Realm

39 posts


@Realm_C2

Cross platform red team tool with a focus on automation and reliability.

Joined March 2023
27 Following, 154 Followers
Realm @Realm_C2
Structured data at the click of a button! 🤩
Realm @Realm_C2
New file hosting feature! 📁 Host files and share them for a duration or with a specific number of downloads. Or use them directly in the imix agent.
Realm @Realm_C2
New bandwidth benchmark - wheels on the bus cocomelon.
Realm @Realm_C2
RDP over new socks proxy! 😤 Next step playing counter strike 🎮
Realm @Realm_C2
😤
Justin Elze @HackingLZ

### Top-Line Findings

1. **The C2 ecosystem is far less diverse than it appears.** While there are 30+ "different" frameworks, the underlying technique implementations converge on a small number of canonical code patterns, many traceable to specific open-source authors or blog posts.
2. **Three source projects account for the majority of reused code:**
   - **TrustedSec's COFFLoader** — the ancestor of nearly every open-source BOF loader
   - **PowerSploit** (by @harmj0y, @mattifestation, @obscuresec) — Get-Keystrokes, Invoke-Mimikatz, PowerView, and persistence modules are shipped verbatim by Empire, PoshC2, PowerHub, Amnesiac, and Shad0w
   - **Kevin Robertson's Invoke-WMIExec/Invoke-SMBExec** — the dominant PowerShell implementations for WMI and SMB lateral movement, bundled by Empire, PoshC2, PowerHub, and SilentTrinity
3. **A single detection rule can catch multiple frameworks.** Because many C2s share identical implementation code:
   - One detection for the PowerSploit `Get-Keystrokes` GetAsyncKeyState polling loop catches Empire, PoshC2, and any framework that bundles PowerSploit
   - One detection for the TrustedSec COFFLoader relocation pattern catches Apollo, Loki, Sliver (extension), and derivatives
   - One detection for the .NET `ManagementScope` WMI pattern catches Apollo, Covenant, NimboC2, SilentTrinity, and DeimoC2
4. **Genuinely novel frameworks are rare.** Of the 30 analyzed:
   - **4 frameworks** (Sliver, Havoc, Realm, TripleCross) demonstrate significant code originality
   - **6 frameworks** show moderate originality (Wyrm, AdaptixC2, Emp3r0r, Merlin, NimPlant, GC2)
   - **20 frameworks** rely heavily on shared code from the three source projects above, or implement techniques using the same well-known recipes
5. **HTTP C2 communications show the most behavioral convergence.** Three jitter formula families, shared User-Agent strings (the IE11 UA appears in Empire, Nuages, and Covenant), and common URL path patterns create fingerprinting opportunities.
Realm reposted
Justin Elze @HackingLZ
Realm @Realm_C2
@C2Workbench Hey! That’s us 🙂👋 The install instructions look a little complicated - we usually recommend the steps in the README to get started locally or terraform apply for production.
C2Workbench @C2Workbench
@Realm_C2's Imix agents execute tasks as Eldritch scripts sent from the server (Tavern), no recompilation needed. Operators write Python-like code for post-ex and pivoting that runs in-memory on demand. Script-first C2 = rapid iteration. Full analysis: c2workbench.com/framework/realm
Realm @Realm_C2
Excited to share a sneak peek of Eldritch v2! We’ve been rebuilding our automation language from scratch to make it stealthier and more modular. Try it out now! blog.realm.pub/2025-11-29-eld…
Realm @Realm_C2
Realm now has global filters! Filters can be applied to most views and stick with you throughout the experience making it easier to work with the same set of beacons or tasks.
Realm @Realm_C2
And TLS will be available eventually... 😓
Realm @Realm_C2
blog.realm.pub/2025-11-16-red… We've started a blog to document some of the design decisions we make throughout the development process! 🙌 Our first post highlights the new redirector features and the challenges that app layer crypto posed.
Realm @Realm_C2
Realm app layer crypto is here! 🔒 Agents can be built with a server public key. Transports leverage an ephemeral Diffie-Hellman key exchange and XChaCha for message encryption. It's been a long time coming but it's finally here! github.com/spellshift/rea…
Realm reposted
Hulto @Hultoko
Vibe coding @Realm_C2 from inside the metaverse - too much hype 🤯 RIP my movie in the background.
Realm reposted
Hulto @Hultoko
I had the privilege to red team @NationalCCDC this weekend. I had a great time and got to let AI control @Realm_C2 for the first ever AI powered service take down. 🙌
Realm @Realm_C2
Realm MCP connector!
Realm @Realm_C2
We had so many actions at South East CCDC across Linux, Windows, BSD and MacOS the dashboard graphs started timing out 🫠 It was a great event in a massive environment and great blue teams. It clearly put us to the test 😄
Realm @Realm_C2
@joe_abbate19 Hacking from the metaverse. Poor blue team never saw it coming.
Realm @Realm_C2
Baby Vecna grinding some last minute ISTS deploy @ritsecclub here we come
Realm @Realm_C2
✨Realm - powered by Gemini ✨ Added GraphQL tools and a Gemini prompt for natural language queries against the API. Even caught an actual implant running 🤯