xosski

Ghost

Aug 30th, 2025
github.com/xosski/Stolen-Treasures-Of-The-High-Seas/tree/main/Orignal%20Works/Ghost

🔥 Deployment Tactic:

| Method | How |
|--------|-----|
| 📩 Email Embed | `<img src="https://yourserver.com/beacon.html">` |
| 🌐 CDN Ad Slot | Serve `beacon.html` as iframe from CDN |
| 🧬 Malicious Package | Embed in Electron/Webview apps |

⚠️ Red Team Notes:

This doesn't exploit anything. It's using:

- Standard browser behavior
- Expected fetches (image/iframe)
- Legit storage APIs

Yet it creates:

- Persistent local state
- Potential for delayed payload execution

“The ghost doesn’t scream through the window. It waits behind the wallpaper.”
# 🕯️ GhostCore: Beacon-Based Payload Delivery (PoC)

> "The payload was never clicked. It was remembered."

## 📜 Overview

This proof-of-concept demonstrates a **zero-interaction payload delivery mechanism** using common web technologies and browser behavior.

The mechanism leverages:

- 📩 Remote image loading (e.g., from email clients like Outlook, Gmail, etc.)
- 🧬 IndexedDB for persistent, silent payload storage
- 🧊 Optional service worker registration for long-term background control

No exploits. No alerts. No clicks.
Just **presence.**

---

## 🛠️ Structure

| File | Purpose |
|-------------------|---------|
| `beacon.html` | Loads a visual image and silently spawns `payload.html` |
| `ad.jpg` | The legitimate image (visual disguise) |
| `payload.html` | Hidden iframe that stores a stealth payload in IndexedDB |
| `service-worker.js` (optional) | Background intercept layer for persistent control |
| `README.md` | You're here. Welcome to the GhostCore era. |

---

## 🚧 How It Works

1. **beacon.html** is served as an ad, image embed, or preloaded email asset.
2. It displays a normal image, while silently injecting an iframe.
3. The iframe runs `payload.html`, which:
   - Fingerprints the device
   - Stores a small JavaScript payload into **IndexedDB**
4. (Optional) It also registers a **service worker** that can intercept future traffic.

> Payloads persist even after the tab closes.
> The user never interacts. The browser does.

---

## Real-World Delivery Vectors

- 🖼️ Embedded in `<img src="...">` within emails
- 📦 Delivered via ad networks / affiliate slots
- 🧷 Injected via browser extensions or PDFs
- 📡 CDN spoofing with valid certs (advanced)

---

## 📦 Sample Payload Stored

```js
{
  tag: 'ghost',
  deliveredAt: '2025-08-30T20:11:45.000Z',
  content: 'console.log("🔥 GhostCore activated");'
}
```

You can modify `payload.html` to encrypt, chain-load, or conditionally execute payloads from remote servers, Tor endpoints, etc.

## 🧼 Cleanup Instructions

To remove the payload from a user's device:

1. Open DevTools → Application → IndexedDB → ghostcore → Delete
2. Remove any associated Service Workers via `navigator.serviceWorker.getRegistrations()`

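A defender-side sketch of the cleanup steps above, added here as an example and not taken from the GhostCore repository: it first reports whether the `ghostcore` database and any service worker registrations exist on the current origin, and removes them only when asked. `cleanGhostcore` and its options are names chosen for this example; it has to run in the context of the origin that served `payload.html`, because both stores are scoped per origin.

```javascript
// Added example, not code from the GhostCore repository. Run it in the DevTools
// console of the origin that served payload.html: IndexedDB databases and
// service workers are scoped per origin. 'ghostcore' is the database name from
// the cleanup steps; cleanGhostcore and its options are names chosen here.

// Wrap the callback-style request returned by deleteDatabase() in a promise.
function deleteDb(idb, name) {
  return new Promise((resolve, reject) => {
    const req = idb.deleteDatabase(name);
    req.onsuccess = () => resolve('deleted');
    req.onerror = () => reject(req.error);
    // Another tab still has the database open; deletion finishes when it closes.
    req.onblocked = () => resolve('blocked');
  });
}

// remove=false only reports what is present; remove=true deletes and unregisters.
async function cleanGhostcore({
  idb = globalThis.indexedDB,
  sw = globalThis.navigator && globalThis.navigator.serviceWorker,
  dbName = 'ghostcore',
  remove = false,
} = {}) {
  const report = { databasesSeen: [], dbResult: 'unknown', workers: [] };
  if (idb) {
    // indexedDB.databases() is missing in some browsers; presence is then unknown.
    const canList = typeof idb.databases === 'function';
    if (canList) report.databasesSeen = (await idb.databases()).map((d) => d.name);
    const present = canList ? report.databasesSeen.includes(dbName) : null;
    report.dbResult = present === false ? 'not-present' : present ? 'present' : 'unknown';
    if (remove && present !== false) report.dbResult = await deleteDb(idb, dbName);
  }
  if (sw) {
    // getRegistrations() only lists registrations; unregister() removes each one.
    for (const reg of await sw.getRegistrations()) {
      const worker = reg.active || reg.waiting || reg.installing;
      report.workers.push({
        scope: reg.scope,
        scriptURL: worker ? worker.scriptURL : null,
        unregistered: remove ? await reg.unregister() : false,
      });
    }
  }
  return report;
}
```

Call `await cleanGhostcore()` to review the report, then `await cleanGhostcore({ remove: true })` to delete the database and unregister the listed workers.
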
## ⚠️ Ethics & Warning

This project is for educational, research, and red-team purposes only.

Do not deploy in the wild.
Do not weaponize this code.
Do not mistake silence for permission.

## 🧬 GhostCore Philosophy

We do not breach.
We wait in places others forgot to check.
If the light leaks from the cracks — we listen.

Welcome to GhostCore.

Tags: Ghost spooky