Imagine you're John. Forty-six years old. Senior IT lead at a Fortune 500 you've probably heard of. Twelve thousand employees spread across three continents, and somehow you're responsible for making sure none of them click on anything stupid.

It's Monday morning, December 1st. Third cup of coffee. Half-listening to a Teams call about infrastructure budgets when an email slides into view.

Sara Parker. That young woman from systems design. Works from home mostly. You've exchanged maybe ten words with her at the last holiday party. Seems nice. Eager.

How thoughtful. A real over-achiever.

You double-click.

A window appears. Clean, professional. The Coca-Cola logo sitting next to the Microsoft Teams icon. A subtle Christmas tree in the corner. Color swatches showing festive reds and deep greens.

"Apply Holiday Theme."

You click.

Progress bar. Downloading theme assets. Applying theme. Done.

"Love the new look? Share it with your team!"

Three buttons underneath. Slack. Teams. Email.

And a modest Done at the bottom.

You smile. Click Done. The window closes. Teams looks a little different now. Darker. Festive. Nice touch.

Back to the budget call.

What is SLAYBELL?

SLAYBELL is a holiday-themed social engineering delivery system built into IRIS C2. It packages your payload inside a convincing corporate theme installer for Slack or Microsoft Teams, complete with branded UI, progress animations, and functional theme application.

SLAYBELL supports both Slack and Microsoft Teams theme pretexts

The system supports multiple delivery methods depending on your operational requirements.

The dropper variant weighs in at 52 kilobytes for macOS or 48 kilobytes for Windows. It's a native stub with the payload server URL XOR-encrypted inside the application icon—no plaintext strings, no obvious delimiters, just bytes that look like image data. Small enough to email as an attachment without triggering size-based scanning or raising suspicion.

For Windows targets, there's also a 2-kilobyte LNK shortcut option. It downloads and executes the full payload on click, then deletes itself. Some email gateways strip LNK files, so the native dropper is generally more reliable, but when it works, it's the smallest possible initial stage.

The full Electron application runs about 91 megabytes for macOS and 85 megabytes for Windows. Too large to email, but useful when you're hosting the payload directly and sending a download link, or for USB delivery scenarios where size doesn't matter.

There's also a universal build that packages both platforms. When the target executes it, the application detects whether it's running on macOS or Windows and downloads the appropriate payload—DRIFTWOOD for Mac, JAVELIN for Windows. One package, both platforms, automatic selection.

Payload Delivery: Hiding in Plain Sight

Once the full Electron application is running—whether launched directly or pulled down by a dropper—it requests holiday images from what appears to be a CDN. Festive PNGs. The network traffic looks like any web application fetching assets because that's exactly what it is. The images are valid. They render correctly.

But PNG files end with an IEND chunk, and anything appended after that is ignored by image parsers. We append our payload there—HMAC signature followed by encrypted shellcode or executable. The Electron app finds it, verifies integrity, decrypts, and executes based on platform.

On macOS, it extracts a Mach-O binary and spawns it detached. The DRIFTWOOD implant beacons back to your infrastructure.

On Windows, it extracts a DLL and loads it using our DOPPEL technique. Rather than dropping a DLL and calling LoadLibrary like an amateur, we proxy through a legitimate system DLL. The extracted JAVELIN DLL masquerades as version.dll, forwarding all legitimate API calls to the real version.dll while executing our payload in a separate thread. The application that loaded it continues working normally. No crashes, no errors, no suspicious behavior. EDR sees a trusted process loading version.dll and making version API calls—completely expected behavior.

The JAVELIN DLL decrypts MANTIS stage-zero shellcode and executes it in memory. Stage zero pulls down the full implant. Everything runs in memory. Nothing on disk except the DLL itself, and that deletes itself after execution. By the time anyone thinks to look, the only artifact is an implant running under a trusted process.

The Theme Actually Works

The theme actually gets applied. This matters. If John clicks "Apply Theme" and nothing visible happens, he might get suspicious. Instead, the application modifies Slack's configuration or adjusts Teams settings, and John sees his workspace change colors. Confirmation that everything worked. Nothing to investigate.

After the theme applies and the payload executes, the user sees share buttons. One click opens Slack, Teams, or their email client with a pre-filled message about the theme and the file ready to attach. We added this because internal sharing is more effective than external phishing. When John sends the theme to Mike, Mike isn't receiving a suspicious attachment from outside—he's receiving a file from John, someone he trusts, through a channel they use daily.

The application self-destructs after completion. The dropper, the Electron app, any temporary files—gone. The only thing that remains is the in-memory implant.

Evasion Results

We've tested SLAYBELL against enterprise security stacks extensively. Email gateways from the major vendors. EDR products. Network detection systems. The results have been favorable.

The dropper passes email scanning because there's nothing to flag. It's a valid application bundle with a valid icon. The script inside does byte manipulation on a file, which isn't inherently suspicious. The URL isn't visible because it's encrypted with a key derived from the icon's own content.

On the endpoint, the Electron app downloading images over HTTPS generates no alerts. The images are valid PNGs. The appended data doesn't trigger image validation because parsers don't read past IEND.

The DOPPEL technique on Windows presents as expected system behavior. A trusted application loading version.dll and calling GetFileVersionInfo is normal. The DLL proxy forwards those calls correctly, so the application works as expected. The payload runs in a thread inside a trusted process. The self-deletion is timed to avoid heuristics we've encountered that flag DLLs removing themselves too quickly after load.

The self-destruct removes forensic artifacts before anyone thinks to look. The in-memory implant leaves no file to scan, no hash to check, no signature to match.

Detection Opportunities

For defenders, detection opportunities exist at several points.

Icon files with data appended beyond their defined structure are anomalous. PNG files with content after the IEND chunk are a known polyglot technique. DLL loads from application directories instead of System32 warrant investigation. The behavioral chain on macOS—script execution, curl, hdiutil mount, application launch in sequence—is less common than each step individually.

User verification through out-of-band communication remains effective. If Sara from design sends John a theme file, a quick message through a different channel to confirm she actually sent it defeats the pretext entirely.

None of these are silver bullets. SLAYBELL is designed to look boring at every step, and boring doesn't trigger alerts without generating false positives on legitimate activity. But defense in depth means making each layer harder to pass.

Availability

SLAYBELL ships with IRIS C2 version 4.2 and later. The builder interface lets you select target platform, delivery method, messaging application, company branding, payload configuration, and optional features including credential harvesting and viral sharing.

The SLAYBELL builder interface in IRIS C2 - configure target platform, delivery method, branding, and payload options

The technique isn't novel in its components. Polyglot files, DLL proxying, Electron wrappers, social engineering pretexts—all documented extensively. What SLAYBELL represents is assembly into a cohesive package that fits how people actually work. It's December. Holiday themes are expected. A helpful colleague sending a small attachment is normal. The file is small enough to email. The UI is polished. The theme actually gets applied.

This tool is intended for authorized security testing and research. Unauthorized access to computer systems is illegal regardless of the techniques employed. The personas, company names, and branding described in this post are fictional and used for illustration only.