TgRAT is a multi-client Command & Control (C2) framework that uses a Telegram group with forum topics as a communication channel between a central server and its agents. Each agent creates a dedicated thread for interaction, while the general channel allows global control of all bots.
⚠️ For educational purposes only.
- Encrypted end-to-end using AES-256-CBC
- Socket-based communication (TCP)
- Commands and responses are structured and encoded
- Optional logging system (`/logs`) with dedicated forum topic
- Logs include timestamp and command information
- Can be enabled/disabled at runtime
- Agents send heartbeat messages every 30 seconds
- Server updates `last_seen` field in the database for each agent
- Used in `/listclients` and cleanup logic to detect inactive bots
- Built in Python using `pyTelegramBotAPI`
- Creates a forum topic per agent
- Stores client data in SQLite
- Handles multiple bots in parallel
- Global control commands from the main thread
- Sends system info on connect (hostname + OS)
- Captures screenshots (`screenshot`)
- Executes arbitrary shell commands (`shell`)
- Sends encrypted responses back to server
- Sends periodic heartbeats to indicate it's alive
- AES-256 with random IV for each message
- Base64 encoding for safe transmission
- Handles broken pipes, socket errors, reconnections
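
Seen from the defender's side, the 30-second heartbeat listed above is a fixed-interval check-in that stands out in connection logs, even across a reconnect. The following is an added example, not TgRAT code; the record layout, addresses, port and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# Documentation-range addresses and port 8443 are made up for this example.
DST = ("198.51.100.7", 8443)
SAMPLE_FLOWS = (
    # steady heartbeat with about one second of jitter
    [(t, "192.0.2.10", *DST) for t in (1000, 1031, 1060, 1089, 1120, 1151, 1180, 1210)]
    # heartbeat interrupted once by a 95 s reconnect gap
    + [(t, "192.0.2.40", *DST)
       for t in (2000, 2030, 2061, 2090, 2185, 2215, 2245, 2276, 2305)]
    # bursty interactive traffic with no fixed period
    + [(t, "192.0.2.20", "203.0.113.5", 443)
       for t in (1003, 1010, 1095, 1101, 1260, 1262, 1400)]
    # on-period, but too few events to judge
    + [(t, "192.0.2.30", *DST) for t in (1000, 1030, 1060)]
)


def find_beacons(flows, period=30.0, tolerance=3.0, min_ratio=0.8, min_events=6):
    """Flag (src, dst, port) channels whose connection gaps cluster on `period`.

    Returns sorted tuples (src, dst, port, median_gap, on_period_gaps, total_gaps).
    Counting on-period gaps instead of averaging keeps a single long
    reconnect gap from hiding an otherwise regular heartbeat.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, port in flows:
        by_channel[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_channel.items():
        if len(times) < min_events:
            continue  # too little evidence; avoids flagging short sessions
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        on_period = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if on_period / len(gaps) >= min_ratio:
            hits.append((src, dst, port, median(gaps), on_period, len(gaps)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

Thresholds such as `tolerance` and `min_ratio` need tuning against a baseline, since legitimate software (NTP, update checks, monitoring agents) also polls on fixed intervals.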

- `/status` → Check if the client is online
- `/shell <command>` → Execute a command on the client
- `/screenshot` → Take a screenshot and send it back
- `/delete` → Delete the client thread
- `/kill` → Delete the client thread
- `/download <file path>` → Download a file from the agent
- `/upload <file path>` → Upload a file to the agent
- `/listwebcams` → Return the index of available cameras
- `/photo <camera index>` → Take a photo from the webcam
- `/stream <camera index> <time> <fps>` → Takes a video from the webcam
- `/dumpchrome` → Dump all the Google Chrome credentials

- `/sendall <command>` → Execute command on all clients
- `/logs` - Start/Stop the logging system in a channel named Logs
- `/listclients` - List all registered clients
- `/clean` - Deletes duplicate or inactive (48h+) clients and their topics
- `/statusall` → Check connection status for all clients
- `/shutdown` → Gracefully shut down the C2 server
- `/photoall` → Takes a photo from default webcam of all the clients

- Python 3.8+
- Python packages:
  - `pyTelegramBotAPI`
  - `pycryptodome`
  - `mss`
  - `Pillow`
  - `sqlite3` (built-in)
  - `pillow`
  - `termcolor`
  - `opencv-python`
- A Telegram bot token
- A Telegram group with forum topics enabled

A Spanish setup guide is available on my blog.

- Improve bot disconnection detection (ping-pong, heartbeat, etc.)
- Agent persistence (registry, scheduled tasks)
- Auto-update feature for agents
- Authentication system for agents (pre-shared key or signature)
- Command logging system (file or DB)
- Tagging/grouping system for bots (e.g. by OS, location)
- Basic anti-debug & evasion in agent (sandbox, VM detection)
- Cross-platform agent (Windows, Linux)
- Webcam control
- File exfiltration (`/upload`, `/download`)
- Keylogging and ransomware included on the agent
- Alternate C2 channels (Discord, HTTP over CDN, direct Telegram API)
- Optional web dashboard (clients list, commands, status, etc.)

This tool is strictly for educational and research purposes. Unauthorized use against systems you don't own is illegal. Use responsibly in controlled environments.