CybserSecurity News

Tag: b3acon

  • b3acon: In-Memory C# IMAP C2 over Email

    b3acon is a mail based C2 that uses an in-memory, dynamically compiled C# IMAP client via PowerShell. It communicates entirely through standard email protocols, fetching commands from email drafts and sending execution results to the inbox.

    C2 framework, email C2

    Features

    • Command and Control via Email
    • In-memory dynamic C# compilation
    • Reads commands from email drafts
    • Sends output back to inbox via SMTP
    • Works with Yandex (other IMAP/SMTP providers may work with small adjustments)
    • Includes a Web Generator that outputs in:
      • PowerShell
      • HTA
      • VBS
      • JavaScript (WScript)
    • Optional Base64 encoding for PowerShell
    • Supports both fixed and randomized delay options

    How It Works

    1. You (the operator) create a draft email:

      • The Subject is the command ID — a number between 0 and 9999 (e.g., 101)
      • The Body contains the actual PowerShell command: 
        Get-Process

    2. The script runs on the target system and:

      • Connects to IMAP and reads the Drafts folder
      • Skips any draft IDs that have already been executed
      • Executes new commands found in draft bodies
      • Sends the result back to the same inbox via SMTP

    3. Output delivery:

      • If the command produces output (e.g., Get-Process), it will appear in the Inbox as an email with subject: 
        Output of command ID 101
      • If the command generates no output (e.g., Start-Process calc.exe), the email will still be sent with a message confirming successful execution.

    4. To issue new commands:

      • Create a new draft or modify an existing one with a new numeric subject (e.g., 102103, etc.)
      • Already-executed IDs will be skipped unless the script is restarted

    HTML Script Generator

    The project includes a self-contained HTML file that lets you generate scripts via browser.

    Generator Features

     

    • Configuration for:
      • IMAP/SMTP servers
      • Username, password, ports
      • Fixed delay (in seconds)
      • Optional randomized delay (e.g., 30–90 seconds)
    • Output options:
      • PowerShell (raw, editable, copy-paste)
      • HTA
      • VBS
      • JS (for WScript)
    • Optional:
      • Base64-encoded PowerShell payload
      • Auto-embed in HTA/VBS/JS wrappers

    Supported Output Types

    Format Base64 Execution-Ready
    PowerShell Yes Yes
    HTA Yes Yes
    VBS Yes Yes
    JS (WScript) Yes Yes

    Download