nightshade_c4
README
Nightshade C4
(Project_Nightshade upgrade xox)
Document Dropper and C2 Framework.
by: ek0ms savi0r
Overview
Nightshade C4 generates weaponized documents (Excel, PDF, HTA, LNK) that deploy multi-stage, in-memory payloads with encrypted C2 communication, sandbox evasion, AMSI bypass, ETW patching, and anti-forensic countermeasures.
The framework consists of two components: a document generator and a C2 server. Documents are distributed to target systems; the C2 server manages implant sessions, queues commands, and collects results.
DISCLAIMER
For authorized security testing and Educational Purposes only.
Features
Payload Capabilities
- Three-tier payload system: Reverse shell (raw TCP), RCE beacon (HTTP C2), full implant (HTTP C2 + WMI persistence)
- Multi-stage staging: Stage 0 (sleep + DNS beacon, zero malicious static signature), Stage 1 (evasion preamble + decompress Stage 2), Stage 2 (implant execution)
- Evasion chain: AMSI bypass (4 polymorphic variants), ETW patching, multi-factor sandbox detection (VM model, analysis tools, disk count, disk size, RAM, CPU cores, username, boot time, process count)
- Beacon jitter: Variable 45-120s check-in intervals
- Payload obfuscation: Polymorphic PowerShell with random casing, backtick insertion, char encoding, GZip compression, junk comment injection
Document Types
| Type | Technique | Trigger | Persistence Required |
|---|---|---|---|
| Excel (.xlsx) | OLE Template Injection | User clicks "Enable Content" | No |
| PDF (.pdf) | OpenAction JavaScript | Document opens | No |
| HTA (.hta) | VBScript/JS execution | Document opens | No |
| LNK (.lnk) | Shortcut + obfuscated PowerShell | User double-clicks | No |
C2 Infrastructure
- HTTP staging server with TLS support
- DNS-based C2 channel (protocol-encoded commands in subdomain queries)
- Ngrok tunnel management (TCP and HTTP)
- Time-based domain rotation (hourly cycling through realistic domains)
- Custom domain support
Anti-Forensics
- Mark-of-the-Web (Zone.Identifier) automatic stripping
- File timestamp randomization (timestomping)
- Self-delete on completion
- Event log wiping (application, security, system, PowerShell operational)
Security
- AES-256-GCM authenticated encryption with HKDF-SHA256 key derivation
- Self-signed TLS certificate generation for HTTPS C2
- Database-logged request history and command audit trail
- Per-campaign encryption keys (auto-generated)
Installation
Requirements
- Python 3.9+
- Pip dependencies (see requirements.txt)
Setup
git clone https://github.com/ekomsSavior/nightshadeRANGER.git
cd nightshadeRANGER
pip install -r requirements.txt
For TLS support, the cryptography library is required (included in requirements.txt).
Ngrok (Optional)
For tunnel-based delivery:
wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz
tar -xzf ngrok-v3-stable-linux-amd64.tgz
sudo mv ngrok /usr/local/bin/
ngrok config add-authtoken YOUR_AUTHTOKEN_HERE
Usage
Interactive Document Generation
python3 nightshade.py generate
Walks through a wizard to configure:
- Encryption key (auto-generated or custom)
- Payload tier (1-3)
- C2 address and port
- Document type (xlsx, pdf, hta, lnk)
- Delivery method (ngrok, domain rotation, custom domain)
- Multi-stage payload toggle
- Anti-forensics options (self-delete, timestomping, MotW stripping, log wiping)
Headless Generation
python3 nightshade.py generate --headless --config config.yaml
Environment variables can also be used:
NIGHTSHADE_KEY="your-key" \
NIGHTSHADE_C2_URL="http://your-server:8080" \
NIGHTSHADE_TIER="2" \
NIGHTSHADE_DOC="xlsx" \
NIGHTSHADE_OUTPUT="Q3_Financials.xlsx" \
python3 nightshade.py generate --headless
Starting the C2 Server
# HTTP (default port 8080)
python3 nightshade.py serve
# HTTPS with TLS
python3 nightshade.py serve --tls --port 443
# Custom port
python3 nightshade.py serve --port 8080 --host 0.0.0.0
# With a specific encryption key
python3 nightshade.py serve --key "your-encryption-key"
When the server starts, it listens for:
- Template requests from documents (GET /template.ole)
- Implant check-ins (POST /c2/checkin)
- Command results (POST /c2/result)
- Administrative commands (POST /c2/command)
The server console provides interactive commands:
- sessions - List active implant sessions
- cmd <session_id> <command> - Queue a command for a specific session
- interact <session_id> - Open an interactive shell with a session
- history - View command history
- export - Export task results as CSV
- stats - Show server statistics
- help - Show available commands
- quit - Stop the server
DNS C2 Listener
python3 nightshade.py dns --domain c2.example.com --port 53
The DNS C2 handler encodes commands as subdomain queries. Implants resolve A/AAAA records for check-ins and receive commands via TXT record responses. This requires a nameserver that the target can resolve queries against.
DNS C2 console commands:
- sessions - List active DNS sessions
- cmd <session_id> <command> - Queue a command for a session
- results <session_id> - View session results
- quit - Stop the listener
Configuration File
# Create a default config
python3 nightshade.py config --init
# View current config
python3 nightshade.py config --show
Example config.yaml:
c2_url: "http://127.0.0.1:8080"
lhost: "127.0.0.1"
lport: 4444
tier: 2
doc_type: "xlsx"
output: "nightshade_output.xlsx"
template_url: ""
multi_stage: true
dns_c2: false
dns_domain: "dns-c2.local"
key: ""
TLS Certificate Management
# Generate a new certificate
python3 nightshade.py cert --generate --common-name nightshade-c2.local --campaign default
# List existing certificates
python3 nightshade.py cert --list
# Custom key size and validity
python3 nightshade.py cert --generate --key-size 4096 --validity 730
Certificates are stored in the certs/ directory and auto-loaded when starting the server with --tls.
Payload Architecture
Single-Stage
The document contains a compressed, encrypted PowerShell payload. When the template loads, it decrypts and executes the payload directly.
- Document opens -> OLE template fetches from C2 server
- Server returns encrypted payload
- Document decrypts and executes via PowerShell
Multi-Stage (3 Stages)
The document contains a minimal Stage 0 beacon. The payload is delivered in three stages to reduce document footprint and evade static analysis.
- Stage 0: Embedded in document. Sleeps 3-8 seconds, then resolves a DNS A/AAAA query or makes a simple HTTP GET request to check in. Contains no malicious logic visible to static analysis.
- Stage 1: Returned by the C2 server in response to the Stage 0 beacon. Contains AMSI bypass, ETW patch, sandbox detection, and the GZip-compressed Stage 2 payload.
- Stage 2: Decompressed and executed by Stage 1. The actual implant (reverse shell, RCE beacon, or full agent).
Tier 1: Reverse Shell
Direct TCP connection back to the C2 server. Best for immediate interactive access.
- Transport: Raw TCP
- Persistence: Scheduled task
- Shell: PowerShell interactive session
Tier 2: RCE Beacon
HTTPS beacon that checks in for commands and posts results. Best for stealthy command execution.
- Transport: HTTP C2
- Persistence: Scheduled task + Registry (HKCU run key)
- Protocol: Encrypted beacon with variable jitter
Tier 3: Full Agent
Maximum capability implant with redundant persistence.
- Transport: HTTP C2
- Persistence: Scheduled task + Registry + WMI event subscription
- Protocol: Encrypted beacon with modulus-based variable jitter
Evasion Chain
When a multi-stage payload executes, the following evasion sequence runs on the target system (not the operator's machine):
- Sleep delay: 3-8 seconds initial delay (evades sandbox timeouts)
- AMSI bypass: One of 4 polymorphic variants (registry patch, memory patch, amsiInitFailed flag, registry disable)
- ETW bypass: Patch .NET EventLogger.EventProviderEnabled
- Sandbox detection: Multi-factor check on VM model, analysis tools, disk count, disk size (<120GB), RAM (<2GB), CPU cores (<2), username patterns, boot time (<10 min)
- If sandbox detected: Payload silently exits with no indicators
- Mark-of-Web removal: Delete Zone.Identifier streams
- Timestomping: Randomize file timestamps
- Payload execution: Decompress and execute Stage 2
- Self-delete: Remove the document and temporary files (optional)
- Beacon jitter: Variable 45-120s between check-ins
C2 API Reference
| Endpoint | Method | Description |
|---|---|---|
| /template.ole | GET | Serve dropper template (validates User-Agent) |
| /c2/checkin | POST | Implant beacon (encrypted) |
| /c2/result | POST | Task result callback (encrypted) |
| /c2/command | POST | Submit command to session |
| /c2/sessions | GET | List active sessions |
| /c2/tasks | GET | View task queue (optional ?session_id=) |
| /c2/history | GET | Task history (supports ?format=csv) |
| /admin/stats | GET | Server statistics |
| /stage0/ |
GET | Stage 1 payload delivery endpoint |
Session Management
Sessions are tracked server-side with:
- Unique session ID generated per campaign
- IP address, hostname, and username of the implant
- Check-in count and timestamp
- Status (active/expired)
Commands are queued per-session. Each implant receives one command per check-in. Results are associated with the originating session and stored in the SQLite database.
OPSEC Notes
- The staging server rejects requests without legitimate Office or PDF User-Agent headers
- Encryption keys are per-campaign; each deployment should use a unique key
- No hardcoded IPs or domains in the framework -- all addresses are configurable
- Variable jitter prevents detection via fixed-interval beaconing patterns
- DNS C2 queries use base32 encoding to avoid base64 fingerprinting
- The C2 server validates session IDs on all check-in requests
- TLS certificates are self-signed; for production, use a trusted CA or internal CA
Architecture
+-----------------------+
| Nightshade C4 C2 |
| Server (Flask) |
| :8080 (HTTP/TLS) |
+-----------+-----------+
|
+---------------------+----------------------+
| | |
v v v
+-----------+ +-------------+ +-----------+
| Staging | | C2 Beacon | | Reverse |
| :8080 | | :8080/c2/* | | Shell |
| /template| | endpoints | | :4444 |
+-----+----+ +------+------+ +-----+-----+
| | |
v v v
Documents Implants TCP Shells
(xlsx/pdf/ (HTTP) (raw TCP)
hta/lnk)
+-------------------------------------------------------+
| DNS C2 Handler (:53/udp) |
| Subdomain-encoded check-in + commands |
+-------------------------------------------------------+
source code
files
- README.md
- c2/__init__.py
- c2/handlers/__init__.py
- c2/handlers/dns.py
- c2/protocol.py
- c2/server.py
- config.yaml
- core/__init__.py
- core/anti_forensics.py
- core/crypto.py
- core/evasion.py
- core/obfuscation.py
- documents/__init__.py
- documents/excel.py
- documents/hta.py
- documents/lnk.py
- documents/pdf.py
- documents/templates.py
- infrastructure/__init__.py
- infrastructure/domains.py
- infrastructure/ngrok.py
- infrastructure/tls.py
- nightshade.py
- payloads/__init__.py
- payloads/powershell.py
- payloads/shellcode.py
- payloads/stager.py
- payloads/vba.py
- requirements.txt
viewer
// click a file to view source