FireC2 is a proof-of-concept (PoC) project that demonstrates Command and Control (C2) communication using Firebase Realtime Database as a backend.
The goal of this project is to study how legitimate cloud services can be abused as communication channels when monitoring and security controls are insufficient.
This project is intended strictly for educational, research, and defensive security purposes.
It is designed to support:
- threat research
- detection engineering
- blue team and red team training
Any misuse of this software is the sole responsibility of the user.
Traditional C2 infrastructures usually rely on custom servers, domains, and network protocols, which are increasingly easy to detect and block.
FireC2 explores an alternative approach by using a widely trusted cloud service as the communication layer.
Firebase Realtime Database is used as:
- a simple message exchange mechanism
- a task queue
- a storage layer for command output
No dedicated C2 server is required.
- Remote command tasking and result collection
- File transfer via structured database entries
- Simple operator console
- Near real-time bidirectional communication
This project is intended to be used in a controlled lab environment.
- Create a Firebase project.
- Enable Firebase Realtime Database.
- Configure database access rules for the PoC.
Example database rules (lab use only):
```json
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
```
⚠️ These rules are intentionally insecure and must only be used in an isolated testing environment.
- Note the database name (for example: firec2-lab).
```
python3 console.py firec2-lab
```
(your database name from *.firebaseio.com URL)

You need to configure the following values in both console.py and agent.py:
- FIREBASE — base64-encoded Realtime Database URL
- SECRET — shared secret used for HMAC signing

```
python3 agent.py
```

This version does not include additional security layers such as redirectors or advanced cryptography and should only be used in lab or adversary emulation environments.
This project was intentionally kept minimal.
The current version does not implement:
- persistence mechanisms
- redirectors or traffic forwarding infrastructure
- operational security (OPSEC) features
These aspects were intentionally out of scope, as the project was developed purely as a PoC for research and educational purposes.
This project was written as a learning exercise to better understand:
- cloud-based C2 techniques
- abuse of legitimate services
- detection challenges related to trusted infrastructure
It is not intended for operational use.
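For the detection side of the pattern this README describes, here is an added example (not part of FireC2) that flags a host and process reaching an unapproved *.firebaseio.com database at a steady cadence in proxy logs. The log layout, the allowlist, the process names and the thresholds are assumptions, and the log lines are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

FIREBASE_SUFFIX = ".firebaseio.com"        # hostname pattern named in this README
APPROVED_DATABASES = {"corp-mobile-app"}   # assumption: databases your org really uses
MIN_REQUESTS = 5                           # assumption: tune per environment
MAX_JITTER = 0.2                           # assumption: max stdev/mean of request gaps

# Constructed proxy log: "<ISO time> <source host> <process> <destination host>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-014 chrome.exe corp-mobile-app.firebaseio.com
2024-05-01T10:00:05 ws-022 python3 firec2-lab.firebaseio.com
2024-05-01T10:00:15 ws-022 python3 firec2-lab.firebaseio.com
2024-05-01T10:00:25 ws-022 python3 firec2-lab.firebaseio.com
2024-05-01T10:00:36 ws-022 python3 firec2-lab.firebaseio.com
2024-05-01T10:00:45 ws-022 python3 firec2-lab.firebaseio.com
2024-05-01T10:00:55 ws-022 python3 firec2-lab.firebaseio.com
2024-05-01T10:01:00 ws-031 firefox shop-widget.firebaseio.com
2024-05-01T10:01:02 ws-031 firefox shop-widget.firebaseio.com
2024-05-01T10:04:40 ws-031 firefox shop-widget.firebaseio.com
2024-05-01T10:04:41 ws-031 firefox shop-widget.firebaseio.com
2024-05-01T10:19:00 ws-031 firefox shop-widget.firebaseio.com
"""

def find_suspects(log_text):
    """Return (host, process, database) groups with steady, unapproved traffic."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].lower().endswith(FIREBASE_SUFFIX):
            continue  # malformed line, or not a Realtime Database hostname
        ts, src, proc, dest = parts
        database = dest.lower()[: -len(FIREBASE_SUFFIX)]
        if database not in APPROVED_DATABASES:
            seen[(src, proc, database)].append(datetime.fromisoformat(ts))
    suspects = []
    for (src, proc, database), stamps in sorted(seen.items()):
        if len(stamps) < MIN_REQUESTS:
            continue  # too few requests to judge cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= MAX_JITTER:  # heuristic: interactive use is bursty, automation is regular
            suspects.append({"host": src, "process": proc, "database": database,
                             "requests": len(stamps), "interval_s": round(mean, 1)})
    return suspects
```

On the constructed sample, only the ws-022 group is returned: the approved database is skipped by the allowlist and the browser traffic to shop-widget is too irregular to match.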
- CYFIRMA — Inside FireScam: An Information Stealer with Spyware Capabilities
https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/