XoloC2

Open-source Command & Control framework for authorized penetration testing.

|

Python Java Go PowerShell Zero target deps MIT License
Get Started Documentation GitHub
v0.7.0 PowerShell beacon — AMSI bypass · ETW disable · ScriptBlock logging disable · in-memory execution Full changelog →
4
Beacon types
8+
Delivery methods
3
Encryption modes
MIT
License

See it in action

Sessions Dashboard

Sessions Dashboard

Terminal & File Browser

Terminal & File Browser

PTY Shell + SOCKS5 Tunnel

PTY Shell + SOCKS5 Tunnel

Beacon Generator

Beacon Generator

Geographic Agent Map

Geographic Agent Map

Engagement Report

Engagement Report

Features

Four Beacon Types

Python, Java, Go, and PowerShell agents. Zero external dependencies on the target. Cross-platform Windows, Linux, and macOS.

Encrypted Comms

Unique XOR key per generation, per-request XOR + nonce encryption, and server-side AES key delivery. Two beacons from the same server have different static content.

Stager Delivery

AES-256-CBC encrypted payload delivery over one-time tokens. PS IEX, HTA, VBS, curl, wget, certutil and more — all from a single stager token.

SOCKS5 Tunnel

HTTP-tunnelled SOCKS5 proxy multiplexed over beacon polling. No extra tools on the target. Compatible with proxychains, Burp Suite, and any SOCKS5-aware tool.

Real-time PTY

Full interactive pseudo-terminal via xterm.js and WebSocket. CWD tracking across check-ins on both Windows and Linux.

OPSEC Features

Sandbox/VM detection, process masquerade, traffic camouflage with real browser User-Agents, kill date, heartbeat timeout, and background execution.

PowerShell Evasion

AMSI bypass, ETW disable, and ScriptBlock logging disable built into the PowerShell beacon. Executes in memory with no files on disk.

Network Topology

vis.js graph of discovered internal network. Run neighbors on any beacon to map nearby hosts and build a visual pivot map.

Security & Multi-user

JWT auth, TOTP/MFA, IP whitelist, rate limiting, bcrypt passwords, audit log, agent secret rotation, and webhook notifications.

Built for real engagements

Authorized penetration testing, red team operations, and lab environments.

Pentesting Engagements

  • Generate beacon per target scope
  • Stager delivery — no file on disk
  • Redirector hides real C2 IP
  • Engagement report with timeline & exfil
  • Kill date auto-cleanup post-engagement

Red Team Operations

  • Multi-operator with shared session pool
  • AMSI/ETW bypass on Windows targets
  • SOCKS5 pivot through compromised hosts
  • Network topology graph for pivot planning
  • Agent secret rotation between ops

Labs & CTFs

  • 1-command install on any Linux VPS
  • Python beacon — stdlib only, no setup
  • Full PTY shell in browser via xterm.js
  • Screenshot, file browser, process list
  • MIT license — use and modify freely

Project

Resources, release history, and usage guidelines.

Changelog

Latest: v0.7.0

Full release history — what was added, changed, or fixed in each version.

FAQ

Common questions about installation, beacons, pivoting, security, and updates.

Responsible Use

Legal requirements, authorization guidelines, and operator responsibilities.

Quick Install

Clone, install, and have your C2 running in minutes.

$ git clone https://github.com/Juguitos/XoloC2.git

$ cd XoloC2

$ bash install.sh

$ ./start.sh

Full Installation Guide