// OCCUPATION FORCE CALLSIGN GSW PTY LTD

CHOOSE YOUR
ACCESS TIER

22nd Survey Division — offensive security research course. 22 modules. Live tools. Original CVE research. Two ways to get in.

ABN 50 692 429 397  ·  ACN 692 429 397  ·  SYDNEY AU
↓ SCROLL TO COMPARE ↓
// SELECT ACCESS LEVEL

TWO TIERS. ZERO FILLER.

// MONTHLY ACCESS
A$21.99/mo
Course access with live updates. Cancel anytime. Best for learning on a budget or testing the content before committing.
COURSE CONTENT
22 full modules — read access, all sections
Module updates — new content as it drops
Windows internals & kernel dev
C2 architecture, lateral movement, AV evasion concepts
HWBP AMSI/ETW bypass — written by the researcher (VULN-195458)
TOOLS
GeoDefend scanner — hosted tool, web accessINCLUDED
IRON-DOME demo — results walkthrough (no source)
IRON-DOME v4 source repository
CHEYANNE C2 source repository
STARKILLER, WinRecon, Ghost-Encoder source
SUPPORT & UPDATES
Email support — gwu0738@gmail.com
Cancel anytime — no lock-in
BEST VALUE
// FULL BUNDLE — ONE-TIME
A$247.50 once
Everything. Forever. All 5 private tool repos. Full source code. No subscription. One payment, lifetime access including all future updates.
EVERYTHING IN MONTHLY, PLUS:
Lifetime access — no recurring fees, ever
All future module updates included automatically
PRIVATE TOOL REPOSITORIES (SOURCE CODE)
IRON-DOME v4 — AV evasion loader. C/PowerShell. 26 binaries, 0 detections.SOURCE
CHEYANNE C2 — full command & control framework, full kill chain.SOURCE
STARKILLER — Android RAT (Kotlin), Phase 1 complete.SOURCE
WinRecon / SKYWALKER — Windows recon & enumeration suite.SOURCE
Ghost-Encoder — zero-width Unicode steganography engine.SOURCE
RESEARCH & TOOLS
GeoDefend — web tool access + full source codeINCLUDED
MSRC VULN-195458 writeup — HWBP AMSI/ETW bypass, full technical doc + PoC
Priority email support + direct contact
// SIDE BY SIDE
FEATURE MONTHLY
A$21.99/mo		 FULL BUNDLE
A$247.50 once
22 Course modules
Module updates✓ forever
GeoDefend scanner (hosted)✓ + source
HWBP bypass research✓ + PoC code
IRON-DOME v4 source
CHEYANNE C2 source
STARKILLER Android RAT source
WinRecon / SKYWALKER source
Ghost-Encoder source
MSRC writeup + PoC
Recurring paymentA$21.99/monone
Lifetime access
// FULL BUNDLE — WHAT YOU'RE BUYING

THE TOOLS — HOW THEY WORK

Five private repositories. Not demos. Not tutorials. Operational tools — built, tested against live AV, and documented. Here's exactly what each one does, how it works under the hood, and why it evades detection.

// TOOL 01 — FULL BUNDLE
IRON-DOME v4
C  /  POWERSHELL  /  x64
26 BINARIES  ·  0 DETECTIONS

An AV evasion loader. You give it shellcode (Meterpreter, Cobalt Strike beacon, custom payload — anything). It encrypts it, wraps it in a clean-looking binary, and executes it on the target machine without triggering Windows Defender, ESET, or Kaspersky. 26 compiled binaries tested. All 0 detections.

HOW IT WORKS — STEP BY STEP
① ENCRYPTION

Shellcode is XOR/RC4 encrypted at compile time. The binary on disk contains only ciphertext — no recognisable malware bytes. Static AV scanners match signatures against raw bytes. No matching bytes, no detection.

② MEMORY STAGING

Allocates memory as RW (read/write only — not executable). Decrypts shellcode into it. Then changes permissions to RX (read/execute — no longer writable). AV behavioural engines specifically flag RWX allocations. We avoid that entirely.

③ API UNHOOKING

EDR products hook ntdll.dll functions (NtAllocateVirtualMemory, NtWriteVirtualMemory etc.) to intercept calls. IRON-DOME maps a fresh copy of ntdll from disk and calls through it directly, bypassing EDR's hooks entirely.

④ PROCESS HOLLOWING

Spawns a legitimate Windows process (svchost.exe, explorer.exe) in suspended state. Unmaps its memory. Writes the payload into the hollowed address space. Resumes the thread. Payload now runs inside a trusted process — task manager shows svchost.exe, not malware.exe.

⑤ IMPORT OBFUSCATION

The binary's Import Address Table (IAT) contains no suspicious entries. Functions like VirtualAlloc and WriteProcessMemory are resolved at runtime via GetProcAddress with hashed names — not listed statically where AV can read them.

⑥ SLEEP & SANDBOX CHECKS

AV sandboxes run samples for a fixed time window (usually 30–90 seconds). IRON-DOME checks for sandbox artefacts (low RAM, no user activity, virtualisation registry keys) and sleeps beyond the analysis window before executing.

WHY IT WORKS — THE THEORY

Modern AV has three detection layers: static (bytes on disk), behavioural (API call chains at runtime), and cloud-submitted sandbox. IRON-DOME destroys static signatures with encryption, avoids the suspicious RWX→execute behavioural chain, removes the API hooks behavioural engines rely on, and defeats sandbox timing. Targeting all three layers simultaneously is what gets 0 detections — beating just one layer isn't enough.

WHAT'S IN THE REPO
loader.c — main evasion engine encryptor.py — payload prep tool unhook.c — ntdll refresh module hollow.c — process hollowing 26× prebuilt binaries (tested, 0 det.) build.bat — one-command compile PENTEST_LOG.md — test methodology
// TOOL 02 — FULL BUNDLE
CHEYANNE C2
C  /  PYTHON  /  FULL KILL CHAIN
BEACON  ·  HANDLER  ·  CONSOLE

A complete command-and-control framework. You deploy a beacon implant on a target machine. It calls back to your handler server on a configurable interval. You interact with it through an operator console — run commands, exfiltrate files, pivot to other machines, establish persistence. The full offensive kill chain in one codebase, documented with a real PENTEST_LOG.md.

THREE COMPONENTS — HOW EACH WORKS
BEACON IMPLANT

Runs on the compromised machine. Sleeps for a configurable interval (default 30s with ±10s jitter), then sends an HTTPS callback to the handler. Jitter prevents detection by timing-pattern analysis — a beacon that checks in every exactly 30 seconds is trivial to spot in network logs. The jitter makes the pattern statistical noise. On callback the beacon receives a queued job (run command, upload file, spawn process etc.), executes it, and sends output back encrypted. If no job, it sleeps again. Minimal network footprint.

HANDLER (C2 SERVER)

Receives beacon callbacks over HTTPS. Maintains a job queue per implant. Stores output. Serves a listener on configurable port. Traffic profile mimics a legitimate web server — responds to non-beacon requests with normal HTTP responses so port scans don't flag an open C2 port. Malleable comms profile lets you shape the HTTPS request headers to look like browser traffic (User-Agent, Accept headers etc.).

OPERATOR CONSOLE

CLI interface for the pentester. List active beacons, select a session, run commands. Built-in modules: screenshot, keylogger, credential dump path, file upload/download, lateral movement (pass-the-hash via NTLM), persistence (registry run key, scheduled task, WMI subscription). Output is logged per-session for report generation.

WHY IT EVADES DETECTION

C2 traffic is flagged by network defenders when it's periodic, encrypted in non-standard ways, or communicates with known-bad IPs. CHEYANNE uses HTTPS (standard encrypted channel), jitter (defeats periodicity detection), mimicked browser headers (passes application-layer inspection), and operator-controlled listener domains (fresh infrastructure = no threat-intel hits). Compare this to off-the-shelf tools like Metasploit — whose callback signatures are in every SIEM rule. This is custom, undocumented, and not in any threat intelligence database.

WHAT'S IN THE REPO
implant/ — beacon source (C) handler/ — C2 server (Python) console/ — operator CLI modules/ — keylogger, screenshot, creds malleable/ — traffic profiles PENTEST_LOG.md — full kill chain run
// TOOL 03 — FULL BUNDLE
STARKILLER
KOTLIN  /  ANDROID 10+
PHASE 1 COMPLETE  ·  COMMIT 67aa4fd

An Android Remote Access Trojan written in Kotlin. Packaged as a legitimate-looking Android application, it operates silently in the background once installed — exfiltrating device data, intercepting SMS messages, streaming GPS coordinates, and providing a remote shell. Phase 1 complete and operational on Android 10, 11, 12, 13.

CAPABILITIES — HOW EACH WORKS
SMS INTERCEPT

Registers a BroadcastReceiver for SMS_RECEIVED intents. Every incoming SMS is intercepted before it reaches the user's messaging app, forwarded to the C2, and optionally suppressed from notification tray. Requires RECEIVE_SMS permission declared in manifest.

GPS TRACKING

Uses Android's LocationManager with both GPS and network providers. Location updates stream continuously to the C2 at configurable intervals. On Android 10+ background location requires ACCESS_BACKGROUND_LOCATION — included and declared.

REMOTE SHELL

Opens a socket connection to the C2 handler. Commands sent from operator are executed via Runtime.exec(). Output piped back over the same socket. Provides interactive shell access to the device — list files, exfiltrate data, run apps.

PERSISTENCE

Runs as a Foreground Service — Android's mechanism for long-running background operations. Foreground Services survive Doze mode and app backgrounding. Shows a minimal notification (disguised as a system notice). RECEIVE_BOOT_COMPLETED restarts it after reboot.

WHY IT WORKS — THE PERMISSION MODEL

Android's security model is permission-based, not code-based. The OS doesn't analyse what your app does with a permission — it only checks if you have it. Once the user grants SMS, location, and contacts access (which apps legitimately request all the time), STARKILLER has the same access as a banking app. The APK build pipeline applies string obfuscation and class renaming — Google Play Protect scans by signature and behaviour; obfuscation defeats signature, and the behaviour (background service, network calls) looks identical to any live-data app.

WHAT'S IN THE REPO
Android Studio project (Kotlin) C2 handler (Python) APK build + obfuscation config AndroidManifest.xml (all perms) Operator guide + deployment notes
// TOOL 04 — FULL BUNDLE
WINRECON / SKYWALKER
POWERSHELL  /  C#
POST-EXPLOITATION RECON

A post-exploitation reconnaissance suite for Windows environments. The first 15 minutes after gaining access are the most critical — you need to understand the environment before you move. WinRecon automates that map: who's here, what can I reach, what security controls are running, where are the credentials. Structured output for rapid situational awareness and report generation.

WHAT IT ENUMERATES
IDENTITY

Current user, group memberships, privilege tokens (SeDebugPrivilege, SeImpersonatePrivilege — both escalation paths), domain membership, local administrator status.

NETWORK

All network adapters and IPs, listening ports, established connections, ARP cache (reveals other live hosts), DNS server addresses, routing table.

SECURITY

Running AV/EDR processes (Defender, CrowdStrike, SentinelOne, Carbon Black — pattern matched), firewall state, UAC level, AMSI status, Windows Defender exclusion paths.

CREDENTIALS

Cached credential entries (cmdkey), browser credential stores (Chrome/Edge path locations), Wi-Fi stored PSKs (via netsh), RDP saved connections.

PERSISTENCE VECTORS

All non-Microsoft scheduled tasks, registry Run/RunOnce keys, startup folder entries, WMI subscriptions, service binaries with writable paths (privesc via service hijacking).

DOMAIN (IF JOINED)

Domain controllers, domain admins, all domain computers (potential pivot targets), GPO names, trust relationships, Kerberoastable service accounts (SPNs).

WHY IT'S LOW-NOISE

Pure PowerShell and .NET — no external executables dropped to disk. Uses built-in Windows APIs and WMI rather than spawning child processes that trigger parent-child chain detection (e.g. powershell.exe → net.exe is flagged; WMI queries from powershell.exe are not). Output is structured JSON for direct import into pentest report templates. No external network calls — everything runs locally against the Windows API.

WHAT'S IN THE REPO
WinRecon.ps1 — main script WinRecon.cs — C# compiled version modules/ — domain, creds, security report-gen.py — JSON → DOCX USAGE.md — engagement guide
// TOOL 05 — FULL BUNDLE
GHOST-ENCODER
JAVASCRIPT  /  PYTHON
ZERO-WIDTH UNICODE STEGANOGRAPHY

A steganography engine that hides arbitrary data inside plain text using zero-width Unicode characters. The output looks completely empty to a human reader — no unusual characters, no visible difference. The data is there, encoded in invisible bytes. Use case: covert C2 channel inside Slack, email, or any text field that passes through DLP inspection.

HOW THE ENCODING WORKS
// Zero-width character map
U+200B = ZERO WIDTH SPACE        → binary 0
U+200C = ZERO WIDTH NON-JOINER  → binary 1

// Encoding "A" (ASCII 0x41 = 01000001)
Binary:   0 1 0 0 0 0 0 1
Encoded:  ​‌​​​​​‌
// ↑ That line contains 8 invisible characters. Try selecting it.

// Practical use: embed in a Slack message
msg = "Hey, meeting at 3pm" + encode(c2_command) + "."
// Recipient sees:  "Hey, meeting at 3pm."
// C2 decoder sees: "Hey, meeting at 3pm[EXEC:whoami]."
WHY DLP TOOLS DON'T CATCH IT

Data Loss Prevention tools scan for patterns: credit card numbers, keywords, binary file signatures, large base64 blobs. Zero-width characters are valid Unicode — they appear in legitimate documents (right-to-left markers, no-break joins in Arabic/Thai text). DLP tools see plain text, not binary exfiltration. The channel looks like a Slack message, not a data exfil event. Standard regex and keyword matching is completely blind to this. Only a tool explicitly checking for anomalous zero-width character density would flag it — and almost nothing does this by default.

WHAT'S IN THE REPO
encoder.js — browser-side engine decoder.js — extraction engine ghost.py — Python CLI tool demo.html — live browser demo c2-channel.md — integration guide RESEARCH.md — DLP bypass analysis
// TOOL 06 — MONTHLY: HOSTED  |  BUNDLE: + SOURCE
GEODEFEND SCANNER
WEB APP  /  DEFENSIVE
BLUE TEAM COUNTERPART

The defensive counterpart to the offensive tools above. GeoDefend runs the same reconnaissance and enumeration logic a red teamer runs — but points it at your own infrastructure. It tells you what an attacker sees when they look at you: exposed services, misconfigured headers, weak TLS, open ports, information disclosure, known CVE signatures on detected service versions.

ATTACK SURFACE MAPPING

Port scan, service fingerprinting, TLS version check, HTTP header analysis (missing security headers: CSP, HSTS, X-Frame-Options). Outputs what an nmap + nikto + testssl run would find — in one automated pass.

MISCONFIGURATION CHECKS

Default credentials on common services, directory listing enabled, DEBUG mode exposed, admin panels accessible, S3/cloud storage buckets open, CORS wildcard policy, info disclosure in error pages.

IOC CORRELATION

Matches detected artefacts against IOC patterns used by the IRON-DOME / CHEYANNE tools. Tells you: if these tools were deployed against you, here's what would trip detection and here's what wouldn't.

REPORT OUTPUT

Generates a structured JSON + HTML report. Severity-rated findings (Critical / High / Medium / Low). Remediation recommendations per finding. Built for inclusion in pentest reports or internal security audit documentation.

TIER DIFFERENCE

Monthly: Web-hosted access — run scans through the hosted interface, download reports. No setup required.
Full Bundle: Full source code + deployment guide. Host it yourself, modify detection rules, integrate into your own toolchain, extend with custom checks.

// CHECKOUT

SELECT YOUR TIER & PAY

// OPTION 1 — ONE-TIME
FULL BUNDLE — ALL TOOLS + LIFETIME ACCESS
A$247.50  ·  one-time  ·  no recurring fees
— OR PAY INTERNATIONALLY —
BANK TRANSFER VIA WISE — A$247.50 PRESET →
Stripe: credit/debit card, Apple Pay, Google Pay  ·  AUD pricing
Wise: international bank transfer (SWIFT/local) for overseas buyers  ·  amount pre-filled
Access delivered within 24h of confirmed payment  ·  Contact: gwu0738@gmail.com
// OPTION 2 — MONTHLY SUBSCRIPTION
MONTHLY ACCESS — COURSE + GEODEFEND
A$21.99/month  ·  cancel anytime
Subscription billed monthly via Stripe  ·  Cancel via Stripe customer portal anytime
No source code repos on monthly tier  ·  Upgrade to bundle anytime, price adjusted
BUY ME A COFFEE  /  DONATE
Not buying the course but want to support the research? Anything helps — keeps the lab running, pays for CVE filings and Burp Pro renewals. No account needed, just send via Wise.
SEND VIA WISE →
// COMMON QUESTIONS

FAQ

How do I receive access after payment?
Within 24 hours of confirmed payment you'll receive an email at the address you used at checkout. Source code repos are delivered as encrypted 7z packages. Email gwu0738@gmail.com if you haven't heard back within 24h.
What is GeoDefend?
GeoDefend is the defensive counterpart to the offensive material in the course — an automated scanner that maps attack surface and identifies misconfigurations. Monthly subscribers get web-hosted access. Full bundle buyers also receive the complete source code.
Can I upgrade from Monthly to the Full Bundle?
Yes. Cancel your subscription, purchase the bundle, and the prorated difference will be refunded manually on request. Email gwu0738@gmail.com to arrange.
Are the tools operational or just demos?
Operational. IRON-DOME, CHEYANNE, STARKILLER, WinRecon are live research tools built and tested on real hardware. These are research artifacts — you are responsible for legal authorised use only.
Is there a refund policy?
If you haven't received any course materials or tool repos within 48h of payment, full refund guaranteed. Source code repos once delivered are non-refundable — contact before purchasing if you have specific questions about content.
Who is behind this course?
Occupation Force Callsign GSW Pty Ltd (ABN 50 692 429 397, ACN 692 429 397), registered NSW Australia. Researcher: George Wu. GitHub: rainfantry. MSRC VULN-195458 on record. The course is built from original research, not repackaged certifications.
OCCUPATION FORCE CALLSIGN GSW PTY LTD
ABN 50 692 429 397  ·  ACN 692 429 397  ·  Sydney, NSW, Australia  ·  Registered 1 Nov 2025
gwu0738@gmail.com  ·  22nd-survey-division  ·  portfolio
Secure checkout via Stripe  ·  International payments via Wise  ·  AUD pricing  ·  All prices inclusive of applicable taxes