Research-Grade Steganography Command & Control Framework
"The art of concealment is the essence of strategy."
Chimera is a sophisticated red-teaming and research framework designed to demonstrate the power of Steganography in covert communications. Unlike traditional C2 frameworks that rely on standard HTTP/S traffic—which is easily fingerprinted by modern EDRs and IDS/IPS systems—Chimera embeds all its command and control traffic inside legitimate-looking PNG images.
To a network analyst, the traffic appears as a user browsing a gallery or uploading profile pictures. In reality, every pixel carries encrypted instructions and exfiltrated data.
In an era of TLS inspection and sophisticated traffic analysis, hiding in plain sight is often more effective than hiding deep.
- 🕵️‍♂️ True Steganography: Payloads are not just appended to files; they are mathematically woven into the pixel data (LSB).
- 🔒 Military-Grade Encryption: Every transaction is encrypted with AES-256-GCM with unique nonces, ensuring perfect forward secrecy per session key.
- 🛡️ Mutual TLS (mTLS): Zero-trust networking. The verification works both ways—the agent verifies the server, and the server verifies the agent.
- 🚫 Anti-Replay Defense: Built-in defenses against packet capture replay attacks using timestamped nonces.
- 🧠 Robust State Management: Intelligent "Task Reaper" and Listener Health Checks prevent stale data and stuck tasks.
- 🖥️ Professional TUI: A sleek, developer-friendly terminal interface for managing operations without leaving your keyboard.
The communication follows a standard C2 beaconing pattern but with a visual twist:
- Beacon: The Agent takes its identity (ID, Hostname, OS), encrypts it, and embeds it into a `beacon.png`. It POSTs this image to the server.
- Server Response: The Server extracts the info, registers the agent, and checks for pending tasks.
- Tasking: If a task exists, the Server embeds the command into a `task.png` and returns it as the HTTP response.
- Result: The Agent downloads the image, extracts the command, executes it, and embeds the output into a `result.png` to send back.
Chimera uses Sequential LSB (Least Significant Bit) encoding across the R, G, and B channels of a PNG image.
- Capacity: `(Width * Height * 3) / 8` bytes.
- Mechanism: The last bit of every Red, Green, and Blue byte is replaced with a bit from the encrypted payload.
- Visual Impact: Modifying the LSB changes a color value by at most one level out of 255, which is imperceptible to the human eye.
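Seen from the defender's side, the mechanism above (every R, G, B sample's last bit overwritten by an encrypted, random-looking bit) has a statistical fingerprint: the counts of each value pair (2k, 2k+1) are driven towards equality. The following is an added example, not part of the Chimera project, implementing the classic pairs-of-values chi-square test for sequential LSB replacement; it works on a flat list of sample bytes with constructed cover and stego data, and the `threshold` of 2.0 is a heuristic chosen for the demo, not a calibrated p-value.

```python
"""Pairs-of-values chi-square test (Westfeld & Pfitzmann) for sequential LSB replacement.

Works on a flat list of 8-bit R,G,B samples rather than a PNG file, so it runs
offline with no image library; the cover and stego data below are constructed.
"""
import random
from typing import Sequence


def capacity_bytes(width: int, height: int) -> int:
    """Payload an LSB channel over R, G, B can carry: (W * H * 3) / 8 bytes."""
    return (width * height * 3) // 8


def chi_square_pov(samples: Sequence[int], threshold: float = 2.0) -> dict:
    """Score how evenly each value pair (2k, 2k+1) is split.

    Overwriting every LSB with random-looking (encrypted) bits pushes the counts
    of 2k and 2k+1 towards equality, so chi2/dof collapses to about 1. Untouched
    images usually keep an uneven split and score far higher. The threshold is
    a heuristic chosen for this demo, not a calibrated p-value.
    """
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue  # a value pair absent from the image contributes nothing
        chi2 += (even - expected) ** 2 / expected
        pairs += 1
    dof = max(pairs - 1, 1)
    ratio = chi2 / dof
    return {"chi2": chi2, "dof": dof, "ratio": ratio, "lsb_suspicious": ratio < threshold}


def make_demo_samples(n: int, seed: int = 7) -> tuple[list[int], list[int]]:
    """Constructed data: a cover whose histogram favours even values 3:1 (standing
    in for a natural image's uneven histogram) and a copy with every LSB replaced
    by a random bit, simulating a fully embedded encrypted payload."""
    rng = random.Random(seed)
    weights = [3 if v % 2 == 0 else 1 for v in range(256)]
    cover = rng.choices(range(256), weights=weights, k=n)
    stego = [(v & 0xFE) | rng.getrandbits(1) for v in cover]
    return cover, stego


if __name__ == "__main__":
    cover, stego = make_demo_samples(capacity_bytes(200, 100) * 8)  # samples = W*H*3
    for name, data in (("cover", cover), ("stego", stego)):
        r = chi_square_pov(data)
        print(f"{name}: chi2={r['chi2']:.1f} dof={r['dof']} ratio={r['ratio']:.2f} "
              f"suspicious={r['lsb_suspicious']}")
```

Feeding it the decoded pixel bytes of a real PNG (for example via Pillow's `Image.tobytes()`) turns it into a quick triage check for images seen in suspicious upload traffic; note the test only flags embedding that fills most of the image sequentially, which is exactly the scheme described above.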
- Algo: AES-256-GCM (Galois/Counter Mode).
- Key: Pre-shared key (environment variable) derived into session keys.
- Identity: x509 Certificates (Client & Server) for mTLS.
- Linux/macOS is recommended for the server.
- Python 3.11+
- Go 1.21+ (for compiling agents)
The included chimera.sh script handles everything: virtual environments, dependencies, and certificate generation.
```bash
git clone https://github.com/username/chimera.git
cd chimera
chmod +x chimera.sh
./chimera.sh
```

Launch the unified dashboard:

```bash
./chimera.sh
```

Select Option 1. You will be guided through a wizard:
- LHOST/LPORT: The address your agent should connect to (e.g., your IP, or `0.tcp.ngrok.io`).
- Stego Carrier: The tool will automatically create a dummy carrier image or use `assets/carrier.png`.
- Output: You get a loader binary (`chimera_loader`) and optionally a detached image.
Select Option 2. This spins up the Python C2 server on port 8443 (default).
- Note: The server requires mTLS. Random scanners hitting the port will be dropped immediately during the TLS handshake.
Select Option 3 to enter the interactive shell.
| Command | Description | Example |
|---|---|---|
| `agents` / `list` | Show all active and offline agents | `list` |
| `interact <ID>` | Enter the context of a specific agent | `interact agent-1a2b` |
| `results` | Show recent task outputs | `results` |
| `reset_db` | [DANGER] Wipe database and disconnect all agents | `reset_db` |
Once inside an interact session:
| Command | Description |
|---|---|
| `<shell_cmd>` | Run any shell command (e.g., `ls`, `whoami`, `cat /etc/passwd`) |
| `background <cmd>` | Run a long-running task in the background |
| `back` | Return to the main menu |
Chimera supports operations behind NAT.
Using Ngrok (TCP Mode):
Since we use mTLS, you cannot use `ngrok http`. You must use TCP tunneling to pass the encrypted TLS handshake through intact.
- Start Ngrok: `ngrok tcp 8443`
- Note the forwarded address, e.g., `0.tcp.ngrok.io:12345`.
- Generate Payload:
  - External Access: Yes
  - Domain: `0.tcp.ngrok.io`
  - Port: `12345`
If you have a VPS but want to run the C2 logic locally:
```text
# In chimera.sh -> Option 4
Local Port: 8443
Remote Port: 8443
SSH Target: user@my-vps.com
```

This is safer than running the C2 directly on a VPS, as the database remains on your local machine.
```mermaid
graph TD
    subgraph Target Machine
        A[Agent Binary]
        L[Loader]
        A <-->|IPC| L
    end
    subgraph "The Internet / Network"
        T[Traffic: PNG Files]
    end
    subgraph C2 Infrastructure
        S["Python Server (aiohttp)"]
        Q[Command Queue]
        DB[(SQLite DB)]
        TUI[C2 Console]
    end
    L -- Encrypted Beacon --> T
    T --> S
    S -- Check Tasks --> Q
    Q -- Task ID --> S
    S -- Stego Image --> T
    T -- Download --> L
    L -- Execute --> A
    S <--> DB
    TUI <--> DB
```
THIS SOFTWARE IS FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY.
- Use this tool only on systems you own or have explicit written permission to test.
- The authors renounce all responsibility for illegal use.
- This project demonstrates how attackers use covert channels; use this knowledge to build better defenses.
We welcome pull requests!
- Fork the repo.
- Create a feature branch.
- Commit your changes.
- Open a Pull Request.
Please see CONTRIBUTING.md for style guides.
Distributed under the MIT License. See LICENSE for more information.
