Coley v1.0 C2 StealthRansomware Builder: Control panel + Builder

Submitted by Remio at 03-06-2025, 02:48 PM

1.804 Views
Remio
#1
Coley C2 Ransomware Builder Suite: Deployable Control panel + Builder

[Image: z2fg37.png] [Image: 6qolut.png]

Core Components: Includes customizable Desktop Encryptor/Decryptor Builder & Optional Web Control Panel

Key Features:
- Multi-threaded file encryption engine (ChaCha20 per-file keys, RSA-secured)
- Partial file encryption (first 256KB or 50%) + header-only mode
- VSS deletion via VSS API and WMI
- Compile-time string obfuscation (binaries generated from source templates)
- APIGuard-style anti-hooking (userland patch detection/restoration)
- Lightweight output: ~148KB-ish binaries;
- Efficient I/O pipeline: 5000+ files with 4MB buffers, retry logic, and load balancing, smart exclusions, heap buffers, per-file timeouts. Runs smooth basically;
- GUI Decryptor supports batch files, key import, and integrity verification
- Filters out system shares and validates ≥100MB free space. Fast, quiet, and time-limited scan.
- Optional local subnet scanner: auto-discovery for SMB shares on local subnets, including cross-drive paths. Finds reachable hosts, lists non-system shares, checks for ≥100MB space. Caps time, hosts, and share count to stay low-noise.
- Win 10/11 / Win Server 2019-2025

Screenshots:
Builder GUI: https://files.catbox.moe/z2fg37.png
C2 config GUI: https://files.catbox.moe/t9bwgu.png
C2 Panel: https://files.catbox.moe/qkvmdb.png
C2 Panel Deployments: https://files.catbox.moe/yqxjop.png
C2 login: https://files.catbox.moe/eix8qe.png
GUI help: https://files.catbox.moe/almxjs.png

Included Obfuscation:
- Randomized API call patterns and probing order & timing jitter and random delays
- Manual PE parsing fallback to avoid GetProcAddress
- Userland antihook file (I have tried this with several variants, specifically parsing / patching the IAT of modules and replacing imports via IMAGE_IMPORT_DESCRIPTOR - works fine)
- Lazy decryption (on first access only)
- Template metaprogramming with LCG and modular math, swap out whatever you want/need.
- Unique keys per string using __TIME__ macro seed
- ANSI & Unicode support via OBF_STR / OBF_WSTR macros;

Userland antihook mechanism:
This mechanism I developed is kind of similar to Recycled Gate in its goal of evading hooks but uses a completely different approach in many regards. While RecycledGate reuses clean syscall stubs from unhooked memory regions (like other system DLLs or memory clones), our technique does not rely on recycling syscall stubs. Instead, we record the original prologue bytes of key API functions (e.g., CreateFileW, ReadFile), compare them later against the current in-memory versions and then restore the original bytes if modifications (e.g., inline hooks) are detected. Basically we detect and remove userland hooks by capturing and verifying the prologue bytes of functions in kernel32, ntdll, and bcrypt. It also uses checksum validation to identify tampering and restores the original bytes if modifications are found.

- Note that although this obfuscation is very effective as it comes, it does not work against kernel-level or hardware breakpoints etc. This is something to think about when improving the payloads.

Optional Features:
- Ready: Improved antihook & string obfuscation can be provided, binaries may also be crypted with crypter of your choice.

- In-Dev / coming soon:
  - Kernel-mode evasion
  - Hardware breakpoint manipulation (debug registers)
  - ETW threat detection bypass
  - More payloads (dll / pure C versions ready, just need to add it into the builder)

Disclaimer:
⚠️ For educational and research purposes only. Licensing info available upon request. ⚠️

Contact: PM or check signature for more info.
Pricing: $350 including builder + template sources.
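The feature list above names shadow-copy (VSS) deletion via the VSS API and WMI as part of the payload. From the defender's side, the command-line paths to that deletion (vssadmin, wmic, and WMI calls from PowerShell) are visible in process-creation telemetry and are a standard early-warning signal for ransomware activity. The block below is an added example written for this page, not code from the product or the poster: it runs a small set of detection patterns over constructed, simplified Sysmon-style process-creation lines (tab-separated `key=value` fields, made up for this example) and then raises confidence when one parent process uses more than one deletion method. Deletions made directly through the VSS COM API leave no command line at all, so this check must be paired with other telemetry (assumption: the reader has file or ETW-based monitoring for that case).

```python
"""Detect command-line shadow-copy deletion in process-creation telemetry.

Added defensive example. Input format is a constructed, simplified
Sysmon Event ID 1 style: tab-separated key=value fields.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample log lines (not from any real incident). The '|' inside the
# PowerShell command line is why the field separator is a tab, not a pipe.
SAMPLE_LOGS = [
    "UtcTime=2025-06-03 14:48:01\tImage=C:\\Windows\\System32\\vssadmin.exe"
    "\tCommandLine=vssadmin.exe list shadows\tParentImage=C:\\Windows\\System32\\cmd.exe",
    "UtcTime=2025-06-03 14:48:05\tImage=C:\\Windows\\System32\\vssadmin.exe"
    "\tCommandLine=vssadmin.exe Delete Shadows /All /Quiet"
    "\tParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "UtcTime=2025-06-03 14:48:07\tImage=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "\tCommandLine=wmic shadowcopy delete /nointeractive"
    "\tParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "UtcTime=2025-06-03 14:48:09\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""
    "\tParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "UtcTime=2025-06-03 14:50:00\tImage=C:\\Windows\\System32\\notepad.exe"
    "\tCommandLine=notepad.exe C:\\Users\\alice\\notes.txt\tParentImage=C:\\Windows\\explorer.exe",
]

# Each pattern is matched case-insensitively against the CommandLine field only.
# 'vssadmin list shadows' is deliberately not matched: listing is benign.
PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy.*?(remove-wmiobject|\.delete\(\))", re.I),
     "WMI Win32_ShadowCopy removal"),
]


@dataclass
class Finding:
    time: str
    technique: str
    parent: str
    command_line: str


def parse_line(line: str) -> Dict[str, str]:
    """Split a tab-separated key=value line into a dict (first '=' wins)."""
    fields: Dict[str, str] = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_shadow_copy_deletion(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line whose command line matches a deletion pattern."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.get("CommandLine", "")
        for pattern, label in PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(ev.get("UtcTime", ""), label,
                                        ev.get("ParentImage", ""), cmd))
                break  # one label per event is enough
    return findings


def parents_with_multiple_methods(findings: List[Finding], min_methods: int = 2) -> Dict[str, int]:
    """Higher-confidence signal: a single parent trying several deletion methods.

    Returns {parent image: number of distinct techniques} for parents at or
    above the threshold. Legitimate backup tooling rarely chains vssadmin,
    wmic and WMI-from-PowerShell from one parent within a short window.
    """
    by_parent: Dict[str, Set[str]] = {}
    for f in findings:
        by_parent.setdefault(f.parent, set()).add(f.technique)
    return {p: len(t) for p, t in by_parent.items() if len(t) >= min_methods}


if __name__ == "__main__":
    hits = detect_shadow_copy_deletion(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.time}  {h.technique:30}  parent={h.parent}")
    for parent, n in parents_with_multiple_methods(hits).items():
        print(f"HIGH CONFIDENCE: {parent} used {n} distinct shadow-copy deletion methods")
```

In the constructed sample the benign `vssadmin list shadows` from cmd.exe is ignored, the three deletion attempts are each labelled, and the shared parent (`update.exe` launched from a user's Temp directory) is escalated because it used three different methods. In production the same logic would read Sysmon or EDR process events instead of the inline list, and the parent-based correlation should additionally be bounded by a time window.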
arian372
#2
tyyyyyyyyyyyyyyyyyyyyyyy
anjjimdeadeded
#3
thanks bruhh
Remio
#4
Project Abandoned