FAQ
Installation & Setup
Does XoloC2 run on Windows as a server?
No. The server requires Linux. Ubuntu 22.04 LTS on a VPS is the recommended setup. The beacons run on Windows, Linux, and macOS targets.
Can I use a valid TLS certificate instead of the self-signed one?
Yes. Replace server/certs/cert.pem and server/certs/key.pem with your own certificate files. For a redirector VPS, use Let’s Encrypt:
    certbot certonly --standalone -d your-redirector.com
Then reference the Let’s Encrypt files in your web server config. The C2 itself can keep a self-signed cert since beacons are configured to skip cert verification.
Can I change the port after installation?
Edit start.sh and update the --port argument. If you have a systemd service, also update the ExecStart line in the service file and run systemctl daemon-reload.
Why does the installer ask about JDK and Go?
JDK is needed to compile Java beacons (.jar) server-side. Go is needed to cross-compile Go beacons (Linux ELF / Windows EXE). If you decline, those beacon types can still be downloaded as source and compiled manually.
Beacons
Why is PTY shell only available for Python beacons on Linux?
The full PTY requires a real Unix pseudo-terminal (pty.openpty()), which is Python-only in XoloC2’s current implementation. On Windows, the Python beacon uses PowerShell pipe mode instead. Java and Go beacons currently show “not supported” for PTY — use a Python beacon when you need a full interactive shell.
Why does my Go/Python compiled beacon get flagged by AV?
Static binaries and PyInstaller EXEs have well-known signatures. Obfuscation helps (ProGuard for Java, xPy + PyArmor + --strip for Python), but no beacon is guaranteed to evade all AV. For high-security targets, use the server-side key delivery encryption mode and consider delivering via the stager. The PowerShell beacon (-nop -w hidden) is the stealthiest option on Windows as it runs in-memory without touching disk.
What’s the difference between the three encryption modes?
| Mode | Best for |
|---|---|
| XOR (default) | Most engagements — fast, no overhead, different byte content per generation |
| AES-256-CTR | When traffic capture is a risk and you want stronger payload confidentiality |
| Server-side key | When binary forensics is a concern — AES key never in the binary, useless without C2 |
See Beacons → Encryption modes for full details.
Can I run the beacon without internet access on the target?
Yes, as long as the target can reach your C2 server (or redirector) over HTTPS. The beacon does not need external internet access — only connectivity to the C2 URL you configured.
Does the beacon support IPv6?
The beacon connects to whatever hostname/IP you configured as the C2 URL. If you use an IPv6 address as the C2 URL, the beacon connects over IPv6. No special configuration needed.
Pivoting & Networking
Can I run multiple SOCKS5 tunnels at the same time?
Yes. Each session can have its own tunnel on a different port:
    # Session A → port 1080
    __tunnel__ 1080
    # Session B → port 1081
    __tunnel__ 1081
Does the SOCKS5 tunnel support UDP?
No. UDP ASSOCIATE is not implemented. All TCP protocols work: HTTP, HTTPS, SSH, SMB, RDP, and more.
Why does Cloudflare block my beacon traffic?
Cloudflare inspects TLS SNI and may block non-browser traffic patterns. Use a dedicated redirector VPS (not proxied through Cloudflare) for C2 traffic. See the Redirectors tutorial.
Security & Operations
Can operators see each other’s sessions?
Yes. All operators share the same beacon pool. There is no per-operator session isolation — everyone sees the same Sessions list.
How do I promote a user to admin?
There is no UI for this. Edit the database directly:
    sqlite3 server/xoloc2.db "UPDATE users SET is_admin=1 WHERE username='username';"
What happens if I rotate the agent secret while beacons are active?
Active beacons receive the new secret on their next check-in and update automatically. The old secret stays valid until all beacons have rotated, so there is no outage. After rotation, beacons generated with the old secret stop working.
Where are exfiltrated files stored?
In server/uploads/ on the C2 server, organized by session ID. They are also accessible from the File Browser in the panel.
Does XoloC2 log operator activity?
Yes — the audit log (admin only) records: LOGIN, LOGIN_FAIL, TASK_SENT, FILE_UPLOAD, AGENT_DELETED, USER_CREATED, USER_DELETED, PASSWORD_CHANGED, SECRET_ROTATED. Filterable by user, action type, and date range.
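One way an admin could review an export of this audit log for signs of a taken-over operator account, as an added example that is not XoloC2 code. The (timestamp, user, action) record layout, the thresholds and the `review` function are assumptions; only the action names come from the list above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The (timestamp, user, action) layout is an
# assumption; only the action names come from the FAQ's list.
SAMPLE = [
    ("2024-05-01T09:00:00", "alice", "LOGIN"),
    ("2024-05-01T09:05:00", "alice", "TASK_SENT"),
    ("2024-05-01T23:10:00", "bob", "LOGIN_FAIL"),
    ("2024-05-01T23:10:20", "bob", "LOGIN_FAIL"),
    ("2024-05-01T23:10:40", "bob", "LOGIN_FAIL"),
    ("2024-05-01T23:11:00", "bob", "LOGIN"),
    ("2024-05-01T23:12:00", "bob", "USER_CREATED"),
    ("2024-05-01T23:13:00", "bob", "SECRET_ROTATED"),
]

# Actions that change accounts, credentials or the shared beacon pool.
SENSITIVE = {"USER_CREATED", "USER_DELETED", "PASSWORD_CHANGED",
             "SECRET_ROTATED", "AGENT_DELETED"}


def review(records, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (finding, user, action, timestamp) tuples in time order."""
    findings = []
    fails = defaultdict(list)   # user -> LOGIN_FAIL times still inside window
    suspect = set()             # users whose login followed a failure burst
    for ts_str, user, action in sorted(records):
        ts = datetime.fromisoformat(ts_str)
        recent = [t for t in fails[user] if ts - t <= window]
        if action == "LOGIN_FAIL":
            fails[user] = recent + [ts]
        elif action == "LOGIN":
            if len(recent) >= fail_threshold:
                # Flag stays set until an admin has reviewed the account.
                suspect.add(user)
                findings.append(("login_after_failures", user, action, ts_str))
            fails[user] = []
        elif action in SENSITIVE and user in suspect:
            findings.append(
                ("sensitive_after_suspect_login", user, action, ts_str))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding)
```
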
Updating
How do I update XoloC2?
    cd XoloC2
    cp server/xoloc2.db server/xoloc2.db.bak   # back up database
    git pull
    bash install.sh                             # re-run to apply any new dependencies
    ./start.sh
The database auto-migrates on startup — new columns are added without losing existing data.
Can I update without losing my sessions and data?
Yes. The database is preserved across updates. Always back up server/xoloc2.db before pulling, just in case.