The loader supports both EXE (standalone) and DLL (injection/side-loading) formats, giving operators flexibility based on their delivery method and target environment constraints.

JAVELIN Payload Configuration Interface: Configure output format, shellcode path, decoy files, icon disguises, and self-delete options
EXE Delivery: Standalone Execution
When operators save the loader as an EXE, they can deliver it as a standalone executable. Upon execution, the Stage 0 MANTIS shellcode loads directly into memory, then pulls down the full agent (also position-independent shellcode) from the listener and loads it into memory without ever touching the disk.
The EXE option becomes even more powerful with JAVELIN's advanced file masquerading capabilities. Operators can configure the payload to impersonate other file types including Word documents, Excel spreadsheets, PDFs, MP3 audio files, MP4 videos, ZIP archives, or JPG images. The payload receives the appropriate icon for the chosen file type and utilizes a double file extension technique.
File Masquerading in Action
In most Windows environments, where file extensions are hidden by default, the payload appears as a completely legitimate file of the target type. For example, a payload configured as "NoticeOfTermination.pdf" displays with a PDF icon and no visible .exe extension, making it highly convincing to unsuspecting users.
Live demonstration: User clicks NoticeOfTermination.pdf, the PDF opens in default viewer, while JAVELIN loads shellcode into memory, self-deletes, and leaves only the decoy file

Payload Generation Success: JAVELIN confirms the payload is ready with double extension and PDF icon disguise
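A defender-side check for the double-extension and icon-disguise trick described above, added here as an example and not part of the original post or the IRIS C2 product: it classifies files by their leading bytes rather than their names and flags a name such as NoticeOfTermination.pdf.exe, or any PE image carrying a document or media extension. The extension sets and the stub sample bytes are constructed for the demonstration.

```python
import os
import tempfile
# Outer "document" extensions mirror the icon disguises listed on the page; EXECUTABLE_EXTS are names Windows runs.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".mp3", ".mp4", ".zip", ".jpg"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}

def content_kind(path):
    """Classify a file by its leading bytes, ignoring its name entirely."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(b"MZ"):
        return "pe"  # Windows EXE/DLL image
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        return "zip"  # plain ZIP or an OOXML Office document
    return "unknown"

def check_masquerade(path):
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    exts = ["." + p for p in os.path.basename(path).lower().split(".")[1:]]
    # Name check: a document extension right before an executable one (e.g. X.pdf.exe, shown by Explorer as X.pdf).
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append("double-extension")
    # Content check: a PE image whose final extension is not an executable one.
    if content_kind(path) == "pe" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        findings.append("pe-image-nonexecutable-name")
    return findings

def scan_directory(directory):
    """Map each flagged file name in the directory to its findings."""
    results = {}
    for name in sorted(os.listdir(directory)):
        hits = check_masquerade(os.path.join(directory, name))
        if hits:
            results[name] = hits
    return results

def demo():
    """Scan constructed sample files (stub bytes, not real malware) in a scratch directory."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    samples = {"NoticeOfTermination.pdf.exe": pe_stub, "playlist.mp3": pe_stub,  # PE behind document/media names
               "invoice.pdf": b"%PDF-1.7\n", "setup.exe": pe_stub}  # honest names, nothing to flag
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        return scan_directory(tmp)

print(demo())
```

Because the loader self-deletes after execution, a scan like this is useful on mail gateways, download folders and removable media before a file is opened, not after.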
DLL Delivery: ESTER Integration and DLL Proxying
Operators can also generate JAVELIN as a DLL and use it in conjunction with IRIS C2's ESTER (Enhanced Software Trojanization and Embedding Runtime) to trojanize legitimate application installers. This technique is particularly effective for social engineering scenarios where users expect to install software.

ESTER Interface: Configure trojanized installers with JAVELIN DLL payloads, legitimate app details, and DLL proxying options
ESTER modifies a legitimate installer to load the malicious JAVELIN DLL instead of a required legitimate DLL. However, JAVELIN doesn't break the installation—it implements sophisticated DLL proxying that forwards all necessary functions from the JAVELIN DLL to the legitimate DLL it's impersonating. This means the legitimate installer runs properly and completes successfully while the shellcode loads into memory in parallel.
Once the JAVELIN DLL successfully loads the Stage 0 shellcode into memory, it performs a critical anti-forensics step: it self-deletes from disk. This eliminates the primary artifact that forensic investigators or EDR solutions might later discover, leaving minimal traces of the initial compromise.
Operator-Controlled Features
All of JAVELIN's features can be optionally invoked by the operator directly within IRIS C2's intuitive payload generation interface. Operators can:
- Select between EXE and DLL output formats based on delivery method
- Choose icon disguises (PDF, Word, Excel, MP3, MP4, ZIP, JPG) for EXE payloads
- Configure decoy files to open after execution for increased legitimacy
- Enable self-delete functionality to minimize forensic artifacts
- Activate double extension techniques for file masquerading
- Specify custom output names and save locations
The configuration interface provides real-time validation, ensuring all required fields are filled before payload generation. This streamlined workflow allows operators to generate sophisticated, fully undetectable payloads in seconds.
Comprehensive EDR Evasion
JAVELIN has been extensively tested in our lab environment against a wide array of enterprise security solutions. All functionality remains fully undetected by the following platforms:
- Windows Defender (Standard)
- Microsoft Defender for Endpoint
- CrowdStrike Falcon
- Elastic EDR
- Kaspersky EDR
- Kaspersky Next
- Positive Technologies MaxPatrol EDR
- FACCT EDR
- Qi-Anxin (Tianqing EDR)
- 360 Enterprise Security (Qihoo 360)
- Venustech
- Sangfor
- Palo Alto Cortex EDR
- SentinelOne EDR
- Trend Micro XDR
- Cybereason EDR
This comprehensive evasion coverage spans Western, Russian, and Chinese security vendors, demonstrating JAVELIN's effectiveness across diverse detection technologies and geographic markets. Our testing methodology involves live execution in controlled lab environments with full telemetry enabled, ensuring real-world validation.
Technical Architecture
JAVELIN's technical implementation prioritizes stealth and reliability. The loader employs several key techniques:
- XOR Encryption: Stage 0 shellcode is encrypted with randomized XOR keys unique to each build
- RW→RX Memory Allocation: Memory pages transition from Read-Write to Read-Execute, never using suspicious RWX permissions
- No RWX Permissions: Avoids the telltale signature of allocating memory with Read-Write-Execute permissions simultaneously
- Polymorphic Identifiers: Over 30 function and variable names are randomized per build, defeating YARA rules and static analysis
When used in DLL mode with ESTER, JAVELIN implements complete function forwarding tables that proxy all exports from the impersonated DLL to the legitimate version. This ensures the host application receives correct function pointers and behaves normally, preventing crashes or suspicious behavior that might alert users or monitoring systems.
Operational Use Cases
JAVELIN excels in multiple operational scenarios:
Spear Phishing Campaigns
Generate payloads disguised as legitimate business documents (contracts, invoices, termination notices) with appropriate PDF or Word icons. When targets open what they believe to be a document, they see the actual decoy content while JAVELIN establishes persistence in memory.
Software Supply Chain Attacks
Use ESTER to trojanize popular software installers with JAVELIN DLL payloads. The software installs and functions normally, giving no indication of compromise, while your agent establishes command and control.
Physical Access Operations
Deploy JAVELIN payloads via USB drops disguised as media files (MP3, MP4) or documents. The self-delete and decoy features ensure that even if the device is later forensically examined, minimal artifacts remain.
Watering Hole Attacks
Host JAVELIN payloads on compromised websites disguised as software updates, plugins, or content downloads. The polymorphic compilation ensures each download has a unique hash, complicating reputation-based blocking.
Integration with MANTIS Implant
JAVELIN serves as the initial delivery mechanism for the MANTIS implant framework. The multi-stage architecture provides defense in depth:
- Stage 0 (3KB): Minimal shellcode that establishes initial callback and downloads the full agent
- Stage 1 (Full Agent, 75KB): Complete MANTIS implant with all capabilities, delivered over encrypted HTTPS
This staged approach minimizes the initial payload size, making JAVELIN faster to execute and harder to analyze. The full agent only transfers after successful Stage 0 execution, and the encrypted channel prevents network-based detection of the payload.
Conclusion
JAVELIN represents a significant advancement in initial access tradecraft. By combining polymorphic compilation, sophisticated file masquerading, DLL proxying, and anti-forensics techniques, JAVELIN provides operators with a reliable, undetectable method for delivering payloads across diverse environments.
The seamless integration with IRIS C2 means operators can generate, customize, and deploy JAVELIN payloads without leaving the platform. All configuration options are exposed through an intuitive interface with real-time validation, enabling rapid payload generation during time-sensitive operations.
With comprehensive evasion coverage spanning Western, Russian, and Chinese EDR/XDR solutions, JAVELIN provides red teams and penetration testers with the confidence they need for global engagements. Every build is unique, every execution is stealthy, and every artifact is minimized.
Ready to leverage JAVELIN in your operations? IRIS C2 is available for qualified red teams and security professionals. Contact info@IRISC2.com to schedule a demonstration.