FalkonC2 is Getting Ridiculously Stealthy

June 01, 2026

By Tammy Harper, Senior Threat Intelligence Researcher

If you haven’t seen this hitting your feeds yet, it’s time to put FalkonC2 on your radar. This isn’t your standard open-source repackage; it’s a highly tailored, commercial C2 framework written completely from scratch in C++ and MASM64.

The developers designed this thing with two main goals: making the stubs as tiny as possible and ensuring they run entirely in memory without ever touching the disk. They are actively targeting enterprise environments, and the evasion tactics they’re pulling off are definitely worth a closer look.

Mentions of FalkonC2 are increasing in Flare over the last few weeks

Threat Actor Intelligence

Track Emerging C2 Frameworks Before They Hit Your Environment

Flare monitors cybercrime forums, markets, and communities where tools like FalkonC2 are sold, discussed, and distributed, giving your team early warning on threats.

Real-time monitoring of underground markets
Stolen credential detection across stealer logs

The Core Threat: Rotemelli1 vs. Rotemelli2

The framework relies on two distinct, stripped-down stubs (DLL, EXE, or raw shellcode) that completely ditch standard runtime libraries to stay under the radar.

  • Rotemelli1 (Consumer): Weighs in at a tiny 24 KB–27 KB. It targets consumer endpoints, utilizing 15 shared C2 servers and rotating domains weekly to dodge reputation blocks. (Word on the street is the devs are phasing this out to hyper-focus on enterprise targets).
  • Rotemelli2 (Enterprise): This is the dangerous one. It’s a 23 KB–35 KB stub built specifically to bypass corporate EDR and XDR agents. It jumps across 17 private C2 servers, with domains getting completely burned and refreshed every 72 hours to break network tracking.

For communications, it doesn’t just stick to standard web traffic. It switches between HTTP/HTTPS (using a custom encryption mix of MM4 on the host and ChaCha20 on the server), DNS tunneling, and even drops back to ICMP beacons on older legacy servers (like pre-2016 environments).

Actionable Capabilities & Live Demos

Looking at the latest platform telemetry (specifically what was captured in Demo 285 and 286), a few modules stand out as major headaches for defenders:

1. The ScreenConnect Chain

In Demo 285, we get a clear look at their primary Mechanism of Execution (MoE) on a Windows 11 Enterprise box protected by Microsoft Defender. The actors drop a legitimate ConnectWise ScreenConnect instance into the environment, rename the client binary to mask its identity, and launch it silently.

Demo 285

FalkonC2 uses a built-in “RMM Loader Nohost” mechanism that wraps around tools like ScreenConnect, Datto, and SimpleHelp. This allows them to cleanly bypass Windows Defender detection, drop their stealthy memory stubs, and rapidly elevate privileges straight to NT AUTHORITY\SYSTEM without alerting the user.

2. Blinding Responders with the BSOD Disrupter

If you want to see how aggressive this framework gets once it has domain admin access, Demo 286 highlights their specialized “BSOD Screen Disrupter” module.

Demo 286

When operating through an HVNC (Hidden Virtual Network Computing) session, if an analyst or automated system starts tracking the operator’s movements, the malware fires off a native Ring0 kernel exploit. This forces a Blue Screen of Death or completely scrambles the user-mode screen display. It effectively blinds incident responders and monitoring tools on the local machine, giving the operator a window to finish their objective or wipe tracks without being watched.

3. Financial Target Profiling

FalkonC2 isn’t just looking for random files; it’s hunting for money. The stubs specifically audit the endpoint environment to check for installations of Intuit QuickBooks and Sage50 Accounting data, prioritizing these for fast, automated exfiltration.

Global Target Footprint (Leaked Dashboard Telemetry)

A closer look at the developer’s private Tor CDN portal reveals a live dashboard tracking active compromises across multiple regions. The telemetry confirms successful, ongoing infections bypassing premier defensive suites in real-time:

As shown above, the framework is actively managing elevated stubs within high-value enterprise networks globally, explicitly highlighting successful bypasses against fully updated Microsoft Defender for Endpoint installations alongside several unlisted EDR platforms. The targets span critical infrastructure across the United States, Australia, the Netherlands, and Poland, with timestamped logs showing a massive spike in active, unmitigated access over the last 48 to 72 hours.

Recommendations for Security Teams

Given FalkonC2’s focus on memory-only execution and legitimate tool abuse, traditional signature-based detection is unlikely to catch it. Here are practical steps security teams can take to reduce exposure:

Monitor and Restrict RMM Tool Usage

FalkonC2’s primary execution chain abuses legitimate remote management tools like ScreenConnect, Datto, and SimpleHelp. Security teams can audit which RMM tools are authorized in their environment and flag any renamed or unsigned RMM binaries appearing on endpoints, which is a far more effective way to catch this initial access technique. Allowlisting approved RMM installations by hash and alerting on deviations is one of the highest-value detections here.
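One way to implement that allowlist-plus-rename check over an endpoint binary inventory, as an added example (not Flare's tooling and not part of the original post). It assumes an inventory feed that exposes each binary's SHA-256, Authenticode signer and the ProductName/OriginalFilename fields from its PE version resource; the hashes, hosts and paths below are constructed placeholders.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: SHA-256 of each approved RMM client build -> expected file name.
# The hash strings are placeholders, not real hashes.
APPROVED_RMM = {
    "PLACEHOLDER_SHA256_SCREENCONNECT_BUILD": "ScreenConnect.ClientService.exe",
    "PLACEHOLDER_SHA256_SIMPLEHELP_BUILD": "SimpleHelpClient.exe",
}
RMM_PRODUCTS = ("screenconnect", "datto", "simplehelp")

@dataclass
class BinaryRecord:
    host: str
    path: str
    sha256: str
    product: str            # ProductName from the PE version resource
    original_filename: str  # OriginalFilename from the PE version resource
    signer: Optional[str]   # Authenticode signer, None if unsigned

def evaluate(rec: BinaryRecord) -> list:
    """Findings for one inventoried RMM binary; an empty list means nothing to flag."""
    if not any(p in rec.product.lower() for p in RMM_PRODUCTS):
        return []                      # not an RMM product, out of scope for this rule
    findings = []
    if rec.sha256 not in APPROVED_RMM:
        findings.append("unapproved-hash")
    # Renaming leaves the hash intact, so compare the on-disk name with the PE's own OriginalFilename.
    if ntpath.basename(rec.path).lower() != rec.original_filename.lower():
        findings.append("renamed-binary")
    if rec.signer is None:
        findings.append("unsigned")
    return findings

def audit(records) -> dict:
    """Map (host, path) -> findings for every RMM binary that violates policy."""
    return {(r.host, r.path): f for r in records if (f := evaluate(r))}

# Constructed inventory sample, not real telemetry.
SAMPLE = [
    BinaryRecord("ws-01", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                 "PLACEHOLDER_SHA256_SCREENCONNECT_BUILD", "ScreenConnect", "ScreenConnect.ClientService.exe", "ConnectWise"),
    BinaryRecord("ws-17", r"C:\Users\Public\updater.exe",            # approved build, renamed to mask its identity
                 "PLACEHOLDER_SHA256_SCREENCONNECT_BUILD", "ScreenConnect", "ScreenConnect.ClientService.exe", "ConnectWise"),
    BinaryRecord("ws-22", r"C:\Temp\support.exe",                    # unknown build, unsigned, renamed
                 "PLACEHOLDER_SHA256_UNKNOWN", "SimpleHelp Remote Access", "SimpleHelpClient.exe", None),
    BinaryRecord("ws-03", r"C:\Windows\notepad.exe", "PLACEHOLDER_SHA256_NOTEPAD", "Microsoft Windows", "NOTEPAD.EXE", "Microsoft"),
]
```

The ws-17 record is the case a hash allowlist alone misses: the file is an approved build, so only the OriginalFilename comparison reveals that it was renamed.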

Detect Anomalous Network Patterns

The framework’s use of DNS tunneling, ICMP beacons on legacy systems, and 72-hour domain rotation creates opportunities for network-level detection. Security teams can look for:

  • Unusually high volumes of DNS queries to newly registered or low-reputation domains
  • ICMP traffic patterns inconsistent with normal network behavior, particularly on older servers
  • HTTP/HTTPS connections to domains less than 72 hours old with no prior organizational history
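The first and third bullets above turned into detection logic over constructed DNS and proxy log lines, as an added example (not part of the original post). It assumes a domain-registration or passive-DNS feed giving each domain's first-seen time, and a set of domains the organization has contacted before; the domains, hosts and thresholds are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2026, 6, 1, 12, 0, 0)     # constructed reference time for the sample
YOUNG_DOMAIN_HOURS = 72                  # matches the 72-hour domain rotation described above
DNS_BURST_THRESHOLD = 50                 # queries per host to young domains in the window; tune per site

# Constructed registration feed (domain -> first registered/seen), standing in for a WHOIS or passive-DNS source.
DOMAIN_FIRST_SEEN = {
    "cdn-updates.example": NOW - timedelta(hours=20),
    "metrics-relay.example": NOW - timedelta(hours=60),
    "vendor-portal.example": NOW - timedelta(days=900),
}
# Domains the organization has contacted before this window (from historical proxy logs).
KNOWN_DOMAINS = {"vendor-portal.example"}

def registrable(name: str) -> str:
    """Collapse a query name to its last two labels (good enough for the sample; use a PSL for real data)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])

def is_young(domain: str, now: datetime = NOW) -> bool:
    first = DOMAIN_FIRST_SEEN.get(domain)
    return first is not None and now - first < timedelta(hours=YOUNG_DOMAIN_HOURS)

def dns_bursts(dns_lines) -> dict:
    """Hosts sending an unusual volume of DNS queries to domains under 72 hours old."""
    counts = Counter()
    for line in dns_lines:
        _ts, src, qname = line.split()
        if is_young(registrable(qname)):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= DNS_BURST_THRESHOLD}

def young_http_destinations(http_lines) -> list:
    """HTTP/HTTPS connections to domains under 72 hours old with no prior organizational history."""
    hits = []
    for line in http_lines:
        _ts, src, host = line.split()
        domain = registrable(host)
        if is_young(domain) and domain not in KNOWN_DOMAINS:
            hits.append((src, domain))
    return hits

# Constructed log lines: "<timestamp> <source host> <queried name or HTTP host>".
# ws-17 issues many queries for unique subdomains of a day-old domain, the shape DNS tunneling leaves behind.
SAMPLE_DNS = [f"2026-06-01T11:5{i % 10}:{i % 60:02d} ws-17 {i:04x}.cdn-updates.example" for i in range(60)]
SAMPLE_DNS += ["2026-06-01T11:57:12 ws-04 www.vendor-portal.example", "2026-06-01T11:58:40 ws-04 cdn-updates.example"]
SAMPLE_HTTP = ["2026-06-01T11:59:30 ws-17 metrics-relay.example", "2026-06-01T11:59:45 ws-04 www.vendor-portal.example"]
```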

Harden Against Memory-Only Payloads

With zero disk footprint and no CRT dependencies, file-based scanning won’t catch Rotemelli2 stubs. Security teams can enable memory integrity scanning, Credential Guard, and behavioral detection rules focused on anomalous process injection patterns, which is a more effective way to catch fileless threats. Monitoring for processes loading unsigned DLLs under 35 KB that initiate outbound connections is also worth testing.

Protect Financial Software Targets

FalkonC2 specifically profiles endpoints for QuickBooks and Sage50 installations. Security teams can implement additional monitoring around these applications — alerting on bulk file access to accounting databases or unusual export activity provides an early warning before exfiltration completes.

Plan for Responder-Blinding Tactics

The BSOD Disrupter module is designed to crash or scramble screens when analysts investigate. Security teams can ensure forensic telemetry ships to a centralized, off-host location (SIEM, EDR cloud console) in real-time so that local disruption doesn’t eliminate the investigation trail. If an endpoint unexpectedly blue-screens during an active investigation, treating it as a potential counter-IR tactic rather than a routine crash is a worthwhile operational adjustment.

Monitor for Credential and Token Theft

FalkonC2 includes native Chrome token theft capabilities. Security teams can enforce short-lived session tokens, implement conditional access policies that re-evaluate device posture mid-session, and monitor for mass cookie or token access events across browser credential stores.

FalkonC2 is Worth Watching

FalkonC2 represents exactly the kind of threat that makes enterprise security teams lose sleep: purpose-built for corporate environments, actively maintained by developers who clearly understand what EDR looks for, and already running live against real targets. The combination of sub-35 KB memory-only stubs, legitimate RMM tool abuse, and counter-IR tactics like the BSOD Disrupter makes this more than just another C2 framework announcement on a dark web forum. It’s a mature, commercially motivated toolset that’s getting stealthier with every release cycle. We’ll continue tracking FalkonC2’s development and infrastructure changes as they evolve, especially if the developers follow through on sunsetting consumer targets and going all-in on enterprise.
