b3acon: In-Memory C# IMAP C2 over Email
b3acon is a mail based C2 that uses an in-memory, dynamically compiled C# IMAP client via PowerShell. It communicates entirely through standard email protocols, fetching commands from email drafts and sending execution results to the inbox.
Features
- Command and Control via Email
- In-memory dynamic C# compilation
- Reads commands from email drafts
- Sends output back to inbox via SMTP
- Works with Yandex (other IMAP/SMTP providers may work with small adjustments)
- Includes a Web Generator that outputs in:
- PowerShell
- HTA
- VBS
- JavaScript (WScript)
- Optional Base64 encoding for PowerShell
- Supports both fixed and randomized delay options
How It Works
-
You (the operator) create a draft email:
- The Subject is the command ID — a number between
0and9999(e.g.,101) - The Body contains the actual PowerShell command:
Get-Process
- The Subject is the command ID — a number between
-
The script runs on the target system and:
- Connects to IMAP and reads the
Draftsfolder - Skips any draft IDs that have already been executed
- Executes new commands found in draft bodies
- Sends the result back to the same inbox via SMTP
- Connects to IMAP and reads the
-
Output delivery:
- If the command produces output (e.g.,
Get-Process), it will appear in the Inbox as an email with subject:Output of command ID 101 - If the command generates no output (e.g.,
Start-Process calc.exe), the email will still be sent with a message confirming successful execution.
- If the command produces output (e.g.,
-
To issue new commands:
- Create a new draft or modify an existing one with a new numeric subject (e.g.,
102,103, etc.) - Already-executed IDs will be skipped unless the script is restarted
- Create a new draft or modify an existing one with a new numeric subject (e.g.,
HTML Script Generator
The project includes a self-contained HTML file that lets you generate scripts via browser.
Generator Features
- Configuration for:
- IMAP/SMTP servers
- Username, password, ports
- Fixed delay (in seconds)
- Optional randomized delay (e.g., 30–90 seconds)
- Output options:
- PowerShell (raw, editable, copy-paste)
- HTA
- VBS
- JS (for WScript)
- Optional:
- Base64-encoded PowerShell payload
- Auto-embed in HTA/VBS/JS wrappers
Supported Output Types
| Format | Base64 | Execution-Ready |
|---|---|---|
| PowerShell | Yes | Yes |
| HTA | Yes | Yes |
| VBS | Yes | Yes |
| JS (WScript) | Yes | Yes |
