From a defender's perspective, the agent looks like a spectator connected to a game lobby. Every command, every response, every file transfer rides inside NMT_CHAT packets — the same packets sent when a player types in the in-game chat. The C2 data is encoded in the sender field, which is never displayed in the game UI. The visible chat text is drawn from a pool of natural messages.
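A sensor-side check for exactly this covert channel, added here as an example and not code from the project described on this page. It works on decoded chat records rather than ENet frames: a real client keeps one nickname for the life of a connection, so a sender field that changes from packet to packet is the strongest tell, and a long high-entropy sender backs that up. The ChatPacket shape, the addresses, nicknames and thresholds are all assumptions of this example, and the sample traffic is constructed.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// ChatPacket is a decoded view of one NMT_CHAT message as a sensor might log it:
// the source address it came from, the sender field and the chat text. The ENet
// framing itself is not modelled; these are constructed sample records.
type ChatPacket struct {
	Src, Sender, Text string
}

// SamplePackets is constructed traffic: a real player at 10.0.0.5 with one fixed
// nickname, and an agent at 10.0.0.7 whose sender field carries encoded C2 data
// while its chat text cycles through natural-looking lines.
var SamplePackets = []ChatPacket{
	{"10.0.0.5", "Theseus", "anyone up for 1v1?"},
	{"10.0.0.5", "Theseus", "gg"},
	{"10.0.0.5", "Theseus", "rush at min 5?"},
	{"10.0.0.7", "a7Fq2LpZ9xW0bKmN3vYcT4rU", "gg"},
	{"10.0.0.7", "Hx81mQdE5sLvZo2nBwT7kCyR", "nice map"},
	{"10.0.0.7", "pV6zJsMf3AqLwXe9uGd0RtYk", "anyone up for 1v1?"},
}

const (
	minEntropyLen = 16  // senders shorter than this (in bytes) never trip the entropy rule
	entropyBits   = 4.0 // bits/char; real nicks sit around 2-3, encoded data above 4
)

// ShannonEntropy returns the per-character entropy of s in bits (0 for "").
func ShannonEntropy(s string) float64 {
	counts := map[rune]int{}
	total := 0
	for _, r := range s {
		counts[r]++
		total++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// FlagSources groups packets by source address and returns, for every source
// that looks like a covert channel, the reasons it was flagged. A changing
// sender field is the primary signal; the entropy rule catches a long encoded
// value that an agent reuses across packets.
func FlagSources(pkts []ChatPacket) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, p := range pkts {
		if seen[p.Src] == nil {
			seen[p.Src] = map[string]bool{}
		}
		seen[p.Src][p.Sender] = true
	}
	flags := map[string][]string{}
	for src, set := range seen {
		var reasons []string
		if len(set) > 1 {
			reasons = append(reasons, fmt.Sprintf("sender field took %d distinct values", len(set)))
		}
		senders := make([]string, 0, len(set))
		for s := range set {
			senders = append(senders, s)
		}
		sort.Strings(senders) // deterministic report order
		for _, s := range senders {
			if len(s) >= minEntropyLen && ShannonEntropy(s) >= entropyBits {
				reasons = append(reasons, fmt.Sprintf("high-entropy sender %q (%.2f bits/char)", s, ShannonEntropy(s)))
				break
			}
		}
		if len(reasons) > 0 {
			flags[src] = reasons
		}
	}
	return flags
}

func main() {
	for src, reasons := range FlagSources(SamplePackets) {
		fmt.Printf("%s: %v\n", src, reasons)
	}
}
```

On the sample above only 10.0.0.7 is reported, with both reasons; the player's fixed seven-character nickname trips neither rule. The distinct-sender rule needs no tuning, so it is the one to deploy first; the entropy threshold is a starting point to calibrate against the nicknames actually seen on a given lobby.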
Architecture in brief
Transport
ENet UDP/20595 — the exact port and protocol of every real 0 A.D. client. No custom port, no raw sockets.
Encryption
X25519 ECDH for session key exchange. XSalsa20-Poly1305 (libsodium secretbox) for all payloads. Ephemeral keys per session. Note that nothing listed here authenticates the peers: with purely ephemeral keys and no key pinned out of band, an active interceptor can complete the exchange separately with each side, so this protects against passive capture rather than an on-path defender.
eBPF Rootkit
Hooks getdents64 to hide the agent's PID from /proc listings and patches reads of /proc/net/udp so the C2 port is missing from netstat output. Both tricks only affect tools that read /proc: ss -u pulls socket state over netlink (sock_diag) rather than from /proc/net/udp, and the loaded BPF programs are what bpftool prog list enumerates, so those are the first places a defender should look.
In-Memory Staging
A stager of about 14 KB fetches the agent over an ECDH-encrypted TCP connection into a memfd and starts it with fexecve, so the agent binary never touches disk. Two defender notes: that download leg is TCP rather than the ENet UDP game traffic, so it is the one connection that does not blend in with 0 A.D. lobby traffic; and a memfd-backed process is still visible on the host, since /proc/PID/exe resolves to /memfd:<name> (deleted) and the mapping appears in /proc/PID/maps.
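The key exchange and payload encryption from the Encryption entry above, as an added example in Go that is not the project's own code: both ends of the handshake run in-process on Go's standard crypto/ecdh, each with a freshly generated X25519 key pair, and a sealed payload is opened by the other side. Two substitutions are assumptions of this example, made because the standard library lacks the libsodium primitives: SHA-256 over the shared secret and both public keys as the KDF (libsodium's crypto_kx uses BLAKE2b), and AES-GCM as the AEAD in place of XSalsa20-Poly1305 secretbox. The stager/server role names and the nonce-prefix message layout are also assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session is one end of the handshake: an ephemeral X25519 key pair and,
// after Derive, the AEAD built from the shared secret.
type Session struct {
	priv *ecdh.PrivateKey
	aead cipher.AEAD
}

// NewSession draws a fresh key pair. One pair per connection is what makes
// the keys ephemeral: no long-term key exists that could decrypt a capture later.
func NewSession() (*Session, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Session{priv: priv}, nil
}

// Derive finishes the exchange. The raw ECDH output is hashed with both public
// keys in a fixed order (stager first) so both ends compute the same 256-bit key.
// SHA-256 as KDF and AES-GCM as AEAD are this example's stand-ins for BLAKE2b and secretbox.
func (s *Session) Derive(peerPub, stagerPub, serverPub []byte) error {
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	shared, err := s.priv.ECDH(pk)
	if err != nil {
		return err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write(stagerPub)
	h.Write(serverPub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return err
	}
	s.aead, err = cipher.NewGCM(block)
	return err
}

// Seal encrypts one payload as nonce || ciphertext || tag under a fresh random nonce.
func (s *Session) Seal(plaintext []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail as of Go 1.24
	return s.aead.Seal(nonce, nonce, plaintext, nil)
}

// Open verifies the tag and decrypts; any modified byte makes it fail.
func (s *Session) Open(msg []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(msg) < n {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:n], msg[n:], nil)
}

// Exchange runs both ends in-process: generate keys, swap public keys, the
// stager seals a payload, the server opens it. It returns the recovered
// plaintext and whether a copy with one flipped bit was rejected.
func Exchange(payload []byte) ([]byte, bool, error) {
	stager, err1 := NewSession()
	server, err2 := NewSession()
	if err := errors.Join(err1, err2); err != nil {
		return nil, false, err
	}
	// The two public keys are the only handshake bytes that cross the wire.
	sp, vp := stager.priv.PublicKey().Bytes(), server.priv.PublicKey().Bytes()
	if err := errors.Join(stager.Derive(vp, sp, vp), server.Derive(sp, sp, vp)); err != nil {
		return nil, false, err
	}
	msg := stager.Seal(payload)
	got, err := server.Open(msg)
	if err != nil {
		return nil, false, err
	}
	msg[len(msg)-1] ^= 0x01 // flip one tag bit; got is a separate buffer
	_, terr := server.Open(msg)
	return got, terr != nil, nil
}

func main() {
	got, rejected, err := Exchange([]byte("fetch agent"))
	fmt.Printf("plaintext=%q tampered_rejected=%v err=%v\n", got, rejected, err)
}
```

Running it prints the recovered payload and tampered_rejected=true. The point of the fixed public-key order in Derive is that the KDF input must be identical on both sides; the point of hashing the public keys in at all is that a session key is then bound to the specific pair of ephemeral keys that produced it.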