AzaleaControl
Advanced C2 / remote admin tool with a clean modern UI supporting Win7-11 / Server 2008-2025.
HVNC, Keylogger, Credentials Dumping, AD Enumeration, Lateral Movement, Privesc, and more.
Earn commissions on sales. Get 15% back in BTC/XMR to your specified wallet any time a purchase is made using your referral code.
Highlights
HVNC: Uses unique technique to achieve near 60 FPS on good hardware — Support for latest Chrome, Firefox, Opera, and others
Stealer: Full Chrome v20 bypass + Windows credentials dumping from SAM, CredentialManager, Domain Controllers, …
Windows Defender Disabler: Silently disables Windows Defender without alerting user — Full Tamper Protection bypass
Builder: Output support for Win+R, .lnk, .bat, .scr, .pif, shellcode, .dll, …
Windows Event Log hook: Blocks events from reaching Windows Event Log based on keywords, supports events generated by Sysmon
Windows forensics logs wiping: Wipes recently accessed file, event, process execution, and various other logs
Interesting Files Finder: Searches for files including financial & corporate documents, database files, virtual disks, etc. locally and in a network
Privilege escalation: Multiple techniques, including searching for configuration issues leading to exploitation
Active Directory & local network enumeration: Includes network shares on computers, as well as computer info like name, domain, OS version
Indirect syscalls: Used to bypass AV/EDR product detections at runtime
Defence Analysis: Detection of TLS MITM/TLS decrypting firewall, running AV/EDR products, injected modules including EDR hooks and rootkits
Undetected by Windows Defender & other top AV/EDR products
Kleenscan static: https://www.kleenscan.biz/scan_result/9980c09d617137a41c5d6ed9241ed87de07d432dd1cb9a9af9b6096f698f37af
Kleenscan runtime: https://www.kleenscan.biz/runtime/scan_result/6e44797f8aea35fccbefa3be1abdb40097e01f33609183b2e0cf351362785052
Full Feature List
Interact & Execute
Interact: Issue console commands to Agent — All commands like whoami, net, etc. are implemented natively, so no "net.exe" or similar is executed
Remote Shell: CMD & PowerShell
Execute: Download and Execute to disk & memory
Inject Shellcode: Indirect syscalls, threadless injection, driploading
Inject Agent to remote process
Discovery & Access
Network: Scan from Active Directory and LAN — Remote computer info including network share content, computer name, domain, and OS version
Lateral Movement: PsExec
Active Directory Explorer: Browse AD object hierarchy
Windows Credentials: Dump from Credential Manager, SAM, DPAPI + DCSync & fake login prompt phishing
Interesting Files Heatmap: Find interesting files to exfiltrate such as corporate documents, database files, virtual disks, etc. locally and in a network
TCP Tunnels: Create TCP tunnel to any target through the Agent
Privilege Escalation
UAC Bypass: ICMLuaUtil
Local Service to System: BadPotato
Kernel exploits: CVE-2024-26229, CVE-2024-30088, CVE-2024-35250
Other: RedSun
GetSystem: Elevate to SYSTEM integrity using a Service or Task Scheduler
Privilege Escalation Finder: Search for configuration issues possibly leading to privilege escalation
Persistence
Task Scheduler
Registry Run
Evasion
Wipe Logs: Recent Files, Eventlogs, Prefetch, Shellbags, SRU, RunMRU, etc.
Eventlog Hook: Filters out events from reaching EventLog caused by the Agent or by custom keyword — Supports logs generated by Sysmon
Rootkit: Ring3 rootkit coded from scratch in C++ — Not based on anything public — Hides the agent file and process & protects it against termination
Windows Defender Disabler: Silently disables Windows Defender while the UI will show status as still running — Full Tamper Protection bypass
Windows Defender Exclusions Management: Add and remove exclusions
System
Resource Monitor: Monitor usage of CPU, GPU, RAM, network, disks
System Information: Full info from OS, BIOS, CPU, GPU, RAM, Displays, Software, Network Adapters, Disks
Network Connections: TCP and UDP connections by application
Event Log Browser: View all Windows event logs
File Explorer: Browse, create, rename, copy, delete files & directories — Preview files — View recent locations
Process Explorer: View all running processes and windows — Terminate/Suspend/Unsuspend — Inject shellcode — Steal token
Registry Editor: Browse, create, rename, edit, delete registry keys and values
Shutdown
Restart
Surveillance & Control
HVNC: Uses unique technique to achieve near 60 FPS on good hardware — Full support of latest Chrome, Firefox, Brave, Opera, and others — Clone profile
HRDP: Supports creating hidden sessions & allows hijacking any user sessions including locked ones and bypassing the lockscreen
Keylogger: Online & Offline support
AnyDesk manager: Install AnyDesk and configure to allow unattended access
Remote Desktop
Webcam capture
Clipper & Stealer
Crypto Clipper: BTC, ETH, XMR, BCH, ATOM, ADA, XLM, XRP, LTC, DASH, DOGE, DOT — Any custom address pattern
Stealer
- Chrome 147 support with full ABE (V20) bypass without admin privileges
- 42 browsers including: Chrome, Firefox, Edge, Opera, Brave, DuckDuckGo, Chromium, Vivaldi
- 24 Crypto wallet apps including: Zcash, Armory, Bytecoin, Jaxx, Exodus, Electrum, Atomic, Guarda, Coinomi, MyMonero, Wasabi, Monero GUI Wallet, Binance, Bitcoin Core, Dogecoin, Raven Core, Blockstream Green
- 83 Crypto wallet extensions including: Metamask, Cake, Binance, Tron, CoinBase Wallet, Guarda, Jaxx, Bitapp, Coin98, Equal, Guild, Iconex, Math, Mobox, Phantom, XinPay, Ton, Sollet, Slope, Starcoin, Swash
- Messengers such as Discord, Telegram, Outlook, Skype, Element, Tox, ICQ, Pidgin
- Others including RDCMan, WinSCP, Outlook, Foxmail, Tox, Element, FileZilla, ProtonVPN, OpenVPN
Agent Management
Dashboard
- Network traffic bandwidth tracking
- Computer active hours analyzer
- TLS MITM/TLS decrypting firewall detection
- Running AV/EDR products
- Suspicious injected modules detection including EDR hooks and rootkits
Other
Various payload options: Win+R, .lnk, .bat, shellcode, .dll, exe, ...
Anti Analysis: Anti VM, Anti Sandbox, Anti Debug
Crypter: Undetected by Windows Defender & other top AV/EDR products
Build obfuscation
Mutex (Single Instance)
Customizable stealthy install
Auto & Group commands
Chat
MessageBox
Open website
Show/Hide taskbar
Show/Hide desktop
Enable/Disable task manager
Pricing
Basic
$30 / month
$180 / year (-50%)
$360 LIFETIME
- Interact
- Remote Shell
- Execute
- UAC Bypass
- Resource Monitor
- System Information
- Network Connections
- Event Log Browser
- File Explorer
- Process Explorer
- Registry Editor
- Shutdown/restart
- Remote desktop
- Persistence
- Auto commands
- Group commands
- Webcam capture
- Agent dashboard
Pro
$100 / month
$600 / year (-50%)
$1200 LIFETIME
- All from Basic +
- HVNC
- HRDP
- Rootkit
- TCP Tunnels
- Clipboard logger
- Keylogger
- Anydesk Manager
- Stealer
- Build obfuscation
- Private stubs
Advanced
$300 / month
$1800 / year (-50%)
$3600 LIFETIME
- All from Pro +
- Windows Defender disabler
- Windows Defender Exclusions Management
- Wipe Logs
- Eventlog Hook
- Interesting Files Finder
- Windows Credentials Dumper
- Active Directory Explorer
- Network Scanner
- Local Service to System LPE
- All kernel & other LPE
- High integrity -> System elevation
- Privilege Escalation Finder
- Shellcode injection
- Inject Agent to remote process
- Steal token
- Lateral movement
- Crypter
- Priority support