#deimos
Open-source Go-based C2 framework with cross-platform implants (Windows, Linux, macOS)
IOCs by window
- 0 IOCs tagged #deimos
- 0 IOCs tagged #deimos
- 0 IOCs tagged #deimos
- 1,474 IOCs tagged #deimos
Counts as of 2026-04-29. Regenerated daily.
About #deimos
- Type: open-source Go-based C2 framework with a web UI, multi-operator support, and cross-platform implants (Windows, Linux, macOS). Designed for collaborative red-team engagements; lower profile than Cobalt Strike, Sliver or Mythic.
- Abuse pattern: less common in mass campaigns than Cobalt Strike or AsyncRAT. Appears in targeted intrusions where the operator wants a flexible, undocumented-by-default agent that blends in with legitimate Go binaries.
- Detection signals: Go-compiled implant binaries with embedded HTTPS C2 strings, distinctive default certificate fingerprints, web-UI default ports on the listener side.
- References: DeimosC2/DeimosC2 on GitHub · Malpedia.
Recent IOCs tagged #deimos
No IOCs tagged #deimos in the past 30 days. Year aggregate: 1,474. For longer-window data, query api.tweetfeed.live/v1/year/deimos.
Frequently asked questions
What is Deimos C2?
Deimos C2 (also written DeimosC2) is an open-source Go-based command-and-control framework with a web UI, multi-operator support and cross-platform implants for Windows, Linux and macOS. It is designed for collaborative red-team engagements and has a lower public profile than its peers (Cobalt Strike, Sliver, Mythic), which makes it attractive to operators looking to avoid signatured tooling.
How does Deimos C2 compare to Sliver or Mythic?
All three are open-source post-Cobalt Strike alternatives with cross-platform implants. Sliver has the largest user base and the most defender coverage. Mythic emphasises modularity (operators can plug in different agent and C2 profiles). Deimos is the smallest of the three but offers similar core capabilities and tends to slip past signatures that target the more popular frameworks.
How is this list updated?
Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Deimos-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.
What is the license? Can I use this commercially?
All TweetFeed IOC data, including this Deimos subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.
License
Deimos IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).