ArachneC2

Go · ★ 252 · updated 3d ago

Decentralized C2 framework built on libp2p

Arachne C2 is a Go-based command-and-control framework for authorized red-team testing that routes implant communications over a decentralized peer-to-peer network (IPFS/DHT) instead of a fixed server, making traffic harder to block or attribute.

Go · IPFS · libp2p · Ed25519 · DHT · PTY · ConPTY · setup: hard · complexity 4/5

Arachne C2 is a command-and-control framework written in Go for red-team security testing. A command-and-control framework is a tool that security professionals use during authorized penetration tests to remotely manage software agents (called implants) installed on target machines. Arachne's distinguishing feature is that it uses a decentralized peer-to-peer network rather than a traditional central server.

Instead of a fixed server IP or domain that could be blocked or taken down, Arachne routes communications through the same peer-to-peer network that powers IPFS, a distributed file system. The implants and the operator's console are all treated as equal peers in that network, discovered via a distributed hash table. Messages are encrypted and signed with Ed25519 keys, so implants will only accept commands from the operator who built them. Each implant has a unique keypair embedded at build time, giving it a persistent identity across restarts.

The operator console is a command-line interface that lists connected implants and lets you select one to work with. Available commands include running arbitrary shell commands, listing files and processes, changing directories, opening an interactive shell session, forwarding local ports through the implant, and uploading or downloading files. The interactive shell uses a proper terminal session (PTY) on Linux and macOS, and a hidden ConPTY session on Windows.

Implants are compiled from a single operator binary that embeds the implant source and can cross-compile for Linux, macOS, and Windows. Build options include code obfuscation (which strips function names, package paths, and string literals), binary compression, a quiet mode that hides the process on the target, and a VM detection mode that runs over 65 detection techniques and exits cleanly if the binary appears to be running inside a virtual machine analysis environment. Cover traffic is also generated to obscure the regular beacon timing from network observers.

The project is inspired by Sliver, another open-source red-team framework. It is licensed under GPLv3.

Where it fits