gitmyhub

RefractionMirage

Python ★ 29 updated 21d ago

Remote dynamic .NET obfuscator and AMSI/ETW patch tool for bypassing Defender

A Python tool that patches Windows security monitoring at runtime and generates an encrypted C# dropper that fetches and executes shellcode in memory, designed for offensive security testing.

Python · C# · .NET · setup: hard · complexity 4/5

RefractionMirage is an offensive security tool written in Python that is designed to help bypass Windows Defender's detection mechanisms. It targets two specific Windows security components: AMSI (the Antimalware Scan Interface, through which script engines and other hosts hand code to the registered antimalware provider for scanning before it runs) and ETW (Event Tracing for Windows, the telemetry channel that EDR and monitoring tools consume for process, .NET and script activity). The tool patches both at runtime so that the process it runs in stops submitting content for scanning and stops emitting trace events. Both patches are in-process changes: they blind the instrumentation inside the process that applies them, not Defender's other sensors (on-disk scanning, kernel callbacks, network inspection), and tampering with AMSI or ETW in memory is itself a well-known behaviour that endpoint products look for.

In practical terms, the workflow involves converting an existing Windows executable into position-independent shellcode with a separate tool, Donut, then passing that shellcode through RefractionMirage to encrypt it and generate a C# dropper source file. The encrypted shellcode is hosted on a remote server; when the compiled dropper runs on a target machine, it fetches the encrypted payload over HTTP, decrypts it in memory, and executes it without writing the payload to disk. This in-memory execution is intended to keep the actual payload away from file-based antivirus scanning: the only artifact on disk is the dropper itself, which carries no recognisable payload bytes, and the retrieval leaves an HTTP request to the hosting server as a network-side indicator.

The README example uses Rubeus, a C# toolkit for Kerberos interaction and abuse that is used both in penetration testing and in real attacks against Active Directory environments, as the payload. The compiled output is a Windows executable that runs the payload only when invoked with a randomly generated trigger argument; executed without that argument, it does not activate the payload.

This is an offensive security tool designed for evading endpoint protection software on Windows systems. The README does not describe any defensive, research, or authorized testing context. The generator is written in Python and the generated dropper is C#, compiled with csc.exe, the C# compiler that ships with the .NET Framework on Windows, so no additional build toolchain is needed on the machine that produces the executable.

Where it fits