- Регистрация
- 23.06.25
- Сообщения
- 3
GENERAL
* C++ Windows modular RAT
* php/js dynamic c2 server (web panel)
* not based on another malware
(!) [important] the panel is limited to 1000 bots. the tool is oriented to targeted attacks (not mass)
MODULAR
Setup consists of:
* Bot (required)
* Stealer (optional)
* Hidden Apps (optional)
* Vnc/Screencast (optional)
* Micro Bot (optional)
BOT/LOADER
(+) upload + download + execute (exe/bat/vbs)
(+) execute the modules (stealer+hidden apps)
(+) execute 2nd stage payloads (exe/bat/vbs) at first boot (another stealer, miner, etc)
(+) update "refud/replace"
(+) processes list+kill
(+) kill+delete bot/modules
(+) startup+persistence (auto-run)
* startup shortcut (survive pc reboot)
* scheduled task to re-execute the bot if killed (needs admin user. no uac)
(+) pc info
* installed programs + hardware info
(+) single/group/mass commands
(+) multiple commands for each bot (commands queue)
* if the target is offline commands will be executed when online
* show/cancel pending commands
STEALER (MODULE)
(+) files explorer
# navigate + create new folders
# download files
# upload + delete + rename (files+folders)
# search
# detects installed drives (c:\, d:\, e:\, etc)
(+) harvest / find (files grabber)
* find
* by filename / extension / filename+extension
* folders: predefined / custom
* optional "max file size" value (avoid uploading huge files)
* upload files from search results
* harvest
* zip found files and upload the package
(+) pass recovery + browsers data
* pass: chrome / firefox / edge / opera / thunderbird
* firefox autofill+history+cookies
* chrome/edge/opera autofill+credit cards+history+cookies
(+) clipboard stealer
* live mode + download/delete data
* saves the active window (program)
(+) crypto clipper/swapper
* replaces bitcoin/ethereum/monero addresses with yours
(+) keylogger
* offline mode
* 3 predefined intervals to send the logs
* saves the active window (program)
(+) live keylogger
* titles filter: send keys only if a certain app/title is focused
(+) screenshot
(+) screenshot burst
* take multiple screenshots when a window/app is focused and matches the titles/strings specified
* configure 3/5/10 screenshots burst
(+) shell/cmd (simple)
* run cmds and get the output (single mode)
* run cmds as "one-liners" without output (mass/group mode)
* note: not a fully interactive reverse shell (check hidden apps module for a better solution)
HIDDEN APPS (MODULE)
(+) hidden browsers
* use the target's browser hidden from the user (firefox/chrome/edge)
* browser default user profile is used. access the sessions, passwords saved, bookmarks, history, etc.
* notes: connection is http (not super fast). does not replace a full hvnc.
(+) hidden cmd.exe (reverse shell)
* fully interactive
VNC/SCREENCAST (MODULE)
- control the main desktop [click/type]. visible not hidden.
- can be used as screencast also
- "pseudo" vnc. does not replace a real vnc or rmm (anydesk, etc)
https://imgur.com/a/96DHGMs
https://ibb.co/HY9Ct7Z
MICRO BOT [ALTERNATIVE LOADER]
(+) low detections
(+) no need to crypt
(+) use as a fallback/backup in case your main bot/rat gets detected
MISC
# run cmds (shell) one-liners at first boot
# strings dynamic decryption
# randomized internal strings (bot+panel)
# campaign/bot id option
# cookies in json+netscape format
(+) anti-analysis
* if analysis tools are running the bot exits
* unique mutex for each build
* binary strings obfuscated
(+) Unicode support (works on all languages)
(+) chromium decryption server-side
(+) strings encryption randomized for each sample
(+) features can be removed from the stealer by request if not needed (main ones like keylogger, clipboard, etc).
(+) custom features can be added for an extra fee
C2 WEB PANEL
(!) [important] the panel is limited to 1000 bots. the tool is now oriented to targeted attacks (not mass spam)
* list targets + set commands
* first boot (auto-tasks/configs). config the modules for the first time execution.
* targets' log (activity/commands executed)
* dark/light theme
* secure login with user/password and "2fa" code
* country info+flag
* save aliases (friendly bot names)
* cancel commands
* download all files as zip
* resources tab > easy management of the files/modules to be dropped on targets (upload/delete/rename)
* filter uploaded files by current selected target and file types (imgs, dumps, etc)
* filter bots by ip, country, os, etc
* bots list showing last connection, boot counts, alive time, campaign/bot id, screenshots count
* screenshots > thumbnails (gallery)
* show hide columns os/campaign id/last connection
* ping/knock custom randomized interval
=== V7 NEW FEATURES ===
# http communications encryption (bot/modules <> server)
# [stealer] wallet grabber > desktop + web (chrome)
# proxy servers > configurable on the panel. protect the c2 (bot > proxy > c2)
(+) in case of blacklist/ban/detections replace the proxy vps and update the list
# [stealer] keylogger > offline mode > add filtering by strings in app/titles
# [stealer] keylogger > offline mode > avoid saving logs to file. keeping on memory
# [stealer] keylogger > offline mode > show all compiled txt data on the panel page
# first boot persistence > set custom stub path
# download files > md5 hash integrity check
# check if the stealer is found and report to server
# panel > show warning if errors are found on logs
# execute > retry if failed the first time
# update > refud > set custom folder/path for the stub
# [stealer] files explorer > added button to go up one folder
=== V8 NEW FEATURES ===
# bot > run powershell (oneliners)
# bot > show AV found (from software list)
# bot > execute dlls (rundll32 + function)
# bot > autorun > startup registry (run) added method
# bot > autorun > option to choose between the 3 supported methods
# bot > autorun > report the current state of the methods (found / deleted on the pc)
# bot > software+hardware info moved back to the bot
# bot > report the stealer process presence to the panel (both on disk + process)
# bot > retry downloads if failed
# stealer > firefox pwds decryption moved server-side for stealth
=== V9 NEW FEATURES ===
# bot > report exe/stub presence on disk
# panel > check the proxy servers state
# panel > stealer stub randomization. every stub has a different hash on disk. avoid av hash signatures.
# download big files in chunks
# kill+delete > bot folder cleanup on the pc (with libs/files)
# added more chrome wallet extensions to the list
# commands > execute each with a thread [avoid hangs]
# stealer update > avoid killing if found running
# uploaded files > confirm server-side with file hash
# [stealer] commands > execute each with a thread [avoid hangs]
# [bot] restart command
# [bot] file uploads > curl option as fallback
# [bot] winapi startup shortcut as fallback for unicode paths
# [bot] defender exclusion (visible)
Will prompt for UAC (yes/no) using Microsoft/Powershell (verified publisher)
Adds C:\ to excluded folders. Works only if the user is admin
# ProgramData folder added for stub path/file downloads/etc
# [bot] killed state added
# [bot] auto-run command > delete+recreate scheduled task/registry run/startup shortcut
- useful if wrongly setup or not setup in the first boot
# [panel] alias + campaign id filters added
# [stealer] show busy label while running the first boot commands
# 7z archives (packs) use a list file for faster packing
# panel > wallets > list names from within zips/archives
# chromium browsers multi profile pwds+data added
# unlock browsers db files if opened
# find/harvest added banned folders when searching the drive
# panel > info page > enable for mass/group. review installed programs + hardware info of all targets or selected
=== V10 NEW FEATURES [WIP] ===
autorun - logon script registry (new method added)
prevent pc sleeps
screen burst - auto time interval mode
hidden apps - turn on off the browser while keeping the module running + show ping status
autorun - av conditional smart auto mode
new chrome v20 cookies encryption support
vnc module
clipper - added new addresses
chrome v20 cookies encryption - add injection helper alternative method
micro bot integration (deploy from the main rat)
show bot uptime (panel)
ftp upload to post data (alternative)
run payloads with dll sideloading
parse chrome fully serverside + chrome v20 pwds encryption
anti virtual box (optional)
anti delay (optional)
libcurl file download (optional)
telegram notifications
V8 PANEL SCREENSHOTS - PREVIEW
https://imgur.com/a/nss0Pf6
V9 PANEL SCREENSHOTS - PREVIEW
https://imgur.com/a/ouz3cYR
PROS
+ secure. the panel runs from a vps
+ secure. you can login using Tor (needs javascript full turned on)
+ no setup. avoid vpns with port forwarding or tunneling. you get ready access to the panel
+ multiple features coming on future versions
CRYPTING
you will need to crypt all the files with a crypter (with native or shellcode support)
compatible methods: runpe/loadpe/shellcode-injection/dll sideload
OS SUPPORT
Win 10 + Win 11
CAVEATS / NOTES
(*) c2 panel needs javascript full turned on
(*) raw exe sizes are ~300kb (bot) ~400kb (stealer) ~280kb (hidden apps)
(*) tested on Windows 10/11
ASSETS YOU WILL RECEIVE
* exes
* access to the c2 panel
* readme
MONTHLY PRICING
- bot 425 (required)
- vps+domain+panel 50 (c2 server / required)
- stealer 275 (optional module/exe)
- hidden apps 125 (optional module/exe)
- vnc/screencast 100 (optional module/exe)
- micro bot 150 (optional alternative bot - includes vps+domain+panel)
- proxy server 50 (optional for c2 server protection. bot > proxy > c2 server)
(*) prices are monthly
(*) xmr / btc / ltc / bch / eth / usdt / dai accepted
(*) vps/c2 panel re-setup 75 (if server/domain gets banned. add the proxy to avoid this)
(*) proxy server has pro/cons. discuss based on your needs. proxy re-setup [or add new] $50
CONTACTS
Jabber(OTR) + Tox. Request by PM.
SIZE
- build size is between ~500kb and ~1.3MB [depending con configs]
SETUP
vps+domain+panel are all setup by me, you get ready access to the panel
TERMS OF SERVICE
* each client gets a unique domain+vps services (not shared)
* your plan starts once the vps+domain is setup and you get access to the panel. if there is a delay between the payment and the setup, you won't lose any time of using the tool
* setup time (after payment confirmation) is done within 24hs (on normal conditions)
* your panel domain will be randomly generated. it cannot be changed or chosen
* no ssh/ftp/cpanel access will be provided directly to the vps service
* the panel source is not provided for self-installation
* refund is only done (in special cases) for the tool price only (not the vps/domain costs)
* C++ Windows modular RAT
* php/js dynamic c2 server (web panel)
* not based on another malware
(!) [important] the panel is limited to 1000 bots. the tool is oriented to targeted attacks (not mass)
MODULAR
Setup consists of:
* Bot (required)
* Stealer (optional)
* Hidden Apps (optional)
* Vnc/Screencast (optional)
* Micro Bot (optional)
BOT/LOADER
(+) upload + download + execute (exe/bat/vbs)
(+) execute the modules (stealer+hidden apps)
(+) execute 2nd stage payloads (exe/bat/vbs) at first boot (another stealer, miner, etc)
(+) update "refud/replace"
(+) processes list+kill
(+) kill+delete bot/modules
(+) startup+persistence (auto-run)
* startup shortcut (survive pc reboot)
* scheduled task to re-execute the bot if killed (needs admin user. no uac)
(+) pc info
* installed programs + hardware info
(+) single/group/mass commands
(+) multiple commands for each bot (commands queue)
* if the target is offline commands will be executed when online
* show/cancel pending commands
STEALER (MODULE)
(+) files explorer
# navigate + create new folders
# download files
# upload + delete + rename (files+folders)
# search
# detects installed drives (c:\, d:\, e:\, etc)
(+) harvest / find (files grabber)
* find
* by filename / extension / filename+extension
* folders: predefined / custom
* optional "max file size" value (avoid uploading huge files)
* upload files from search results
* harvest
* zip found files and upload the package
(+) pass recovery + browsers data
* pass: chrome / firefox / edge / opera / thunderbird
* firefox autofill+history+cookies
* chrome/edge/opera autofill+credit cards+history+cookies
(+) clipboard stealer
* live mode + download/delete data
* saves the active window (program)
(+) crypto clipper/swapper
* replaces bitcoin/ethereum/monero addresses with yours
(+) keylogger
* offline mode
* 3 predefined intervals to send the logs
* saves the active window (program)
(+) live keylogger
* titles filter: send keys only if a certain app/title is focused
(+) screenshot
(+) screenshot burst
* take multiple screenshots when a window/app is focused and matches the titles/strings specified
* configure 3/5/10 screenshots burst
(+) shell/cmd (simple)
* run cmds and get the output (single mode)
* run cmds as "one-liners" without output (mass/group mode)
* note: not a fully interactive reverse shell (check hidden apps module for a better solution)
HIDDEN APPS (MODULE)
(+) hidden browsers
* use the target's browser hidden from the user (firefox/chrome/edge)
* browser default user profile is used. access the sessions, passwords saved, bookmarks, history, etc.
* notes: connection is http (not super fast). does not replace a full hvnc.
(+) hidden cmd.exe (reverse shell)
* fully interactive
VNC/SCREENCAST (MODULE)
- control the main desktop [click/type]. visible not hidden.
- can be used as screencast also
- "pseudo" vnc. does not replace a real vnc or rmm (anydesk, etc)
https://imgur.com/a/96DHGMs
https://ibb.co/HY9Ct7Z
MICRO BOT [ALTERNATIVE LOADER]
(+) low detections
(+) no need to crypt
(+) use as a fallback/backup in case your main bot/rat gets detected
MISC
# run cmds (shell) one-liners at first boot
# strings dynamic decryption
# randomized internal strings (bot+panel)
# campaign/bot id option
# cookies in json+netscape format
(+) anti-analysis
* if analysis tools are running the bot exits
* unique mutex for each build
* binary strings obfuscated
(+) Unicode support (works on all languages)
(+) chromium decryption server-side
(+) strings encryption randomized for each sample
(+) features can be removed from the stealer by request if not needed (main ones like keylogger, clipboard, etc).
(+) custom features can be added for an extra fee
C2 WEB PANEL
(!) [important] the panel is limited to 1000 bots. the tool is now oriented to targeted attacks (not mass spam)
* list targets + set commands
* first boot (auto-tasks/configs). config the modules for the first time execution.
* targets' log (activity/commands executed)
* dark/light theme
* secure login with user/password and "2fa" code
* country info+flag
* save aliases (friendly bot names)
* cancel commands
* download all files as zip
* resources tab > easy management of the files/modules to be dropped on targets (upload/delete/rename)
* filter uploaded files by current selected target and file types (imgs, dumps, etc)
* filter bots by ip, country, os, etc
* bots list showing last connection, boot counts, alive time, campaign/bot id, screenshots count
* screenshots > thumbnails (gallery)
* show hide columns os/campaign id/last connection
* ping/knock custom randomized interval
=== V7 NEW FEATURES ===
# http communications encryption (bot/modules <> server)
# [stealer] wallet grabber > desktop + web (chrome)
# proxy servers > configurable on the panel. protect the c2 (bot > proxy > c2)
(+) in case of blacklist/ban/detections replace the proxy vps and update the list
# [stealer] keylogger > offline mode > add filtering by strings in app/titles
# [stealer] keylogger > offline mode > avoid saving logs to file. keeping on memory
# [stealer] keylogger > offline mode > show all compiled txt data on the panel page
# first boot persistence > set custom stub path
# download files > md5 hash integrity check
# check if the stealer is found and report to server
# panel > show warning if errors are found on logs
# execute > retry if failed the first time
# update > refud > set custom folder/path for the stub
# [stealer] files explorer > added button to go up one folder
=== V8 NEW FEATURES ===
# bot > run powershell (oneliners)
# bot > show AV found (from software list)
# bot > execute dlls (rundll32 + function)
# bot > autorun > startup registry (run) added method
# bot > autorun > option to choose between the 3 supported methods
# bot > autorun > report the current state of the methods (found / deleted on the pc)
# bot > software+hardware info moved back to the bot
# bot > report the stealer process presence to the panel (both on disk + process)
# bot > retry downloads if failed
# stealer > firefox pwds decryption moved server-side for stealth
=== V9 NEW FEATURES ===
# bot > report exe/stub presence on disk
# panel > check the proxy servers state
# panel > stealer stub randomization. every stub has a different hash on disk. avoid av hash signatures.
# download big files in chunks
# kill+delete > bot folder cleanup on the pc (with libs/files)
# added more chrome wallet extensions to the list
# commands > execute each with a thread [avoid hangs]
# stealer update > avoid killing if found running
# uploaded files > confirm server-side with file hash
# [stealer] commands > execute each with a thread [avoid hangs]
# [bot] restart command
# [bot] file uploads > curl option as fallback
# [bot] winapi startup shortcut as fallback for unicode paths
# [bot] defender exclusion (visible)
Will prompt for UAC (yes/no) using Microsoft/Powershell (verified publisher)
Adds C:\ to excluded folders. Works only if the user is admin
# ProgramData folder added for stub path/file downloads/etc
# [bot] killed state added
# [bot] auto-run command > delete+recreate scheduled task/registry run/startup shortcut
- useful if wrongly setup or not setup in the first boot
# [panel] alias + campaign id filters added
# [stealer] show busy label while running the first boot commands
# 7z archives (packs) use a list file for faster packing
# panel > wallets > list names from within zips/archives
# chromium browsers multi profile pwds+data added
# unlock browsers db files if opened
# find/harvest added banned folders when searching the drive
# panel > info page > enable for mass/group. review installed programs + hardware info of all targets or selected
=== V10 NEW FEATURES [WIP] ===
autorun - logon script registry (new method added)
prevent pc sleeps
screen burst - auto time interval mode
hidden apps - turn on off the browser while keeping the module running + show ping status
autorun - av conditional smart auto mode
new chrome v20 cookies encryption support
vnc module
clipper - added new addresses
chrome v20 cookies encryption - add injection helper alternative method
micro bot integration (deploy from the main rat)
show bot uptime (panel)
ftp upload to post data (alternative)
run payloads with dll sideloading
parse chrome fully serverside + chrome v20 pwds encryption
anti virtual box (optional)
anti delay (optional)
libcurl file download (optional)
telegram notifications
V8 PANEL SCREENSHOTS - PREVIEW
https://imgur.com/a/nss0Pf6
V9 PANEL SCREENSHOTS - PREVIEW
https://imgur.com/a/ouz3cYR
PROS
+ secure. the panel runs from a vps
+ secure. you can login using Tor (needs javascript full turned on)
+ no setup. avoid vpns with port forwarding or tunneling. you get ready access to the panel
+ multiple features coming on future versions
CRYPTING
you will need to crypt all the files with a crypter (with native or shellcode support)
compatible methods: runpe/loadpe/shellcode-injection/dll sideload
OS SUPPORT
Win 10 + Win 11
CAVEATS / NOTES
(*) c2 panel needs javascript full turned on
(*) raw exe sizes are ~300kb (bot) ~400kb (stealer) ~280kb (hidden apps)
(*) tested on Windows 10/11
ASSETS YOU WILL RECEIVE
* exes
* access to the c2 panel
* readme
MONTHLY PRICING
- bot 425 (required)
- vps+domain+panel 50 (c2 server / required)
- stealer 275 (optional module/exe)
- hidden apps 125 (optional module/exe)
- vnc/screencast 100 (optional module/exe)
- micro bot 150 (optional alternative bot - includes vps+domain+panel)
- proxy server 50 (optional for c2 server protection. bot > proxy > c2 server)
(*) prices are monthly
(*) xmr / btc / ltc / bch / eth / usdt / dai accepted
(*) vps/c2 panel re-setup 75 (if server/domain gets banned. add the proxy to avoid this)
(*) proxy server has pro/cons. discuss based on your needs. proxy re-setup [or add new] $50
CONTACTS
Jabber(OTR) + Tox. Request by PM.
SIZE
- build size is between ~500kb and ~1.3MB [depending con configs]
SETUP
vps+domain+panel are all setup by me, you get ready access to the panel
TERMS OF SERVICE
* each client gets a unique domain+vps services (not shared)
* your plan starts once the vps+domain is setup and you get access to the panel. if there is a delay between the payment and the setup, you won't lose any time of using the tool
* setup time (after payment confirmation) is done within 24hs (on normal conditions)
* your panel domain will be randomly generated. it cannot be changed or chosen
* no ssh/ftp/cpanel access will be provided directly to the vps service
* the panel source is not provided for self-installation
* refund is only done (in special cases) for the tool price only (not the vps/domain costs)
