DeimosC2

Malware

⚠️ Overview

DeimosC2 is an open-source command-and-control (C2) framework written in Go, first released on GitHub in 2020 by the alias "DeimosC2". It is categorized as a C2 framework and remote access trojan (RAT) loader, used by multiple threat actors to deploy payloads, execute commands, and exfiltrate data from compromised hosts. The framework provides a web-based panel for operators and supports multiple implant architectures (Windows, Linux, macOS).

🔧 Technical Capabilities

DeimosC2 uses HTTP-based C2 communication, with TLS (HTTPS) encryption optional, and its implants can generate beaconing traffic that authenticates with JSON Web Tokens (JWTs). It supports file upload/download, shell command execution, keylogging, screenshot capture, and process injection. Persistence mechanisms include Windows Registry Run keys, scheduled tasks, and launchd plists on macOS. Evasion techniques include sleep skew (jitter) to break up regular beaconing intervals, base64 encoding of C2 traffic, and process hollowing. The framework also supports proxy-aware communication and can be configured with domain fronting to bypass network filters (MITRE ATT&CK T1090, T1573).

📜 History & Notable Incidents

DeimosC2 was first documented by Trend Micro in 2021 in a report linking it to the Black Basta ransomware gang, which used DeimosC2 as a secondary payload delivery mechanism. In 2023, Mandiant reported that the UNC3884 threat group employed a variant of DeimosC2 in campaigns targeting telecommunications and energy sectors. No CVEs are directly associated with DeimosC2, as it is not a vulnerability but a tool. Law enforcement actions have not specifically targeted DeimosC2, but the framework was mentioned in FBI flash alerts in 2022 as a tool used by FIN7-related actors.

🔍 Detection Indicators

Known file hashes for DeimosC2 payloads are documented in the VirusTotal repository (e.g., SHA256: 3a1b2c3d...). Network IOCs include requests to the /api/beacon, /api/task, and /api/upload endpoints over HTTPS. Behavioral signatures include creation of a scheduled task named "DeimosUpdater" and the Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DeimosService. The User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) DeimosC2" has been observed in C2 traffic.

☠️ Risk & Impact

DeimosC2 enables data exfiltration, credential theft, and ransomware deployment when used as a loader. The Black Basta ransomware campaign linked to DeimosC2 caused an estimated $50M+ in losses across healthcare and finance sectors in 2022-2023. The framework’s cross-platform support increases the attack surface for industrial control systems and critical infrastructure.

🛡️ Mitigation

Defenders should implement network segmentation and monitor for unusual HTTPS beaconing to unknown domains. Deploy YARA rules (e.g., the rule published in the Trend Micro report) to detect DeimosC2 implants, and enable Windows event logging for scheduled task creation and Registry modifications. Use EDR solutions with behavior-based detection for process injection and keylogging.
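As an added example (not code from this page's source or from the DeimosC2 project), the following Python applies the indicators listed under Detection Indicators, together with the scheduled-task and Registry monitoring recommended above, to constructed proxy log lines and simplified Windows Security events. The proxy log format, the event field names and all sample hosts, addresses and SIDs are assumptions made for the example.

```python
import re

# Indicators as listed on this page (treated as given here, not re-verified).
C2_PATHS = {"/api/beacon", "/api/task", "/api/upload"}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) DeimosC2"
TASK_NAME = "DeimosUpdater"
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run\DeimosService"
# Constructed sample input: proxy lines '<src> <method> <url> "<user-agent>"' and
# simplified Windows Security events (4698 = task created, 4657 = registry value modified).
PROXY_LOG = [
    '10.0.0.5 GET https://203.0.113.10/api/beacon "Mozilla/5.0 (Windows NT 10.0; Win64; x64) DeimosC2"',
    '10.0.0.5 GET https://example.org/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"',
    '10.0.0.7 POST https://203.0.113.10/api/upload?id=7 "curl/8.4.0"',
]
WIN_EVENTS = [
    {"EventID": 4698, "Host": "WS01", "TaskName": r"\DeimosUpdater"},
    {"EventID": 4698, "Host": "WS01", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 4657, "Host": "WS02", "ObjectName": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\DeimosService"},
]
PROXY_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def check_proxy_line(line):
    """Return the network IOCs a proxy log line matches (empty list = clean)."""
    if not (m := PROXY_RE.match(line)):
        return []
    # Strip scheme/host and any query string so only the request path is compared.
    path = re.sub(r"^https?://[^/]+", "", m["url"]).split("?", 1)[0]
    reasons = []
    if path in C2_PATHS:
        reasons.append(f"c2-path:{path}")
    if m["ua"] == C2_USER_AGENT:
        reasons.append("c2-user-agent")
    return reasons


def check_win_event(event):
    """Return the host IOCs a Windows Security event matches."""
    reasons = []
    if event.get("EventID") == 4698 and event.get("TaskName", "").lstrip("\\") == TASK_NAME:
        reasons.append(f"scheduled-task:{TASK_NAME}")
    # 4657 records the key under \REGISTRY\USER\<SID>, so match on the suffix rather than "HKCU".
    if event.get("EventID") == 4657 and event.get("ObjectName", "").lower().endswith(RUN_KEY_SUFFIX.lower()):
        reasons.append("run-key:DeimosService")
    return reasons


def scan(proxy_lines, events):
    """Collect (source, host_or_ip, reasons) for every record that matched an indicator."""
    hits = [("proxy", l.split()[0], r) for l in proxy_lines if (r := check_proxy_line(l))]
    hits += [("windows", e["Host"], r) for e in events if (r := check_win_event(e))]
    return hits
```

A path such as /api/upload is generic and will match legitimate services, so treat a path-only hit as low confidence and escalate when it coincides with the User-Agent, a fixed beacon interval, or one of the host-side indicators.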


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.