b3acon: In-Memory C# IMAP C2 over Email

by ddos · Published · Updated

b3acon is a mail based C2 that uses an in-memory, dynamically compiled C# IMAP client via PowerShell. It communicates entirely through standard email protocols, fetching commands from email drafts and sending execution results to the inbox.

C2 framework, email C2

Features

  • Command and Control via Email
  • In-memory dynamic C# compilation
  • Reads commands from email drafts
  • Sends output back to inbox via SMTP
  • Works with Yandex (other IMAP/SMTP providers may work with small adjustments)
  • Includes a Web Generator that outputs in:
    • PowerShell
    • HTA
    • VBS
    • JavaScript (WScript)
  • Optional Base64 encoding for PowerShell
  • Supports both fixed and randomized delay options

How It Works

  1. You (the operator) create a draft email:

    • The Subject is the command ID — a number between 0 and 9999 (e.g., 101)
    • The Body contains the actual PowerShell command: 
      Get-Process

  2. The script runs on the target system and:

    • Connects to IMAP and reads the Drafts folder
    • Skips any draft IDs that have already been executed
    • Executes new commands found in draft bodies
    • Sends the result back to the same inbox via SMTP

  3. Output delivery:

    • If the command produces output (e.g., Get-Process), it will appear in the Inbox as an email with subject: 
      Output of command ID 101
    • If the command generates no output (e.g., Start-Process calc.exe), the email will still be sent with a message confirming successful execution.

  4. To issue new commands:

    • Create a new draft or modify an existing one with a new numeric subject (e.g., 102103, etc.)
    • Already-executed IDs will be skipped unless the script is restarted

HTML Script Generator

The project includes a self-contained HTML file that lets you generate scripts via browser.

Generator Features

 

  • Configuration for:
    • IMAP/SMTP servers
    • Username, password, ports
    • Fixed delay (in seconds)
    • Optional randomized delay (e.g., 30–90 seconds)
  • Output options:
    • PowerShell (raw, editable, copy-paste)
    • HTA
    • VBS
    • JS (for WScript)
  • Optional:
    • Base64-encoded PowerShell payload
    • Auto-embed in HTA/VBS/JS wrappers

Supported Output Types

Format Base64 Execution-Ready
PowerShell Yes Yes
HTA Yes Yes
VBS Yes Yes
JS (WScript) Yes Yes

Download

Tags: b3aconC# IMAPC2 frameworkemail command and controlPowerShellthreat intelligence