https://rexmax.dev/categories/malware-development/ Recent content in Malware Development on rexmax.dev https://rexmax.dev/favicon.png https://rexmax.dev/favicon.png Hugo en Sun, 14 Jun 2026 11:23:50 +0200 https://rexmax.dev/posts/phantomctx-new-approach-to-activation-context-hijacking-for-edr-evasion/ Sun, 14 Jun 2026 11:23:50 +0200 https://rexmax.dev/posts/phantomctx-new-approach-to-activation-context-hijacking-for-edr-evasion/ <h2 id="introduction">Introduction</h2> <p>In this post, we’ll take an in-depth look at the new tool I’ve developed to facilitate DLL hijacking in Red Team operations: <a href="https://github.com/r3xmax/PhantomCtx">PhantomCtx</a>.</p> <img src="phantomctx5.png"> <h2 id="what-is-phantomctx">What is PhantomCtx?</h2> <p>PhantomCtx is a tool that automates <a href="https://learn.microsoft.com/en-us/windows/win32/sbscs/activation-contexts">Activation Context</a> hijacking with the objective of loading an arbitrary DLL into the vast majority of signed executables (e.g. Microsoft, Adobe, Mozilla).</p> <p>The loader is presented as a modern alternative to traditional <a href="https://unit42.paloaltonetworks.com/dll-hijacking-techniques/">DLL Hijacking and Sideloading</a> techniques: unlike conventional approaches where you need to find a signed vulnerable binary on the target system or rely on known vulnerable Microsoft binaries listed on pages such as <a href="https://hijacklibs.net/">HijackLibs</a> (that are usually monitored), the tool does not require a specific binary vulnerable to DLL hijacking.</p>