Kernel namespace isolation for Linux post-exploitation and adversary simulation
Kernel namespace isolation turns the OS against its own defenses. Multi-channel C2 with polymorphic beacons keeps traffic invisible. 36 stealth modules handle the rest.
PID, Mount, Network, UTS, and Cgroup namespace isolation with veth pair routing and NAT masquerade. Kernel-enforced sandbox with DNAT loopback routing.
HTTPS primary with domain fronting. DNS tunneling fallback via TXT records. DNS-over-HTTPS for restrictive networks. Raw Layer 2 Ethernet below netfilter.
18 rotating paths, 8 content-types, 13 user-agents, randomized headers per cycle. JA3 fingerprint randomization per session with cryptographic jitter.
ProtectedConfig encrypts C2 URLs and keys at rest with XOR rekeying. []byte API with deterministic shredding.
Kernel-level argv and /proc/[pid]/comm rewrite. Direct /proc/self/mem environ zeroing. GOMAXPROCS(1) thread reduction.
eBPF cloaking hides PIDs in BPF maps. memfd_create + execveat for fileless exec. Kernel keyring secrets. Anti-dump regions. io_uring shared ring buffers.
Hostname, CIDR range, MAC address, machine ID, canary file, and kill date guardrails prevent lab escape. Auto-terminates and cleans up on guardrail failure.
Systemd generators run before all units at boot. NSS modules trigger on DNS/user lookups. Logrotate, DHCP, APT, audit dispatcher, NM dispatcher, sysctl.d, and modprobe hooks fire on routine events.
Cascading transport failover with polymorphic profiles. Every beacon cycle uses fresh paths, headers, and fingerprints.
The parent runs pre-namespace evasion and re-execs into isolated namespaces; the child operates the beacon loop with encrypted C2 and transport failover.
Parent runs guardrails, VM detection, EDR adaptation, and OPSEC hardening. Re-execs into isolated namespaces. Child operates the beacon loop in kernel-enforced isolation. Parent handles SIGTERM/SIGINT and cleans up host-side artifacts on exit.
XOR-encrypted blobs for C2 URLs and session keys with rekeying each cycle. GetC2ServersBytes() returns []byte slices that callers shred after use.
HTTPS primary with domain fronting, DNS fallback via TXT records, DoH for restrictive networks. Polymorphic profiles rotate paths, headers, and fingerprints per cycle.
CLONE_NEWPID|NEWNS|NEWNET|NEWUTS|NEWCGROUP with veth pair, NAT masquerade, and DNAT loopback routing for host connectivity inside full kernel isolation.
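Two of the techniques listed above, the re-exec into fresh PID/mount/net/UTS/cgroup namespaces and memfd_create-backed fileless execution, leave host-visible traces in /proc. The following is an added example written for defenders, not code from this project: it snapshots /proc (or a constructed snapshot, used here so it runs offline) and flags processes whose namespace links all diverge from PID 1 and processes whose executable is not backed by a file on disk. The namespace inode values in the sample are constructed.

```python
"""Host-side check for namespace-isolated and memfd-backed processes (added example)."""
import os
from dataclasses import dataclass

NS_KINDS = ("pid", "mnt", "net", "uts", "cgroup")


@dataclass
class ProcInfo:
    pid: int
    ns: dict      # ns kind -> link target of /proc/<pid>/ns/<kind>, e.g. "pid:[4026531836]"
    exe: str      # link target of /proc/<pid>/exe


def read_link(path):
    try:
        return os.readlink(path)
    except OSError:
        return ""


def collect_proc(proc_root="/proc"):
    """Snapshot live processes; reading other users' ns links needs root."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        ns = {k: read_link(os.path.join(base, "ns", k)) for k in NS_KINDS}
        procs.append(ProcInfo(int(name), ns, read_link(os.path.join(base, "exe"))))
    return procs


def analyze(procs, init_pid=1):
    """Return a list of (pid, indicator) tuples; an empty list means nothing was flagged."""
    by_pid = {p.pid: p for p in procs}
    baseline = by_pid[init_pid].ns
    findings = []
    for p in procs:
        if p.pid == init_pid:
            continue
        # Unreadable links come back as "" and are skipped rather than counted as divergence.
        diverged = [k for k in NS_KINDS if p.ns.get(k) and p.ns[k] != baseline.get(k)]
        # Containers share this signature; allowlist known runtimes when triaging.
        if len(diverged) == len(NS_KINDS):
            findings.append((p.pid, "all namespaces differ from init: " + ",".join(diverged)))
        # memfd_create-backed or unlinked executables appear as "/memfd:<name> (deleted)".
        if p.exe.startswith("/memfd:") or p.exe.endswith(" (deleted)"):
            findings.append((p.pid, f"executable not backed by a file on disk: {p.exe}"))
    return findings


# Constructed snapshot standing in for collect_proc() output (sample values, not real inodes).
BASE_NS = {"pid": "pid:[4026531836]", "mnt": "mnt:[4026531841]", "net": "net:[4026531840]",
           "uts": "uts:[4026531838]", "cgroup": "cgroup:[4026531835]"}
ISOLATED_NS = {k: v.replace("40265318", "40265326") for k, v in BASE_NS.items()}

SAMPLE = [
    ProcInfo(1, dict(BASE_NS), "/usr/lib/systemd/systemd"),
    ProcInfo(812, dict(BASE_NS), "/usr/sbin/sshd"),
    ProcInfo(4321, dict(ISOLATED_NS), "/memfd:payload (deleted)"),
]

if __name__ == "__main__":
    for pid, why in analyze(SAMPLE):
        print(pid, why)
```

On a live host, replace SAMPLE with collect_proc() run as root. Every container also lands in its own set of namespaces, so the namespace indicator is only meaningful after correlating with the parent process (a container runtime versus an ordinary user process re-execing itself), while a /memfd: or (deleted) exe link on a long-lived process is a much stronger signal on its own.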
Development builds, obfuscated releases, integration tests, and OPSEC verification. The Makefile handles everything.
Clone, build, deploy. The Makefile handles compilation, stripping, and static linking. The C2 server manages sessions.
make build produces a stripped, statically linked binary with all configuration baked in via -ldflags. No runtime config files are needed.
The test implant at cmd/test-implant/ runs without namespace isolation or evasion checks, making it suitable for lab/VM environments. Built with -tags testbuild.
For production, use make build-release which adds garble obfuscation, UPX compression, and UPX signature scrubbing. Run make opsec-check to verify the binary is clean.