
This repository simulates a Discord-based C2 and demonstrates how to retrieve forensic artifacts from associated webhook URLs and bot tokens. It is intended strictly for educational and authorized testing purposes. Any unlawful use is prohibited. —KAiZ3n


bruning-frighting/DiscBackDoor


Go-DiscordC2: A Mini BackDoor for Red Team & DFIR Training

This repository contains the source code for a proof-of-concept (PoC) Command and Control (C2) framework that leverages the Discord platform for communication. The agent is written in Go, making it cross-platform compatible and difficult to reverse-engineer due to its obfuscated nature.

This project is intended for educational purposes, security research, and professional training only. It serves as a practical example for both offensive (Red Team) and defensive (DFIR/Blue Team) security professionals.


⚠️ Disclaimer

This tool is for authorized testing and educational purposes only. The author is not responsible for any misuse or damage caused by this program. Do not use it on any system you do not own or have explicit permission to test. Unauthorized use of this software is illegal.


Core Features

  • Discord-Based C2: Utilizes Discord bots and webhooks for covert command dispatch and data exfiltration, blending in with legitimate traffic.
  • Layered Encryption: C2 traffic is encrypted with AES-GCM. The AES key is derived from a secondary key that is protected using an RC4 stream cipher, adding complexity for forensic analysis.
  • Full-Featured Agent: Supports remote command execution, file/folder upload and download, and chunked transfers for large files.
  • Windows Persistence: Implements a persistence mechanism via registry modification.
  • Stealth: Runs silently on Windows by hiding the console window and obfuscating its source code.

Project Structure

.
├── go-agent/
│   ├── exec_secure.go      # Main agent logic & C2 loop
│   ├── crypto.go           # Encryption/decryption functions (AES, RC4)
│   ├── utils.go            # Helper functions (command execution, file ops)
│   ├── Normal.txt          # C2 Config: BotToken|ChannelID|WebhookURL
│   ├── Default.txt         # Crypto Config: Key1|EncryptedKey2
│   ├── Registry.txt        # Persistence Config: EncHive|EncFilePath|EncKeyName
│   ├── go.mod
│   └── go.sum
├── analysis-tools/
│   ├── extractDiscord.py   # Python script to pull evidence from Discord
│   └── dec.py              # Python script to decrypt exfiltrated data
└── README.md

For Red Team Operators

This tool provides a lightweight, adaptable agent for initial access and post-exploitation.

Operational Advantages

  • Low-Fidelity C2 Channel: Using Discord makes detection harder, as all traffic is directed towards a legitimate, high-reputation domain (discord.com).
  • Encrypted & Obfuscated: The combination of AES-GCM encrypted payloads and obfuscated Go binaries makes static and dynamic analysis challenging for defenders.
  • Simple Configuration: The agent is configured via embedded text files, allowing for easy modification of tokens, keys, and persistence settings before compilation.

Command Structure

  • Shell Command: any command not matching below
  • Download: download:|<URL>|<destination_filepath>
  • Upload File: UPLOAD|<filepath>
  • Upload Folder: UPLOADFOLDER|<alias> (Supported aliases: DESKTOP, DOCUMENTS, DOWNLOADS)
  • Persistence: persist

For DFIR / Blue Team Professionals

This agent simulates a real-world threat and provides an excellent opportunity to test and enhance detection and response capabilities.

Indicators of Compromise (IOCs)

Network-Based

  • DNS & HTTP/S Traffic: Monitor for persistent connections to discord.com and cdn.discordapp.com from non-browser processes. The default Go `Go-http-client/1.1` user-agent is a strong indicator.
  • API Endpoints: Look for POST requests to /api/v10/webhooks/... and GET requests to /api/v10/channels/.../messages.
  • Data Exfiltration Pattern: Data is sent as multipart/form-data POST requests containing a .txt file attachment to a Discord webhook URL.
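The three network indicators above can be turned into a small triage rule set. The following is an added example for defenders, not code from the DiscBackDoor project: it reads proxy or EDR network records in an assumed JSON-lines schema (the field names `process`, `method`, `host`, `path`, `user_agent`, `content_type` and `attachment` are assumptions), tags each record with the IOCs it matches, and counts repeated polls of the channel `messages` endpoint per process to surface beaconing. The sample log lines are constructed.

```python
"""Flag network records that match the README's Discord C2 indicators.

Added example for defenders; not part of the DiscBackDoor project.
The JSON-lines schema and the sample records below are constructed.
"""
import json
import re

DISCORD_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com"}
# Processes for which Discord traffic is expected; extend for your estate.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "discord.exe"}
WEBHOOK_RE = re.compile(r"^/api/v\d+/webhooks/\d+/[A-Za-z0-9_-]+")
CHANNEL_MSG_RE = re.compile(r"^/api/v\d+/channels/\d+/messages")
POLL_THRESHOLD = 3  # channel polls per process before we call it beaconing (tune for real data)
HIGH_CONFIDENCE = {"go_default_user_agent", "webhook_post", "txt_exfil_via_webhook"}

# Constructed sample: one real browser session, a Go agent polling its command
# channel and posting a .txt attachment to a webhook, and unrelated noise.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","process":"chrome.exe","method":"GET","host":"discord.com","path":"/channels/@me","user_agent":"Mozilla/5.0","content_type":""}
{"ts":"2024-05-01T10:00:05Z","process":"svchost_upd.exe","method":"GET","host":"discord.com","path":"/api/v10/channels/1122334455/messages?limit=1","user_agent":"Go-http-client/1.1","content_type":""}
{"ts":"2024-05-01T10:00:10Z","process":"svchost_upd.exe","method":"GET","host":"discord.com","path":"/api/v10/channels/1122334455/messages?limit=1","user_agent":"Go-http-client/1.1","content_type":""}
{"ts":"2024-05-01T10:00:15Z","process":"svchost_upd.exe","method":"GET","host":"discord.com","path":"/api/v10/channels/1122334455/messages?limit=1","user_agent":"Go-http-client/1.1","content_type":""}
{"ts":"2024-05-01T10:00:20Z","process":"svchost_upd.exe","method":"POST","host":"discord.com","path":"/api/v10/webhooks/9988776655/abcDEF_token","user_agent":"Go-http-client/1.1","content_type":"multipart/form-data; boundary=xyz","attachment":"17_cmd_output_1714557620.txt"}
{"ts":"2024-05-01T10:00:25Z","process":"discord.exe","method":"GET","host":"cdn.discordapp.com","path":"/avatars/1/2.png","user_agent":"Discord/1.0","content_type":""}
{"ts":"2024-05-01T10:00:30Z","process":"curl.exe","method":"GET","host":"example.com","path":"/","user_agent":"curl/8.0","content_type":""}
"""


def score_record(rec):
    """Return the list of IOC names a single record matches (empty if none)."""
    hits = []
    if rec.get("host", "").lower() not in DISCORD_HOSTS:
        return hits
    proc = rec.get("process", "").lower()
    if proc and proc not in EXPECTED_CLIENTS:
        hits.append("discord_from_non_browser")
    if rec.get("user_agent", "").startswith("Go-http-client/"):
        hits.append("go_default_user_agent")
    method = rec.get("method", "").upper()
    path = rec.get("path", "")
    if method == "POST" and WEBHOOK_RE.match(path):
        hits.append("webhook_post")
        multipart = rec.get("content_type", "").lower().startswith("multipart/form-data")
        if multipart and rec.get("attachment", "").lower().endswith(".txt"):
            hits.append("txt_exfil_via_webhook")
    if method == "GET" and CHANNEL_MSG_RE.match(path):
        hits.append("channel_messages_poll")
    return hits


def severity(hits):
    """High if any strong indicator fired, otherwise medium."""
    return "high" if HIGH_CONFIDENCE & set(hits) else "medium"


def detect(lines):
    """Parse JSON-lines records; return (alerts, processes that poll repeatedly)."""
    alerts, polls = [], {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hits = score_record(rec)
        if not hits:
            continue
        proc = rec.get("process", "")
        if "channel_messages_poll" in hits:
            polls[proc] = polls.get(proc, 0) + 1
        alerts.append({"line": n, "process": proc, "hits": hits, "severity": severity(hits)})
    beaconers = [p for p, c in polls.items() if c >= POLL_THRESHOLD]
    return alerts, beaconers


if __name__ == "__main__":
    found, beacons = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"line {a['line']:>2} {a['severity']:<6} {a['process']:<18} {', '.join(a['hits'])}")
    print("repeated channel polling by:", beacons)
```

Point `detect()` at the exported records of your proxy or EDR after mapping its column names onto the assumed schema; the `discord_from_non_browser` tag alone is medium confidence by design, because legitimate automation also talks to Discord, while the Go user-agent and webhook attachment upload are what raise a record to high.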

Host-Based

  • Process Spawning: The agent may spawn cmd.exe /C or powershell.exe -WindowStyle Hidden. Monitor for unusual parent-child process relationships.
  • Persistence Artifacts: A new value is appended to a registry key (e.g., HKCU\...\Run, HKLM\...\Userinit) to execute a copied payload on startup.
  • File System Artifacts: Creation of the agent binary in an unusual location (e.g., %APPDATA%, %TEMP%) or downloaded files from C2 commands.
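The host-based indicators map onto three Sysmon event types: process creation (event 1), file creation (event 11) and registry value set (event 13). The block below is an added example for defenders, not code from the DiscBackDoor project. It assumes Sysmon-style JSON-lines events with the field names `EventID`, `Image`, `CommandLine`, `ParentImage`, `TargetFilename`, `TargetObject` and `Details`, and flags a hidden `cmd.exe /C` or `powershell.exe -WindowStyle Hidden` child of a binary living in a user-writable directory, a `Run` value or `Userinit` entry that points at such a binary, and an executable dropped there. The sample events are constructed.

```python
"""Triage Sysmon-style host events against the README's host-based indicators.

Added example for defenders; not part of the DiscBackDoor project.
The event schema and the sample events below are constructed.
"""
import json
import re

# Directories from which a C2 agent would typically be copied and launched.
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Parents from which an interactive shell is ordinarily expected (extend per estate).
EXPECTED_SHELL_PARENTS = ("\\explorer.exe", "\\cmd.exe", "\\powershell.exe", "\\services.exe")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
CMD_C_RE = re.compile(r"\s/c(\s|$)", re.IGNORECASE)

# Constructed sample: a dropper copies itself to %APPDATA%, adds a Run value,
# appends itself to Userinit and spawns hidden shells; line 5 is benign noise.
SAMPLE_EVENTS = r"""
{"EventID":11,"Image":"C:\\Users\\alice\\Downloads\\invoice.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\svchost_upd.exe"}
{"EventID":13,"Image":"C:\\Users\\alice\\Downloads\\invoice.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","Details":"C:\\Users\\alice\\AppData\\Roaming\\svchost_upd.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /C whoami","ParentImage":"C:\\Users\\alice\\AppData\\Roaming\\svchost_upd.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -WindowStyle Hidden Get-Process","ParentImage":"C:\\Users\\alice\\AppData\\Roaming\\svchost_upd.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /C dir","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":13,"Image":"C:\\Users\\alice\\AppData\\Roaming\\svchost_upd.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit","Details":"C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\svchost_upd.exe,"}
"""


def in_suspicious_dir(path):
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def check_process(ev):
    """Hidden shell (cmd /C or powershell -WindowStyle Hidden) from an odd parent."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "")
    hidden_shell = (image.endswith("\\cmd.exe") and CMD_C_RE.search(cmd)) or (
        image.endswith("\\powershell.exe") and "-windowstyle hidden" in cmd.lower())
    if not hidden_shell:
        return None
    if in_suspicious_dir(parent):
        return ("high", "shell_spawned_from_user_writable_parent")
    if not parent.lower().endswith(EXPECTED_SHELL_PARENTS):
        return ("medium", "shell_spawned_from_unexpected_parent")
    return None


def check_registry(ev):
    """Run-key value or Userinit entry pointing at a user-writable binary."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if RUN_KEY_RE.search(target) and in_suspicious_dir(details):
        return ("high", "run_key_points_to_user_writable_binary")
    if target.lower().endswith("\\winlogon\\userinit"):
        entries = [e.strip() for e in details.split(",") if e.strip()]
        if any(not e.lower().endswith("\\userinit.exe") for e in entries):
            return ("high", "userinit_value_has_extra_entry")
    return None


def check_file(ev):
    """Executable written into %APPDATA% or a temp directory."""
    name = ev.get("TargetFilename", "")
    if name.lower().endswith(".exe") and in_suspicious_dir(name):
        return ("medium", "executable_dropped_in_user_writable_dir")
    return None


HANDLERS = {1: check_process, 11: check_file, 13: check_registry}


def triage(lines):
    """Return one finding per event that matches a rule, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        handler = HANDLERS.get(ev.get("EventID"))
        result = handler(ev) if handler else None
        if result:
            findings.append({"line": n, "severity": result[0], "rule": result[1],
                             "image": ev.get("Image", "")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS.splitlines()):
        print(f"line {f['line']:>2} {f['severity']:<6} {f['rule']:<42} {f['image']}")
```

The `Userinit` rule is the one to watch most closely: that value is a comma-separated list and the agent's persistence appends to it, so the check treats any entry other than `userinit.exe` itself as a finding rather than looking for a specific path. Corroborate a hit by pulling the referenced binary and checking it for the embedded `Normal.txt`, `Default.txt` and `Registry.txt` configuration strings before feeding them to the analysis tools below.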

Forensic Analysis Tools

A suite of Python tools is provided to collect and analyze evidence from the C2 channels.

1. Evidence Collection (extractDiscord.py)

This script connects to the Discord API to download all messages and attachments from the C2 channels.

Setup:

pip install requests tqdm pycryptodome

Execution: You need the Bot Token, Command Channel ID, and Webhook URL, which can be extracted from the malware's embedded configuration files.

# Provide all three values in a single string
python analysis-tools/extractDiscord.py --combo "BOT_TOKEN|CHANNEL_ID|WEBHOOK_URL"

The script will create an evidence_discord_<TIMESTAMP> directory containing all collected messages, attachments, and metadata.

2. Data Decryption (dec.py)

This script decrypts the exfiltrated files downloaded by extractDiscord.py.

Setup: You need the Default.txt file (containing key1 and encrypted_key2) from the malware configuration. Place it in the analysis-tools directory.

Execution:

# Decrypt a file from the evidence directory
python analysis-tools/dec.py path/to/evidence_discord_.../attachments/123_cmd_output_....txt

The decrypted content will be printed to the console. You can redirect the output to a file:

python analysis-tools/dec.py <input_file> > decrypted_content.txt
