Hybrid C/S Remote Access Trojan & Stealth Framework
❗ Notice: This project is under active development and may contain bugs.❗
(Caution: this is still being built and may contain many bugs.)
Snaky is a Windows Remote Access Trojan (RAT) and Command & Control (C2) framework developed for PoC (Proof of Concept) purposes.
Built with a hybrid architecture combining a high-performance Rust loader and a heavily obfuscated Nim stealth engine, it is designed to bypass modern EDR and AV solutions (this part is still being refined). This project integrates various attack techniques, fileless execution concepts, and real-time remote administration features.
This project was developed out of personal interest in cyber security research and EDR evasion techniques. Do not use this software for any illegal activities. The developer assumes no liability and is not responsible for any misuse or damage caused by this program. Use it only in authorized environments.
Antivirus software or EDRs may detect certain components and automatically block or delete them during the build process or execution. This is normal and expected behavior for offensive security tools.
For a deep dive into how the Rust implant, Cloudflare Worker, and Nim Stealth Engine interact, refer to the technical guide.
The Discord C2 interface mirrors a traditional terminal experience. Here is the full breakdown of supported commands categorized by their internal module routing. Prefix all commands with . (configurable).
root/
├── core/
│ ├── auth - C2 authentication & registration.
│ ├── help - List commands and detailed usage.
│ ├── info - Target recon (OS, hardware, perms).
│ ├── ping - Measure C2/Implant latency.
│ ├── shell - Execute direct CMD/PowerShell.
│ ├── exit - Shutdown the implant process.
│ ├── uninstall - Remove persistence and self-delete.
│ └── refresh - Restart the implant instance.
│
├── filesystem/
│ ├── ls & cd - Directory listing and navigation.
│ ├── mkdir & rm - Create or delete files/folders.
│ ├── cp & mv - Copy, move, or rename paths.
│ ├── cat - Read and display file contents.
│ ├── size - Calculate path size recursively.
│ ├── pwd - Print current working directory.
│ ├── search - Find files using glob patterns.
│ ├── upload - Drop files to target via Discord.
│ ├── download - Exfiltrate files from target to C2.
│ └── zip & unzip - Compress or extract archives.
│
├── system/
│ ├── process - Enum, kill, hollow, inject, or stomp.
│ ├── monitor - Real-time CPU, RAM, Disk telemetry.
│ ├── visible - Set executable window visibility.
│ ├── bsod - Trigger instant Blue Screen of Death.
│ ├── crashps - Crash target via PowerShell bomb.
│ ├── screen - Control brightness or turn off panels.
│ ├── remote - Live WebRTC-based screen share.
│ ├── record - Record desktop to MP4 video.
│ ├── stealer - Extract passes, tokens, and sessions.
│ ├── update - OTA binary update (attachment/URL).
│ ├── volume - Control system audio levels.
│ ├── windowops - Manage active windows (min/max/close).
│ └── kctshell - Silent execution via KCT hijacking.
│
├── utility/
│ ├── clipper - Crypto-wallet address swapper.
│ ├── clipboard - Get or set system clipboard text.
│ ├── jumpscare - Fullscreen image + max volume audio.
│ ├── screenshot - Capture multiple monitor displays.
│ ├── webcam - Stealthy camera frame capture.
│ ├── foreground - Sniff active window activity log.
│ └── openurl - Launch URLs in the default browser.
│
└── crypto_net/
  ├── netinfo - Public/Private IP & ISP metadata.
  └── nslookup - Perform forward/reverse DNS queries.
The deployment follows a logical sequence: Infrastructure Setup -> Client Configuration -> Final Compilation. Requires Rust (Windows GNU/MSVC) and Nim environments.
Before building the agent, you must have your C2 listener active to obtain your endpoint URLs.
- Install Wrangler CLI.
- Deploy the proxy handlers:
cd worker && wrangler deploy
cd ../screen-share-worker && wrangler deploy
- Copy the generated .workers.dev URLs
- Ensure Node.js 18+ is installed on your VPS.
- Setup and start:
cd worker && npm install && npm run start
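Seen from the defender's side, the setup above means the agent's traffic terminates at a .workers.dev hostname (or a VPS) rather than at a destination a browser would normally drive. The following hunt is an added example, not part of this project: it flags non-browser processes contacting .workers.dev hosts in process-attributed network telemetry. The CSV layout, hostnames, image paths and browser allowlist are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed process-attributed network events (the shape of EDR or Sysmon
# Event ID 3 exports). Every host, path and domain below is made up.
SAMPLE_EVENTS = r"""timestamp,host,image,dest_host
2024-05-01T10:00:05Z,WS-014,C:\Program Files\Google\Chrome\Application\chrome.exe,docs.example.workers.dev
2024-05-01T10:01:00Z,WS-022,C:\Users\alice\AppData\Roaming\upd\svc-helper.exe,sync.example.workers.dev
2024-05-01T10:02:00Z,WS-022,C:\Users\alice\AppData\Roaming\upd\svc-helper.exe,sync.example.workers.dev
2024-05-01T10:03:00Z,WS-022,C:\Users\alice\AppData\Roaming\upd\svc-helper.exe,sync.example.workers.dev
2024-05-01T10:03:30Z,WS-031,C:\Users\bob\Downloads\chrome.exe,edge.example.workers.dev
2024-05-01T10:04:00Z,WS-022,C:\Windows\System32\svchost.exe,update.example.com
"""

WATCHED_SUFFIXES = (".workers.dev",)                    # hosting suffix named on this page
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_browser(image):
    """A browser name only counts when it runs from an installed location."""
    path = image.lower()
    return path.rsplit("\\", 1)[-1] in BROWSERS and path.startswith(TRUSTED_ROOTS)


def hunt(events_csv, min_hits=1):
    """Group watched-suffix connections made by anything but a trusted browser."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(events_csv.strip())):
        dest = row["dest_host"].strip().lower().rstrip(".")
        if dest.endswith(WATCHED_SUFFIXES) and not is_trusted_browser(row["image"]):
            seen[(row["host"], row["image"], dest)].append(row["timestamp"])
    findings = [
        {"host": h, "image": i, "dest": d, "count": len(ts),
         "first": min(ts), "last": max(ts)}
        for (h, i, d), ts in seen.items() if len(ts) >= min_hits
    ]
    return sorted(findings, key=lambda f: f["count"], reverse=True)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Legitimate software also uses Workers-hosted endpoints, so a hit is a triage lead to check against the image's path, signer and first-seen time, not a verdict.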
Now, inject your infrastructure details into the agent's source code.
- C2 Endpoints: Edit snaky_rust_win/src/settings.rs
  - Paste your Cloudflare/VPS URLs into C2_PRIMARY and C2_BACKUP.
  - Set a strong SHARED_SECRET (must match the secret in your Worker/Server config).
- Stealth Identity: Edit snaky_rust_win/stego_strings.json
  - Customize command names and descriptions to evade pattern-based detection.
- Visual Branding: Replace snaky_rust_win/assets/setting.ico
  - Simply overwrite this file with your desired .ico file to change the executable icon.
This generates the core evasion module.
cd nim_stealth
nim c -d:release --app:lib --cpu:amd64 --opt:size --out:../snaky_rust_win/stealth.dll libstealth.nim
Transform the DLL into a polymorphic blob using the XOR wrapper.
cd ../snaky_rust_win
python encrypt_stealth.py
The Rust compiler will bundle the encrypted Nim engine and the steganographic assets.
cargo build --release
The final, ready-to-use agent is located at: target/release/snaky.exe.
- Quality Assurance (Refactoring & Bug Fixes)
- Linux Support (Cross-Platform Implementation)
- Additional Plugin Support
- Deep DNS Tunneling & C2 over DNS
- Advanced Rootkit Capabilities
This project is licensed under the MIT License - see the LICENSE file for details.
Salute to all cyber security professionals, malware researchers, and offensive tool developers who share their knowledge with the community!

