Nightmangle is post-exploitation Telegram Command and Control (C2/C&C) Agent, created by @1N73LL1G3NC3.
It was developed as Proof of Concept (POC), that Telegram API can be used by threat actors for post-exploitation and to control their agents..
Nightmangle uses Telegram as a C2 server to communicate between the attacker and the client. However, it can only set one Telegram bot API per payload. This means that if you want to infect another machine, you need to build a new payload with a new Telegram bot API.
Please keep in mind that these Agent has been developed and shared for educational purposes only! Any misuse of this info will not be the responsibility of the author.
0123456789:XXXXxXXxxxXxX3x3x-3X-XxxxX3XXXXxx3X
.Bot::new("0123456789:XXXXxXXxxxXxX3x3x-3X-XxxxX3XXXXxx3X")
.9876543210
.ConfigParameters {bot_maintainer: UserId(9876543210)}
.$ rustup update nightly
$ rustup override set nightly
# Windows PowerShell
$ cargo build --release
Fully written in Rust
Help - Display help info. /help
ShowDir - Show content of specified directory. /showdir {dirname}
SendFile - Get specified file from victim. /sendfile {filepath}
Task - Execute specified shell commnd. /task cmd.exe /c {command}
Imperun - Impersonate and run (Token Duplication UAC Bypass) /imperun {list/exec} {pid} {cmd.exe /c whoami}
Screenshot - Take screenshot. /screenshot
St3al3r - Steal saved credentials from browsers (Firefox, Edge, Chromium, Chrome, Brave) /st3al3r
Coffee is a custom implementation of the original Cobalt Strike’s beacon_inline_execute. It supports most of the features of the Cobalt Strike compatibility layer, based on Coffee. To use these module, select BOF file with name ends with ‘.o’ like whoami.x64.o
to send.
Arguments for the BOF can be passed as caption to the message. Each argument must be prefixed with the type of the argument followed by a colon (:). The following types are supported:
str - A null-terminated string
wstr - A wide null-terminated string
int - A signed 32-bit integer
short - A signed 16-bit integer
Based on ClrOxide, it will load the CLR in the current process, resolve mscorlib, run your executable and return output back to the Telegram chat.
Imperun uses a token, stolen from an elevated process, to launch an elevated process of the attacker’s choosing, based on Impersonate-RS.
Just select file to send and add caption with destination directory, to the message.
The files required to build and run Malcolm are available on its [GitHub page]({{ site.github.repository_url…
The versatile capabilities of Androguard, a powerful tool for reverse engineering Android applications. This guide…
Netis Cloud Probe (Packet Agent, name used before)is an open source project to deal with…
The RdpStrike is basically a mini project I built to dive deep into Positional Independent Code (PIC)…
According to Veeam official advisory, all the versions BEFORE Veeam Backup Enterprise Manager 12.1.2.172 are vulnerable Usage…
delve into CVE-2024-26229, a critical security vulnerability identified within the csc.sys driver, pivotal in handling…