
Crate Expectations: NastyC2 Ships Rust Post-Exploitation Framework Through NPM
Alessandra Rizzo
Executive Summary
We identified a previously undocumented post-exploitation framework we named NastyC2 (after its protocol identifier NastyC2-DH-v1) distributed through the live NPM registry. Written entirely in Rust, it implements over 80 commands spanning credential harvesting, Active Directory attacks, container escape, cloud metadata theft, and fileless execution. The framework is comparable in scope to Cobalt Strike or Sliver, overlapping with both on BOF/COFF execution, reflective DLL loading, multi-technique process injection, AD-native Kerberoasting and DCSync, AMSI/ETW patching, SOCKS5 pivoting, and encrypted sleep. It extends beyond either with native container escape, cloud metadata harvesting, and a Double Ratchet C2 channel.
Three NPM packages, one each for Linux, Windows and macOS, were published by the same actor and download their payloads from the same C2 infrastructure. YARA retrohunting in VirusTotal identified 29 implant samples, the earliest dated May 5, and the packages have accumulated roughly 400 combined weekly downloads. The Linux ELF variant had only 2 of 64 detections on VirusTotal at the time of analysis, while Windows PE variants ranged from 15 to 48, suggesting that Rust-compiled Linux binaries remain considerably harder for security tools to classify.
Attack Chain
All three packages decode a base64-encoded URL, download a binary over HTTPS with a spoofed User-Agent, check that the downloaded file exceeds 100 KB, and spawn it as a detached background process. The server sniffs the User-Agent to serve the correct platform binary from a single URL.
Drop paths are chosen to blend in:
- Linux: ~/.local/share/.node_cache/.runtime
- Windows: %LOCALAPPDATA%\Microsoft\MSBuild\NativeTools\NativeBuildHelper.exe
- macOS: ~/Library/Application Support/.node_cache/.runtime
A lock file prevents re-download, and the packages re-launch the implant on subsequent installs, providing passive persistence through the developer's normal workflow.
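The dropper shape described above is straightforward to audit for in an installed dependency tree. The script below is an added example, not code from this post or from the packages it describes: it walks node_modules, pulls the preinstall/install/postinstall hooks out of each package.json, and flags hook scripts that both decode a base64 literal to a URL and spawn a detached child process. The heuristics, the package name ci-helper-example and the URL under example.invalid are this example's own constructions.

```python
"""Audit installed npm packages for dropper-style lifecycle scripts.

Added example, not code from the original post. It walks a node_modules tree,
collects the preinstall/install/postinstall scripts from each package.json and
flags script files that combine a base64 literal decoding to a URL with a
detached child-process spawn, the pattern the NastyC2 droppers follow. The
heuristics and the sample package built by demo() are this example's own.
"""
from __future__ import annotations

import base64
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall")
# A quoted base64 run long enough to hold a URL.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{24,}={0,2})['"]""")
DETACHED_SPAWN = re.compile(r"detached\s*:\s*true")


def decoded_urls(source: str) -> list[str]:
    """Base64 literals in a script that decode to an http(s) URL."""
    urls = []
    for literal in B64_LITERAL.findall(source):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def script_file(pkg_dir: Path, command: str) -> Path | None:
    """Resolve a 'node setup.js' style hook command to a file in the package."""
    match = re.match(r"^(?:node\s+)?(\S+\.c?js)\b", command.strip())
    if not match:
        return None
    path = pkg_dir / match.group(1)
    return path if path.is_file() else None


def audit_package(pkg_dir: Path) -> list[dict]:
    """One finding per lifecycle hook declared by the package."""
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return []
    scripts = json.loads(manifest.read_text()).get("scripts", {})
    findings = []
    for hook in LIFECYCLE:
        command = scripts.get(hook)
        if not command:
            continue
        finding = {"package": pkg_dir.name, "hook": hook, "command": command,
                   "urls": [], "detached_spawn": False}
        source = script_file(pkg_dir, command)
        if source is not None:
            body = source.read_text(errors="replace")
            finding["urls"] = decoded_urls(body)
            finding["detached_spawn"] = DETACHED_SPAWN.search(body) is not None
        findings.append(finding)
    return findings


def audit_tree(node_modules: Path) -> list[dict]:
    return [f for m in node_modules.rglob("package.json") for f in audit_package(m.parent)]


def droppers(findings: list[dict]) -> list[dict]:
    """Hooks that both decode a URL and spawn a detached process."""
    return [f for f in findings if f["urls"] and f["detached_spawn"]]


def demo() -> list[dict]:
    """Build a constructed package that mimics the dropper shape and audit it."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    pkg = root / "ci-helper-example"        # constructed name, not a real package
    pkg.mkdir(parents=True)
    url = "https://example.invalid/cdn/assets/update.pkg"  # constructed URL
    encoded = base64.b64encode(url.encode()).decode()
    (pkg / "package.json").write_text(json.dumps(
        {"name": "ci-helper-example", "version": "0.0.1",
         "scripts": {"postinstall": "node setup.js"}}))
    (pkg / "setup.js").write_text(
        "const { spawn } = require('child_process');\n"
        f"const url = Buffer.from('{encoded}', 'base64').toString();\n"
        "// ... download url to a hidden path, check size > 100KB ...\n"
        "spawn(binPath, [], { detached: true, stdio: 'ignore' }).unref();\n")
    benign = root / "benign-example"        # constructed package with no install hooks
    benign.mkdir()
    (benign / "package.json").write_text(
        json.dumps({"name": "benign-example", "scripts": {"test": "node test.js"}}))
    return droppers(audit_tree(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a project's node_modules after a fresh install, or in CI before artifacts are built. The stronger control is to stop lifecycle hooks from running at all with npm install --ignore-scripts, which removes the execution step these droppers rely on.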
NastyC2 Analysis
The implant is built to turn a compromised developer laptop into a foothold for a much larger intrusion.
It starts by sweeping the machine for anything useful: cloud keys, SSH credentials, browser passwords, API tokens, and secrets sitting in the environment of running processes. If the host is a container, it attempts to escape to the underlying machine through the Docker socket. If it is a cloud instance, it pulls IAM credentials straight from the metadata service. With those stolen credentials, the operator can pivot. On macOS, it leans on native APIs (Keychain, Spotlight, TCC) rather than the filesystem-walking approach used on the other platforms.
The implant speaks Active Directory natively, performing Kerberoasting, DCSync, and BloodHound collection without dropping a single external tool onto the target. It surfaces AD CS template abuse as Certipy command lines for operator follow-up, and on a compromised domain controller it can take a VSS shadow copy to extract NTDS.dit and the SYSTEM hive directly. It moves laterally through PsExec, WMI, and pass-the-hash. New payloads arrive and execute entirely in memory. Persistence survives reboots without root access.
Throughout all of this, the implant watches: logging keystrokes, monitoring the clipboard, streaming screenshots. It fingerprints the execution environment before acting, checking CPU count, RAM, disk size, and uptime to detect thin analysis VMs, scanning the process list for tools like Ghidra, IDA, Wireshark, and Frida, and measuring wall-clock time across sleep calls to detect sandbox acceleration.
Credential harvesting
The creds_scan command is designed to vacuum up every secret on a developer workstation in a single pass. It iterates over all environment variables, flagging any containing substrings like SECRET, TOKEN, API_KEY, AWS_ACCESS, or GITHUB_TOKEN (roughly two dozen patterns). It reads over 20 cloud credential files across AWS, GCP, Azure, Kubernetes, Terraform, Docker, and miscellaneous developer tools. It harvests SSH private keys and configs. It extracts saved passwords from Chrome, Chromium, Brave, and Firefox. It scans /proc/*/environ for every process it can read (those running as the same user, unless it has ptrace access to others), catching secrets that were passed to a process through its environment and never written to a file.
A separate cloud_meta command queries the AWS IMDS (169.254.169.254), the GCP Compute Metadata server (metadata.google.internal), and Azure IMDS for IAM credentials and OAuth tokens. On a cloud-hosted CI runner this is the most damaging capability: a stolen service account token can unlock the entire cloud account. Note that requiring IMDSv2 on AWS does not stop a process already on the instance, which can fetch the session token itself; keeping the IMDSv2 response hop limit at 1 does block requests from containers behind the host's NAT, though not from processes on the host or in host-network containers.
Container escape
The docker_escape command exploits a common misconfiguration in containerized environments: the Docker daemon socket mounted inside a container. When the implant finds /var/run/docker.sock accessible, it uses the socket to talk directly to the Docker Engine API on the host, bypassing all container isolation; by default the daemon performs no authorization beyond the filesystem permissions on the socket, so any process that can open it has root-equivalent control of the host. It creates a new privileged container with the host's entire root filesystem bind-mounted at /host, then runs chroot /host inside that container to break out of the mount namespace and execute commands as root on the underlying host. The full sequence, extracted through Ghidra decompilation:
- GET /images/json to find an available image (preferring alpine, then busybox, then ubuntu)
- POST /containers/create with the host root filesystem mounted (Binds: ["/:/host"], Privileged: true) and a chroot /host command
- POST /containers/{id}/start, then POST /containers/{id}/wait and GET /containers/{id}/logs?stdout=true&stderr=true to capture output
- DELETE /containers/{id}?force=true to destroy the evidence
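The same create request, seen from the daemon side of the socket. This is an added example, not the implant's code or Docker's: given the JSON body of a POST /containers/create request it returns the properties that make the request an escape, which is the decision a Docker authorization plugin or an auditing proxy in front of /var/run/docker.sock has to make. The sample requests are constructed from the sequence above.

```python
"""Review a Docker Engine API container-create request for host-escape properties.

Added example, not code from the post or from Docker. review_create_request()
takes the JSON body of a POST /containers/create request, as an authorization
plugin or an auditing proxy in front of /var/run/docker.sock would see it, and
lists the properties that make it an escape: Privileged, a bind of the host root
filesystem, a chroot into that bind, and the host PID namespace. The sample
requests are constructed from the sequence described above.
"""
import json

HOST_ROOT = "/"


def bind_pairs(host_config: dict) -> list:
    """(host source, container target) pairs from Binds ('/:/host:rw') and Mounts."""
    pairs = []
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2:
            pairs.append((parts[0], parts[1]))
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") and mount.get("Target"):
            pairs.append((mount["Source"], mount["Target"]))
    return pairs


def command_line(req: dict) -> str:
    """Entrypoint and Cmd flattened to one string for inspection."""
    parts = []
    for key in ("Entrypoint", "Cmd"):
        value = req.get(key)
        if isinstance(value, list):
            parts.extend(str(v) for v in value)
        elif isinstance(value, str):
            parts.append(value)
    return " ".join(parts)


def review_create_request(body: str) -> dict:
    """Return {'deny': bool, 'image': str, 'reasons': [...]} for a create request."""
    req = json.loads(body)
    host_config = req.get("HostConfig") or {}
    reasons = []
    if host_config.get("Privileged"):
        reasons.append("Privileged container: all capabilities and host devices")
    host_root_targets = [target for source, target in bind_pairs(host_config)
                         if source == HOST_ROOT]
    for target in host_root_targets:
        reasons.append(f"host root filesystem bind-mounted at {target}")
    cmd = command_line(req)
    if any(f"chroot {target}" in cmd for target in host_root_targets):
        reasons.append("command chroots into the host root bind")
    if host_config.get("PidMode") == "host":
        reasons.append("shares the host PID namespace")
    return {"deny": bool(reasons), "image": req.get("Image"), "reasons": reasons}


# Constructed: the request shape the docker_escape sequence produces.
ESCAPE_REQUEST = json.dumps({
    "Image": "alpine",
    "Cmd": ["chroot", "/host", "sh", "-c", "id"],
    "HostConfig": {"Binds": ["/:/host"], "Privileged": True},
})

# Constructed: a routine request that should be allowed.
BENIGN_REQUEST = json.dumps({
    "Image": "nginx:1.27",
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                   "PortBindings": {"80/tcp": [{"HostPort": "8080"}]}},
})

if __name__ == "__main__":
    for label, body in (("escape", ESCAPE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, review_create_request(body))
```

The robust fix is not to mount the socket into build containers at all. Where a job genuinely needs the Engine API, front the socket with a proxy that applies checks like these and strips Privileged and host-root binds; Docker's authorization plugin interface receives the same request body, so the same function can back a plugin.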
Persistence
Beyond the package-level re-execution described above, the implant installs six active persistence mechanisms of its own. Because it arrives through npm install, it runs as the developer's own user, not as root, and all six methods work within that constraint.
Crontab persistence adds an @reboot entry that silently restarts the implant every time the machine boots. Systemd user services install a unit file under the user's home directory with Restart=always and a 30-second restart interval, so even if the process is killed, systemd brings it back automatically. On macOS the equivalent is a LaunchAgent plist configured with KeepAlive and a 30-second throttle. The simplest method is shell RC injection: appending a one-liner to .bashrc, .zshrc, or .profile that launches the implant in the background every time the user opens a terminal, with stderr redirected to /dev/null so nothing is printed.
To complement persistence, the masquerade command renames the implant's process to kworker/0:0, a name that appears in every Linux system's process list as a legitimate kernel worker thread. An administrator running ps or top would see nothing unusual unless they checked /proc/{pid}/exe for a binary path, or noticed that the parent is not kthreadd (PID 2), as it is for every real kernel thread.
C2 Communication
The implant exfiltrates data via HTTP POST to hxxps://api[.]ingress-hub[.]com/api/v1/telemetry, disguised as application telemetry. Its custom HTTP headers provide the most reliable detection signature:
| Header | Purpose |
|---|---|
| X-Ratchet-Pub | Ephemeral Curve25519 public keys (request/response) |
| X-Init-Token | Initial registration (first beacon only) |
| x-session-token, x-session-id | Ongoing session auth |
Encryption uses a Double Ratchet construction: Curve25519 DH key exchange, HKDF key derivation (labels ratchet-root and ratchet-chain), and ChaCha20-Poly1305 AEAD. Each message advances the chain, providing forward secrecy. Session state persists to a .c2_state file for resumption after restart. The implant is proxy-aware, reading HTTP_PROXY/HTTPS_PROXY/ALL_PROXY and tunneling via CONNECT when needed.
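Turning the headers and endpoints above into a check. The code below is an added example, not from the post or from any vendor's rule set: it parses a raw HTTP request and reports which C2 markers it carries, and applies the metadata-service rule from the cloud_meta discussion to process-attributed connection records. The sample request, the connection records and the process allowlist are constructed for this example.

```python
"""Match NastyC2 network indicators in HTTP requests and connection logs.

Added example, not code from the original post. inspect_http_request() parses
a raw HTTP/1.1 request as a proxy or PCAP tool would hand it over and reports
the C2 markers it carries: the custom ratchet/session headers (matched
case-insensitively), the telemetry and beacon paths, and the C2 host.
imds_alerts() applies the IMDS rule from the cloud_meta discussion to
process-attributed connection records. The request, the records and the
process allowlist are constructed for this example.
"""
from __future__ import annotations

C2_HOST = "api.ingress-hub.com"
C2_PATHS = {"/api/v1/telemetry": "exfil", "/beacon": "beacon"}
C2_HEADERS = {"x-ratchet-pub", "x-init-token", "x-session-token", "x-session-id"}
IMDS_HOSTS = {"169.254.169.254", "metadata.google.internal"}
# Assumed allowlist; tailor it to the agents and SDK-using services on the workload.
IMDS_ALLOWLIST = {"kubelet", "amazon-ssm-agent", "google_osconfig_agent", "cloud-init"}


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw request into (method, target, lowercased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect_http_request(raw: str) -> dict:
    method, target, headers = parse_request(raw)
    path = target.split("?", 1)[0]
    host = headers.get("host", "").split(":")[0].lower()
    header_hits = sorted(C2_HEADERS & headers.keys())
    return {
        "method": method,
        "c2_host": host == C2_HOST,
        "c2_path": C2_PATHS.get(path),
        "c2_headers": header_hits,
        "first_beacon": "x-init-token" in headers,  # registration is sent once
        "match": host == C2_HOST or bool(header_hits),
    }


def imds_alerts(records: list[dict]) -> list[dict]:
    """Connections to a metadata endpoint from a process not on the allowlist."""
    return [
        {"pid": r["pid"], "process": r["process"], "dst": r["dst"]}
        for r in records
        if r["dst"] in IMDS_HOSTS and r["process"] not in IMDS_ALLOWLIST
    ]


# Constructed sample request; header values are placeholders, not real tokens.
SAMPLE_REQUEST = (
    "POST /api/v1/telemetry HTTP/1.1\r\n"
    "Host: api.ingress-hub.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "X-Ratchet-Pub: placeholder-curve25519-public-key\r\n"
    "X-SESSION-ID: placeholder-session-id\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed connection records, as an eBPF or auditd connect trace would yield.
SAMPLE_CONNECTIONS = [
    {"pid": 812, "process": "amazon-ssm-agent", "dst": "169.254.169.254"},
    {"pid": 4021, "process": ".runtime", "dst": "169.254.169.254"},
    {"pid": 4021, "process": ".runtime", "dst": "api.ingress-hub.com"},
]

if __name__ == "__main__":
    print(inspect_http_request(SAMPLE_REQUEST))
    print(imds_alerts(SAMPLE_CONNECTIONS))
```

The header match is deliberately case-insensitive because the implant mixes capitalizations (X-Ratchet-Pub versus x-session-id), and any gateway that normalizes header names will do the same. The host check only works at a TLS-terminating proxy; on the wire the hostname is visible in the SNI and DNS, which is where the domain block belongs.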
Fileless execution and module loading
Unix systems normally require an executable to exist as a file on disk before it can be run, which gives defenders a chance to scan it. The memfd command bypasses this. It uses memfd_create, a Linux system call that creates a file descriptor backed by RAM rather than by a filesystem. The implant writes a payload received from the C2 into this memory-only descriptor and executes it through /proc/self/fd/{fd}, a path that lets a process reference its own open file descriptors as if they were files. The binary runs, but nothing is written to disk, so there is nothing for a file scanner to find, nothing in filesystem audit logs, and nothing left behind after execution. The execution is not invisible, though: memfd_create and the execve of /proc/self/fd/{fd} are ordinary syscalls that auditd or eBPF-based tracing can record, and while the payload runs its /proc/{pid}/exe link resolves to a /memfd:<name> (deleted) target rather than a path, which is a strong hunt signal.
The broader load_module command extends this concept to support multiple payload types: shared libraries loaded via dlopen, shell and Python scripts written to temporary files, and Beacon Object Files (small compiled C programs in COFF format, a technique pioneered by Cobalt Strike) that run directly inside the implant process without spawning a child process at all. The BOF loader includes architecture detection for x86_64, x86, and ARM64.
Platform-specific behavior: macOS
The analysis above describes the Linux variant, the most fully featured of the three. The Windows binary is functionally a subset, sharing the core architecture but stripping out Linux-only commands (many literally tagged as such in the strings). macOS is the outlier: it swaps filesystem-based credential collection for native API calls, and its NPM dropper was published roughly 12 days after its Windows counterpart.
The macOS implant treats the developer Keychain as its primary credential target. Rather than parsing browser databases the way the Linux and Windows variants do, it queries the Keychain directly via security find-generic-password for service names tied to developer tooling and SaaS (npm, aws-cli, GitHub, Stripe, Slack) and pulls passwords for the obvious authentication endpoints (accounts.google.com, login.microsoftonline.com). Local credential file discovery likewise piggybacks on macOS infrastructure: instead of walking the filesystem, the implant issues Spotlight queries for .key, .pem, .p12, .pfx, and .kdbx extensions, letting the OS's pre-built metadata index do the work. Before acting, it fingerprints the management posture (JAMF, Mosyle, Kandji, Workspace ONE) and reads /Library/Application Support/com.apple.TCC/TCC.db directly via SQLite to enumerate which applications already hold camera, microphone, and screen-capture permissions (the system TCC database is itself protected, so this read only succeeds if the hosting process has Full Disk Access). That is useful reconnaissance before follow-up commands such as screenshot or keylogger, which may otherwise trip a user-facing prompt.
Cryptographic Stack
The implant's cryptographic stack is built from well-maintained Rust crates: chacha20poly1305 0.10.1 for AEAD, x25519-dalek 2.0.1 and curve25519-dalek 4.1.3 for the ratchet key exchange, hkdf 0.12.4 and hmac 0.12.1 for key derivation, with zeroize and subtle providing secure memory wiping and constant-time operations. The dependency list also includes md4 0.10.2, which is used for NTLM password hashing and serves as code-level confirmation of the Pass-the-Hash capability. The choice of mature crates over hand-rolled crypto, combined with the use of these hygiene primitives, points to an author with cryptographic discipline.
Conclusion
NastyC2 represents a meaningful escalation in NPM supply chain attacks. The actor delivered a professional-grade post-exploitation framework that treats the compromised developer workstation as an entry point into enterprise infrastructure. A single implant can harvest every cloud credential on the machine, Kerberoast an AD domain without external tools, escape from a Docker container into the host, and maintain persistence across reboots, all over an encrypted channel with forward secrecy that blends into telemetry traffic.
The complete command reference (80+ commands) is provided in Appendix A.

Defender Guidance
- C2 traffic. Block egress to api[.]ingress-hub[.]com. Alert on HTTP requests containing the headers X-Ratchet-Pub, X-Init-Token, x-session-token, or x-session-id (case-insensitive).
- Linux masquerade. Hunt for kworker/* processes with a real /proc/{pid}/exe symlink. Legitimate kworkers are kernel threads with PPID 2 (kthreadd) and have no exe target.
- Windows masquerade. Alert on RuntimeBroker.exe, SearchIndexer.exe, or NativeBuildHelper.exe running from any path outside C:\Windows\System32.
- Persistence artifacts. Audit user crontabs for @reboot entries to user-writable paths, systemd user services in ~/.config/systemd/user/ with Restart=always and a short RestartSec, and shell RC files (.bashrc, .zshrc, .profile, .bash_profile) for appended background-execution lines.
- IMDS access. On cloud workloads, log outbound traffic to 169.254.169.254 and metadata.google.internal and alert on requests from processes not on an allowlist (kubelet, instance agent, known SDKs).
- Docker socket access. Audit /var/run/docker.sock reads from container workloads.
- macOS-specific hunts. Alert on non-TCC-system processes opening /Library/Application Support/com.apple.TCC/TCC.db, on unexpected security find-generic-password invocations against developer-tool service names, and on mdfind queries containing credential-file extensions (.kdbx, .p12, .pfx).
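The Linux items in the guidance above, together with the persistence, masquerade and memfd behaviour described earlier, as hunt logic. This is an added example, not code from this post: each function takes an artifact as text or a process snapshot and returns the suspicious entries, so the same logic runs over collected artifacts or live on a host. The RestartSec threshold, the user-writable and hidden-path heuristic, and all sample data in demo() are this example's own assumptions.

```python
"""Hunt for NastyC2 user-level persistence and process masquerades on Linux.

Added example, not code from the post. Each function takes an artifact as the
host would present it (a user crontab, a systemd user unit, a shell RC file,
a /proc snapshot) and returns the suspicious entries, so the same logic runs
over collected artifacts or live via snapshot_proc(). The samples in demo() are
constructed; the threshold and path heuristic are this example's own choices.
"""
from __future__ import annotations

import os
import re

USER_WRITABLE = ("/home/", "/root/", "/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_COMPONENT = re.compile(r"/\.[^/\s]+")  # a dot-directory or dot-file in a path
SHORT_RESTART_SEC = 60.0                      # assumed: at or below counts as "short"


def suspicious_path(path: str) -> bool:
    return path.startswith(USER_WRITABLE) or HIDDEN_COMPONENT.search(path) is not None


def crontab_reboot_entries(crontab: str) -> list[str]:
    """@reboot commands that live in a user-writable or hidden location."""
    commands = [s[len("@reboot"):].strip() for s in map(str.strip, crontab.splitlines())
                if s.startswith("@reboot")]
    return [c for c in commands if c and suspicious_path(c.split()[0])]


def parse_seconds(span: str) -> float:
    """Minimal systemd time-span parser: '30', '30s', '100ms', '2min'."""
    units = {"": 1.0, "s": 1.0, "sec": 1.0, "ms": 0.001, "min": 60.0, "m": 60.0, "h": 3600.0}
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([a-z]*)\s*", span)
    return float(m.group(1)) * units.get(m.group(2), 1.0) if m else float("inf")


def systemd_unit_findings(unit_text: str) -> list[str]:
    """Restart=always with a short RestartSec, or ExecStart from a suspicious path."""
    pairs = (s.split("=", 1) for s in map(str.strip, unit_text.splitlines())
             if "=" in s and not s.startswith(("#", ";", "[")))
    keys = {k.strip(): v.strip() for k, v in pairs}
    findings = []
    restart_sec = keys.get("RestartSec", "100ms")  # systemd's default
    if keys.get("Restart") == "always" and parse_seconds(restart_sec) <= SHORT_RESTART_SEC:
        findings.append(f"Restart=always with RestartSec={restart_sec}")
    exec_start = keys.get("ExecStart", "")
    if exec_start and suspicious_path(exec_start.split()[0].lstrip("-@:+!")):
        findings.append(f"ExecStart from suspicious path: {exec_start}")
    return findings


def rc_background_lines(rc_text: str) -> list[str]:
    """Uncommented lines that background a hidden-path binary with output discarded."""
    return [s for s in (line.strip() for line in rc_text.splitlines())
            if not s.startswith("#") and s.endswith("&")
            and "/dev/null" in s and HIDDEN_COMPONENT.search(s)]


def masquerading_kworkers(snapshot: list[dict]) -> list[dict]:
    """Processes named like a kworker that are not kernel threads: real kworkers are
    children of kthreadd (PID 2) and have no /proc/<pid>/exe target."""
    return [p for p in snapshot
            if p["comm"].startswith("kworker/") and (p["ppid"] != 2 or p["exe"] is not None)]


def memfd_backed(snapshot: list[dict]) -> list[dict]:
    """Processes whose executable is an anonymous memfd, i.e. fileless execution."""
    return [p for p in snapshot if (p["exe"] or "").startswith("/memfd:")]


def snapshot_proc() -> list[dict]:
    """(pid, comm, ppid, exe) for every process; run as root so exe links are readable."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/stat") as fh:   # "pid (comm) state ppid ..."
                comm, rest = fh.read().split("(", 1)[1].rsplit(")", 1)
            ppid = int(rest.split()[1])
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:                          # ENOENT for kernel threads, EACCES unprivileged
                exe = None
        except OSError:
            continue                                 # process exited mid-walk
        procs.append({"pid": int(pid), "comm": comm, "ppid": ppid, "exe": exe})
    return procs


def demo() -> dict:
    """Constructed artifacts shaped like the ones described in the post."""
    implant = "/home/dev/.local/share/.node_cache/.runtime"
    crontab = f"MAILTO=''\n@reboot {implant}\n0 3 * * * /usr/bin/backup.sh\n"
    unit = f"[Service]\nExecStart={implant}\nRestart=always\nRestartSec=30\n[Install]\nWantedBy=default.target\n"
    rc = f"export PATH=$HOME/bin:$PATH\n{implant} 2>/dev/null &\n"
    snapshot = [
        {"pid": 17, "comm": "kworker/0:1", "ppid": 2, "exe": None},
        {"pid": 4021, "comm": "kworker/0:0", "ppid": 1, "exe": implant},
        {"pid": 4022, "comm": "worker", "ppid": 4021, "exe": "/memfd:payload (deleted)"},
    ]
    return {"cron": crontab_reboot_entries(crontab), "systemd": systemd_unit_findings(unit),
            "rc": rc_background_lines(rc),
            "kworker": [p["pid"] for p in masquerading_kworkers(snapshot)],
            "memfd": [p["pid"] for p in memfd_backed(snapshot)]}


if __name__ == "__main__":
    print(demo())
```

The PPID test matters more than the exe test on a live host: /proc/{pid}/exe of another user's process is unreadable without root, which the snapshot records as no target, but a renamed userland process still has a parent other than kthreadd. Feed snapshot_proc() into masquerading_kworkers() and memfd_backed() as root for the full picture.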
Detection
YARA
Suricata
The sids below are illustrative; replace with values from your assigned range before deployment.
IoCs
NPM Packages
Type | IoC | Note |
|---|---|---|
NPM | node-ci-utils@2.1.4 | Linux dropper |
NPM | win-env-setup@3.0.6 | Windows dropper |
NPM | macos-ci-utils@1.0.0 | macOS dropper |
Samples
SHA256 | Name | Date | Platform |
|---|---|---|---|
46bbc37e7ca3d679b937c72529c92bd5904ce5c8c195888e22877164fd6ddae9 | implant.exe | May 5 | Windows |
98d8c37a282b5261ac3172ec7b7738c9399c3d0ae16cd71948b39b4de5616746 | implant.exe | May 6 | Windows |
535ef4a6226daee76e3cd42e57f7cf1246a75136fe76c3906428d20601288526 | implant (1).exe | May 6 | Windows |
10f5fc319879cc9d1ef2f79c4101a7912b954f125cfad47860fdaf2e2aca8564 | implant (2).exe | May 6 | Windows |
fd4417d0437f9289d4d79fa463a18793004b41ce28b9b780bb724544e6a7d7aa | implant.exe | May 6 | Windows |
1f6f463d88d475545be030d7122a9ff5bab74fa9b6f8a7ae247e3d1e86c4a235 | (unnamed) | May 6 | Windows |
edff12504df4b559b8a6ae2695c1bb24b3921b7b0a43d56f330e503225e30d9e | (unnamed) | May 6 | Windows |
d3c7639176c03567ea93751b1f2de4d0f39b730734787f3071cbdeea0fe702f7 | file.exe | May 6 | Windows |
fb2cb41dc4e78d9175465e513d06cc4ea92ddc73bb0c8a7d7da58424108f2b4c | C:/Windows/lzpnn.exe | May 6 | Windows |
60a6d3d23065cb600c9940af6056851bf692f4236cc6512a85d7f191d125e22d | C:/Windows/rsmzzhup.exe | May 6 | Windows |
65e3c0394d3e8eb6fb4a15e7d4fbecb3d7ad2eed3196b78f8ee0e24082e7415d | C:/Windows/oso0ym.exe | May 6 | Windows |
8e15779c50692b91198d595d52e7a6fcd6a2d22babc08c6f40ce2596e821f27b | C:/Windows/or0irn7.exe | May 6 | Windows |
7a7c0efda48a6faa3fa7504d16bf89e1ad66c43acca91d4b3bc1892814d8051f | C:/Windows/bys9b9tzt.exe | May 6 | Windows |
de7140c19d46530cfd6edbba614ddd2ecf5b22e0ef80c2d898e33a7a2a815865 | C:/Windows/boh2u.exe | May 6 | Windows |
82822003c660e31a07ac3bc041ede17379bbd07d688d4481676649a59f825bc8 | C:/Windows/0qfuq.exe | May 6 | Windows |
678e489181b409d0ca10a2f24ab72bfd264e66f52e3886d029eac8100e2c7219 | RuntimeBroker.exe | May 7 | Windows |
d5be6d0ca3a3be01c31c3aaa11859267ed1e86cf53b4897098eb64e69e62c9fc | RuntimeBroker.exe | May 7 | Windows |
5cfa94ac88bec3b0440331f26974d1c7e54587eb8fd0b3b2fae3f3a788129cec | RuntimeBroker.exe | May 7 | Windows |
b5c067a7554305d256fd4de2151cc137ac542f21c7315b39fe48b83391da379b | RuntimeBroker.exe | May 7 | Windows |
59079f05b7d91b3f28b7abfdc5b00d3a7ee67216e9b25111fa8dfb12b45079e3 | RuntimeBroker.exe | May 7 | Windows |
eff3b6803b4bfeec2ffc1860b2e995a597bd7ebc9386c49aaa4158f291b71bf1 | RuntimeBroker.exe | May 7 | Windows |
a0d3ad4999ef8dca130563a4a02aa02d2c9e2cd84f97baa2eb082d0f0251639b | RuntimeBroker.exe | May 7 | Windows |
1286090262e0575345a0f7b557d24b6f076ab3903ea2bfc424373f9d161d33f6 | RuntimeBroker.exe | May 7 | Windows |
5c04ed093235952e3cbaf052f9c879fb3db915c6133268c7b6e1ee3678a5d642 | SearchIndexer.exe | May 12 | Windows |
a7ff2b8b111a013184a1b89efe4abf6706178d45d1620cbd22ecb02cd05bb42b | SearchIndexer.exe | May 12 | Windows |
4093897696b6ba532d9a42e29c572f823a9488815c9b6859543fc362ce8a91d3 | SearchIndexer.exe | May 12 | Windows |
dbc442ea2f87fa5f6d7517db4823aa6d230f4928157ead37694acbb4659bdff3 | update.pkg | May 14 | Linux |
607dea23752ca79794172ec9bada9439e6d8df9cd8778d3f3b20e18a8173279f | SearchIndexer.exe | May 15 | Windows |
4866f2f1b295985d98b03e106c6a70052db557e65ed5ab05ec72921dcdd11cb2 | SearchIndexer.exe | May 15 | Windows |
cd129c21e63c63d9dbe2f8c3dc695bd8aecdd22d8f1a113438342face01cf966 | update.pkg | May 20 | macOS |
Network
Type | IoC | Note |
|---|---|---|
Domain | api[.]ingress-hub[.]com | C2 domain |
URL | hxxps://api[.]ingress-hub[.]com/api/v1/telemetry | C2 Exfil |
URL | hxxps://api[.]ingress-hub[.]com/beacon | C2 Beaconing |
URL | hxxps://api[.]ingress-hub[.]com/cdn/assets/update[.]pkg | Payload URL |
IP | 104[.]21[.]7[.]211 | C2 domain, Cloudflare (AS 13335) |
IP | 172[.]67[.]188[.]8 | C2 domain, Cloudflare (AS 13335) |
IP | 45[.]32[.]135[.]202 | Vultr staging C2 (May 5 only) |
IP | 98[.]94[.]32[.]41 | compliance[.]reimbursor[.]info, Amazon (AS 14618), first seen April 18 |
NS | itzel[.]ns[.]cloudflare[.]com | ingress-hub[.]com nameserver |
NS | lochlan[.]ns[.]cloudflare[.]com | ingress-hub[.]com nameserver |
Artifacts
Type | IoC | Note |
|---|---|---|
| Email | isaac@reimbursor[.]info | Actor email |
Path | ~/.local/share/.node_cache/.runtime | Linux drop |
Path | %LOCALAPPDATA%\Microsoft\MSBuild\NativeTools\NativeBuildHelper.exe | Windows drop |
Path | ~/Library/Application Support/.node_cache/.runtime | macOS drop |
Header | X-Ratchet-Pub | C2 header |
String | NastyC2-DH-v1 | Protocol ID |
String | c2session-v2 | Session format |
Process | kworker/0:0 | Linux masquerade name |
Process | RuntimeBroker.exe | Windows masquerade (May 7) |
Process | SearchIndexer.exe | Windows masquerade (May 12+) |
String | struct BeaconResponse | Serde struct signature |
String | struct AgentResult | Serde struct signature |
String | crates/implant/src/container.rs | Panic path |
String | crates/implant/src/evasion.rs | Panic path |
NastyC2 Sample Properties
| Property | Linux | macOS | Windows |
|---|---|---|---|
| Architecture | ELF64 AArch64, statically linked | Mach-O 64-bit arm64, statically linked except | PE32+ x86-64, MinGW toolchain (linker: |
| Size | 986,392 bytes | 772,944 bytes | 1,352,704 bytes |
| MD5 | | | |
| SHA256 | | | |
| Compiler | rustc 1.95.0 (59807616e 2026-04-14) | rustc 1.95.0 (59807616e 2026-04-14) | rustc, |
| Build user | | | |
| Functions identified | 3,168 (Ghidra headless analysis) | | |
| Symbols | Stripped (panic paths and serde structs remain in | Stripped (panic paths and serde structs remain in | Varies by sample: early builds retain full Cargo paths, panic paths, and demangled |
Appendix A: Complete command reference
| Category | Command | Description |
|---|---|---|
| Core / Filesystem | | Manual beacon check-in |
| | | Auxiliary command handler |
| | | List running processes |
| | | Get implant PID |
| | | System information |
| | | Print working directory |
| | | Change directory |
| | | List directory contents |
| | | Read file contents |
| | | File metadata |
| | | Search files by pattern |
| | | Upload file to target |
| | | Download file from target |
| | | Create directory |
| | | Delete file |
| | | Move/copy file |
| | | Get user/group ID |
| Credential Access | creds_scan | Full credential sweep |
| | | Browser password extraction |
| | | LSASS memory dump (Windows) |
| | | Cached credential dump |
| Active Directory | | AD enumeration via LDAP |
| | | BloodHound-compatible collection |
| | | DCSync: dump domain creds via DRS replication |
| | | Kerberoasting (native: zero tool dependency) |
| | | AS-REP Roasting |
| | | Kerberos ticket operations |
| Lateral Movement | | PsExec lateral movement |
| | | WMI-based execution |
| | | Pass-the-Hash (spawn/wmi/test/opth) |
| | | NTLM password spraying |
| | | Process migration |
| Execution / Injection | | Shellcode injection |
| | | Early-bird APC injection |
| | memfd | Fileless ELF execution |
| | load_module | Module loader (so/dylib/elf/script/bof) |
| | | .NET assembly execution |
| | | Reflective DLL loading |
| | | Parent PID spoofing |
| Persistence | | Install/remove persistence |
| Privilege Escalation | | Privilege escalation audit |
| | | Linux privesc checks |
| | | Windows privilege escalation |
| Evasion | | Sandbox/VM/debugger detection |
| | masquerade | Process name spoofing (kworker/0:0) |
| | | Self-delete, daemonize |
| | | Encrypted sleep (Windows) |
| | | AMSI/ETW bypass (Windows) |
| Surveillance | | Screenshot (oneshot/stream) |
| | | Clipboard monitoring |
| | | Keyboard capture (start/stop/read/status) |
| Networking | | Port forward, SOCKS5, pivoting |
| | | Interactive PTY shell |
| | | Network recon |
| Container / Cloud | docker_escape | Docker socket escape |
| | | Kubernetes enumeration |
| | cloud_meta | Cloud metadata harvesting |
| | | Container ops (detect/write/escape) |
| macOS | | macOS-specific operations |
| Self-Management | | Hot-swap implant binary |
| | | Report implant status |
Appendix B: MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique | NastyC2 Implementation |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Malicious npm packages |
| Execution | T1204.002 | User Execution: Malicious File | Dropper executes when developer runs npm install |
| Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell | |
| Execution | T1129 | Shared Modules | |
| Execution | T1106 | Native API | Direct syscall use throughout implant |
| Persistence | T1053.003 | Scheduled Task/Job: Cron | |
| Persistence | T1543.002 | Create or Modify System Process: Systemd Service | User-level service file with Restart=always |
| Persistence | T1543.001 | Create or Modify System Process: Launch Agent | macOS LaunchAgent plist with KeepAlive |
| Persistence | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | Appended one-liners in .bashrc, .zshrc, or .profile |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
| Privilege Escalation | T1134 | Access Token Manipulation | |
| Privilege Escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing | |
| Privilege Escalation | T1611 | Escape to Host | |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Process name spoofing as kworker/0:0 |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Base64-decoded download URLs in droppers |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | |
| Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Wall-clock measurement across sleep calls to detect accelerated sandboxes |
| Defense Evasion | T1055.004 | Process Injection: Asynchronous Procedure Call | |
| Defense Evasion | T1620 | Reflective Code Loading | |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | Dot-prefixed drop paths: ~/.local/share/.node_cache/.runtime, ~/Library/Application Support/.node_cache/.runtime |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion | |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Credential Access | T1003.003 | OS Credential Dumping: NTDS | NTDS.dit + SYSTEM hive extraction via VSS shadow copy on domain controllers |
| Credential Access | T1003.006 | OS Credential Dumping: DCSync | |
| Credential Access | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | |
| Credential Access | T1558.004 | Steal or Forge Kerberos Tickets: AS-REP Roasting | |
| Credential Access | T1649 | Steal or Forge Authentication Certificates | AD CS template abuse paths surfaced as Certipy command lines |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files | |
| Credential Access | T1552.004 | Unsecured Credentials: Private Keys | SSH private key harvesting in creds_scan |
| Credential Access | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | |
| Credential Access | T1056.001 | Input Capture: Keylogging | |
| Credential Access | T1110.003 | Brute Force: Password Spraying | |
| Discovery | T1057 | Process Discovery | |
| Discovery | T1082 | System Information Discovery | |
| Discovery | T1083 | File and Directory Discovery | |
| Discovery | T1087.002 | Account Discovery: Domain Account | |
| Discovery | T1018 | Remote System Discovery | |
| Discovery | T1482 | Domain Trust Discovery | |
| Discovery | T1613 | Container and Resource Discovery | |
| Discovery | T1033 | System Owner/User Discovery | |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery | |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | |
| Lateral Movement | T1047 | Windows Management Instrumentation | |
| Lateral Movement | T1550.002 | Use Alternate Authentication Material: Pass the Hash | |
| Lateral Movement | T1570 | Lateral Tool Transfer | Post-foothold payload delivery via |
| Collection | T1113 | Screen Capture | |
| Collection | T1115 | Clipboard Data | |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTPS POST to hxxps://api[.]ingress-hub[.]com/api/v1/telemetry |
| Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Curve25519 Double Ratchet with HKDF and ChaCha20-Poly1305 AEAD |
| Command and Control | T1090 | Proxy | Honors HTTP_PROXY/HTTPS_PROXY/ALL_PROXY |
| Command and Control | T1572 | Protocol Tunneling | HTTP CONNECT tunneling through the configured proxy |
| Command and Control | T1001 | Data Obfuscation | C2 traffic disguised as application telemetry |
| Command and Control | T1105 | Ingress Tool Transfer | |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | All exfiltration over the encrypted C2 |
Appendix C: Implant Module Map
The macOS sample (and early Windows builds) leak panic paths for the full crate structure. Modules below are listed in alphabetical order.
| Module | Description |
|---|---|
| | BloodHound-compatible AD collection producing |
| | Clipboard monitoring with change detection |
| container.rs | Container detection and Docker socket escape via privileged container with host bind-mount |
| | Double Ratchet construction: Curve25519 DH, HKDF, ChaCha20-Poly1305 |
| | DCSync via DRS replication, with native LDAP ACL parsing fallback |
| evasion.rs | Sandbox/VM detection, process masquerade, AMSI/ETW patching, self-delete, daemonize |
| | Command dispatch and task execution with timeouts |
| | Kerberoasting, AS-REP roasting, native TGS requests, ticket dump/import |
| | Keystroke capture (start/stop/read/status) |
| | Lateral movement primitives: PsExec, CIDR/host scanning, SSH target enumeration |
| | In-memory module loader (.so/.dylib/.elf, shell/Python scripts, BOF/COFF) |
| | NTLM password spraying (host, CIDR, and list modes) |
| | HTTP |
| | Interactive PTY shell sessions (open/read/write/close) |
| | Traffic relay and pivot forwarding |
| | Screenshot streaming with change-threshold throttling |
| | C2 session lifecycle, setup handshake, session state persistence to .c2_state |
| | HTTPS beacon transport, header construction, proxy honoring |
| | SOCKS5 proxy and port forwarding |