Mythic
Mythic is an open-source, collaborative, multi-platform post-exploitation and command-and-control (C2) framework from SpecterOps. It is agent-agnostic and supports agents in multiple languages and for multiple platforms. Reported Mythic agents include Apfell (JXA for macOS), Apollo (.NET for Windows), Poseidon (Go-based, including macOS support), and a Rust-based "coffee" agent. Mythic supports multiple C2 protocols including HTTP, TCP, DNS, and SMB, as well as HTTP-based profiles, SSL-encrypted C2, modified SOCKS5 proxy tunneling for egress traffic, scripting of file downloads from agents, and custom chunk sizes for file upload/download operations.
Although designed for red teaming, the framework is repeatedly described as commonly abused by threat actors in the wild. Public reporting links Mythic infrastructure or payloads to multiple malicious operations. Researchers identified Go binaries built on Mythic in a malicious Rust crate supply-chain campaign ("CrateDepression") targeting GitLab CI environments; the second-stage payloads were Poseidon agents for Linux and macOS communicating with api.kakn[.]li (64.227.12[.]57) and supporting persistence, keylogging, screen capture, file upload/download, and remote administration. A private Mythic-compatible backdoor named Loki (Backdoor.Win64.MLoki), derived from a Havoc agent, was used in targeted attacks against more than a dozen Russian companies in engineering and healthcare; associated C2s included y[.]nsitelecom[.]ru/certcenter, document[.]info-cloud[.]ru/data, and ui[.]telecomz[.]ru/data. ESET reported that RomCom exploited CVE-2025-8088 in WinRAR spearphishing campaigns targeting financial, manufacturing, defense, and logistics organizations in Europe and Canada, with successful exploitation delivering a Mythic agent alongside SnipBot and RustyClaw. Breakglass Intelligence recovered a Rust-based Mythic "coffee" agent DLL (xolehlp.dll, SHA256 67d7f993304c211f727ac8e25ece366f345f349e38ec62316d66c173943bd244) and an encrypted loader (svchost_icewrap.exe, SHA256 c6210ba0144d8a2c502398aa591b8b6053c186d6b72146e14d09018fe35663c1) from malicious MSC-based delivery chains; the coffee agent used a hardcoded AES-256-HMAC pre-shared key and supported commands including coffee, upload, c2_update, download, continued_task, sleep, and exit. Additional reporting describes a custom-built Mythic implant delivered via loaders and obfuscated shellcode from search.bin, communicating with zeccecard[.]com/grain/duke, performing an RSA-4096 key exchange, and sending host metadata such as username, hostname, domain, OS, architecture, local IPs, executable path, integrity level, and PID.
Observed infrastructure indicators include a Mythic C2 server on 194.163.175[.]135:7443, FOFA fingerprints using the HTML title "Mythic" and favicon hash -859291042, and reporting that one Mythic C2 instance had 1,330 sightings. Recorded Future reported that Mythic usage increased by 33% in 2022 compared with 2021. Overall, public reporting supports characterizing Mythic as a legitimate offensive security framework that is also actively repurposed by threat actors for backdoor deployment, persistence, remote command execution, credential and data theft, tunneling, and broader post-exploitation across Windows, Linux, and macOS environments.
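As an added example (not code from this profile or from the Mythic project), the following Python refangs the defanged network indicators quoted above and matches them against a few constructed DNS, proxy and firewall log lines; the log format and field names are assumptions, and an IP hit on a port other than the published one is still reported because it warrants triage.

```python
import re

# Indicators quoted in the profile above, kept in their published defanged form.
DEFANGED_IOCS = [
    "api.kakn[.]li", "64.227.12[.]57", "y[.]nsitelecom[.]ru",
    "document[.]info-cloud[.]ru", "ui[.]telecomz[.]ru", "zeccecard[.]com",
    "194.163.175[.]135:7443",
]

# Constructed sample telemetry (DNS, proxy and firewall lines), not real logs.
SAMPLE_LOGS = [
    "2024-05-02T10:11:12Z dns client=10.0.0.5 qname=api.kakn.li type=A",
    "2024-05-02T10:12:13Z proxy client=10.0.0.7 host=zeccecard.com uri=/grain/duke status=200",
    "2024-05-02T10:13:14Z fw src=10.0.0.9 dst=194.163.175.135 dport=7443 proto=tcp",
    "2024-05-02T10:14:15Z dns client=10.0.0.5 qname=example.com type=A",
    "2024-05-02T10:15:16Z fw src=10.0.0.9 dst=194.163.175.135 dport=443 proto=tcp",
]

# Host-like tokens: letters, digits, dots and hyphens ('=' and ':' split tokens).
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def refang(ioc):
    """Undo [.] / (.) defanging and split an optional :port; returns (host, port|None)."""
    value = ioc.replace("[.]", ".").replace("(.)", ".")
    host, _, port = value.partition(":")
    return host.lower(), (int(port) if port else None)


def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, indicator, port_matched) for each line naming an indicator.

    port_matched is None for indicators without a port; otherwise True only when
    the indicator's port also appears as a token in the same line.
    """
    lookup = {refang(i)[0]: (i, refang(i)[1]) for i in iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        tokens = [t.lower().rstrip(".") for t in TOKEN_RE.findall(line)]
        for token in tokens:
            if token in lookup:
                indicator, port = lookup[token]
                hits.append((n, indicator, None if port is None else str(port) in tokens))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```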
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
ESET researchers have discovered a previously unknown zero-day vulnerability in WinRAR being exploited in the wild by Russia-aligned group RomCom... now assigned CVE-2025-8088: a path traversal vulnerability, made possible with the use of alternate data streams. | Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and the Mythic agent.
Three attack variants observed: GrimResource (CVE-2025-26633): XSS via the apds.dll res:// protocol handler
Groups observed using it
3 distinct threat actors attributed by public researchers.
Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and the Mythic agent.
"Three minutes prior to the delivery of RomCom’s shellcode loader, the operator tests the connection to Mythic C2."
ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
SentinelLabs has investigated a supply-chain attack against the Rust development community... the malicious crate typosquats against the well known rust_decimal package... the intended targeting could lead to subsequent larger scale supply-chain attacks depending on the GitLab CI pipelines infected.
Execution
6 techniques
This script generates an Office macro which uses osascript to download and execute the Mythic JXA .js payload.
The working solution is an apfell agent that runs via osascript (AppleScript, T1059.002, Execution) and does not depend on the processor architecture. The callback via osascript goes through on arm64 without problems.
The agent currently employs three commands that imitate standard Jamf policy instructions... execute_command: Executes a bash command on the target device with root privileges.
Persistence
2 techniques
Privilege Escalation
2 techniques
Mythic does have the ability to add Login Item persistence even from the App Sandbox.
The typhon agent utilises functionality provided by the Jamf binary. As such no additional code needs to be introduced to the compromised device for this agent to operate... execute_command: Executes a bash command on the target device with root privileges.
Stealth
4 techniques
This post is about that loader, which we call WasmForge ... You point it at a Go project and you get back a Windows or macOS binary that runs your tool but doesn’t look anything like it ... The third generates an outer Go binary containing a Wazero runtime, embeds the encrypted WASM module into the binary’s PE sections.
Remove the first line of the Mythic JXA .js launcher... Some static A/V signatures have been known to check for this static string.
Defense Impairment
3 techniques
Discovery
2 techniques
Lateral Movement
2 techniques
“CVE-2020-1472, also known as ZeroLogon, allows for compromising a vulnerable operating system and executing commands as a privileged user.” | “CVE-2021-34527, also known as PrintNightmare… enabling remote access to a vulnerable OS and high-privilege command execution.”
Collection
1 technique
Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information... AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Ember Bear engages in mass collection from compromised systems during intrusions.
Command and Control
6 techniques
Hunting C2/Adversaries Infrastructure with Shodan and Censys ... My research: Cobalt Strike C2, Metasploit/MSF, Covenant C2, Deimos C2, Posh C2, Brute Ratel C4, Mythic C2, Sliver C2 ... Night Hawk C2, NimPlant C2, ShadowPad C2 infrastructure, Async Rat C2 infrastructure, Meterpreter C2 infrastructure
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
It supports several protocols for C2 including HTTP, WireGuard, and DNS... Mythic is an open source post-exploitation framework... and supports multiple protocols for C2 including TCP, HTTP, DNS, and SMB.
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.
Exfiltration
1 technique
IOCs tracked for this family
53 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
45 sources tracked across advisories, community write-ups, and news.
Mentioned as a Linux-capable HTTP-based C2 framework whose traffic characteristics may be manipulated to evade ML-based IDS classifiers.
An adversary command-and-control framework observed hosted on infrastructure associated with post-compromise activity.
A custom-built Mythic implant delivered as obfuscated shellcode and executed by Python/C++ loaders. It creates a mutex, dynamically resolves APIs, performs RSA/AES key exchange with its C2, sends host profiling data, supports execution scheduling restrictions, and waits for commands from the C2 server.
Referenced as an open-source C2/offensive framework that adversaries can readily adopt.