Phantom-C2 is a professional Proof-of-Concept (PoC) demonstrating a stealthy Command & Control (C2) channel that leverages legitimate cloud APIs for transport and modern authenticated encryption for security.
Traditional security measures (EDR, Firewalls, DLP) often rely on domain reputation and known communication patterns. Phantom-C2 challenges this by using the Notion API as a transport layer, effectively "living off trusted services" (LoTS).
- Stealth Transport: Communicates over native HTTPS via api.notion.com, making it virtually indistinguishable from legitimate business traffic.
- XChaCha20-Poly1305 Encryption: End-to-end encrypted communication using a 192-bit nonce, ensuring high collision resistance and performance.
- Decoupled Architecture: Features a Python-based controller and a multi-platform stealth agent (Python/Go ready).
- EDR Evasion: Bypasses many behavioral analysis tools by leveraging trusted SaaS infrastructure for command delivery and exfiltration.
Instead of establishing a direct connection, the controller injects encrypted tasks into a private Notion database. The agent periodically polls this database, decrypts the payload, and executes the command locally.
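Because the agent polls a fixed SaaS endpoint on a schedule, the traffic that survives domain-reputation checks still leaves a timing signature in proxy or egress logs. The following is an added, defender-side example (not part of Phantom-C2) that scans constructed proxy log lines for sources whose requests to api.notion.com arrive at near-constant intervals; the log format, the hosts, the source IPs and the thresholds (min_requests, max_cv) are assumptions for illustration, and the Notion paths use placeholder identifiers.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic).
# Format assumed here: "<ISO timestamp> <source IP> <method> <host> <path>".
# 10.0.0.5 polls every ~30 s with tiny jitter; 10.0.0.9 looks like a human user.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 POST api.notion.com /v1/databases/DB_ID_PLACEHOLDER/query
2024-05-01T10:00:30 10.0.0.5 POST api.notion.com /v1/databases/DB_ID_PLACEHOLDER/query
2024-05-01T10:01:00 10.0.0.5 POST api.notion.com /v1/databases/DB_ID_PLACEHOLDER/query
2024-05-01T10:01:31 10.0.0.5 POST api.notion.com /v1/databases/DB_ID_PLACEHOLDER/query
2024-05-01T10:02:00 10.0.0.5 POST api.notion.com /v1/databases/DB_ID_PLACEHOLDER/query
2024-05-01T10:02:30 10.0.0.5 POST api.notion.com /v1/databases/DB_ID_PLACEHOLDER/query
2024-05-01T10:03:01 10.0.0.5 POST api.notion.com /v1/databases/DB_ID_PLACEHOLDER/query
2024-05-01T10:03:30 10.0.0.5 POST api.notion.com /v1/databases/DB_ID_PLACEHOLDER/query
2024-05-01T10:00:12 10.0.0.9 GET api.notion.com /v1/pages/PAGE_ID_PLACEHOLDER
2024-05-01T10:07:41 10.0.0.9 POST api.notion.com /v1/search
2024-05-01T10:22:03 10.0.0.9 PATCH api.notion.com /v1/pages/PAGE_ID_PLACEHOLDER
2024-05-01T10:23:15 10.0.0.9 GET api.notion.com /v1/pages/PAGE_ID_PLACEHOLDER
2024-05-01T10:51:00 10.0.0.9 POST api.notion.com /v1/search
2024-05-01T11:30:09 10.0.0.9 GET api.notion.com /v1/pages/PAGE_ID_PLACEHOLDER
2024-05-01T10:05:00 10.0.0.7 GET www.example.com /index.html
"""


def parse_log(text):
    """Yield (timestamp, source, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3]


def beacon_candidates(log_text, host="api.notion.com", min_requests=6, max_cv=0.1):
    """Return {source: {"requests": n, "mean_interval": s, "cv": c}} for sources
    whose inter-request gaps to `host` have a coefficient of variation <= max_cv.

    A low CV means the gaps are nearly identical, which is typical of a scheduled
    poll loop and atypical of interactive use of a SaaS API."""
    per_source = defaultdict(list)
    for ts, src, h in parse_log(log_text):
        if h == host:
            per_source[src].append(ts)

    flagged = {}
    for src, stamps in per_source.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[src] = {"requests": len(stamps), "mean_interval": mean, "cv": cv}
    return flagged


if __name__ == "__main__":
    for src, info in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src}: {info['requests']} requests, ~{info['mean_interval']:.0f}s apart, cv={info['cv']:.3f}")
```

Regular polling is also what a legitimate Notion desktop client or integration can look like, so a hit from this check is a lead to correlate with the originating process, the user account, request volume and the agent's own jitter settings, not a verdict on its own.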
The tool uses the XChaCha20 stream cipher combined with the Poly1305 MAC for authenticated encryption. This provides:
- Confidentiality: Commands are unreadable even to the API provider.
- Integrity: Payloads cannot be tampered with in transit without detection.
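To make the confidentiality and integrity claims concrete, here is an added pure-Python reference implementation of XChaCha20-Poly1305 (HChaCha20 sub-key derivation, ChaCha20 keystream, Poly1305 tag over padded AAD and ciphertext, as in RFC 8439 and the XChaCha draft). It is not Phantom-C2's code and is written only to show why a modified payload is rejected before any plaintext is released; the helper names, the sample task label and the use of a random 24-byte nonce per message are this example's own choices.

```python
import hmac
import secrets
import struct

MASK32 = 0xFFFFFFFF
_CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")
_P1305 = (1 << 130) - 5


def _rotl(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def _rounds20(state):
    """Ten double rounds (column then diagonal) applied in place."""
    for _ in range(10):
        _quarter_round(state, 0, 4, 8, 12); _quarter_round(state, 1, 5, 9, 13)
        _quarter_round(state, 2, 6, 10, 14); _quarter_round(state, 3, 7, 11, 15)
        _quarter_round(state, 0, 5, 10, 15); _quarter_round(state, 1, 6, 11, 12)
        _quarter_round(state, 2, 7, 8, 13); _quarter_round(state, 3, 4, 9, 14)


def _chacha20_block(key, counter, nonce12):
    state = [*_CONSTANTS, *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce12)]
    working = list(state)
    _rounds20(working)
    return struct.pack("<16I", *((w + s) & MASK32 for w, s in zip(working, state)))


def _hchacha20(key, nonce16):
    """Derive the 256-bit sub-key from the first 16 bytes of the 24-byte nonce."""
    state = [*_CONSTANTS, *struct.unpack("<8I", key), *struct.unpack("<4I", nonce16)]
    _rounds20(state)
    return struct.pack("<8I", *(state[:4] + state[12:]))


def _chacha20_xor(key, nonce12, counter, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _chacha20_block(key, counter + i // 64, nonce12)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def _poly1305(otk, msg):
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clamp
    s = int.from_bytes(otk[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block is read little-endian with a 0x01 byte appended beyond its length.
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % _P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)


def _setup(key, nonce24):
    if len(key) != 32 or len(nonce24) != 24:
        raise ValueError("key must be 32 bytes and nonce 24 bytes")
    subkey = _hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]
    otk = _chacha20_block(subkey, 0, nonce12)[:32]  # block 0 feeds the one-time MAC key
    return subkey, nonce12, otk


def _tag(otk, aad, ct):
    return _poly1305(otk, _pad16(aad) + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct)))


def encrypt(key, nonce24, plaintext, aad=b""):
    """Return ciphertext || 16-byte Poly1305 tag."""
    subkey, nonce12, otk = _setup(key, nonce24)
    ct = _chacha20_xor(subkey, nonce12, 1, plaintext)
    return ct + _tag(otk, aad, ct)


def decrypt(key, nonce24, ciphertext, aad=b""):
    """Verify the tag in constant time first; only then release plaintext."""
    if len(ciphertext) < 16:
        raise ValueError("ciphertext too short")
    ct, tag = ciphertext[:-16], ciphertext[-16:]
    subkey, nonce12, otk = _setup(key, nonce24)
    if not hmac.compare_digest(_tag(otk, aad, ct), tag):
        raise ValueError("authentication failed: payload modified or key/nonce mismatch")
    return _chacha20_xor(subkey, nonce12, 1, ct)


def tamper_is_detected(key=None):
    """Flip one ciphertext bit and confirm decryption refuses it (hypothetical helper)."""
    key = key or secrets.token_bytes(32)
    nonce = secrets.token_bytes(24)  # 192-bit random nonce, safe to draw at random per message
    aad = b"task-id:PLACEHOLDER"      # constructed label bound to the message but sent in clear
    sealed = encrypt(key, nonce, b"ping", aad)
    flipped = bytes([sealed[0] ^ 0x01]) + sealed[1:]
    try:
        decrypt(key, nonce, flipped, aad)
    except ValueError:
        return True
    return False
```

The order in decrypt is the point: the tag covers both the associated data and the ciphertext and is checked before any keystream is applied, so a relay that edits a record in the database, or reattaches a ciphertext to a different task label, is rejected rather than producing garbled but "accepted" output. This pure-Python code is for reading, not deployment; it is slow and its big-integer arithmetic is not constant-time, so a real agent should use a libsodium binding, and the same key must never be reused with the same nonce.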
- Create a Notion Internal Integration.
- Create a private Database with columns: Command (Title) and Status (Select).
- Connect the Integration to your Database.
Set the following on both the controller and the agent:
export NOTION_TOKEN="your_integration_token"
export NOTION_DB_ID="your_database_id"
- Controller: python3 controller/main.py
- Agent: python3 agent/main.py
This project is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and unethical.
Developed as a showcase for advanced adversary simulation and secure communication architecture.