Generate first-stage Windows shellcode and Linux ELF stagers in a red team lab
Front an existing command and control framework with sandbox detection and UUID allow lists
Study how a Go service exposes an admin panel plus a separate HTTPS endpoint
Compare PE-to-shellcode conversion paths using Convert2Shellcode and SRDI
Requires a static musl toolchain (zig or musl-gcc); intended for security learning and research only, with strong legal disclaimers from the authors.
Soone is a security research project written mostly in Chinese. The README calls it a "pre-access platform" (前置准入平台), meaning a piece of software that sits in front of a command and control framework and prepares the first stage of a connection. The authors say they do not build or copy any command and control framework themselves. Instead they want Soone to act as a partner for existing ones, handling stager generation and anti-sandbox work so that each framework can focus on its own core code.

The project supports two kinds of clients. For Windows it produces shellcode that can be embedded in another loader, since the team says compiled PE files have been unstable in their tests. For Linux it produces ELF binaries for amd64 or arm64, and the build step needs a static musl toolchain such as zig or musl-gcc. The README lists install commands for Debian, Ubuntu, CentOS, RHEL, Rocky and Alpine.

Soone started as a small Python service, was restructured in Python, and has now been rewritten in Go. The README says the rewrite covers more platforms and that the Windows client has been tested from Windows 7 through Windows 11.

Running the Soone binary starts two services. A web admin panel listens on port 58888 with the user admin and a random thirteen character password printed at startup. A separate command and control endpoint listens on port 3208 over HTTPS. The admin session lasts three hours. Stated features include sandbox detection, a UUID based allow list, and long polling task delivery.

The README ends with a strong disclaimer. The authors say the tool is for security learning and research only, that users take full legal responsibility for how they use it, and that it should not be used for any commercial purpose. They also link to two outside projects, Convert2Shellcode and a chainreactors wiki page on SRDI, as recommended ways to turn a PE file into shellcode.
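The two-listener layout described above (admin panel on 58888, HTTPS endpoint on 3208) gives defenders a simple host-inventory check against a socket listing. This is an added example, not code from the Soone project; it assumes the default ports stated in the README are unchanged, and the sample `ss -H -ltnp` output and process names are constructed.

```python
import re
from collections import defaultdict

# Default ports as stated in the summary above (assumed unchanged by the operator).
ADMIN_PORT, C2_PORT = 58888, 3208

# Constructed sample of `ss -H -ltnp` output, not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 *:58888 *:* users:(("svc-a",pid=4410,fd=7))
LISTEN 0 4096 *:3208 *:* users:(("svc-a",pid=4410,fd=8))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, optional process column.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$')
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def listeners_by_process(ss_text):
    """Map (process name, pid) -> set of listening TCP ports."""
    ports = defaultdict(set)
    for line in ss_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or non-LISTEN line
        port = int(m.group(2))
        # Without root, ss omits the process column; group those sockets
        # under ("unknown", 0) so they are still reviewed.
        procs = PROC_RE.findall(m.group(3)) or [("unknown", "0")]
        for name, pid in procs:
            ports[(name, int(pid))].add(port)
    return ports


def triage(ss_text):
    """'pair': one process holds both ports; 'single': only one of them."""
    wanted = {ADMIN_PORT, C2_PORT}
    findings = []
    for (name, pid), ports in sorted(listeners_by_process(ss_text).items()):
        hits = ports & wanted
        if hits:
            kind = "pair" if hits == wanted else "single"
            findings.append((kind, name, pid, sorted(hits)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SS):
        print(finding)
```

A "pair" finding is the stronger signal because a single process owns both listeners; a "single" hit on 3208 or 58888 alone is common for unrelated software and only warrants a closer look at the owning binary.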
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.