Phantom-C2 — Advanced Stealth PoC

Phantom-C2 is a professional Proof-of-Concept (PoC) demonstrating a stealthy Command & Control (C2) channel that leverages legitimate cloud APIs for transport and modern authenticated encryption for security.

Overview

Traditional security measures (EDR, Firewalls, DLP) often rely on domain reputation and known communication patterns. Phantom-C2 challenges this by using the Notion API as a transport layer, effectively "living off trusted services" (LoTS).

Key Features

  • Stealth Transport: Communicates over native HTTPS via api.notion.com, making it virtually indistinguishable from legitimate business traffic.
  • XChaCha20-Poly1305 Encryption: End-to-end encrypted communication using a 192-bit nonce, ensuring high collision resistance and performance.
  • Decoupled Architecture: Features a Python-based controller and a multi-platform stealth agent (Python/Go ready).
  • EDR Evasion: Bypasses many behavioral analysis tools by leveraging trusted SaaS infrastructure for command delivery and exfiltration.

Technical Deep Dive

Transport: Notion as a Dead Drop Resolver

Instead of establishing a direct connection, the controller injects encrypted tasks into a private Notion database. The agent periodically polls this database, decrypts the payload, and executes the command locally.
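The polling design described above is also what a defender can key on. The following is an added example, not code from the project: it scans constructed proxy-log lines and flags clients that request api.notion.com at near-constant intervals, the signature of a scripted dead-drop poll loop. The log format, the IP addresses and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the project): timestamp, client, host, path.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 api.notion.com /v1/databases/abc/query
2024-05-01T10:00:30Z 10.0.0.5 api.notion.com /v1/databases/abc/query
2024-05-01T10:01:00Z 10.0.0.5 api.notion.com /v1/databases/abc/query
2024-05-01T10:01:30Z 10.0.0.5 api.notion.com /v1/databases/abc/query
2024-05-01T10:02:00Z 10.0.0.5 api.notion.com /v1/databases/abc/query
2024-05-01T10:00:07Z 10.0.0.9 api.notion.com /v1/pages
2024-05-01T10:03:41Z 10.0.0.9 api.notion.com /v1/search
2024-05-01T10:09:02Z 10.0.0.9 api.notion.com /v1/blocks/xyz/children
2024-05-01T10:15:55Z 10.0.0.9 api.notion.com /v1/pages
2024-05-01T10:00:03Z 10.0.0.7 example.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Return {client_ip: [datetime, ...]} for requests to api.notion.com only."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, host, _path = m.groups()
        if host != "api.notion.com":
            continue
        seen[client].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return seen

def find_beacons(text, min_requests=4, max_cv=0.1):
    """Flag clients whose inter-request gaps are near-constant: cv = stdev/mean of the
    gaps sits near 0 for a timer-driven poll loop and far above it for a human user."""
    flagged = {}
    for client, stamps in parse_log(text).items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged[client] = {"interval_s": round(mean, 1), "cv": round(cv, 3), "requests": len(stamps)}
    return flagged
```

Legitimate Notion clients also sync on timers, so treat a hit as a triage lead to correlate with the requesting process and the owner of the integration token, not as a verdict. An agent that randomizes its poll interval raises the cv above the threshold and has to be caught on other signals, such as which endpoints and database IDs a host touches and how much it uploads.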

Cryptography

The tool uses the XChaCha20 stream cipher combined with the Poly1305 MAC for authenticated encryption. This provides:

  1. Confidentiality: Commands are unreadable even to the API provider.
  2. Integrity: Payloads cannot be tampered with in transit without detection.

Setup & Demo

1. Notion Integration

  1. Create a Notion Internal Integration.
  2. Create a private Database with columns: Command (Title) and Status (Select).
  3. Connect the Integration to your Database.

2. Environment Variables

Set the following on both the controller and the agent:

export NOTION_TOKEN="your_integration_token"
export NOTION_DB_ID="your_database_id"

3. Execution

  • Controller: python3 controller/main.py
  • Agent: python3 agent/main.py

Disclaimer

This project is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and unethical.


Developed as a showcase for advanced adversary simulation and secure communication architecture.
