Phoenix-Framework is a post-exploitation tool designed to maintain persistence and execute commands on compromised Windows systems using trusted public platforms as covert command-and-control (C2) channels. It routes traffic through services like Discord and Telegram, leveraging their APIs to blend malicious activity with normal user behavior. This approach helps evade network-based detection that might flag traditional C2 infrastructure—such as custom domains or VPS-hosted listeners—while relying on platforms already allowed through most firewalls and proxies. The framework is built in C++, targets x64 Windows, and emphasizes asynchronous operations for responsiveness during long-running tasks like live streaming or keylogging.
What it does
Phoenix provides a wide range of post-exploitation capabilities, organized around remote host interaction, data exfiltration, and environmental reconnaissance. Its design prioritizes usability over depth of stealth: features are explicit, modular, and intended for rapid execution in controlled environments. Key functions include:
- Live desktop and webcam streaming, tunneled via Ngrok to relay video over Discord or Telegram messages
- Browser data harvesting from Chrome, Edge, Brave, and Firefox—capturing history, cookies, autofill entries, and credit card details (though Firefox password decryption is not supported)
- Keylogging with window title capture, allowing operators to correlate typed input with active applications
- Automatic download of attachments sent in supported chat platforms, enabling one-click delivery of payloads or configuration updates
- Self-destruction and UAC bypass routines, including /self_del, /bypass_uac, and /persist for maintaining access across reboots
The framework also includes standard system enumeration commands (/sysinfo, /net, /hw, /sw), process manipulation (/ps, /pkill, /inject), and file operations (/upload, /search, /dir). Notably, all commands are issued via chat interfaces—no separate control panel or GUI is involved.
Getting it running
The project does not provide prebuilt binaries or automated installers. Setup requires building from source on a Windows development machine with a C++ toolchain compatible with Visual Studio (the README implies MSVC usage, though no explicit build instructions are given). There is no Dockerfile, no npm or pip package, and no CI/CD artifacts published to GitHub Releases. Users must clone the repository, resolve dependencies manually, and compile the binary. The README notes that Phoenix uses XOR obfuscation for basic string protection—tokens (like API keys or bot IDs) remain hardcoded and recoverable via static analysis. For live streaming to work, Ngrok must be installed and running locally, as Phoenix depends on it to expose local streams to the internet. Without Ngrok, /stream_desktop and /stream_webcam will fail. No configuration files or environment variables are documented; setup appears to rely on inline token assignment during compilation or runtime argument injection (not specified in the README).
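The Discord, Telegram and Ngrok dependencies described above give a defender concrete network indicators to look for. The following Python is an added example, not code from the Phoenix project: it scans constructed proxy log lines for Telegram bot-API calls, Discord bot/webhook API endpoints and ngrok domains, and flags clients that repeatedly poll Telegram's getUpdates. The log format, the ngrok domain list and the assumption that a chat-API implant polls getUpdates are mine.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: "timestamp client method url". Not real traffic;
# the bot token and webhook token are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 GET https://api.telegram.org/bot123456789:AAExampleTokenXYZ/getUpdates?offset=1
2024-05-01T10:00:03Z 10.0.0.12 GET https://api.telegram.org/bot123456789:AAExampleTokenXYZ/getUpdates?offset=2
2024-05-01T10:00:05Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAExampleTokenXYZ/sendDocument
2024-05-01T10:00:09Z 10.0.0.12 GET https://abcd-1234.ngrok-free.app/stream
2024-05-01T10:01:00Z 10.0.0.31 POST https://discord.com/api/webhooks/1122334455/ExampleWebhookToken
2024-05-01T10:02:00Z 10.0.0.40 GET https://discord.com/channels/@me
2024-05-01T10:03:00Z 10.0.0.40 GET https://www.example.com/index.html
"""

# Telegram bot API paths look like /bot<id>:<token>/<method>.
TELEGRAM_BOT = re.compile(r"^/bot\d+:[\w-]+/(\w+)")
# Discord bot message endpoints and webhooks; plain web-client paths are ignored.
DISCORD_API = re.compile(r"^/api/(v\d+/)?(webhooks/|channels/\d+/messages)")
# Assumed ngrok domain suffixes; replace with what your proxy actually observes.
NGROK_HOSTS = (".ngrok.com", ".ngrok.io", ".ngrok-free.app", ".ngrok.app")

def classify(url):
    """Return a rule name if the URL matches a chat-API or tunnel pattern, else None."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    if host == "api.telegram.org" and TELEGRAM_BOT.match(path):
        return "telegram-bot-api"
    if host in ("discord.com", "discordapp.com") and DISCORD_API.match(path):
        return "discord-bot-or-webhook-api"
    if host.endswith(NGROK_HOSTS):
        return "ngrok-tunnel"
    return None

def analyze(log_text, poll_threshold=2):
    """Group matching requests by client; flag repeated getUpdates polling."""
    hits = defaultdict(Counter)
    polls = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        rule = classify(url)
        if rule is None:
            continue
        hits[client][rule] += 1
        if rule == "telegram-bot-api" and urlsplit(url).path.endswith("/getUpdates"):
            polls[client] += 1
    return {c: {"rules": dict(r), "polling": polls[c] >= poll_threshold}
            for c, r in hits.items()}
```

Run over real proxy exports, the interesting signal is a workstation (rather than a known bot host) that polls a bot endpoint on a fixed cadence and also reaches an ngrok domain.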
Who this is for
Phoenix-Framework is intended for red team operators and penetration testers who need a lightweight, API-driven C2 option for Windows targets where traditional beaconing is likely to be blocked or logged. It suits scenarios where Discord or Telegram access is guaranteed—such as corporate environments with permissive egress rules—or where social engineering has already established a foothold via shared chat groups. Because it supports no Linux or macOS clients, and offers no encryption beyond basic XOR, it is not suitable for high-security engagements requiring strong opsec guarantees. It also lacks modular plugin architecture or encrypted channel negotiation—features found in mature frameworks like Covenant or Sliver—so teams needing extensibility or TLS-wrapped traffic may find it limiting.
How it compares
Compared to other open-source post-exploitation tools, Phoenix occupies a narrow niche: it is lighter than Cobalt Strike (no Java runtime, no GUI, no Malleable C2), but also far less mature. It does not implement domain fronting, steganography, or DNS tunneling—unlike tools such as dnscat2 or PoshC2. Its reliance on public chat APIs puts it closer to projects like Sliver’s Discord C2 module, though Sliver supports cross-platform implants and proper TLS. Phoenix also differs from Covenant, which offers a full web UI and .NET-based implants, by focusing exclusively on C++ and Windows. With only 62 GitHub stars, it has minimal community validation or third-party auditing—unlike well-established alternatives like Metasploit’s post modules, which integrate natively with broader exploitation workflows. Its feature set overlaps with SharpHound or Mimikatz only in credential harvesting scope; it does not perform AD enumeration or LSASS dumping directly.
Phoenix-Framework is hosted at https://github.com/xM0kht4r/Phoenix-Framework and remains a Windows-only, C++-based project with no published release binaries or installation documentation beyond its README.