Ghost-C2 v3.6.3 — "DNS Domain Rotation & Protocol Hardening"

Ghost-C2 v3.6.3 — "DNS Domain Rotation & Protocol Hardening"

DNS Module — Client (master console)

• Domain rotation: Removed user input flow and _translate_dns_name
  Replaced with fixed 5-entry pool: github, microsoft, cloudflare, google, windows
• Per-packet rotation: Each command uses a different domain via domain_idx (BSS)
• QTYPE: TXT 0x01001000 → A record 0x01000100
• Encoding: Added Base32 RFC 4648 lowercase

DNS Module — Agent (sniff.asm)

• Domain rotation: Removed static fake_domain reference
  Replaced with 5-entry domain_pool + [rbp+0x3020] anchor index
• QTYPE: A record
• Base32: Added b32_alpha + b32_char_cnt lookup tables
• Decode fix: cmp al, '2' → cmp al, 'a'
  Silent command corruption bug caused by incorrect base32 decode threshold

Bug Fixes

• Verified all domain_pool entries at exactly 20 bytes
• Boundary wrap: cmp al/rax, 6 → 5 (OOB read on index rollover)
• Beacon size check: cmp rax, 32 → 28

Removed

• raw_domain, dns_domain, _translate_dns_name, msg_domain_name
• Static fake_domain reference (sniff.asm)
• ICMP decoy send logic (_icmp_recv)

Evasion Status

Surface	Status	Risk
DNS QTYPE	A record	✅ Low
Domain rotation	5-domain per-packet	✅ Low
Base32 encoding	RFC 4648 lowercase	✅ Low
LCG jitter	100–1000ms adaptive	✅ Low
ICMP decoy pattern	Removed	✅ Low
Chunk size variance	Fixed 35B	⚠️ Medium
ICMP payload size	Fixed 80B	⚠️ Medium
DNS response simulation	Not implemented	⚠️ High (ML-based NDR only)

Rule-based NDR systems (Snort, Suricata, Zeek signatures) are bypassed
in current state. The remaining medium/high risk surfaces are relevant
only against ML-based behavioral analysis (Darktrace, ExtraHop).

Planned

• v3.6.4: DNS response simulation — master and agent will return
  synthetic A record responses (QR=1, RCODE=0) to eliminate
  the unanswered query anomaly detected by ML-based NDR (Darktrace)