gitmyhub

pupy

Python ★ 9.0k updated 2y ago ▣ archived

Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in Python and C

An open-source remote administration and post-exploitation framework for authorized penetration testing that runs entirely in memory across Windows, Linux, macOS, and Android.

Languages: Python, C, PowerShell. Setup: hard. Complexity: 5/5.

Pupy is an open-source remote administration and post-exploitation framework used in authorized security testing, penetration testing, and security research. It runs on Windows, Linux, macOS, and Android, and is written primarily in Python with some C components.

The defining feature is that Pupy runs entirely in memory: the Python interpreter and the modules the operator loads are executed from memory rather than being dropped to disk on the target, so the only on-disk artifact is whatever delivery vehicle carried the initial stage. A payload can be generated as an executable, a DLL, a Python file, a PowerShell script, or an Android APK. Once the payload connects back to the operator's server, the framework provides an interactive shell from which the full module library can be run against that session.

Communication between the server and a connected target goes through a layered transport system. Transports such as SSL, HTTP, and obfs3 are implemented as layers that can be stacked, so the traffic can be made to resemble ordinary web traffic or have its real protocol hidden from whoever is watching the wire. This matters to operators and equally to defenders studying how C2 traffic is disguised.
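A toy model of this layering, added here as an example and not taken from Pupy's code: three constructed layers (length framing, a repeating-key XOR standing in for an obfuscation layer such as obfs3, and an HTTP POST envelope) are chained so that what crosses the wire looks like a web request while the real message sits obfuscated in the body. The layer classes, the chain helper, the XOR key, and the host and path in the envelope are all assumptions made for this example; Pupy's own transport classes are not shown.

```python
"""Added example, not Pupy's own code: a toy model of a layered C2 transport.

Layers are stacked innermost first: length framing, a repeating-key XOR that
stands in for an obfuscation layer (it is NOT obfs3, just enough to hide the
plaintext from a casual look), and an HTTP POST envelope that makes the blob
look like ordinary web traffic. Host, path and key are made up for the example.
"""
import struct


class Layer:
    """One transport layer: wrap() on the way out, unwrap() on the way in."""

    def wrap(self, data: bytes) -> bytes:
        raise NotImplementedError

    def unwrap(self, data: bytes) -> bytes:
        raise NotImplementedError


class Framing(Layer):
    """Big-endian length prefix so message boundaries survive a byte stream."""

    def wrap(self, data: bytes) -> bytes:
        return struct.pack("!I", len(data)) + data

    def unwrap(self, data: bytes) -> bytes:
        (length,) = struct.unpack("!I", data[:4])
        if len(data) != 4 + length:
            raise ValueError("frame length mismatch")
        return data[4:]


class XorObfuscation(Layer):
    """Repeating-key XOR: symmetric, so wrap and unwrap are the same operation."""

    def __init__(self, key: bytes):
        if not key:
            raise ValueError("empty key")
        self.key = key

    def wrap(self, data: bytes) -> bytes:
        return bytes(b ^ self.key[i % len(self.key)] for i, b in enumerate(data))

    def unwrap(self, data: bytes) -> bytes:
        return self.wrap(data)


class HttpPostEnvelope(Layer):
    """Disguise: carry the inner bytes as the body of an HTTP POST."""

    HEADER = (b"POST /api/v1/sync HTTP/1.1\r\n"
              b"Host: updates.example.com\r\n"  # constructed, not a real C2 host
              b"Content-Type: application/octet-stream\r\n"
              b"Content-Length: %d\r\n\r\n")

    def wrap(self, data: bytes) -> bytes:
        return self.HEADER % len(data) + data

    def unwrap(self, data: bytes) -> bytes:
        head, sep, body = data.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("no end of headers")
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                if int(value.strip()) != len(body):
                    raise ValueError("Content-Length does not match body")
                return body
        raise ValueError("missing Content-Length")


class TransportChain:
    """Layers are given innermost first; sending applies them in that order,
    receiving peels them off in reverse."""

    def __init__(self, *layers: Layer):
        self.layers = layers

    def send(self, message: bytes) -> bytes:
        for layer in self.layers:
            message = layer.wrap(message)
        return message

    def recv(self, wire: bytes) -> bytes:
        for layer in reversed(self.layers):
            wire = layer.unwrap(wire)
        return wire


def build_chain() -> TransportChain:
    # The key is a constructed example value; a real transport negotiates keys.
    return TransportChain(Framing(), XorObfuscation(b"\x5a\xa5\x3c"), HttpPostEnvelope())


def on_the_wire(message: bytes) -> bytes:
    """What a network sensor sees for one message."""
    return build_chain().send(message)


def roundtrip(message: bytes) -> bytes:
    """Receiving side: peel the layers back off and recover the message."""
    return build_chain().recv(on_the_wire(message))


if __name__ == "__main__":
    wire = on_the_wire(b"run screenshot")
    print(wire.split(b"\r\n\r\n")[0].decode())
    print(roundtrip(b"run screenshot"))
```

The ordering is the point: the envelope is applied last on the way out and removed first on the way in, which is why a sensor that stops at the HTTP envelope learns almost nothing about what is inside. Pupy's real SSL and obfs3 layers also make the body look random, so detection has to rely on signals other than body content, such as destination reputation, body entropy, and beacon timing.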

The module library covers common post-exploitation tasks: running commands, transferring files, taking screenshots, recording keystrokes, opening an interactive shell, forwarding ports, running a SOCKS proxy, and gathering credentials. On Windows there are additional capabilities including process migration, in-memory execution of other programs, webcam snapshots, and microphone recording. On Android, GPS tracking and webcam access are included.

Pupy is built on rpyc, a Python remote-procedure-call library, so from the server shell the operator can work with Python objects living on the remote host as if they were local, including tab completion of remote attributes.

Payloads can carry embedded scripts called scriptlets that run on the target before any network session is established. Typical uses are setting up persistence, starting a keylogger, or checking whether the environment looks like a sandbox before connecting back.

The server is designed to run on Linux. The project is open source and documented through a wiki on GitHub.

Where it fits