Encrypted C2 framework. Go beacon, TypeScript teamserver.
Phase 1 C2 framework: Go implant compiled to a static binary (~95KB stripped) with zero external dependencies, X25519 handshake, HKDF-SHA256 session derivation, and AES-256-GCM task encryption. TypeScript teamserver on Node.js with SQLite (better-sqlite3), REST operator API, and per-beacon monotonic nonce counters. DoH (DNS-over-HTTPS) transport alongside HTTPS. No React dashboard — operator interacts via REPL console over loopback HTTPS.
scroll to access
Kill_Chain_Position
Capabilities
X25519 key exchange
Teamserver static keypair baked at build time; beacon generates ephemeral keypair per registration — static key never leaves teamserver
AES-256-GCM task encryption
All beacon↔teamserver traffic double-encrypted (AES-GCM payload inside HTTPS); monotonic 96-bit nonce counter per direction
Go beacon — zero deps
Single static binary, CGO disabled, stripped via -ldflags="-s -w", baked config via -X linker flag — no registry, no config file, no env vars
DNS-over-HTTPS transport
Beacon polls C2 via DoH TXT records through Cloudflare 1.1.1.1; HTTPS fallback with profile-driven URL/header mimicry
10 task types
shell, upload, download, sysinfo, proclist, env, ls, rm, sleep, die — enum-bounded, no arbitrary code execution from server
Hard expiration + self-destruct
Every binary bakes an ExpiresAt timestamp; beacon self-deletes (MoveFileEx on Windows, os.Remove on Linux) on expiry
Teamserver scope enforcement
Beacon reports hostname+IP on first check-in; validated against engagement scope; out-of-scope beacons rejected and logged
ARES → NYX → STYX handoff
ares-import.ts consumes TargetArtifact JSON; styx-export.ts writes BeaconHandle JSON; beacon-deployer.ts deploys via webshell/SSH/RCE/cloud
Architecture
Split codebase: TypeScript teamserver (src/, 22 modules) and Go implant (beacon/, 37 Go files). Teamserver: Node.js native http/https servers on separate BEACON_PORT and OPERATOR_PORT, TLS via internal CA cert. SQLite via better-sqlite3 for synchronous single-file storage. Crypto: X25519 via node:crypto, HKDF-SHA256, AES-256-GCM. Operator API at /api/v1 with Bearer token auth. Implant: transport.Transport interface with HTTPS and DoH implementations; tasks routed via Type enum to handlers; platform-specific code under beacon/internal/platform/{windows,linux}/. OPSEC: Gaussian sleep jitter via Box-Muller, DNS resolution cached after first handshake, teamserver log redaction strips keys and base64 blobs. Stager (beacon/cmd/stager/) is a separate tiny binary. Build: make build-beacon cross-compiles via GOOS/GOARCH, bakes config as base64 via -X main.Config.
Engagement_Types
Also_In_The_Suite
Secure_Channel
All work requires a signed scope document. Initial contact is encrypted. Response within 48h.
INITIALIZE_CONTACT