Bear C2 is a command and control (C2) framework designed for simulating attacks by Russian APT groups. It supports several methods of protecting traffic between the payload and the operator machine: AES, XOR, DES, TLS, RC4, RSA, and ChaCha. Note that XOR, DES and RC4 are offered to mimic real-world tradecraft rather than to provide meaningful confidentiality (only AES, ChaCha, RSA and TLS do), and TLS is a transport protocol rather than a cipher. This C2 framework is intended for simulation purposes only and is currently under development.
Key features include:
- Multiple Encryption Methods: Supports AES, XOR, DES, TLS, RC4, RSA, and ChaCha.
- Customizable Profiles: Allows users to customize connection encryption based on real-world attack scenarios.
- Payload Execution Techniques: Includes Шахимат / Checkmate and Кинжал / Kinzhal payloads with distinct functionalities.
- SmartScreen Bypass: Attempts to disable SmartScreen by modifying registry settings. The machine-wide SmartScreen values live under HKLM and require administrative rights to change, and the write itself is visible to registry auditing.
- UAC Bypass: Includes methods to bypass User Account Control.
- Log Clearing: Clears system and security event logs to evade detection. Clearing these logs is itself recorded (Security event 1102 and System event 104 from Microsoft-Windows-Eventlog) and is a common detection trigger, so exercise this deliberately.
- Process Hollowing: Uses process hollowing to inject payloads into legitimate system processes.
- Cloud Exfiltration: Capable of exfiltrating data to OneDrive, Google Drive, Dropbox, or AWS.
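Two of the behaviours above, log clearing and the SmartScreen registry change, leave well-known traces on the host. The following detection logic is an added example written for this page, not code from the Bear C2 project; it runs over a constructed event stream whose flat-dict shape (`channel`, `event_id`, `host`, plus Sysmon's `TargetObject`, `Details`, `Image`) is an assumption about what a SIEM hands over after parsing EVTX. Host names, users and paths in the sample are invented.

```python
"""Detect event-log clearing and SmartScreen tampering in Windows events.
Added example with constructed sample data; not Bear C2 project code."""
from dataclasses import dataclass
import re

# Windows event IDs for log clearing (both logged by Microsoft-Windows-Eventlog):
#   Security 1102 "The audit log was cleared"
#   System    104 "The <name> log file was cleared"
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Sysmon Event ID 13 is RegistryEvent (Value Set); it carries TargetObject, Details, Image.
SYSMON_VALUE_SET = ("Microsoft-Windows-Sysmon/Operational", 13)

# Registry values that control SmartScreen. The Explorer value is a string
# ("Off", "Warn", "Block"); the policy value is a DWORD (0 = disabled).
SMARTSCREEN_VALUE = re.compile(
    r"\\(?:Explorer\\SmartScreenEnabled|System\\EnableSmartScreen)$", re.IGNORECASE
)
DISABLING_DETAILS = {"off", "dword (0x00000000)"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    summary: str


def detect(events):
    """Return one Alert per suspicious event.

    Events are flat dicts (assumed shape, see lead-in). Benign events, and
    SmartScreen writes that do not disable it, produce no alert."""
    alerts = []
    for ev in events:
        key = (ev.get("channel"), ev.get("event_id"))
        if key in LOG_CLEARED:
            alerts.append(Alert(
                "event_log_cleared", ev["host"],
                f"{ev['channel']} log cleared by {ev.get('user', '?')}"))
        elif key == SYSMON_VALUE_SET:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "").strip().lower()
            if SMARTSCREEN_VALUE.search(target) and details in DISABLING_DETAILS:
                alerts.append(Alert(
                    "smartscreen_disabled", ev["host"],
                    f"{target} set to {ev['Details']!r} by {ev.get('Image', '?')}"))
    return alerts


# Constructed sample stream: a normal logon, a cleared Security log, a cleared
# System log, SmartScreen set to Off by an unsigned-looking binary, and a
# benign write that sets it back to Warn (must not fire).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "host": "ws01", "user": "CORP\\alice"},
    {"channel": "Security", "event_id": 1102, "host": "ws01", "user": "CORP\\alice"},
    {"channel": "System", "event_id": 104, "host": "ws01", "user": "CORP\\alice"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "host": "ws01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
     "Details": "Off", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "host": "ws01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
     "Details": "Warn", "Image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.summary}")
```

Run against the sample stream, the detector raises three alerts: two for the cleared logs and one for the SmartScreen value being set to Off. Both rules are cheap enough to run on every event; the interesting signal during a simulation is the short gap between a 1102/104 and the preceding activity, which the 1102 event's user field and the Sysmon event's Image field let you pivot on.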
Use cases:
- Red team operations
- Security research
- Training and education