Nimbo-C2: simple and lightweight C2 framework written in Nim

by ddos · September 23, 2025

Nimbo-C2 agent supports x64 Windows & Linux. It’s written in Nim, with some usage of .NET on Windows (by dynamically loading the CLR to the process). Nim is powerful, but interacting with Windows is much easier and robust using Powershell, hence this combination is made. The Linux agent is slimier and capable only of basic commands, including ELF loading using the memfd technique.

All server components are written in Python:

HTTP listener that manages the agents.
Builder that generates the agent payloads.
Nimbo-C2 is the interactive C2 component that rule’em all!

Features

Build EXE, DLL, ELF payloads.
Encrypted implant configuration and strings using NimProtect.
Packing payloads using UPX and obfuscate the PE section names (UPX0, UPX1) to make detection and unpacking harder.
Encrypted HTTP communication (AES in CBC mode, key hardcoded in the agent and configurable by the config.jsonc).
Auto-completion in the C2 Console for convenient interaction.
File & Registry commands.
In-memory Powershell commands execution.
File download and upload commands.
Built-in discovery commands.
Screenshot taking, clipboard stealing, audio recording, and keylogger.
ETW & AMSI patching using indirect syscalls.
LSASS and SAM hashes dumping.
Shellcode injection using indirect syscalls.
Inline .NET assemblies execution.
Persistence capabilities.
UAC bypass methods.
Token impersonation and getsystem.
Setting implant process as critical (BSOD on termination).
(Linux) ELF loading using memfd in 2 modes.
And more !

Install & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal