Andromeda Bytecode C2 Lab Workflow¶
Summary¶
Use this skill to evaluate or operate the Andromeda research framework in an isolated, authorized lab. Andromeda combines a controller, a target listener, and a bytecode generator for delivering position-independent payload blobs to a connected host-side runtime.
Primary source: https://github.com/vyrus001/andromeda
Use when¶
- you need to understand the trust boundaries in an agent-assisted implant / C2 proof of concept
- you are testing host-side bytecode delivery in a lab you own or are explicitly authorized to use
- you want to review how controller, listener, and generated payload artifacts interact
- you need a safe checklist before running third-party offensive tooling with committed binaries
Components¶
| Tool | Directory | Runs where | Role |
|---|---|---|---|
| Soldir | soldir/ | Controller container | FastAPI web app, graph UI, WebSocket broker, job API, Tinkr orchestration, LLM chat surface |
| Tailor listener | tailor/tools/tailor-listen.py | Target / host workstation | Checks in to Soldir, opens /ws/tailor/{instance_id}, receives execute_bytecode, writes blobs to a temp directory, invokes tailor-run |
| Tailor runner | tailor/bin/tailor-run, tailor/src/ | Target / host workstation | Native C runtime that maps a blob, builds a resolver context, marks memory executable, and calls the payload entrypoint |
| Tinkr | tinkr/ | Controller build environment | LLVM + SheLLVM-style tooling and skill fixtures that compile raw position-independent bytecode blobs |
| Artifacts | artifacts/, tinkr/*.bin | Repository / lab host | Example C sources and prebuilt bytecode blobs for deterministic smoke tests |
Trust model¶
Treat every boundary as code-execution sensitive:
- Soldir controls Tailor: a Tailor instance connected to Soldir accepts bytecode jobs from that Soldir server. In practice, the controller has code-execution authority over the connected host.
- Tailor executes untrusted blobs: delivered bytecode is written to disk and executed through the native runner. Do not connect Tailor to a controller you do not fully trust.
- The WebSocket/API plane is sensitive: unauthenticated check-in, job, graph, and Tailor WebSocket routes are acceptable only on an isolated localhost/lab network.
- LLM provider keys are high-value: Soldir can receive
OPENAI_API_KEY,ANTHROPIC_API_KEY,XAI_API_KEY, andOLLAMA_*environment variables. Avoid using real production keys in a malware-analysis or exploit-development lab. - Committed binaries need provenance checks: rebuild host-side binaries from source where practical before execution, or inspect hashes and behavior in a disposable VM.
Lab prerequisites¶
- A disposable VM or dedicated lab host. Do not use a daily-driver workstation.
- Docker for the Soldir controller container.
- The target platform expected by the payload. The included smoke workflow is documented for macOS arm64 with
/usr/bin/say. - Network isolation that keeps
127.0.0.1:8765or any Docker-published8765/tcpendpoint away from untrusted clients. - Written authorization for every host where Tailor runs.
Safe startup pattern¶
Prefer a two-terminal lab flow so the controller and target listener are easy to stop and observe.
# Terminal 1: controller only
./stop.sh
docker compose down -v
./start.sh --no-listener
# Confirm controller state
curl -fsS http://127.0.0.1:8765/health
# Terminal 2: target listener on the authorized host
make -C tailor
python3 tailor/tools/tailor-listen.py \
--soldir-url http://127.0.0.1:8765 \
--instance-id local-lab-host \
--verbose
Confirm that the health endpoint shows one checked-in Tailor client before sending any job:
Smoke-test job¶
Use the bundled deterministic smoke path only in a lab where an audible macOS say execution is acceptable.
curl -fsS -X POST http://127.0.0.1:8765/api/jobs/macos-say-smoke \
-H 'content-type: application/json' \
-d '{
"target_triple": "arm64-apple-macos",
"target_instance_id": "local-lab-host",
"message": "authorized lab smoke test"
}'
Capture job status without collecting sensitive host data:
Useful fields to record: job ID, target instance ID, target triple, status, return code, stdout/stderr shape, and the exact git commit tested.
Review checklist before running¶
- The repo URL, commit SHA, and current diff are recorded.
- No unexpected untracked binaries or payload blobs are present.
-
docker-compose.ymlport publishing is bound only to intended lab interfaces. - No production LLM/API keys are exported into the container.
- Tailor listener
--soldir-urlpoints only at a trusted controller. - The target instance ID is explicit; jobs are not relying on implicit target selection.
- The work directory is disposable and does not overlap sensitive paths.
- The lab has packet/process/file telemetry sufficient to explain what ran.
Operator best practices¶
Isolate the controller¶
- Bind Soldir to localhost or a private lab interface only.
- Add firewall rules before starting Docker if the host may publish
8765/tcpon more than loopback. - Do not expose
/api/jobs/*,/api/checkins,/ws, or/ws/tailor/*to shared networks without adding authentication and transport security first.
Minimize target authority¶
- Run Tailor as a low-privilege test user.
- Use a disposable VM snapshot and revert after each payload class.
- Keep the Tailor work directory under a temporary lab path.
- Do not run Tailor on hosts with real credentials, browser sessions, SSH agents, source code, or customer data.
Control payload scope¶
- Start with deterministic fixture payloads before prompt-generated payloads.
- Keep payloads inert and visibly bounded: write a marker, print a message, or call a harmless lab binary.
- Do not test persistence, credential access, lateral movement, destructive filesystem operations, or production network callbacks from this workflow.
- Record source, compiler command, target triple, blob hash, and runtime output for each payload.
Protect secrets¶
- Use throwaway LLM/API keys if provider-backed generation is required.
- Prefer local Ollama or a mock provider when reviewing orchestration behavior rather than payload quality.
- Do not place secrets in
.envunless the file is outside version control and scoped to the disposable lab. - Scrub logs before sharing; Tailor output and Soldir job records can reveal hostnames, instance IDs, paths, and provider configuration.
Rebuild or verify binaries¶
- Prefer rebuilding
tailor/bin/tailor-runand related libraries from source on the lab host. - Hash committed binaries and generated blobs before execution.
- If behavior matters, compare source-built and committed artifacts in a disposable VM.
- Treat any binary or blob pulled from the repo as untrusted until verified.
Detection and evidence hints¶
For authorized lab validation, useful evidence includes:
- controller HTTP and WebSocket access logs
- Tailor listener stderr/stdout
- job records from
/api/jobs - process creation showing
tailor-runand the payload effect - file writes under the Tailor work directory
- SHA-256 hashes of generated
.binblobs - network captures showing only expected localhost/lab traffic
Avoid collecting unrelated host files, credentials, tokens, browser data, or user content.
Stop and clean up¶
Revert the VM snapshot after running unknown payloads or committed binaries.
Source notes¶
Confirmed from the public repository on 2026-06-27:
- repo description identifies Andromeda as an implant / command-and-control framework
- README documents Tinkr, Tailor, and Soldir roles
- demo path sends an
execute_bytecodejob to a checked-in Tailor instance docker-compose.ymlpublishes8765:8765and passes LLM provider variables into Soldirtailor/tools/tailor-listen.pyreceives base64 bytecode and invokestailor/bin/tailor-runtailor/src/tailor_run.cmaps delivered blobs and marks memory executable before execution