The Nim Shadow: Conquest C2 Redefines Stealth for 2026 Red Teams
Conquest is a feature-rich, extensible and malleable command & control/post-exploitation framework developed for penetration testing and adversary simulation. Conquest’s team server, operator client and agent have all been developed from scratch using the Nim programming language and are designed with modularity and flexibility in mind. It features custom C2 communication via binary packets over HTTP, a client GUI developed using Dear ImGui and the Monarch agent, a modular C2 implant aimed at Windows targets.
Features
- Flexible operator GUI client developed using Dear ImGui
- HTTP listeners with support for callback hosts (Redirectors)
- Support for malleable C2 profiles (TOML)
- Customizable payload generation
- Encrypted C2 communication leveraging AES256-GCM and X25519 key exchange
- Sleep obfuscation via Ekko, Zilean or Foliage with support for call stack spoofing
- In-memory execution of COFF/BOF files
- In-memory execution of .NET assemblies
- Token impersonation
- AMSI/ETW patching using hardware breakpoints
- Compile-time string obfuscation
- Wide selection of built-in post-exploitation modules
- Looting and loot management (downloads & screenshots)
- Logging of all operator activity
- Self-destruct functionality
- Agent kill date & working hours
- Fully written in Nim
The Conquest command & control framework consists of three major components that interact with each other in different ways. Together, they enable penetration testers and red teamers to remotely control systems, transfer files and more. The diagram below shows Conquest’s overall architecture.
The Conquest team server is the core of the framework, as its main responsibility is serving the HTTP listeners with which the C2 agents communicate and queuing the tasks that are issued by the operator client. The team server further manages data about agents, listeners and loot in the Conquest database and records all agent and operator activity in log files. The team server exposes a WebSocket interface on port 37573 by default, which is used by the operator client to connect to the team server. This port can be changed in the C2 profile in the [team-server] section.
[team-server]
port = 37573
bin/server -p data/profile.toml
Operator Client
The Conquest client is used by the operator to conduct the engagement. It is used for starting and stopping listeners, generating Monarch payloads and interacting with active agent sessions. The agent console is used to send commands to the agent and display the output. Currently, only one client can connect to the Conquest team server. By default, the client connects to localhost:37573, but the address and port can be specified on the command line as shown below.
bin/client -i <team-server-ip> -p <team-server-port>

More information about the user interface can be found here
The agent/implant/payload/beacon in Conquest is called Monarch. It is exclusively built to target Windows systems and can be equipped with different modules or commands during generation. An agent is compiled to connect to a specific listener and has its configuration embedded during the generation process. When it connects back to the team server, it can be tasked to execute the commands that have been built into it. Like most other C2 agents, the Monarch uses beaconing to check in with the team server periodically to poll for new tasks or to post the results of completed tasks. This is done over HTTP using a custom binary communication protocol, which is explained in more detail in subsequent sections.
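Periodic HTTP check-ins of the kind described above leave a timing pattern that defenders can measure in proxy logs. The following Python is an added example, not part of Conquest or of the original article: it groups requests per client and destination and flags flows whose gaps are unusually even. The log format, host names and thresholds are assumptions, and the sample lines are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, "timestamp client dest_host method path" (not real traffic).
SAMPLE_LOG = """\
2026-01-12T09:00:00 10.0.0.5 updates.example.test GET /v1/poll
2026-01-12T09:01:02 10.0.0.5 updates.example.test GET /v1/poll
2026-01-12T09:01:59 10.0.0.5 updates.example.test POST /v1/poll
2026-01-12T09:03:01 10.0.0.5 updates.example.test GET /v1/poll
2026-01-12T09:04:00 10.0.0.5 updates.example.test GET /v1/poll
2026-01-12T09:05:03 10.0.0.5 updates.example.test GET /v1/poll
2026-01-12T09:00:10 10.0.0.9 news.example.test GET /
2026-01-12T09:00:12 10.0.0.9 news.example.test GET /style.css
2026-01-12T09:07:40 10.0.0.9 news.example.test GET /article/1
2026-01-12T09:07:41 10.0.0.9 news.example.test GET /img/a.png
2026-01-12T09:31:05 10.0.0.9 news.example.test GET /article/2
2026-01-12T09:31:50 10.0.0.9 news.example.test GET /article/3
"""

def group_by_flow(log):
    """Collect request times per (client, destination) pair; skip malformed lines."""
    flows = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        try:
            ts, key = datetime.fromisoformat(parts[0]), (parts[1], parts[2])
        except (IndexError, ValueError):
            continue
        flows[key].append(ts)
    return flows

def beacon_candidates(log, min_events=5, max_cv=0.2):
    """Return {(client, dest): (median_gap_s, cv)} for evenly spaced flows."""
    # cv = stdev/mean of request gaps: low for a sleep timer, high for browsing.
    hits = {}
    for key, times in group_by_flow(log).items():
        if len(times) < max(min_events, 3):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[key] = (statistics.median(gaps), round(statistics.pstdev(gaps) / mean, 3))
    return hits

if __name__ == "__main__":
    print(beacon_candidates(SAMPLE_LOG))
```

An agent restricted to working hours goes quiet outside them, and those long gaps raise the coefficient of variation, so run the check over shorter time windows rather than a full day of logs.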
Install & Use