SharpCovertTube enables remote control of Windows systems by leveraging YouTube video uploads with QR-coded commands as a covert C2 channel.
YouTube as C2 channel - Control Windows systems uploading QR videos to YouTube
This tool is designed for red teamers and penetration testers to establish a stealthy command and control (C2) channel using YouTube videos as the communication medium. It allows operators to send commands encoded in QR codes within video thumbnails and receive exfiltrated data via DNS queries, bypassing traditional network monitoring. It is especially useful for persistence and covert operations in environments with strict outbound network controls.
Users must obtain a valid YouTube API key and channel ID to configure the tool properly. Frequent polling may exceed YouTube API rate limits, so adjust the polling interval accordingly. The tool requires the target system to have internet access to query YouTube and perform DNS exfiltration. Ensure the logging directory exists to avoid errors. This tool is intended strictly for authorized penetration testing and red teaming engagements.
Clone the repository from GitHub: git clone https://github.com/ricardojoserf/SharpCovertTube.git
Build or download the provided binaries for the listener (regular or service binary)
Configure the listener by editing Configuration.cs to set your YouTube channel ID and Google API key
Ensure the AES key and IV are set if using encrypted QR codes (optional)
Create or verify the existence of the logging folder (default c:\temp)
Use the included Python script to generate QR-coded videos for upload
Upload the generated videos to your configured YouTube channel
Run the listener on the target Windows system to start monitoring the channel
Run the listener binary or service on Windows: starts monitoring the configured YouTube channel for new videos containing QR-coded commands.
Upload example videos like 'whoami.avi' or 'dirtemp_aes.avi' to the YouTube channel: sends commands encoded in QR codes via video thumbnails to the listener.
Configure polling interval in Configuration.cs (default 600 seconds): sets how often the listener checks for new videos to avoid API rate limits.
Use the Python script in the c2-server folder: generates malicious QR-coded videos, uploads them to YouTube, and monitors DNS exfiltration.