TitanC2 is an advanced Command & Control (C2) framework designed for Cybersecurity Education and Red Team Training. It simulates real-world APT scenarios including initial access, deep persistence (Systemd), and anti-forensics.
Warning
DISCLAIMER: This tool is developed for educational purposes and authorized testing only. Usage of this tool for attacking targets without prior mutual consent is illegal. The developer assumes no liability and is not responsible for any misuse or damage caused by this program.
- Systemd Service: Installs a camouflaged Linux service (
linux-system-health.service) that runs as a background daemon. - Auto-Healing: Uses
Restart=alwayslogic to automatically revive the shell if the process is killed by admins. - Crontab Backdoor: Classic persistence method included as a reliable fallback.
- Domain/DNS C2: Supports connecting via Domain Names (e.g.,
update.microsoft-services.com) instead of raw IPs to evade basic firewall blocks and hide the C2 IP. - HTTPS Simulation: Defaults to port 443 to blend in with legitimate web traffic.
- Surgical Wiper: Instead of
rm -rf(which is suspicious), it usessedto surgically remove only the attacker's traces (base64,titan, C2 domains) from~/.bash_historyand system logs.
- Stabilized Shell: Automatically upgrades dumb shells to interactive PTY shells (Python PTY spawning).
- Auto-Recon: Identifies the victim's true identity (User | Hostname | Public IP) immediately upon connection.
- Real-Time Streaming: Async I/O allows running commands like
pingortopwith real-time output.
# 1. Clone the repository git clone https://github.com/fadelegend/Titan-C2.git # 2. Enter directory cd Titan-C2 # 3. Install dependencies pip install requests rich # 4. Run the framework (Root recommended for binding port 443) sudo python3 titan_c2.py 
When you start TitanC2, it will ask for listener details. For a real-world scenario (VDS):
- C2 Domain/IP: Enter your VDS Public IP or a Domain pointing to it (e.g.,
c2.my-lab.com). Using a domain is recommended for OPSEC. - Listener Port: Recommended 443 (HTTPS) or 4444.
Create a targets.txt file in the same directory. Add your target URLs line by line
Inside the TitanC2 console, use the following commands:
run: Launches the mass-exploiter module. It sends the Next.js RCE payload to all targets intargets.txt.sessions: Lists all active reverse shell connections along with the victim's identity.interact <id>: Enters the interactive shell for the specified session ID.
Once inside a session (after running interact <id>), use these special "dot commands" to manage the victim:
| Command | Type | Description |
|---|---|---|
.persist_service | 🔥 Pro | Installs hidden Systemd Persistence (linux-system-health). Requires Root. |
.persist_cron | Installs Crontab Persistence (runs every minute). | |
.unpersist | 🧹 Clean | Removes all backdoors (Systemd & Cron) from the victim. |
.wipe | 🧽 Stealth | Anti-Forensics: Surgically removes attacker traces from logs and history using sed. |
.back | 🔙 | Backgrounds the current session and returns to the main menu. |
TitanC2 separates the Listener logic from the Payload logic to simulate professional C2 infrastructure:
- Listener: Multi-threaded socket server that handles incoming connections, upgrades PTY, and manages session state.
- Payload Generator: Creates a polyglot payload (Bash -> Base64 -> Node.js) compatible with CVE-2025-55182.
- Recon Module: Automatically runs
whoami,hostname, andcurl ifconfig.meupon connection to identify NAT'ed victims immediately.
This project is licensed under the MIT License - see the LICENSE file for details.
Developed for Cyber Security Education
"The quieter you become, the more you are able to hear."