Skip to main content

Payloads and Listeners

Adversary campaigns that reach the execution or persistence tactics need payloads: self-contained binaries, scripts, or shellcode that run on a compromised target and phone home to a Cybrium-managed listener. Cybrium ships both a curated catalog of pre-built payloads and a profile builder for custom ones.

Screenshot: Payload catalog with filters and a selected profile

Payload Catalog

The catalog lists pre-built payloads grouped by target platform, delivery method, and intended tactic. Each entry carries a short description, the minimum privilege required, the size of the resulting artifact, and the ATT&CK techniques it implements. Pre-built payloads are vetted, signed by Cybrium, and deterministically rebuilt on each use so operators can compare hashes against the evidence bundle.

Custom Profiles

When a campaign needs something the catalog does not cover, operators can build a custom profile. The profile builder exposes the knobs of the underlying shellcode generator: target architecture, stage count, transport (TCP, HTTP, HTTPS, DNS), encoder chain, bad-char list, and sleep/jitter for the callback loop. Every profile is validated against the tenant's authorization categories — a profile that implements persistence cannot be built for a campaign that did not authorize persistence.

Profiles are versioned. When you save a profile, Cybrium snapshots every parameter and assigns a content-addressed ID; referencing that ID in a future campaign reproduces the exact same artifact.

Listener Host

Every payload needs somewhere to call back to. Cybrium manages listener hosts per tenant — short-lived, dedicated cloud instances that terminate TLS, demultiplex incoming sessions, and forward them to the campaign's engine. Listeners are provisioned on campaign launch and destroyed when the campaign completes; their IPs and DNS names are baked into the payload at build time.

Operators can optionally bring their own listener host by registering its FQDN and a shared secret. This is useful when exercising egress controls that only allow specific destinations.

Encryption and Isolation

Payload artifacts, profile definitions, and listener private keys are encrypted at rest with a per-tenant key derived from the tenant's Vault namespace. Artifacts never leave the tenant's storage prefix, and cross-tenant access is structurally impossible — the key material does not exist outside the tenant boundary.