DEV.co
Open-Source Security · DeimosC2

DeimosC2

DeimosC2 is a deprecated Golang-based command-and-control framework designed for post-exploitation red team operations. The project is no longer maintained and contains a known critical XSS vulnerability (CVE-2025-26244), making it unsuitable for production use.

Source: GitHub — github.com/DeimosC2/DeimosC2
1.2k
GitHub stars
167
Forks
Vue
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryDeimosC2/DeimosC2
OwnerDeimosC2
Primary languageVue
LicenseMIT — OSI-approved
Stars1.2k
Forks167
Open issues25
Latest release1.1.0 (2020-08-10)
Last updated2025-04-17
Sourcehttps://github.com/DeimosC2/DeimosC2

What DeimosC2 is

DeimosC2 is a C2 server written in Golang with a Vue.js frontend, supporting multiple agent communication channels (TCP, HTTPS, DoH, QUIC, and TCP pivot). It features multi-user roles, 2FA via Google Authenticator, RSA-wrapped agent communications, and a WebSocket API; however, it is unmaintained since the final release in August 2020 and has a documented XSS vulnerability.

Quickstart

Get the DeimosC2 source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/DeimosC2/DeimosC2.gitcd DeimosC2# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Historical reference for red team C2 design

Studying DeimosC2's architecture, multi-channel communication patterns, and agent obfuscation techniques for educational purposes or designing improved C2 frameworks.

Isolated lab environments with explicit authorization

Controlled security research or internal penetration testing in air-gapped networks where the XSS vulnerability poses minimal risk and no internet-facing exposure is required.

Forked derivative development

Creating a maintained fork with security patches and modern dependencies as a basis for a custom, internally-managed C2 tool for authorized security operations.

Implementation considerations

  • XSS vulnerability (CVE-2025-26244) must be patched before any deployment; review the JaRm222 writeup and apply input sanitization fixes.
  • Requires Golang build environment and Node.js/Vue.js toolchain for frontend compilation; deployment assumes Linux/Windows/macOS capability.
  • Multi-user and 2FA setup requires external Google Authenticator configuration and credential management discipline.
  • Agent communications use RSA encryption per-listener; key rotation and secure key storage are manual and operator-dependent.
  • No containerization or Kubernetes manifests provided; deployment is ad-hoc binary execution or manual orchestration.

When to avoid it — and what to weigh

  • Production or operational red team use — The project is deprecated, no longer maintained, and contains CVE-2025-26244 (XSS). Active exploitation risk and no vendor support or patch availability.
  • Internet-facing or multi-tenant deployments — The known XSS vulnerability creates credential theft and lateral movement risk. No security audit or maintenance roadmap exists.
  • Compliance or regulated environments — Deprecated software with known vulnerabilities fails compliance requirements (SOC 2, ISO 27001, etc.). No vendor guarantees or liability protection for security incidents.
  • Dependency on ongoing vendor support — No active maintainers, no response to issues (25 open), and last commit was April 2025 but no releases or patches since August 2020. Community support is unreliable.

License & commercial use

DeimosC2 is licensed under the MIT License, which is a permissive, OSI-approved open-source license. MIT allows use, modification, and distribution with minimal restrictions.

The MIT License permits commercial use, including in proprietary or closed-source derivatives. However, no warranty or liability indemnification is provided by the authors. For production security tool deployment, explicit legal review is strongly recommended, particularly given the known vulnerability and lack of maintenance. Vendor support for commercial incidents is unavailable.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceStale
DocumentationLimited
License clarityClear
Deployment complexityHigh
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

DeimosC2 contains CVE-2025-26244, a reflected XSS vulnerability in the frontend that allows attacker input to be rendered without sanitization, enabling session hijacking, credential theft, and malware injection. The codebase uses RSA key wrapping for agent communications (reasonable for confidentiality), but no authenticated encryption (AEAD) is mentioned, and no integrity verification details are provided. Multi-user access controls and role-based permissions are mentioned but not audited. The project has not undergone independent security review. Use only in isolated, non-production environments pending a comprehensive security audit and patching.

Alternatives to consider

Sliver (BishopFox)

Modern, actively maintained Golang C2 framework with similar multi-platform agent support, cleaner architecture, and no known critical vulnerabilities. Strong community and commercial backing.

Merlin (Russel Van Tuyl)

Lightweight, actively maintained HTTP/HTTPS C2 with reflective DLL support, better documentation, and regular updates. Smaller attack surface than DeimosC2.

Havoc (C5pider)

Modern, community-driven C2 framework written in C/C++ with improved OPSEC, modular agent design, and active maintenance. Stronger default security posture.

Software development agency

Build on DeimosC2 with DEV.co software developers

DeimosC2 is deprecated and contains a critical XSS vulnerability. Evaluate actively maintained alternatives like Sliver or Merlin, or contact us to build a secure, custom C2 framework tailored to your red team requirements.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

DeimosC2 FAQ

Is DeimosC2 safe to deploy in production?
No. The project is deprecated, contains CVE-2025-26244 (XSS), and is no longer maintained. Only use in isolated lab or research environments with explicit authorization and after applying security patches.
Can I fork DeimosC2 and fix the XSS vulnerability?
Yes. The MIT License permits forking and modification. However, you assume all responsibility for security patches, maintenance, and liability. Consider using an actively maintained alternative (e.g., Sliver, Merlin) instead.
What agent communication methods does DeimosC2 support?
TCP, HTTPS, DoH (DNS over HTTPS), QUIC, and TCP pivot. Each listener has its own RSA keypair for wrapped communications, though no AEAD integrity verification is documented.
How is the frontend secured?
Multi-user roles (admin/user), Google Authenticator 2FA, and WebSocket API. However, the frontend has a known XSS vulnerability (CVE-2025-26244) that can bypass authentication controls.

Software development & web development with DEV.co

Need help beyond evaluating DeimosC2? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Don't deploy unmaintained C2 infrastructure

DeimosC2 is deprecated and contains a critical XSS vulnerability. Evaluate actively maintained alternatives like Sliver or Merlin, or contact us to build a secure, custom C2 framework tailored to your red team requirements.