Mythic
Mythic is a modern, open-source, multi-platform command-and-control (C2) and red-teaming framework written in Python 3 with a web-based UI, multi-user support, and a microservice architecture. It is commonly referred to as Mythic or Mythic C2 and supports multiple C2 profiles, including HTTP, WebSocket, and TCP, as well as SSL-encrypted communications and peer-to-peer C2 between agents. Mythic can also leverage a modified SOCKS5 proxy to tunnel egress C2 traffic, and reporting referenced a Mythic Azure Blob Storage profile designed to use Azure Blob Storage for C2 over whitelisted cloud-service egress paths.
Although developed as a legitimate red-team framework and publicly available on GitHub, the content states that it is often abused by threat actors. Recorded Future reported Mythic usage increased by 33% in 2022 compared with 2021. The framework has been observed in multiple intrusion chains and malware delivery operations. ESET reported that the Russia-aligned RomCom group exploited CVE-2025-8088, a WinRAR path traversal zero-day, in targeted spearphishing campaigns against financial, manufacturing, defense, and logistics organizations in Europe and Canada, with successful exploitation delivering RomCom-associated backdoors including a Mythic agent. Elastic Security Labs reported BLISTER loader campaigns deploying a MYTHIC implant, including execution inside an injected WerFault process. Breakglass Intelligence recovered a Rust-based Mythic "coffee" agent DLL (xolehlp.dll) delivered via DLL sideloading through msdtc.exe in malicious MSC-based campaigns; the recovered agent supported commands including coffee, upload, c2_update, download, continued_task, sleep, and exit, and used a hardcoded AES-256-HMAC pre-shared key. Additional reporting described a custom-built Mythic implant delivered through Python and C++ loaders that executed obfuscated shellcode from search.bin, created mutex 5df098b7-efe6-4c1d-a7d1-dbc6519a66c2, performed RSA-4096 key exchange with its C2, initially used a Base64-encoded AES key embedded in the stealer body, communicated with zeccecard[.]com/grain/duke using a staging_rsa JSON object, and sent host metadata including username, hostname, domain, OS, architecture, local IPs, executable path, integrity level, and PID before awaiting commands. The same reporting noted optional time-based execution restrictions.
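The check-in behaviour described above (a base64-encoded POST body carrying a staging_rsa JSON object, followed by a host-metadata message) is something a proxy or egress analyst can look for. The following is an added example, not code from Mallory, the reporting vendors, or the Mythic project: it triages constructed proxy events against the indicators quoted on this page and the shape of the check-in. The JSON key names (`action`, `user`, `host`, `ips`, `integrity_level`, ...), the base64 body with an optional leading identifier before the JSON, and the proxy event layout are assumptions made for the example.

```python
import base64
import json
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from this page (defanged in the original reporting).
KNOWN_C2_DOMAINS = {"zeccecard.com"}
KNOWN_C2_PATHS = {"/grain/duke"}
KNOWN_C2_ENDPOINTS = {("194.163.175.135", 7443)}

# The page says the implant sends username, hostname, domain, OS, architecture,
# local IPs, executable path, integrity level and PID. The JSON key names below
# are an ASSUMPTION for this example; adapt them to what your decoder observes.
CHECKIN_KEYS = {"user", "host", "domain", "os", "architecture", "ips",
                "process_name", "integrity_level", "pid"}


@dataclass
class ProxyEvent:
    """One outbound HTTP request as a web proxy might log it (constructed)."""
    src: str
    method: str
    host: str
    port: int
    path: str
    body_b64: str  # request body as logged, base64 text


def decode_json_body(body_b64: str) -> Optional[dict]:
    """Base64-decode a body and parse the first JSON object in it.
    ASSUMPTION: the body may carry a short identifier before the JSON,
    so parsing starts at the first '{'."""
    try:
        raw = base64.b64decode(body_b64, validate=True)
    except (ValueError, TypeError):
        return None
    start = raw.find(b"{")
    if start < 0:
        return None
    try:
        parsed = json.loads(raw[start:].decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return parsed if isinstance(parsed, dict) else None


def analyse(event: ProxyEvent) -> List[str]:
    """Return the reasons this request resembles a Mythic agent check-in."""
    reasons = []
    if event.host in KNOWN_C2_DOMAINS:
        reasons.append("known C2 domain")
    if (event.host, event.port) in KNOWN_C2_ENDPOINTS:
        reasons.append("known C2 IP:port")
    if event.path in KNOWN_C2_PATHS:
        reasons.append("known C2 URI path")
    body = decode_json_body(event.body_b64) if event.method == "POST" else None
    if body is not None:
        if body.get("action") == "staging_rsa" or "staging_rsa" in body:
            reasons.append("staging_rsa key-exchange message")
        # Four or more profiling fields in one message is the threshold used here.
        if len(CHECKIN_KEYS & set(body)) >= 4:
            reasons.append("host-profile check-in fields")
    return reasons


def encode_body(obj: dict, prefix: str = "") -> str:
    """Build a constructed sample body: base64(prefix + JSON)."""
    return base64.b64encode((prefix + json.dumps(obj)).encode()).decode()


# Constructed sample events: two suspicious, two benign.
SAMPLE_EVENTS = [
    ProxyEvent("10.0.0.5", "POST", "zeccecard.com", 443, "/grain/duke",
               encode_body({"action": "staging_rsa", "pub_key": "<constructed>",
                            "session_id": "c0ffee"},
                           prefix="00000000-0000-4000-8000-000000000000")),
    ProxyEvent("10.0.0.7", "POST", "194.163.175.135", 7443, "/index",
               encode_body({"action": "checkin", "user": "alice", "host": "WS01",
                            "domain": "corp", "os": "Windows 10",
                            "architecture": "x64", "ips": ["10.0.0.7"],
                            "pid": 4321, "integrity_level": 2})),
    ProxyEvent("10.0.0.9", "GET", "updates.example.com", 443, "/api/v1/status", ""),
    ProxyEvent("10.0.0.11", "POST", "crm.example.com", 443, "/login",
               encode_body({"user": "bob", "host": "web"})),
]


def triage(events: List[ProxyEvent]) -> dict:
    """Map source address -> reasons, keeping only events that hit."""
    results = {}
    for event in events:
        reasons = analyse(event)
        if reasons:
            results[event.src] = reasons
    return results


if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_EVENTS).items():
        print(src, "->", "; ".join(reasons))
```

The indicator sets are exact-match and will only catch the infrastructure quoted here; the two structural checks (a `staging_rsa` message and a cluster of host-profiling fields) are what survive when operators rotate domains, so they are worth keeping as a lower-confidence signal on their own.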
The content also includes infrastructure and hunting artifacts associated with Mythic. A Mythic C2 server was reported hosted at 194.163.175.135 on port 7443 as of March 28, 2026, and Talos observed that same IP hosting additional offensive tooling. FOFA hunting guidance identified a default Mythic favicon hash of -859291042 and HTML title "Mythic" as useful fingerprints. Other references note sightings of Mythic C2 infrastructure and its use alongside frameworks such as Sliver and Havoc. Overall, the content supports that Mythic is a widely used open-source C2 framework that is regularly repurposed by threat actors across espionage and intrusion operations.
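The favicon hash quoted above is the MurmurHash3 (x86, 32-bit, seed 0) of the base64 text of the icon file, the recipe Shodan documents for its `http.favicon.hash` filter; FOFA's `icon_hash` is commonly reported to yield the same value, which is an assumption made here. The following is an added example, not code from Mallory or the Mythic project, that implements that hash without third-party packages so an internal scanner can check whether a web server you own exposes the page's Mythic fingerprint (favicon hash and HTML title). It cannot reproduce the reported value without the real favicon file; the favicon bytes in the block are constructed.

```python
import base64
from typing import Optional

# Fingerprints quoted on this page.
MYTHIC_FAVICON_HASH = -859291042
MYTHIC_HTML_TITLE = "Mythic"

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 as an unsigned 32-bit integer (reference algorithm)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    length = len(data)
    full = length & ~3

    # Body: 4-byte little-endian blocks.
    for i in range(0, full, 4):
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32

    # Tail: remaining 1-3 bytes.
    tail = data[full:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1

    # Finalisation mix.
    h1 ^= length
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1


def to_signed32(value: int) -> int:
    """Search engines publish the hash as a signed 32-bit integer."""
    return value - (1 << 32) if value >= (1 << 31) else value


def favicon_hash(favicon: bytes) -> int:
    """Shodan-style favicon hash: mmh3 over the base64 text of the raw file.
    base64.encodebytes inserts a newline every 76 characters plus a trailing
    newline, which is part of the published recipe and changes the result."""
    return to_signed32(murmurhash3_x86_32(base64.encodebytes(favicon)))


def fingerprint_matches(favicon: bytes, html_title: Optional[str]) -> dict:
    """Report which of the page's Mythic fingerprints a server matches."""
    return {
        "favicon": favicon_hash(favicon) == MYTHIC_FAVICON_HASH,
        "title": (html_title or "").strip() == MYTHIC_HTML_TITLE,
    }


if __name__ == "__main__":
    # Constructed stand-in for a favicon file (not the real Mythic icon).
    sample_icon = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00" + b"\x00" * 32
    print("favicon hash:", favicon_hash(sample_icon))
    print("matches:", fingerprint_matches(sample_icon, "<title>Mythic</title>"
                                          .replace("<title>", "").replace("</title>", "")))
```

Feed it the bytes of `/favicon.ico` and the `<title>` text from your own externally reachable hosts; a match on both fields is the same fingerprint the hunting guidance uses, and a title match alone is a weaker signal worth a manual look.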
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
ESET researchers have discovered a previously unknown zero-day vulnerability in WinRAR being exploited in the wild by Russia-aligned group RomCom... now assigned CVE-2025-8088: a path traversal vulnerability, made possible with the use of alternate data streams. | Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and the Mythic agent.
Three Attack Variants Observed: GrimResource (CVE-2025-26633), XSS via the apds.dll res:// protocol handler
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and the Mythic agent.
"Three minutes prior to the delivery of RomCom’s shellcode loader, the operator tests the connection to Mythic C2."
ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
"CVE-2025-8088 was exploited by RomCom in an email spearphishing campaign... A malicious archive, disguised as a job applicant’s curriculum vitae or resume, was attached to the emails"
Execution
4 techniques
The agent currently employs three commands that imitate standard Jamf policy instructions... execute_command: Executes a bash command on the target device with root privileges.
"A WinRAR zero-day vulnerability was exploited in the wild... CVE-2025-8088... enables attackers to misuse alternate data streams (ADSs) to achieve path traversal on Windows."
"A malicious LNK file Updater.lnk... Another LNK file runs... A third malicious LNK file executes..."
ID: T1204.003 | Technique: Malicious Image | Tactic: Execution | Annotations: Default Configuration
Persistence
2 techniques
Privilege Escalation
2 techniques"adds a registry value... using Component Object Model (COM) hijacking to execute the malicious msedge.dll"
The typhon agent utilises functionality provided by the Jamf binary. As such no additional code needs to be introduced to the compromised device for this agent to operate... execute_command: Executes a bash command on the target device with root privileges.
Stealth
4 techniques
This post is about that loader, which we call WasmForge ... You point it at a Go project and you get back a Windows or macOS binary that runs your tool but doesn’t look anything like it ... The third generates an outer Go binary containing a Wazero runtime, embeds the encrypted WASM module into the binary’s PE sections.
"msedge.dll exits before deploying the Mythic agent if the target machine’s domain name does not match a hardcoded company name"
"through the use of alternate data streams, malicious files were hidden and deployed when the PDF was extracted and opened"
Defense Impairment
1 technique
Discovery
2 techniques
Lateral Movement
2 techniques
“CVE-2020-1472, also known as ZeroLogon, allows for compromising a vulnerable operating system and executing commands as a privileged user.” | “CVE-2021-34527, also known as PrintNightmare… enabling remote access to a vulnerable OS and high-privilege command execution.”
If your goal is simply to execute a C2 payload, you can include the binary in the project directory and then execute it.
Command and Control
6 techniques
T1071 Application Layer Protocol: C2 mimicry over HTTP/HTTPS/DNS
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.
The whole pipeline exists to solve one specific problem: take an existing offensive security tool, change zero lines of its source code, and produce a binary you can actually drop on a hardened endpoint.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
IOCs tracked for this family
39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
37 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Mentioned as a Linux-capable HTTP-based C2 framework whose traffic characteristics may be manipulated to evade ML-based IDS classifiers.
An adversary command-and-control framework observed hosted on infrastructure associated with post-compromise activity.
A custom-built Mythic implant delivered as obfuscated shellcode and executed by Python/C++ loaders. It creates a mutex, dynamically resolves APIs, performs RSA/AES key exchange with its C2, sends host profiling data, supports execution scheduling restrictions, and waits for commands from the C2 server.
Referenced as an open-source C2/offensive framework that adversaries can readily adopt.