Revenant: A Modern, Full-Stack Reverse Shell C2 Framework — From Payload Generation to Victim…
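Revenant is a lightweight C++-based framework that implements efficient command-and-control (C2) infrastructure over HTTP. It uses HTTP GET/POST requests to establish a reliable command channel and supports multi-device, cross-platform operation. The framework has built-in Cloudflared tunnel integration, encrypted transport, and logging, and is stealthy, efficient, and flexible. 2025-8-4 04:48:36 Author: infosecwriteups.com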

Hack-Bat

A proof-of-concept that turns plain HTTP into a full-fledged C2 infrastructure, built entirely in C++.

Revenant is a powerful demonstration of how even a simple HTTP request-response cycle can be adapted to create a stealthy, remote reverse shell infrastructure. This C++-based Command and Control (C2) framework is lightweight, fast, very easy to use, and incredibly flexible — designed to operate across platforms and networks.

  • Reverse Shell over HTTP
    Leverages HTTP GET/POST for a reliable command channel between victim and server.
  • Cloudflared Tunnel Integration
    Automatically spins up a public tunnel for attacker server access — no port forwarding needed.
  • Fully in C++
    No Python, no external frameworks. Raw, compiled performance.
  • Multi-Victim Management
    Track and control multiple client sessions independently.
  • Command Logging
    Every shell session and command output is logged — command, result, status, and timestamp.
  • Location Agnostic
    Revenant works regardless of where the victim device is located — even if it’s behind firewalls or NAT. This is made possible by using a public Cloudflared tunnel, allowing remote access from anywhere in the world.
  • Encrypted Transport Ready
    The framework can communicate over secure HTTPS connections using tunneling. This makes the traffic blend in with regular web traffic, reducing the chance of detection.
  • Smart Client Mapping
    Each victim is identified by their device name. This allows the C2 server to manage multiple victims efficiently.
  • Persistent Logging
    Revenant logs every command executed on each victim. These logs include the command, its result, whether it succeeded or failed, and the exact timestamp — making it easy to track activity.
  • Threaded Shell
    Each shell session runs in its own C++ thread. This means you can interact with multiple victims simultaneously without blocking or slowing down the main server.

The C2 server creates a Cloudflared tunnel on either a random port or a user-specified one. It then generates payloads targeting:

  • Windows systems
  • Linux systems

Each payload is embedded with the public tunnel URL, allowing it to control the victim device from anywhere — even behind firewalls or NAT.

Here’s the basic logic of each generated payload:

  1. Initiates a loop to send regular HTTP requests to the attacker server.
  2. Waits for a response. If a command is sent back, the payload:
     • Executes it on the victim device.
     • Sends the command output back to the server in a POST request.

If no command is sent, the victim simply retries after a short interval.

This simple loop creates a persistent reverse shell, cloaked inside standard HTTP. Revenant supports concurrent sessions with multiple victims. Each victim is uniquely identified using their device name.

This interaction looks just like a regular web client talking to a server — making it hard to detect.
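
From the defender's side, the poll/execute/report loop described above still leaves a timing pattern in proxy logs: GETs from one client to one host at a near-constant interval, interleaved with POSTs. The following detection sketch is an added example, not code from Revenant or the original article; the log format, host names, paths and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed proxy log (not real traffic): epoch_seconds client method host path
SAMPLE_LOG = """\
1000 10.0.0.5 GET demo-tunnel.trycloudflare.com /
1005 10.0.0.5 GET demo-tunnel.trycloudflare.com /
1010 10.0.0.5 GET demo-tunnel.trycloudflare.com /
1011 10.0.0.5 POST demo-tunnel.trycloudflare.com /
1015 10.0.0.5 GET demo-tunnel.trycloudflare.com /
1022 10.0.0.5 GET demo-tunnel.trycloudflare.com /
1027 10.0.0.5 GET demo-tunnel.trycloudflare.com /
1003 10.0.0.9 GET news.example.com /
1004 10.0.0.9 GET news.example.com /style.css
1004 10.0.0.9 GET news.example.com /app.js
1090 10.0.0.9 GET news.example.com /article/1
1400 10.0.0.9 POST news.example.com /comment
1410 10.0.0.9 GET news.example.com /article/1
"""

def find_beacons(log_text, min_gets=5, tolerance=0.25, min_regular=0.7):
    """Flag (client, host) pairs whose GETs recur at a near-constant interval
    and are interleaved with POSTs, the shape of a poll/execute/report loop."""
    gets, posts = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, method, host, _path = parts
        if method == "GET":
            gets[(client, host)].append(float(ts))
        elif method == "POST":
            posts[(client, host)] += 1
    findings = []
    for key, times in gets.items():
        if len(times) < min_gets or posts[key] == 0:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue  # burst of simultaneous requests, not a timed poll
        # Share of gaps close to the median; tolerates polls delayed by command execution.
        regular = sum(abs(g - median) <= tolerance * median for g in gaps) / len(gaps)
        if regular >= min_regular:
            findings.append({"client": key[0], "host": key[1], "interval": median,
                             "regular_share": round(regular, 2), "posts": posts[key]})
    return findings
```

On the constructed sample, only the 10.0.0.5 client is flagged (5-second median interval); the browsing client has enough GETs and a POST but irregular gaps.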

To launch the server:

./revenant_server -p 8080

To generate payloads:

generate os=linux
generate os=windows

Once deployed on victim systems, they connect back and await instructions.

Revenant is a minimalist, efficient, and stealthy reverse shell C2 framework. It shows how, with just HTTP, C++, and some creativity, you can build a flexible infrastructure for red team simulations, malware analysis labs, or controlled testing.

You can find the full source code and documentation here:
🔗 https://github.com/dharineeshj/Revenant

This project is strictly for educational and research purposes only.
Unauthorized use of this tool to access systems without explicit permission is illegal.
The author does not condone or take responsibility for any misuse.


Article source: https://infosecwriteups.com/revenant-a-modern-full-stack-reverse-shell-c2-framework-from-payload-generation-to-victim-c73167670619?source=rss----7b722bfd1b8d---4