{
	"id": "931284e9-7ee7-4074-8c34-296cea0faa96",
	"created_at": "2026-04-06T00:06:59.77274Z",
	"updated_at": "2026-04-10T13:12:41.838985Z",
	"deleted_at": null,
	"sha1_hash": "0b1e61da7595b47cb2298ef7d45c05e11142c566",
	"title": "GitHub - itaymigdal/Nimbo-C2: Nimbo-C2 is yet another (simple and lightweight) C2 framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 198561,
	"plain_text": "GitHub - itaymigdal/Nimbo-C2: Nimbo-C2 is yet another (simple\r\nand lightweight) C2 framework\r\nBy itaymigdal\r\nArchived: 2026-04-05 15:40:07 UTC\r\nNimbo-C2\r\nAbout\r\nFeatures\r\nInstallation\r\nEasy Way\r\nEasier Way\r\nUsage\r\nLimitations, Warnings, Notes\r\nContribution\r\nAbout\r\nNimbo-C2 is yet another (simple and lightweight) C2 framework.\r\nhttps://github.com/itaymigdal/Nimbo-C2\r\n\r\nNimbo-C2 agent supports x64 Windows \u0026 Linux. It's written in Nim, with some usage of .NET on Windows (by\r\ndynamically loading the CLR to the process). Nim is powerful, but interacting with Windows is much easier and\r\nmore robust using PowerShell, hence this combination is made. The Linux agent is slimmer and capable only of basic\r\ncommands, including ELF loading using the memfd technique.\r\nAll server components are written in Python:\r\nHTTP listener that manages the agents.\r\nBuilder that generates the agent payloads.\r\nNimbo-C2 is the interactive C2 component that rules them all!\r\nMy work wouldn't be possible without the previous great work done by others, listed under credits.\r\nFeatures\r\nBuild EXE, DLL, ELF payloads.\r\nEncrypted implant configuration and strings using NimProtect.\r\nPacking payloads using UPX and obfuscating the PE section names (UPX0, UPX1) to make detection and\r\nunpacking harder.\r\nEncrypted HTTP communication (AES in CBC mode, key hardcoded in the agent and configurable via\r\nconfig.jsonc).\r\nAuto-completion in the C2 Console for convenient interaction.\r\nFile \u0026 Registry commands.\r\nIn-memory PowerShell command execution.\r\nFile download and upload commands.\r\nBuilt-in discovery commands.\r\nScreenshot taking, clipboard stealing, audio recording, and keylogger.\r\nETW \u0026 AMSI patching using indirect syscalls.\r\nLSASS and SAM hash dumping.\r\nShellcode injection using indirect syscalls.\r\nInline .NET assemblies 
execution.\r\nPersistence capabilities.\r\nUAC bypass methods.\r\nToken impersonation and getsystem.\r\nSetting implant process as critical (BSOD on termination).\r\n(Linux) ELF loading using memfd in 2 modes.\r\nAnd more!\r\nInstallation\r\nWarning: Nimbo-C2 is meant to be run only within the provided Docker container\r\nEasy Way\r\nNote that installing this way may cause problems or incompatibility in the future as the Docker image\r\nnow doesn't enforce language and library versions, so consider skipping to the next method.\r\n1. Clone the repository and cd in\r\ngit clone https://github.com/itaymigdal/Nimbo-C2\r\ncd Nimbo-C2\r\n2. Build the docker image\r\ndocker build -t nimbo-dependencies .\r\n3. cd again into the source files and run the docker image interactively, expose port 80 and mount the Nimbo-C2 directory into the container (so you can easily access all project files, modify config.jsonc, download\r\nand upload files from agents, etc.). On Linux, replace ${pwd} with $(pwd).\r\ncd Nimbo-C2\r\ndocker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 nimbo-dependencies\r\nEasier Way\r\nHere we're using the already built, tested and stored Docker image - recommended.\r\ngit clone https://github.com/itaymigdal/Nimbo-C2\r\ncd Nimbo-C2/Nimbo-C2\r\ndocker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 itaymigdal/nimbo-dependencies\r\nOn Linux, replace ${pwd} with $(pwd).\r\nUsage\r\nFirst, edit config.jsonc for your needs.\r\nThen run with: python3 Nimbo-C2.py\r\nUse the help command for each screen, and tab completion.\r\nLimitations, Warnings, Notes\r\nEven though the HTTP communication is encrypted, the 'user-agent' header is in plain text and it carries the\r\nreal agent id, which some products may flag as suspicious.\r\nWrap paths or arguments that contain spaces in double quotes.\r\nThe CLR works with the primary access token, so impersonate / getsys don't affect iex / assembly.\r\naudio, lsass 
(except the Evil Lsass Twin method) commands temporarily save artifacts to disk before\r\nexfiltrating and deleting them.\r\nIf you tunnel the Nimbo server (e.g. if you expose it via Pinggy), use TCP, not HTTP.\r\nContribution\r\nThis software may be buggy or unstable in some use cases as it is not being fully and constantly tested. Feel free to\r\nopen issues, PRs, and contact me for any reason at (Gmail | Linkedin)\r\nSource: https://github.com/itaymigdal/Nimbo-C2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/itaymigdal/Nimbo-C2"
	],
	"report_names": [
		"Nimbo-C2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434019,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b1e61da7595b47cb2298ef7d45c05e11142c566.pdf",
		"text": "https://archive.orkl.eu/0b1e61da7595b47cb2298ef7d45c05e11142c566.txt",
		"img": "https://archive.orkl.eu/0b1e61da7595b47cb2298ef7d45c05e11142c566.jpg"
	}
}