XChaCha20-Poly1305 encrypted reverse shell for Windows
~37 KB implant with interactive Python listener
A minimal encrypted reverse shell that layers XChaCha20-Poly1305 over HTTPS, uses cryptographic jitter, and fits in ~37 KB.
HTTPS via WinHTTP for transport, plus XChaCha20-Poly1305 AEAD for command payloads. Defense in depth through two independent encryption layers, with self-signed certificate support.
Minimal extraction of Monocypher (~370 lines). XChaCha20-Poly1305 with 24-byte random nonces. No nonce management headaches.
Centered jitter via RtlGenRandom. Sleeps between 70% and 130% of the base interval. No predictable beacon pattern for defenders to fingerprint.
CreateProcess with piped stdout/stderr. 64 KB output cap with truncation notification. Remote EXIT for clean shutdown.
Stripped and size-optimized with -Os -s. No runtime dependencies beyond Windows system DLLs. Cross-compiled from Kali with MinGW.
Network errors, bad responses, and decryption failures handled silently. The implant keeps polling until you tell it to stop.
A C implant that polls over HTTPS and a Python listener that queues commands and decrypts results.
Native Windows TLS via WinHttpOpen / WinHttpSendRequest. Proxy-aware. Self-signed cert bypass for lab use.
AEAD encryption via Monocypher. Wire format: [nonce(24)][mac(16)][ct]. Fresh random nonce per message.
HTTPS server with interactive prompt. Thread-safe command queue. PyNaCl for matching XChaCha20-Poly1305 decrypt/encrypt.
POST /poll carries the encrypted beacon ID; POST /result carries the encrypted command output. A 200 response delivers a command, a 204 response tells the implant to sleep.
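The jitter claim above (70% to 130% of the base interval) and the fixed /poll path are worth checking from the defender's side. The following is an added example, not the project's own code: it models that sleep schedule over constructed request-log tuples (timestamp, source, path; all hosts and paths are invented) and shows that uniform jitter still leaves a low coefficient of variation in the inter-arrival gaps, which a simple per-(source, path) statistic can surface.

```python
# Added example (not the tool's code): uniform jitter in [0.7, 1.3] gives gaps
# with coefficient of variation 0.6/sqrt(12) ~= 0.17 whatever the base interval,
# so a low-CV run of POSTs to one path still stands out.  All data is constructed.
import random
import statistics
from collections import defaultdict

JITTER_LOW, JITTER_HIGH = 0.70, 1.30  # jitter window stated on the page


def jittered_poll_times(base_interval, count, seed=1):
    """Constructed poll timestamps: each sleep is U(0.7, 1.3) * base_interval."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += base_interval * rng.uniform(JITTER_LOW, JITTER_HIGH)
        times.append(t)
    return times


def gap_stats(timestamps):
    """Mean and coefficient of variation of the inter-arrival gaps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.fmean(gaps)
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(events, min_events=20, max_cv=0.25):
    """events: iterable of (timestamp, source, path).  Returns {(src, path):
    (mean_gap, cv)} for series regular enough to be a jittered poller."""
    series = defaultdict(list)
    for ts, src, path in events:
        series[(src, path)].append(ts)
    findings = {}
    for key, times in series.items():
        if len(times) < min_events:
            continue
        mean, cv = gap_stats(sorted(times))
        if cv <= max_cv:
            findings[key] = (round(mean, 1), round(cv, 3))
    return findings


def demo():
    """Constructed log: one 30 s jittered poller plus bursty human browsing."""
    rng = random.Random(7)
    events = [(t, "10.0.0.5", "/poll") for t in jittered_poll_times(30.0, 200)]
    t = 0.0
    for _ in range(200):  # exponential gaps have CV ~= 1, so they are not flagged
        t += rng.expovariate(1 / 30.0)
        events.append((t, "10.0.0.9", "/index.html"))
    return find_beacons(events)
```

Running demo() flags only the /poll series, with a mean gap near 30 s and a CV near 0.17; the exponential-gap series is ignored.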
One script builds the implant, generates a key, and prints the listener command. No Docker, no frameworks.
build.sh generates a random 256-bit PSK, cross-compiles dew.exe (~37 KB), and prints the exact listener command with your key. One command.
The listener auto-generates a self-signed TLS certificate on first launch. All traffic is encrypted end-to-end: TLS for transport, XChaCha20-Poly1305 for payloads.
Requires mingw-w64 for compilation. Python 3 with PyNaCl for the listener.