Building a C2 Framework in Go with Faan Rossouw

We will develop a server, an agent, and a client API, equipping our agent with practical functions like a reverse shell, system enumeration, and shellcode injection via a reflective loader.

By the end of this course, you will not only have a working C2 framework but also the foundational knowledge and resources to expand on the project. You’ll gain core skills in malware development, offensive tooling, project management, and idiomatic Go design patterns.

WHO SHOULD ATTEND

This course is ideal for network security professionals or enthusiasts who have completed a basic introductory programming course and possess foundational networking knowledge. If you’re eager to apply your skills in a hands-on project, this is the perfect opportunity. For those without prior experience in programming or networking, I’ll provide a curated list of resources (both free and paid) and clear guidance on the exact foundational knowledge needed to get started, ensuring everyone can join in on the fun.

Given the broad range of topics we’ll cover, I don’t expect everyone to grasp everything immediately. That’s why I’ll offer detailed notes, extensive references, and additional resources for each class. I’ll also be personally available outside of class times (via Discord) to help anyone who gets stuck and is genuinely committed to learning.

The most important thing is to come with a sincere desire to learn, a willingness to embrace challenges, and the confidence that staying the course will open up a whole new world of knowledge and understanding.

---

This course is perfect for security beginners with basic programming and networking experience who want to solidify their skills in a practical context. You will explore both offensive and defensive insights into C2, one of the most critical aspects of modern compromises. Let’s turn theory into action and create something impactful together!

KEY TAKEAWAYS

• Project Development:
  • Transition from writing “bits of code” to building structured, maintainable projects, including version control, documentation, and other auxiliary considerations. 
• Client-Server Applications:
  • Develop a fully functional client-server application, focusing on network programming and communication. Learn about basic API and backend communication patterns.
• Network Programming Fundamentals:
  • Master core concepts like servers, listeners, connections, handlers, routers, and the differences between synchronous and asynchronous communication. 
• Compositional Go Programming:
  • Learn the heart of Go programming—using structs, interfaces, constructor methods, and receiver methods to write clean, modular code. 
• Design Patterns:
  • Get introduced to foundational design patterns like Factory and Adaptor, and learn how to apply them in real-world projects. 
• Concurrency:
  • Learn how to use Go’s powerful concurrency system including: goroutines, channels, select statements, and mutexes.
• Malware Development:
  • Learn the basics of malware development in Go by integrating numerous functions into our agent..
• Deepen Core Protocol Knowledge:
  • Dive into HTTP/1.1, HTTP/2, and HTTP/3, Websockets, along with TLS versions, and gain confidence working with secure communication protocols. 
• Data Serialization, Encryption, Encoding, and Handling:
  • Learn how to handle, transport, secure, and manage data between multiple nodes.
• Authentication:
  • Implement authentication mechanisms to secure your applications. 

APPLICABLE BUSINESS SKILLS

You cannot defend against that which you don’t understand.

Post-exploitation communication malware such as Command and Control (C2) frameworks and Remote Access Tools (RATs) are core components of modern threat campaigns, which often culminate in extortion attempts like ransomware attacks. By understanding how these applications are designed and how they behave on compromised systems, you will develop a much deeper insight into detection signals and patterns. The ability to detect the presence of C2 frameworks is a critical defensive capability, as it allows us to identify and stop attacks before they reach their destructive final stages.

Custom offensive security tooling is a legitimate + growing discipline

Tools like C2 frameworks aren’t exclusive to threat actors – they’re also essential for legitimate cyber offensive services like penetration testing and red teaming. Before modern EDR and NDR solutions, many firms could simply purchase and immediately use C2s “off the shelf”. Since modern detection systems quickly flag these standard tools, security firms now typically either extensively modify existing software or develop and maintain their own proprietary C2 frameworks. This is an exciting and growing field within offensive cybersecurity, and this course offers a direct path into understanding and working with these essential tools.

You can use these same skills just about anywhere

Beyond the specifics of what we’ll be creating,  the core development concepts and technical skills you’ll gain from this course are directly applicable to virtually any security development project. Whether it’s implementing client-server models more broadly, developing APIs, backend engineering, implementing encryption and authentication, using idiomatic Go design patterns, or mastering abstraction more broadly – these fundamental skills extend far beyond the specifics of developing a C2 framework. Think of this course as an engaging project that helps you build a robust technical foundation, developing capabilities you can then apply to almost any area of security engineering that interests you. The architectural principles and development practices you’ll learn here will serve you well across the broader security landscape.

Syllabus

Section 01: Course Introduction (1 hr)

• General course introduction LECTURE
• What is C2? LECTURE
• C2 Architecture Primer LECTURE
• What we will focus on in this course LECTURE

Section 02: Server Foundation (2.5 hrs)

• Setting up our project LAB
• Create basic server foundation – router, listener, handler LAB
• Add signal handling LAB
• Crash course: Go’s concurrency system LECTURE
• Adding goroutines, channels, and select statements to server LAB
• Abstraction, interfaces, and factory functions LECTURE
• Integrating interface + factory function for multi-protocol listener LAB
• Add HTTP/2 + TLS communication option LAB

Section 03: Agent Foundation (2.5 hrs)

• Overview: C2 agent foundation design LECTURE
• Create agent config LAB
• Create agent communicator interface LAB
• Create agent communicator factory function LAB
• Create agent communicator protocol implementation LAB
• The heart of a C2 agent – runloop, check-in endpoint, results endpoint LECTURE
• Create agent core logic LAB
• Create agent entrypoint LAB

Section 04: Agent Refinement (1.25 hrs)

• Overview: Refining agent behaviour LECTURE
• Implement beaconing, delay, jitter LAB
• Implement YAML agent config system LAB

Section 05: Agent Command Handling System (3.5 hrs)

• Overview: C2 agent command handling system LECTURE
• Implement agent task data structures LAB
• Implement command dispatcher LAB
• Overview: reverse shell logic LECTURE
• Implement reverse shell LAB
• Overview: reflective loader logic LECTURE
• Implement reflective loader LAB
• Overview: enumerate function logic LECTURE
• Implement enumerate LAB

Section 06: Go Build System (0.75 hrs)

• Overview: Go build system LECTURE
• Create Go build system LAB

Section 07: Client API (3.5 hrs)

• Overview: Client API implementation LECTURE
• Websocket message + data structures implementation LAB
• WebSocket API, endpoint, and connection management LAB
• API + endpoints for Listener Management LAB
• API + endpoints for Agent Management LAB
• API + endpoints for Agent Commands LAB
• Implement tasking queue LAB
• Client simulation tool LAB

Section 08: Conclusion (1 hr)

• Where To From Here? Ideas + Inspiration for Further Development LECTURE
• Conclusion + Final Thoughts LECTURE

FAQ

Will we be learning extensive AV/EDR evasion techniques?

While AV/EDR evasion is indeed a crucial part of C2 agent development, this course primarily focuses on the more fundamental aspects – creation of the overall framework architecture, communication protocols and data flow, and basic offensive actions on the endpoint like command execution and shellcode injection.

The course is designed to give you a solid foundation in building the infrastructure of a C2 framework using Go, for those specifically interested in endpoint-based evasion techniques, I recommend checking out “Malware Development Academy” which specializes in those areas.

That said, the knowledge you gain in this course will provide the necessary foundation to later explore more advanced agent capabilities, including evasion techniques.

Do I need prior experience with Go programming to take this course?

You don’t need specific Go experience, but having some basic programming knowledge in any language is ideal. The fundamentals you should understand include:

• What is a variable?
• What are data types?
• What is a declaration?
• What is a function/method?
• What are arguments/parameters?
• What is a struct (or custom data types more broadly)?
• What is a library/package/dependency?

It’s not necessary to know how to build complete applications—that’s precisely what we’ll be learning together. You just need some basic comfort with programming syntax and basic concepts.

If you have no programming experience at all, don’t worry! I’ll provide a comprehensive guide with references and resources covering the minimum knowledge you’ll need. Since the course launches in February 2026, you’ll have plenty of time to prepare and get comfortable with these concepts beforehand.

What specific networking concepts should I understand before taking the course?

You should have a basic understanding of networking protocols, especially HTTP. Key concepts include:

• The client-server model
• HTTP request and response cycle
• TCP 3-way handshake
• TLS handshake process
• TCP vs UDP
• Basic understanding of encryption, encoding, and authentication

As far as the OSI model goes, you don’t really need to know the entire model, but it is important that you are familiar with the networking layer, and it’s important that you have a clear understanding of the transport and application layers, and the difference between them. Many aspects of our application will touch on these layers, and I really recommend being very comfortable knowing what occurs where, and when we need to transition from one to the other.

As with programming prerequisites, I’ll provide a detailed guide with resources covering these networking fundamentals. You don’t need to be a networking expert, but familiarity with these concepts will help you get the most out of the course content as we build our C2 framework.

Is this course suitable for complete beginners in cybersecurity?

In general I feel strictly categorizing courses as beginner/intermediate/advanced is a little bit too low resolution. So allow me to add a few more conceptual pixels. I like to distinguish between a beginner, and an introductory course. This is a beginner’s course, not an introductory course. Let me explain the distinction.

An introductory course assumes you have no prior exposure to cybersecurity concepts and serves as your first encounter with the field – i.e. it is an introduction.

A beginner’s course (like this one) assumes you have some familiarity with the underlying concepts, even if only vaguely, and now desire to synthesize those separate ideas through practical application. You may not feel comfortable with the material yet, but you are ready to “take the next step”.

Are there any recommended resources I should review before the first class?

Yes, I’ll provide two different resource guides before the course begins:

1. Essential Knowledge Guide: This covers concepts you should understand before the course starts. I won’t be covering these topics during class and will assume you already have this foundation. If you don’t know these you’ll feel lost pretty quickly, so really they are, as the title suggests, essential.
2. Recommended Preparation Guide: This includes topics that, while not strictly required, are so foundational to the course material that familiarizing yourself with them beforehand would significantly enhance your learning experience. I will cover these concepts in class, but having prior exposure will help you get more out of our sessions.

Note that both guides will be bifurcated into both Programming and Networking sections, as well as providing references to free and paid references. I only ever recommend paid references if I completed it myself, and I really think it’s worth the money. But to reiterate – there will be NO requirement to use paid resources, the free ones will suffice.

Both guides will be made available well before the course starts to give you ample time to prepare at your own pace.

How hands-on is this course? What’s the balance between lectures and practical exercises?

The course is heavily practical with approximately 25% lecture and 75% hands-on lab work. I’m a strong believer in learning by doing, so we’ll be spending most of our time actively building the C2 framework.

That said, I never jump into practical exercises without proper context. The lectures are strategically placed to provide foundational concepts and explain both the “what” and “why” before we get to the “how”. I find this approach gives you both the practical skills and the deeper understanding needed to apply these concepts beyond the course.

The theoretical portions are kept concise and directly relevant to our upcoming hands-on work. You won’t sit through long lectures – instead, we’ll maintain a rhythm of brief theory followed by extended practical application.

Do you provide all the necessary code resources, or will we need to write everything from scratch?

We’ll be coding most of the C2 framework, however in order to be able to cover the ground we intend to in 16 hours we will, from time-to-time, start a practical lab with templates where some boilerplate is provided. This will allow us to focus on implementing the essential logic, and not spend time writing repetitive stock logic.

Developing a 16-hour course like this requires careful balancing of breadth and depth. My aim is to provide enough detail for genuine understanding while covering sufficient ground to have a functioning C2 framework by the end. I’ve planned a balance between providing specific logic, and writing the rest ourselves, to ensure we meet both goals.

Also note that I will provide the complete final codebase/solution to all participants.

Are there any legal considerations when developing and testing a C2 framework?

ABSO-FRIGGIN-LUTELY – you should only ever test the framework on machines that you either own yourself or have explicit permission to use. Nothing about a C2 framework is inherently illegal, but like many tools in cybersecurity, improper use can lead to serious legal consequences.

The same framework can be used legitimately for red team exercises or maliciously for unauthorized access. The difference comes down to permission and intent. Ensure common sense prevails at all times when working with these tools.

This course is designed to help you understand both offensive and defensive aspects of C2 frameworks, but the responsibility for ethical application of this knowledge rests with you.

How can defenders use the knowledge from this course to improve detection capabilities?

As stated in the course description: “You cannot defend against that which you don’t understand.” By learning how C2 frameworks are designed and operate, defenders can develop more effective detection strategies focused on communication patterns, protocol anomalies, and behavioral indicators. This knowledge helps security teams identify compromises earlier in the attack chain, before destructive stages like ransomware deployment occur.

Further, the broader skills developed in this course—project creation, network programming, authentication, encryption, client-server architecture, idiomatic Go design etc—are all universally applicable and could just as easily be applied to projects with defensive goals in mind. Though we create an offensive tool, the core foundational skills we use are valuable across both offensive and defensive security domains.

Are there follow-up courses or learning paths you recommend after completing this one?

Emphatic yes! I will dedicate an entire session at the end of the course to exploring ways you can continue this learning journey. This will include specific ideas, tips, references, resources, and methods for staying in touch with me as you develop further. This will also be available as a guide with extensive breadcrumb trails you can follow to journey as deep into this world as you desire.

I view this course as both self-contained and complete, while simultaneously planting a seed from which something awesome can grow for those who wish to continue. The course provides a solid foundation on its own, but for those with deeper interest, it creates numerous pathways for further exploration and development.

Why did you choose Go instead of other languages for this course?

Go is an awesome choice for backend development, created by Google specifically for distributed systems and backend engineering. Taking a language-agnostic perspective, Go is simply the right tool for this specific job – it’s fast, efficient, and specializes in exactly what we need to accomplish.

Go is low-level enough that we don’t need to concern ourselves with higher-order abstractions like those present in OOP, while at the same time giving us a very effective garbage collector so we don’t need to think about memory management. This balance makes it perfect for our course context.

Go also features a great package (dependency) management system and an excellent standard library which provides the vast majority of functions we need. This minimizes runtime dependency errors, eliminates the need for virtual environments, and reduces reliance on third-party libraries, overall leading to a more stable application and streamlined development process.

Go’s syntax and concepts are remarkably simple and straightforward. The creators actually stated that one of their goals was that code written by beginners and experts would look very similar. This makes it ideal for a course where participants come with varying levels of programming experience.

Finally, Go has excellent cross-compilation built directly into the compiler. This means regardless of which OS you work on or want your agent to run on, it’s very simple to compile with just a single command. This feature is particularly valuable when developing a C2 framework that might need to target multiple platforms.

SYSTEM REQUIREMENTS

This course is designed to be accessible without requiring high-end hardware. Here’s what you’ll need to participate fully:

Hardware Requirements

CPU: A modern dual-core processor is the minimum requirement, though a quad-core processor will provide a smoother experience when running multiple applications simultaneously (IDE, server, agent, and other tools).

RAM: 8GB of RAM is the recommended minimum. This will comfortably support our development environment without excessive slowdowns.

Storage: Please ensure you have at least 50GB of free disk space. This will accommodate the operating system, development tools, our project files, and allow room for additional resources and documentation.

GPU: No specialized graphics hardware is required for this course. The standard integrated graphics in most computers will be entirely sufficient.

Software Environment

Operating System: The course materials work across Windows, macOS, and Linux. For Windows users, I recommend enabling WSL2 (Windows Subsystem for Linux) or, even better, setting up an Ubuntu desktop virtual machine for the most seamless experience. I’ll be demonstrating primarily with terminal commands that work best in a Unix-like environment.

Integrated Development Environment (IDE): You’re welcome to use any IDE or text editor you’re comfortable with, as long as it has support for Go development. I’ll be using GoLand throughout the course, I’m currently working with JetBrains to hopefully provide free trial licenses for participants. If you prefer a free alternative, Visual Studio Code with Go extensions is pretty good (most of the time), and I’ll provide a setup guide for it. Other options like Helix, Neovim, or Sublime Text are perfectly fine if you’re already familiar with them.

Required Software:

• Go programming language (latest stable version)
• Git version control
• curl command-line tool
• Yaak API Client (free)
• A GitHub account for version control and sharing code – if you don’t yet have an account, please create one

I’ll provide comprehensive, step-by-step installation guides for all required software across Windows, macOS, and Linux before the course begins.