Beacons

| Beacon | Platform | Format | Dependencies |
|---|---|---|---|
| Python 3 | Windows · Linux · macOS | .py / ELF (PyInstaller) / EXE | None — stdlib only |
| Java 11 | Windows · Linux · macOS | .jar (ProGuard obfuscated) | JRE on target |
| Go 1.21 | Windows · Linux · macOS | ELF / EXE | None — statically compiled |
| PowerShell 5.1 | Windows | .ps1 | None — built-in to Windows |

Common features

All beacon types share:
- HTTPS polling — configurable sleep interval (1–300 s) and jitter % (0–80%)
- Multi-listener failover — primary C2 URL + unlimited fallback URLs
- Unique XOR key per generation — C2 URLs, agent secret, and sensitive strings are XOR-encoded with a fresh random key; two beacons from the same server have different static content
- Per-request XOR + nonce payload encryption — each request body is encrypted with a random nonce
- Server-side key delivery — optional mode where the beacon fetches its AES key at runtime; key never embedded in the binary
- Kill date — beacon self-destructs after the configured date
- Heartbeat timeout — beacon self-destructs if the C2 is unreachable for N days
- Persistence — Windows Registry Run key · Linux crontab @reboot
- Traffic camouflage — randomized real-browser User-Agents and Referer headers
- Sandbox detection — detects VMs, low CPU/RAM, sandbox usernames/hostnames, analysis tools, timing attacks
- Background execution — Windows: no-console process · Linux: double-fork daemon
- CWD tracking — current working directory persisted across check-ins
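The polling behaviour listed above (a fixed sleep with a bounded jitter percentage, plus User-Agent rotation toward one host) is what a defender can look for in proxy or egress logs. The following is an added detection example, not code from the project: it groups requests by (client, host), measures how regular the inter-arrival times are, and counts distinct User-Agent strings per pair. The log lines, hostnames and addresses are constructed for the example; the 0.8 jitter threshold mirrors the beacon's 80% jitter ceiling and is a heuristic, not a project constant.

```python
"""Beacon-polling heuristic over constructed proxy log lines (added example).

A sleep+jitter loop produces inter-arrival times clustered around one value;
ordinary browsing does not. A client that rotates browser User-Agents toward
a single host is a second, independent signal.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: "<ISO timestamp> <client> <host> <user agent>" per line.
# 10.0.0.5 polls with a ~60 s sleep and modest jitter; 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example-update.net Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0
2024-05-01T10:00:10 10.0.0.7 intranet.example.local Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0
2024-05-01T10:00:11 10.0.0.7 intranet.example.local Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0
2024-05-01T10:01:02 10.0.0.5 cdn.example-update.net Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1
2024-05-01T10:01:55 10.0.0.5 cdn.example-update.net Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0
2024-05-01T10:03:04 10.0.0.5 cdn.example-update.net Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0
2024-05-01T10:04:00 10.0.0.5 cdn.example-update.net Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1
2024-05-01T10:05:05 10.0.0.5 cdn.example-update.net Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0
2024-05-01T10:07:30 10.0.0.7 intranet.example.local Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0
2024-05-01T10:07:31 10.0.0.7 intranet.example.local Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0
2024-05-01T10:45:00 10.0.0.7 intranet.example.local Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, user_agent)."""
    events = []
    for line in text.strip().splitlines():
        ts, client, host, user_agent = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), client, host, user_agent))
    return events


def analyse(events, min_requests=5, max_jitter=0.8):
    """Score each (client, host) pair for beacon-like regularity.

    jitter_ratio is the largest deviation of any interval from the median
    interval, divided by the median; a sleep+jitter loop keeps it bounded.
    """
    by_pair = defaultdict(list)
    for ts, client, host, user_agent in events:
        by_pair[(client, host)].append((ts, user_agent))

    findings = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        times = [h[0] for h in hits]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(intervals)
        if med <= 0:
            continue
        jitter_ratio = max(abs(iv - med) for iv in intervals) / med
        findings[pair] = {
            "requests": len(hits),
            "median_interval": med,
            "jitter_ratio": round(jitter_ratio, 3),
            "distinct_user_agents": len({h[1] for h in hits}),
            "beacon_like": jitter_ratio <= max_jitter,
        }
    return findings


if __name__ == "__main__":
    for pair, info in analyse(parse_log(SAMPLE_LOG)).items():
        print(pair, info)
```

The User-Agent count is reported rather than folded into the score: a single host that receives Chrome, Safari and Firefox strings from one client within minutes is worth a look on its own, and a beacon built without traffic camouflage will not show it.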

PowerShell-specific

The PowerShell beacon adds:
- AMSI bypass — disables AMSI before loading the payload
- ETW disable — patches Event Tracing for Windows
- ScriptBlock logging disable — prevents PowerShell from logging executed code
- In-memory execution — no files written to disk

Available commands

All beacons respond to these commands from the operator panel:

| Command | Description |
|---|---|
| <any shell command> | Execute in the system shell |
| __ls__ [path] | File browser |
| __upload__ <remote_path> | Upload a staged file to target |
| __b64file__ <path> | Exfiltrate a file |
| __tunnel__ <port> | Start SOCKS5 proxy on given port |
| __tunnel__ stop | Stop SOCKS5 proxy |
| __pty__ | Open PTY shell (Python/Linux only) |
| find [path] <pattern> | Search files on target |
| screenshot | Capture screen |
| screenshot <N> | Auto-screenshot every N minutes |
| screenshot 0 | Stop screenshot schedule |
| ps | List running processes |
| kill <pid> | Kill a process |
| sleep <seconds> | Change sleep interval |
| neighbors | Discover internal network neighbors |

Encryption modes

All beacon types support three string-encryption modes, selectable in the generator:
| Mode | Label in UI | How it works |
|---|---|---|
| XOR | XOR (fast, basic) | C2 URLs, agent secret, and sensitive strings XOR-encoded with a unique random key per generation. Per-request payload also XOR+nonce encrypted. Default mode. |
| AES-256-CTR | AES-256 / SHA-256 CTR (strong) | Same XOR layer for static strings, but per-request payload encrypted with AES-256 in CTR mode. Key derived with SHA-256. Stronger payload confidentiality. |
| Server-side key | Server-side key delivery (strongest) | Beacon fetches its AES key from the C2 at first check-in. Key never embedded in the binary — not recoverable by static analysis. Requires a successful C2 connection to operate. |
When to use each:
- XOR — fast, no runtime overhead, no key-fetch round-trip. Sufficient for most engagements.
- AES-256-CTR — use when traffic may be captured and you want stronger payload confidentiality.
- Server-side key — use when binary forensics is a concern (e.g., target has EDR/memory forensics). The beacon is useless without the C2 key.
Two beacons generated from the same server always have different static byte content regardless of encryption mode — each generation uses a fresh random key.
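The table's distinction matters for analysis of a captured sample: a fresh XOR key per generation changes the bytes on disk, but a repeating XOR key is still recoverable from the ciphertext alone once a few bytes of plaintext are predictable (a C2 URL starts with `https://`). The following is an added example illustrating that point from the analyst's side, not code from the project; the key, URL and key-length search bound are constructed for the example, and the XOR scheme here is plain repeating-key XOR rather than the project's exact encoding.

```python
"""Known-plaintext recovery of a repeating XOR key (added analyst example).

If an encoded configuration string is known to start with "https://", the
first len(prefix) key bytes fall out directly; a key no longer than the
known prefix is recovered completely, regardless of how fresh it is.
"""

# Constructed sample: an 8-byte key and a placeholder C2 URL (not a real host).
SAMPLE_KEY = bytes.fromhex("5a3c91e7b244d80f")
SAMPLE_URL = b"https://c2.example.invalid/api/v1"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Derive a key_len-byte key from ciphertext and a known plaintext prefix.

    Each ciphertext byte is plaintext XOR key, so ciphertext XOR plaintext
    gives the key byte at that position. Requires len(known_prefix) >= key_len.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than candidate key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def recover_config(ciphertext: bytes, known_prefix: bytes = b"https://", max_key_len: int = 8):
    """Try key lengths 1..max_key_len; accept the first decoding that keeps the
    known prefix and is entirely printable ASCII. Returns (key_len, plaintext)
    or None when no candidate fits."""
    for key_len in range(1, max_key_len + 1):
        candidate = recover_key(ciphertext, known_prefix, key_len)
        plaintext = xor_bytes(ciphertext, candidate)
        if plaintext.startswith(known_prefix) and all(0x20 <= b < 0x7F for b in plaintext):
            return key_len, plaintext
    return None


SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_URL, SAMPLE_KEY)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT.hex())
    print("recovered :", recover_config(SAMPLE_CIPHERTEXT))
```

A key longer than the known prefix is not recovered in one step, but several encoded strings that share the same scheme prefix (primary plus fallback URLs) supply more known bytes, and in the XOR and AES modes the static key is present in the binary in any case. That is the property the server-side key mode removes, at the cost of needing a live C2 connection.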

Generating a beacon

From the web UI, go to Generate Beacon:
- Select beacon type (Python / Java / Go / PowerShell)
- Set your C2 URL(s) — primary + optional fallbacks
- Configure sleep interval, jitter %, optional kill date and heartbeat timeout
- Choose encryption mode (XOR / AES-256-CTR / Server-side key)
- Choose evasion options: traffic camouflage, sandbox detection, process masquerade
- Enable persistence if needed
- Set output filename
- Click Download (source) or Compile (binary)
Download vs Compile:
| Option | Output | Use when |
|---|---|---|
| Download | Raw source (.py, .ps1, .jar) | You want to inspect, modify, or stage via the stager system |
| Compile | Native binary (ELF/EXE for Python/Go, fat JAR for Java) | Target has Python/JRE available or you want a standalone executable |
Java compile uses ProGuard to obfuscate the JAR. Python compile uses PyInstaller (cross-compiled for Windows via Wine when building Windows EXE on Linux).