Introduction to 0xC2

What is 0xC2?

0xC2 AB is a Swedish company committed to providing an advanced cross-platform Command and Control (C2) framework with in-depth user customization, built on Position-Independent Code (PIC) tradecraft and specialized for monitored environments. All sales by 0xC2 are regulated under EU export controls for dual-use items. Additionally, we have implemented multiple controls that restrict who can purchase our products. We only sell to larger established teams with a minimum of 5+ years of experience in threat simulation. This ensures our products are used by professionals and allows us to dedicate our company resources to continuous development rather than excessive training.

Why Choose 0xC2?

While most C2s on the market rely on a reflective loader (RDLL) to execute, 0xC2 agents are written as PIC in C, which makes them safer from an opsec standpoint by nature and gives the operator more flexibility when designing payloads: the agent executes independently from memory without performing any relocation, additional virtual memory allocation or thread creation.

Another drawback of existing commercial C2s has been the lack of Linux and macOS agents. Both operating systems are widely adopted and are often overlooked from a security perspective. To fill this gap, we have expanded the framework with PIC agents for both operating systems, running on x86_64 and ARM64 CPUs. The agents have been tailored to their respective operating systems and their real-world usage: the Linux agent is designed primarily for servers and runs with only glibc/musl dependencies (when SSL traffic is not specified), while the macOS agent is designed primarily for desktops, with additional support for multiple proxy authentication schemes and user monitoring.

Another core issue we address is the lack of either user-defined customization or built-in capabilities. We believe both problems are equally important to solve: clients should not have to commit to endless agent customization just to get an agent running, while the agents should still be tailorable to unique operational needs without disrupting the agent's opsec profile. The user customization for 0xC2 agents is called UDVT (User-Defined Virtual Table), a PIC program written by the operator from our template and attached when generating shellcode. A UDVT can extend injection methods, exit, and sleep, add custom protocols for P2P and external communication (built-in C3 client, and built-in C3 server for P2P), or add internal commands that execute in the agent's memory allocation. From the UDVT, you can access a limited set of internal agent functions, similar to a BOF, that can be used to send output to the C2 server or proxy API calls through the agent's opsec profile. The distribution of the 0xC2 software comes with boilerplates and example use cases for how the UDVT can be used, including but not limited to P2P C3 communication via SSH for *nix agents, sleep obfuscation, and external C3 communication. This approach also allows us to push features more rapidly, as we can update the UDVT template with more code without having to compile and push another release build of the entire framework, and we can provide older but still effective techniques without continually adding size to the default shellcode.

The 0xC2 UI and API server are designed with a focus on simplicity, efficiency, and flexibility, allowing operators to organize complex engagements with customizable features through a highly malleable profile that is set per listener. Additionally, the UI client and API server have an embedded Lua engine that provides scripting capabilities for automation and dynamic tasking. The server-side Lua runs in an isolated environment, allowing automated actions at check-in or on a timer, and custom callback parsing of data sent from dynamic execution or a UDVT. On the client side, Lua can be used for command scripting and for scripting object file execution, which works similarly to other C2 frameworks.

Key features of 0xC2 agents

  • UDVT customization
  • Built-in evasion techniques for user and kernel mode monitoring
  • Support for static and dynamic proxies
  • P2P communication
  • Reverse and reverse port-forward SOCKS5 proxy that is sleep-aware
  • Host and network reconnaissance
  • Dynamic code execution
  • Kill date and working hours based operation
  • Malleable profiles with full control over traffic (including packet size)
  • Hot-swappable runtime features, including agent profiles and listeners, so operators can switch between P2P and external modes dynamically

Contact us for more information.