We’re back! We went AFK last month to dive into the chaos of Hacker Summer Camp in Las Vegas. Now we’ve returned recharged, inspired, and packed with fresh ideas for future projects. Between DEF CON, presenting at BSides LV, and those late-night conversations at the Circle Bar, it was a massive knowledge dump and a hacker family reunion.
Now that we’re back at the keyboard, we’re excited to present GonkWare v0.49. First time hearing about it? No worries—here’s a quick rundown.
GonkWare TL;DR
GonkWare started as a simple GUI that generated AES-encrypted C# shellcode runners, added some obfuscation, and let hackers experiment with delivery options. Fast-forward to today, and it’s evolved into a modular toolkit with automated setup, built-in AppLocker bypass logic, stealthy ping-based delays, and support for both classic shellcode runners and full-blown process injection.
Now that’s out of the way… let’s get to the updates, shall we?

From Code Chaos to Controlled Code Chaos
As excited as we are to focus strictly on the malware development / automation portions of GonkWare, we recognized that the new engine we started developing last release needed some love.🥰
GonkWare v0.49 comes with a more streamlined structure, enhancing the core in a logical way—like cleanly separating UI logic from core functionality. Previously, we had too many scattered files driving the engine; now it’s been condensed down to just four core files powering GonkWare.
We applied the same approach to the template files. Admittedly, the old setup was a bit of a hot mess—but that’s the beauty of development: iterating and improving as we go. The new structure is simple and flexible, organized into Components.json, Core.json, Features.json, and Specialized.json. This makes the code more reusable and far easier to expand compared to our last release.

We’re starting to roll out new ways to use GonkWare, including template builds for MSBuild, VBA macros, and an HTA runner. The early results look promising, but there’s still plenty of testing ahead before we can call it a fully polished experience.
Another notable change is the flood of print statements currently spewing into the terminal. While adding and testing new features, we needed print statements—okay, we needed a lot of print statements. For now, they’re still in there, but we’ll likely refactor them into a proper logging utility in a future update.

Breaking Down the Build
This release is all about tightening the core, cleaning up the chaos, and giving users a smoother ride. We’ve refactored major parts of the engine, expanded the template system, and introduced quality-of-life improvements that make building and testing payloads far less painful. Here’s the breakdown:
- Builder Enhancements & Debugging
  - Added detailed debug logging to the shellcode generation process (`[DEBUG] Executing msfvenom command, output length, byte extraction, formatting`) for easier troubleshooting.
  - Improved error handling with explicit checks (like port validation) and clearer error messages.
- UI Logic Refactoring
  - Introduced `ui_helpers.py` to separate UI functions (random variable generation, clipboard copy, status blinking, MSF command updates) from the main app logic.
  - Clipboard integration with `pyperclip` now copies commands directly, paired with visual feedback via a blinking status label.
- Template System Expansion
  - Added advanced templates (`Features.json`, `Specialized.json`, etc.) that support more payloads and techniques, making scripts more flexible and powerful.
- Threading & Performance
  - Shellcode generation can now run in threads, improving responsiveness when building complex or large payloads.
- Dependency Management
  - New `requirements.txt` lists all dependencies—including fresh additions like `pyperclip` and `psutil`—to make setup easier.
- Obfuscation & Payload Customization
  - Expanded obfuscation routines, including VBA macro name randomization and payload customization to make generated scripts harder to detect.

Looking Ahead
Funny enough, we’ve recently started playing around with GOAD (Game of Active Directory – https://orange-cyberdefense.github.io/GOAD/), and it feels like the perfect environment to push GonkWare further toward its goal: simplifying AD attacks with automation. We’ve got plenty of ideas cooking, and this lab gives us the playground to bring them to life.
With the core cleaned up and streamlined, the next focus is expanding offensive techniques. On the horizon: deeper research into cradle/code runners to support fileless execution, alongside continued development and testing.
Until Next Time – Hexxed Bitheadz Out! 🎤
