NimPlant C2 : A Position Independent Code (PIC) Beacon

NimPlant C2 is a minimal Proof-of-Concept (PoC) beacon written in C, designed to operate as truly Position Independent Code (PIC) without relying on reflective loaders.

Developed by Tijme Gommers, this project showcases a beacon that is significantly smaller in size compared to traditional NimPlant beacons with reflective loaders, weighing in at approximately 30KB versus 800KB.

Key Features

• Position Independent Code (PIC): The beacon is compiled directly to PIC, allowing it to execute without fixed addresses. This is achieved by manually resolving imports and storing required data on the stack.
• AES Encryption: Data passed via JSON is encrypted using AES, enhancing security.
• Command Support: Currently supports several implant commands, including cat, cd, cp, ls, pwd, and whoami. Future development aims to add support for additional commands like mv, shell, and others.
• Metadata Retrieval: Capable of retrieving metadata and sending it back to the NimPlant server.

1. Clone the Repository: Start by cloning the NimPlant C2 repository.
2. Install Dependencies: Ensure you have MinGW installed.
3. Modify Settings: Adjust implant settings in the main function located in ./src/main.c as needed.
4. Compile: Use the make command to compile the code.
5. Usage: Load the generated shellcode.bin using a shellcode loader of your choice. An example loader is the Kong Loader, set to be released at BlackHat Asia in April 2025.

This project is currently in its early stages and is not production-ready.

Future enhancements include adding support for all implant configuration options, implementing jitter for sleep, and improving opsec measures such as string obfuscation.

Additionally, the project aims to achieve low coupling and high cohesion in its design.

NimPlant C2 is released under the GNU General Public License, version 2.0. Contributions and feature requests can be submitted via the issue tracker.