Weeping Angel is an Initial Access and Post-Exploitation framework designed for adversary emulation and ethical penetration testing. As a Linux-based tool built for cybersecurity research and authorized red team operations, Weeping Angel leverages Google Calendar as a stealthy Command and Control (C2) server to manage connections with targets through event-based communication.
The framework provides two core capabilities:
Initial Access: Weeping Angel generates sophisticated, polymorphic droppers that can bypass common security controls, delivering the payload to target systems through various vectors including phishing campaigns, supply chain attacks, or direct deployment during authorized assessments. The framework can also generate PDF format payloads, embedding malicious code within seemingly legitimate PDF documents to evade detection and execute initial access vectors through document-based social engineering attacks.
Post-Exploitation: Once access is established, the framework enables comprehensive system reconnaissance, privilege escalation, lateral movement, persistence mechanisms, and data exfiltration — all while maintaining stealth through Google Calendar-based C2 communication.
The tool injects a polymorphic dropper into regular Python code, ensuring each instance is unique by modifying variables, functions, and signatures to evade detection. This adaptive approach means every build incorporates fresh code changes, making it difficult for security tools to identify static patterns. Inspired by APT41 tradecraft, advanced evasion strategies, and modern initial access brokers (IAB) techniques, Weeping Angel provides a robust framework for exploring complete attack lifecycles in controlled, ethical environments.
- Polymorphic Injection: Automatically modifies code (e.g., variables and functions) in each build to create unique signatures, making it harder for antivirus tools to detect.
- Junk Code Injection: Injects randomized code blocks and redundant logic into payloads during generation, creating unique structural signatures while preserving original functionality to evade static analysis and signature-based detection.
- Per-Machine Unique Signatures: Each payload deployed to a victim machine receives a unique ELF binary signature by modifying padding bytes in the executable header, ensuring every instance has a different cryptographic fingerprint.
- Google Calendar C2: Uses Google Calendar events as a covert channel for backdoor communication, allowing remote command execution on Linux targets.
- Dropper Builder: Injects a custom dropper into any legitimate Python script, transforming it into a backdoor payload.
- Linux Backdoor Deployment: Focuses on Linux systems, with features for persistent execution and event-based polling.
- Signature Evasion: Changes ELF file signatures on-the-fly during deployment, making hash-based detection ineffective across different infected machines.
- Customizable Beacon Interval: Features configurable, randomized check-in intervals (with adjustable minimum and maximum in seconds) to disrupt predictable timing patterns and make detection by network monitoring systems more difficult.
- File & Payload Management: Commands to download files from the C2 server to the victim machine and update payloads in memory.
- Dynamic Script Execution: Execute arbitrary Python scripts delivered from the attacker's C2 on the victim machine.
- Extensible Payload Framework: Load custom Python exploit modules from a community-driven repository or local library. Users can create, import, and execute third-party payloads (e.g., privilege escalation, data exfiltration, persistence mechanisms) on target machines without modifying the core backdoor code. Supports hot-swappable modules via the C2 channel.
- PDF Vector Exploitation: Generates a malicious PDF file that auto-executes the backdoor payload upon opening. When the victim clicks or opens the file, the embedded trigger mechanism activates and deploys the payload without requiring additional user interaction or explicit execution permissions.
- Comprehensive Data Exfiltration Suite:
  - dump_browser: Extracts browser data including saved passwords, cookies, and browsing history.
  - dump_token: Extracts Discord, Chrome, and other application authentication tokens.
  - dump_camera: Takes 1-20 photos using the victim's webcam.
  - dump_audio: Records audio from the microphone for 1-60 seconds.
  - dump_wifi: Extracts saved WiFi credentials (SSIDs and passwords).
  - dump_history: Extracts command history from terminal shells (Bash, Zsh, Fish).
  - keylog <start|stop|dump|status>: Full control of a keystroke logger.
- Google Drive Data Exfiltration:
  - Structured folder hierarchy for different data types
  - Automatic file organization by victim machine ID
  - Timestamped filenames for forensic tracking
  - Covert channel blending with legitimate Google Drive traffic
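Two items in the list above describe artifacts a defender can triage statically: an ELF whose header padding bytes were rewritten so that each copy hashes differently, and a PDF that carries an automatic action. The Python below is an added example written for this page, not code from the Weeping Angel project. It assumes only that linkers zero-fill e_ident[EI_PAD] (ELF header bytes 9 to 15), so nonzero bytes there are a cheap indicator of a rewritten header, and that PDF auto-action names can be found by plain token search (as pdfid does; names inside compressed object streams are a known blind spot). The ELF header and both PDFs are constructed inline.

```python
"""Static triage helpers for two artifact types described in the feature list.

Added example, not part of the Weeping Angel project. Assumptions: linkers
zero-fill e_ident[EI_PAD] (ELF header bytes 9..15), so nonzero bytes there are
a cheap indicator of a rewritten header; PDF auto-action names are located by
plain token search, as pdfid does, so names hidden in compressed object
streams are a known blind spot. All inputs below are constructed inline.
"""
from __future__ import annotations

import re
import struct
from collections import Counter

ELF_MAGIC = b"\x7fELF"
EI_PAD = slice(9, 16)  # e_ident[EI_PAD]: seven reserved bytes, normally zero

# PDF name tokens tied to automatic or embedded behaviour; \b stops /AA matching /AAPL etc.
PDF_AUTO_ACTION = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch|EmbeddedFile)\b")


def elf_ident_padding(data: bytes) -> bytes | None:
    """Return e_ident[EI_PAD] for an ELF file, or None when data is not ELF."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        return None
    return data[EI_PAD]


def elf_padding_tampered(data: bytes) -> bool:
    """True when the normally zero-filled header padding carries data.

    An indicator, not proof: it catches hash variation done through the
    padding bytes and says nothing else about the binary.
    """
    pad = elf_ident_padding(data)
    return pad is not None and any(pad)


def pdf_auto_action_hits(data: bytes) -> dict[str, int]:
    """Count auto-action name tokens in a PDF; empty dict for non-PDF input."""
    if not data.startswith(b"%PDF"):
        return {}
    return {k.decode(): n for k, n in Counter(PDF_AUTO_ACTION.findall(data)).items()}


def make_elf64_header(pad: bytes = b"\x00" * 7) -> bytes:
    """Constructed 64-byte ELF64 header (header only, not a runnable binary)."""
    if len(pad) != 7:
        raise ValueError("EI_PAD is exactly seven bytes")
    # magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, ELFOSABI_SYSV, ABI version 0, padding
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + pad
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return e_ident + rest


# Constructed PDFs: a bare catalog, and one whose catalog opens with a /Launch action.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
AUTO_ACTION_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /Launch /F (dummy) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print("clean ELF tampered:", elf_padding_tampered(make_elf64_header()))
    print("padded ELF tampered:", elf_padding_tampered(make_elf64_header(b"\x00" * 6 + b"\x5a")))
    print("PDF hits:", pdf_auto_action_hits(AUTO_ACTION_PDF))
```

Both checks are deliberately cheap so they can run over every file in a mail gateway or artifact store; a hit is a reason to pull the file into a sandbox, not a verdict on its own.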
Follow the steps below to configure your Google Cloud project and enable Google Calendar API for C2 communication.
- From the top bar, click the project dropdown → New Project
- Project name: rat-calendar-c2
- Click Create
- Sidebar: IAM & Admin → Service Accounts
- Click + Create Service Account
- Name: c2-server
- Click Create and Continue
- Role: Owner
- Click Continue → Done
- Select JSON → Create
- Save file as: c2_creds.json in your C2 directory
- Search: Google Calendar API
- Select it → Click Enable
- Visit: https://calendar.google.com
- On the left, find your calendar → click the 3-dot menu → Settings and sharing
- Click + Add people and groups
- Paste your Service Account email
- Looks like: test-c2@your-project-id.iam.gserviceaccount.com
- Set permission to: Make changes and manage sharing
- Click Send
- Search: Google Drive API → Enable
- Sidebar: APIs & Services → OAuth consent screen
- click: Get started
- App name: c2-server
- User support email: your Gmail → Next
- Audience: External → Next
- Contact Info: your Gmail → Next
- Audience → Add users → enter your Gmail address → Save
- Sidebar: APIs & Services → Credentials
- Click + Create Credentials → OAuth Client ID
- Application type: Desktop app
- Name: data exfiltration config
- Click Create
- Download the JSON file → rename to data_exfil.json
- Place it in your Dedsec directory
After completing all steps, your directory should contain:

```
DEDSEC_WEEPING_ANGLE/
├── c2_creds.json         # Service account key for Calendar C2
├── data_exfil.json       # OAuth credentials for Drive exfiltration
└── dedsec_weeping_angle  # dedsec tool
```
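The Calendar channel configured above polls for events at randomized intervals (the feature list's configurable minimum and maximum in seconds) to blunt timing-based detection. Jitter bounded by a min/max window still produces a narrow gap distribution, which is what the Python below looks for in endpoint logs: non-browser processes talking to the Google API host with a low coefficient of variation between requests. This is an added example, not project code; it assumes a constructed one-request-per-line log format (epoch seconds, host, process, destination) and that Calendar and Drive REST calls go to a googleapis.com host.

```python
"""Spot jittered polling of the Google APIs host by non-browser processes.

Added example, not part of the Weeping Angel project. Assumptions: a
constructed log format "epoch_seconds host process destination", one request
per line; Calendar/Drive REST traffic goes to a googleapis.com host. Browsers
are excluded because their bursty traffic is expected there.
"""
from __future__ import annotations

import statistics
from collections import defaultdict

GOOGLE_API_SUFFIX = "googleapis.com"
BROWSERS = {"firefox", "chrome", "chromium", "brave", "epiphany"}

# Constructed sample log (not a real log format). ws01/python3 polls with gaps of
# 47, 38, 55, 31, 59 and 42 s; ws02/firefox is bursty; ws03 has too few requests.
SAMPLE_LOG = """\
1700000000 ws01 python3 www.googleapis.com
1700000047 ws01 python3 www.googleapis.com
1700000085 ws01 python3 www.googleapis.com
1700000140 ws01 python3 www.googleapis.com
1700000171 ws01 python3 www.googleapis.com
1700000230 ws01 python3 www.googleapis.com
1700000272 ws01 python3 www.googleapis.com
1700000000 ws02 firefox www.googleapis.com
1700000002 ws02 firefox www.googleapis.com
1700000003 ws02 firefox www.googleapis.com
1700000005 ws02 firefox www.googleapis.com
1700000900 ws02 firefox www.googleapis.com
1700000902 ws02 firefox www.googleapis.com
1700000903 ws02 firefox www.googleapis.com
1700000010 ws03 gnome-calendar www.googleapis.com
1700000600 ws03 gnome-calendar www.googleapis.com
1700000300 ws01 python3 pypi.org
"""


def parse_log(text: str) -> list[tuple[int, str, str, str]]:
    """Parse the constructed format into (timestamp, host, process, destination)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        records.append((int(ts), host, proc, dest))
    return records


def find_jittered_pollers(records, min_requests: int = 5, max_cv: float = 0.5) -> list[dict]:
    """Return (host, process) pairs whose request gaps to the API host are too regular.

    cv = stdev(gaps) / mean(gaps). Uniform jitter in [lo, hi] gives
    cv = (hi - lo) / (sqrt(12) * mean), so a 30..60 s window lands near 0.19,
    well under the 0.5 threshold; interactive traffic is far above it.
    """
    by_key: dict[tuple[str, str], list[int]] = defaultdict(list)
    for ts, host, proc, dest in records:
        if dest.endswith(GOOGLE_API_SUFFIX) and proc not in BROWSERS:
            by_key[(host, proc)].append(ts)

    findings = []
    for (host, proc), stamps in sorted(by_key.items()):
        if len(stamps) < min_requests:
            continue  # not enough samples for a gap distribution
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"host": host, "process": proc, "requests": len(stamps),
                             "mean_gap_s": round(mean, 1), "cv": round(cv, 2)})
    return findings


if __name__ == "__main__":
    for f in find_jittered_pollers(parse_log(SAMPLE_LOG)):
        print(f)
```

The threshold is the tunable part: widening the jitter window raises the coefficient of variation, so the min/max setting an operator chooses trades stealth against how long the implant waits between tasks, and a detection built on this ratio should be paired with the process-name and destination filters rather than used alone.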
- Create an organization (org or personal)
- Enable "Enable Data API" and "Automatically expose new tables"
- Copy the Project URL and Publishable Key
- Go to Project Settings
- Select API Keys
- Copy the Service role secret
- Go to Storage
- Click New bucket
- Put "data" as the bucket name, enable public bucket, and click Create

Then update your config.json file with your Project URL, Publishable key, and service role secret:
```json
{
"SUPABASE_URL": "https://gqbdetbewhevkksclbfu.supabase.co",
"SUPABASE_KEY": "sb_publishable_TvQ2jFqzrPfsKC-krVrwqA_g_xjy9GM",
"SUPABASE_SERVICE_KEY": "eyJHbgcrOeJIUsI2NiIsInR3cCI6IkpXcCJ9.eyJpc311OilzeXBhymFrZSIsInJlZiI6ImdxYmR5dGJld2hpdmtrZWNsYmd14iwicm9sZSI6InNlcnZpY2Vfcm9sZSIs3mlhdCI2MTc3NzkyMDk4OCwiZXhwIjoyMDkzNDk2OTg4fQ.L4wdbD3QgDv2NHlP6ZU53wpI2jlLZ0TQXfq6vy7VB_A"
}
```

```
git clone https://github.com/0xbitx/DEDSEC_WEEPING_ANGLE.git
cd DEDSEC_WEEPING_ANGLE
chmod +x dedsec_weeping_angle
sudo ./dedsec_weeping_angle
```
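The config.json above carries the Supabase service role secret next to the publishable key. The service role JWT bypasses row-level security for the whole project, so a practitioner would want a check that such a key never ends up in a committed or distributed config. The Python below is an added example, not part of the project; it assumes that Supabase API keys are JWTs whose payload carries a "role" claim of "anon" or "service_role" and a "ref" claim with the project reference, and the token it audits is constructed with a dummy signature rather than taken from the page.

```python
"""Flag a Supabase service_role key sitting in a config file.

Added example, not part of the Weeping Angel project. Assumption: Supabase
API keys are JWTs whose payload carries a "role" claim ("anon" or
"service_role") and a "ref" claim with the project reference. Decoding here
reads claims only; the signature is not verified, which is fine for a
"should this string be here at all" check.
"""
from __future__ import annotations

import base64
import json
from pathlib import Path


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict | None:
    """Return the payload claims of a JWT-shaped string, else None (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return claims if isinstance(claims, dict) else None


def audit_config(config: dict) -> list[str]:
    """Report every string value that decodes to a service_role JWT."""
    findings = []
    for name, value in config.items():
        if not isinstance(value, str):
            continue
        claims = decode_jwt_claims(value)
        if claims and claims.get("role") == "service_role":
            findings.append(f"{name}: service_role JWT for project ref "
                            f"{claims.get('ref', '?')} (bypasses row-level security)")
    return findings


def audit_config_file(path: str | Path) -> list[str]:
    """Load a JSON config from disk and audit it."""
    return audit_config(json.loads(Path(path).read_text()))


def make_demo_jwt(role: str) -> str:
    """Constructed JWT in the Supabase claim layout with a dummy signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "supabase", "ref": "exampleref", "role": role,
                                  "iat": 1700000000, "exp": 2000000000}).encode())
    return f"{header}.{payload}.dummysignature"


# Constructed config mirroring the key names used above; contains no real credentials.
DEMO_CONFIG = {
    "SUPABASE_URL": "https://exampleref.supabase.co",
    "SUPABASE_KEY": "sb_publishable_EXAMPLE",
    "SUPABASE_SERVICE_KEY": make_demo_jwt("service_role"),
}

if __name__ == "__main__":
    for line in audit_config(DEMO_CONFIG):
        print(line)
```

Run audit_config_file("config.json") as a pre-commit hook or in CI; a finding means the secret should be rotated in the Supabase dashboard and the file kept out of the repository.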
- Kali Linux
- Parrot OS
This tool is intended for educational and security research purposes only. Unauthorized usage may be illegal in your jurisdiction. The author is not responsible for any misuse of this tool.