Out-of-Band Network Implant Project
My plans for a hardware implant that uses a Pi Zero 2 W and 4G LTE to build a covert C2 tunnel, bypassing perimeter firewalls completely. Everything here can and will probably be changed.
The Concept
Basic reverse shells can be unreliable and are often easy to detect, but a physical out-of-band (OOB) implant can be a game-changer for evasion.
My goal with this project is to learn how to bypass and evade security controls at a higher level. The idea is to build a physical drop box disguised as something boring, like a generic power strip under a desk. Instead of fighting the firewall to get traffic out through the target’s ISP, the implant does this:
- Hooks into the internal network via physical Ethernet.
- Brings up its own independent 4G/LTE cellular connection.
- Tunnels all C2 traffic over the cell link, acting as a proxy directly into the internal environment.
Proposed Hardware Build
┌────────────────────────────────────────────────────────┐
│ Boring Enclosure (hidden in plain sight) │
│ │
│ ┌────────────────┐ ┌─────────────────────────┐ │
│ │Target Network │ │ Waveshare SIM7600A-H │ │
│ │(RJ45 to USB) │─────▶│ (4G LTE Modem HAT) │ │
│ └────────────────┘ └───────────┬─────────────┘ │
│ │ SPI/USB │
│ ┌────────────────┐ ┌───────────▼─────────────┐ │
│ │Internal Power │─────▶│ Raspberry Pi Zero 2 W │ │
│ │(5V Step-Down) │ │ (Logic & Go Agent) │ │
│ └────────────────┘ └─────────────────────────┘ │
│ │
└────────────────────────────────────────────────────────┘
The Parts List
I am going with the Pi Zero 2 W mostly because it is small and very cheap, and if I can make it work, then that would be pretty cool.
- Raspberry Pi Zero 2 W: Core logic board.
- Waveshare SIM7600A-H: For the 4G LTE connection.
- Micro-USB to RJ45 adapter: To interface with the target network.
- High Endurance MicroSD: For 24/7 read/write operations.
- Fake Enclosure: Something that would be seen in an office environment, like a power strip or air purifier.
Agent Architecture
I am writing the implant agent in Go to guarantee a lightweight, cross-compiled binary with zero dependencies (and honestly, because I am trying to get better with Go). I am planning to have it hook into a custom C2 framework I am currently developing.
The most critical part of the code is the routing logic. The agent has to ensure that beaconing strictly uses the cellular interface and never accidentally leaks data over the target’s internal interface.
How to Defend Against This
If you are on the blue team, catching an out-of-band implant is tough because you can’t rely on your firewall logs. You have to look elsewhere:
- Implement strict 802.1X Network Access Control (NAC) so random devices cannot just grab an IP address.
- Do actual physical sweeps of conference rooms, closets, and empty desks.
- Look for weird internal network behavior, like unexpected DHCP requests or internal IP addresses scanning other internal segments.
- In high-security environments, you might actually need RF spectrum monitoring (frequency analysis) to catch the unauthorized cellular transmissions.