Three-tier toolkit: AEAD ciphers (AES-GCM, XChaCha20-Poly1305) for the outer envelope; lightweight stream/block ciphers (RC4, TEA, XTEA) for in-process unpackers; signature-breaking permutations (S-Box, Matrix Hill, ArithShift, XOR) to defeat YARA byte patterns. Pure Go, no CGo, cross-platform.

Pick the primitive

Side-by-side. Pick the row whose tradeoffs match the deployment context, then click through to the API Reference for that function.

Primitive	Layer	Speed	Entropy profile	Key	Nonce / IV	Authenticated	Reversible	Static signature	Best for
AES-GCM	AEAD outer	fast (AES-NI)	uniform high (256 bits)	32 B	12 B random	✅ tag	yes	low (random)	Default outer envelope; tampering detection mandatory.
XChaCha20-Poly1305	AEAD outer	fast	uniform high	32 B	24 B random	✅ tag	yes	low	AES-NI absent; misuse-resistant nonce (24 B random ≈ unique).
RC4	Stream	very fast	uniform	5–256 B	none	❌	yes	YARA: keystream bias	Cheap unpacker between layers; never as outer envelope.
TEA	Block (64-bit)	very fast	uniform	16 B	none (ECB)	❌	yes	low	Tiny block primitive when binary footprint matters.
XTEA	Block (64-bit)	very fast	uniform	16 B	none (ECB)	❌	yes	low	Same as TEA but with corrected key schedule.
XOR	Stream	trivial	matches key length	any	implicit	❌	yes	YARA: visible key	Dev / scratch only; never alone in production.
S-Box (substitute)	Permutation	very fast	uniform when keyed	256-byte table	none	❌	yes (`Reverse*`)	breaks byte-frequency YARA	Layer between AES-GCM and embed to flatten histograms.
Matrix Hill	Permutation	medium (per-row)	uniform	4×4 / 8×8 matrix	none	❌	yes	breaks contiguous-byte YARA	Defeat contiguous-byte signatures; pair with S-Box.
ArithShift	Permutation	very fast	non-uniform	1–4 B	none	❌	yes	low	Cheap layer that produces non-uniform entropy — masks an AES blob's "looks-random" tell.

How to read the matrix:

Authenticated = does the cipher detect tampering on decrypt? Only the AEAD ciphers do; everything else returns "decrypted" garbage on bit-flips. Always run an AEAD as the outermost layer if integrity matters.
Static signature = how visible the cipher choice is to a YARA scanner. Permutations break histogram / contiguous-byte rules; AEAD ciphers leave no static fingerprint at all (output is random).
Speed is qualitative. For multi-MB payloads, prefer AES-GCM (AES-NI) or XChaCha20-Poly1305 — the rest allocate per call.

Composition pattern (build → embed → runtime):

plaintext
  ↓ EncryptAESGCM(key)              [outer AEAD, uniform output]
  ↓ SubstituteBytes(table)          [S-Box: flatten histogram]
  ↓ MatrixTransform(M)              [break contiguous bytes]
  ↓ ArithShift(k)                   [non-uniform entropy mask]
ciphertext bytes embedded into the implant

Reverse on the runtime side: ReverseArithShift → ReverseMatrixTransform → ReverseSubstituteBytes → DecryptAESGCM. Always wipe the key buffer with memory.SecureZero immediately after DecryptAESGCM returns.

Primer

Static signatures are the cheapest defender win. A raw shellcode buffer sitting in a binary's .data section gets matched by a four-byte YARA rule before it ever runs. Encryption breaks that match by replacing the plaintext with high-entropy gibberish derivable only with the key.

The crypto package layers three protection levels. The outer envelope uses an authenticated cipher (AEAD) — anything else risks an attacker tampering with the ciphertext to redirect execution. The stream/block layer is for tiny in-process unpackers where AES-GCM is overkill but a passable cipher is still wanted. The transform layer mutates byte distribution without giving cryptographic confidentiality — useful when the goal is breaking signatures rather than hiding intent.

The package is pure Go, has no CGo dependencies, cross-compiles to Linux/Windows/macOS targets, and avoids syscalls entirely (every operation is a constant-time arithmetic transform on a buffer).

How it works

flowchart LR
    SC[raw shellcode] -->|build time| ENC[crypto.EncryptAESGCM]
    ENC --> STAGE1[ciphertext + nonce]
    STAGE1 -.optional.-> WRAP[crypto.EncryptXTEA + SubstituteBytes]
    WRAP --> EMBED["go:embed in implant"]
    EMBED -->|runtime| LOAD[load embedded blob]
    LOAD --> UNWRAP1[ReverseSubstituteBytes + DecryptXTEA]
    UNWRAP1 --> DEC[crypto.DecryptAESGCM]
    DEC --> WIPE_K[memory.SecureZero AES key]
    WIPE_K --> EXEC[inject.Inject]
    EXEC --> WIPE_P[memory.SecureZero plaintext]

Build-time: encrypt with AEAD, optionally wrap in cheaper layers. Runtime: peel layers in reverse, wipe the key the moment the AEAD Open returns, inject, wipe the plaintext.

AES-GCM internals

sequenceDiagram
    participant App as "Implant"
    participant Pkg as "crypto"
    participant Std as "crypto/aes + cipher"

    App->>Pkg: EncryptAESGCM(key, plaintext)
    Pkg->>Std: aes.NewCipher(key) -- 32 bytes
    Pkg->>Std: cipher.NewGCM(block)
    Pkg->>Std: rand.Read(nonce) -- 12 bytes
    Pkg->>Std: gcm.Seal(nonce, nonce, plaintext, nil)
    Std-->>Pkg: nonce ++ ciphertext ++ tag
    Pkg-->>App: combined output

    App->>Pkg: DecryptAESGCM(key, combined)
    Pkg->>Pkg: nonce = first 12 bytes of combined
    Pkg->>Std: gcm.Open(nil, nonce, rest, nil)
    Note over Std: Verifies the 16-byte tag<br>before returning plaintext
    Std-->>Pkg: plaintext or ErrAuthFailed
    Pkg-->>App: plaintext

The 12-byte random nonce is prepended to the output, so callers do not manage nonces. Re-encrypting the same plaintext yields a different ciphertext every time.

TEA / XTEA round equation

64 rounds, 32-bit half-blocks, 128-bit key:

$$ \begin{aligned} \text{sum} &\mathrel{+}= \delta \ v_0 &\mathrel{+}= ((v_1 \ll 4) + k_0) \oplus (v_1 + \text{sum}) \oplus ((v_1 \gg 5) + k_1) \ v_1 &\mathrel{+}= ((v_0 \ll 4) + k_2) \oplus (v_0 + \text{sum}) \oplus ((v_0 \gg 5) + k_3) \end{aligned} $$

with $\delta = \texttt{0x9E3779B9}$ (golden ratio constant). XTEA fixes TEA's equivalent-key weakness by mixing the round counter into the key schedule, but the structure is the same.

Matrix (Hill cipher mod 256)

For an $n \times n$ key matrix $K$ over $\mathbb{Z}_{256}$ with $\gcd(\det K, 256) = 1$, encryption operates per $n$-byte block $\vec{p}$:

$$ \vec{c} = K \vec{p} \mod 256 $$

NewMatrixKey(n) searches random matrices until one is invertible mod 256. The inverse is precomputed and returned alongside.

Artefact	Where defenders look
High-entropy `.data` / `.rdata` section	Compile-time YARA `entropy >= 7.5`, ML classifiers (PE byte histograms)
Decrypt routine signature	Static unpacker fingerprints (e.g. `aes.NewCipher` followed by `cipher.NewGCM` from a non-go-tooling-built binary)
Plaintext shellcode in process memory after decrypt	EDR memory scans (Defender's `AMSI`-like for native code, MDE Live Response)
Long-lived AES key in heap	YARA scanning of process RWX/RW pages — wipe immediately after `Open`

T-ID	Name	Sub-coverage	D3FEND counter
T1027	Obfuscated Files or Information	obfuscation transforms (XOR, TEA, S-Box, Matrix, ArithShift)	D3-SEA
T1027.013	Encrypted/Encoded File	AEAD ciphers (AES-GCM, ChaCha20) and stream cipher (RC4)	D3-FCR

maldev