CupcakeC2

# 🧁 New Era C2 Reverse Connection Platform (Cupcake C2) <p align="center"> <img src="server/frontend-v2/src/assets/logo.png" width="128" height="128" alt="Cupcake Logo"> </p> <p align="center"> <strong>A cross-platform high-performance Command & Control (C2) architecture system built with Rust + Go + Vue 3.</strong> </p> <p align="center"> <img src="https://img.shields.io/badge/Language-Rust-orange.svg" alt="Rust"> <img src="https://img.shields.io/badge/Server-Go-blue.svg" alt="Go"> <img src="https://img.shields.io/badge/Frontend-Vue_3-brightgreen.svg" alt="Vue 3"> <img src="https://img.shields.io/badge/Status-Beta-yellow.svg" alt="Status"> </p> --- ## 📖 Table of Contents - [🌟 Project Introduction](#-project-introduction) - [📝 Author's Note](#-author's-note) - [✨ Core Features](#-core-features) - [🏗 System Architecture](#-system-architecture) - [🛠 Technology Stack](#-technology-stack) - [🚀 Quick Start](#-quick-start) - [🤖 MCP Automated Configuration](#-mcp-automated-configuration) - [📈 Project Progress](#-project-progress) - [🛡 Anti-Virus Performance](#-anti-virus-performance) - [⚠️ Disclaimer](#-disclaimer) --- ## 🌟 Project Introduction **Cupcake** aims to provide security researchers with a modern, lightweight, and highly scalable remote control platform. The system uses Rust to write a minimal Client (Agent), combined with a high-performance Go backend and a clean Vue 3 frontend, to achieve efficient command issuance, file transfer, and complex "fileless" arsenal execution capabilities. ## 📝 Author's Note > This is a C2 platform that pursues **"Ultimate AI Empowerment"**. Although AI-assisted development was used extensively in the implementation process, its core value lies in the architectural design of **AI-assisted execution**. > > **Design Philosophy:** > 1. **Full Protocol Coverage**: Currently supports WS/TCP/DNS, and will continue to expand more covert protocols in the future. > 2. **Plug-in Arsenal**: Adopts a modular design, supports dynamic function expansion, and enables hot-swapping. > 3. **AI Co-pilot**: Deeply integrates **MCP (Model Context Protocol)**, allowing AI assistants to directly intervene in the post-penetration phase. AI is not just a chat tool, but a "on-site commander" that can help you analyze the environment, attempt privilege escalation, and assist in decision-making. > > **Original Intention:** Since AI has changed coding, it will inevitably reshape offensive and defensive confrontation. Never reinvent the wheel for things that can be handed over to AI. (Author Tiamo is bragging here, but it's actually to be lazy) --- ## ✨ Core Features - 🖥 **White Angel UI**: A minimalist indigo aesthetic design customized based on Element Plus, bid farewell to the heaviness of traditional C2 and provide a smooth operating experience. - 🦀 **Rust Agent**: The controlled end is written in Rust, with no runtime dependencies, extremely low memory usage, and supports cross-compilation of various architectures. - 🚀 **Fileless Execution**: - **Execute-Assembly**: Memory reflection loads C# .NET assemblies. - **Memfd-Exec**: Linux anonymous memory execution, avoiding file landing detection. - **Shellcode-Injection**: Supports remote thread injection and Shellcode dynamic distribution. - 📦 **Payload Arsenal**: Plug-ins are dynamically uploaded, Manifest is automatically registered, and supports rapid integration of custom weapons. - 🤖 **MCP Driven**: Built-in MCP protocol support, allowing AI (such as Claude/GPT/Cursor) to directly call C2 interfaces to execute automated tasks. --- ## 🏗 System Architecture ```mermaid graph TD A[Vue 3 Dashboard] <-->|Rest API / WS| B(Go C2 Server) B <-->|WebSocket/TCP/DNS| C[Rust Agent - Windows] B <-->|WebSocket/TCP/DNS| D[Rust Agent - Linux] M(MCP Client) <-->|MCP Protocol| B ``` --- ## 🛠 Technology Stack | Module | Technical Implementation | Function | | :--- | :--- | :--- | | **Server** | Golang (Gin / GORM) | Core scheduling, API service, task queue | | **Frontend** | Vue 3 / Vite / Element Plus | Global operation panel, real-time log monitoring | | **Agent** | Rust / Tokio | High-performance asynchronous controlled-end logic | | **Database** | SQLite | Task history and Agent status persistence | --- ## 🚀 Quick Start > **Hint**: Currently, the Windows environment only supports building EXE templates, while the Linux environment supports one-click building of full-platform templates. You can directly download the pre-compiled templates and put them in the `/server/assets` directory, and use them directly through the "binary patching" mode (Tiamo has prepared some pre-filled templates for you). ### 1. Linux Environment (Recommended) ```bash unzip Cupcake.zip chmod +x run_linux.sh ./run_linux.sh ``` ### 2. Windows Environment 1. **Build Frontend**: ```powershell cd server/frontend-v2 npm install; npm run build ``` 2. **Start Backend**: ```powershell cd .. go run . ``` --- ## 🤖 MCP Automated Configuration 1. **Get Token**: After starting the Server, the terminal prints a random 32-bit `API_TOKEN`. 2. **Configure Client**: Modify `C2_SERVER` and `API_TOKEN` in `./MCPClient/client.py`. 3. **Enable Collaboration**: Mount the MCP server to Claude or IDE to start AI command and control. --- ## 📈 Project Progress - [x] **TCP Protocol** (100%): Stable communication. - [x] **WebSocket Protocol** (100%): Supports pseudo-interactive terminal. - [ ] **DNS Protocol** (70%): Testing. - [ ] **Tunneling Technology** (50%): Socks5 basic implementation. --- ## 🛡 Anti-Virus Performance > **Anti-Virus Tips**: It has been found in actual tests that templates compiled in the native Windows environment usually have better anti-virus effects than cross-platform cross-compilation. The project integrates source code obfuscation, and it is recommended that the development environment be as consistent as possible with the target environment (i.e., Windows compiles Windows, Linux compiles Linux). - **Static Scan**: VirScan all green. - **Dynamic Monitoring**: Conventional operations do not report viruses in Huorong/360. --- ## ⚠️ Disclaimer This tool is limited to legally authorized penetration testing, security audits, and educational purposes. Users should abide by local laws and regulations. The user shall be solely responsible for any direct or indirect consequences resulting from the use of this tool, and the developer shall not be liable for any responsibility. --- <p align="center"> Made with ❤️ by <strong>Tiamo</strong> </p>