Hidden Cave
Hidden Cave is an API-based command-and-control (C2) server designed to manage interactions with The Bear infostealer. It ensures secure communication between the API and the attacker by encrypting all requests and responses using AES-GCM 256 encryption. For routes documentation, please refer to the APIDOC, For the CLI commands documentation please refer to it's README.MD.
ℹ️ The C2 API can only be deployed on Linux servers, but the CLI that can be used to interact with the API can work on any OS.
Before starting the deployment, ensure you have the following prerequisites installed:
- Nginx:
sudo apt-get install nginx - Gunicorn:
sudo apt-get install gunicorn - Python Dependencies: Install the required packages using
pip3 install -r requirements.txt
After installing the prerequisites, generate the settings.json file that the API and the preload script rely on by launching the CLI:
python main.pyUse the set command to generate random cryptographic parameters and set the API IP (public IP):
ℹ️ Ensure the port you want to serve the API on is open. This depends on your hosting provider; you may need to open the port in the provider's panel.
$HiddenCave-> set key rand
$HiddenCave-> set iv rand
$HiddenCave-> set ip 112.168.1.2
$HiddenCave-> set port 1174After setting the needed parameters, save the settings to a file:
$HiddenCave-> save settings.jsonCopy the settings.json file to the API folder and transfer the API folder to the server where you plan to deploy it.
On the Linux server, after installing Nginx and Gunicorn, run the predeploy.py script to generate two files: api.conf and apiserv.service.
- apiserv.service: A service file to run the API, ensuring it starts automatically even if the server reboots.
- api.conf: The Nginx config file to route web requests to Gunicorn.
Copy the apiserv.service file to the services folder (/etc/systemd/system/) and start the service:
sudo cp apiserv.service /etc/systemd/system/
sudo systemctl start apiserv
sudo systemctl enable apiservCheck its status:
sudo systemctl status apiservIf it says Active: active (running), the service is running correctly.
Enable the Nginx config file by copying it to the sites-available directory and linking it to the sites-enabled directory:
sudo cp api.conf /etc/nginx/sites-available/
sudo ln -s /etc/nginx/sites-available/api.conf /etc/nginx/sites-enabled
sudo systemctl restart nginxNow that the API is deployed, launch the CLI again, load the settings.json file, and use the check command to ensure everything is working:
$HiddenCave-> load settings.json
$HiddenCave-> check
[+] All good.Contributions are welcome! If you would like to contribute to this project, please open an issue first to discuss your proposed changes or additions. This helps ensure that your contribution aligns with the project's goals and prevents duplication of effort. Additionally, check the TODO section for current bugs to fix and areas for improvement.
Thank you for your interest in improving this project!
- Add a route for extracting crypto wallet seeds.
- Add a route for delete a victim's data.
- Edit the API to function as a proxy so users can add a Telegram bot token or Discord webhook and automatically receive data when a new victim is available.
This repository is created for educational purposes only. The author is not responsible for any damage or misuse of the code. Users are solely responsible for their actions and any consequences that may arise from using this software. Please use this tool responsibly and ethically, and only in environments where you have explicit permission to conduct security testing.