Rants · 2 min read

Introducing Zeus

Zeus is OffStrike's post-exploitation framework built around temporal evasion and runtime compilation.

I've been sitting on this for a while, and it's time to talk about it.

Zeus is OffStrike's post-exploitation framework, and it's built around a concept I've been researching called temporal evasion — executing operations during the microsecond windows when the EDR's threads are descheduled by the OS. If Defender isn't running when you act, it can't see what you did.

The idea is simple. EDR processes compete for CPU time like everything else. The OS scheduler preempts them constantly. By consuming CSwitch events via ETW, Zeus maps exactly when Defender's threads are on or off the processor and executes tasks in the gaps. In testing on Windows 11 with Defender fully enabled, we measured an average scheduling gap of 565µs, executed nearly 4 million operations with a 100% success rate, and generated zero alerts. We also threw Meterpreter at it — 1,623 payload attempts, zero detections.

Zeus pairs this scheduler awareness with two other components: an embedded Tiny C Compiler that compiles and runs tools from source strings entirely in memory (no binaries on disk, no MZ headers on the wire), and a compact Seq2Seq model that generates syntactically varied C code from intent tokens so nothing looks the same twice.

The C2 architecture itself had to be rethought. Traditional persistent shells don't work when you're executing in microsecond windows — you can't hold a socket open. Zeus uses a task queue model instead. The agent pulls tasks on check-in, executes them during gaps, and sends results back later. It's less interactive than a traditional shell, but when stealth is the priority, that's the right trade.

The full research paper will be available soon. It covers the methodology, the empirical results, the limitations we hit (AMSI is immune, high-core-count systems narrow the gaps, managed code is a non-starter), and thoughts on how defenders can address the underlying vulnerability.

This isn't a finished product — it's a research framework and a proof of concept. But the core finding holds, and I think it opens up an interesting conversation about what happens when offensive tradecraft starts treating the scheduler as an attack surface.

More to come.