Darkesn Re

Extending Nighthawk with Python Modules

2026-02-05T00:00:00+00:00

Nighthawk 0.4 introduced a powerful Python module system that allows operators to extend the implant’s capabilities using pure Python without modifying the core codebase.

Python modules run within an embedded interpreter inside the agent, enabling rapid development of custom post-exploitation capabilities while maintaining the operational security guarantees of the core framework.

Usage

Modules can interact with the Nighthawk API surface to perform tasks such as credential harvesting, lateral movement, and situational awareness — all within the existing C2 channel.

import nighthawk

def run(agent):
    results = agent.shell("whoami")
    agent.log(results)

Loading Modules

Modules are loaded via the operator console using the python-load command, followed by the path to the module file.

Nighthawk 0.4 – Janus

2025-09-24T00:00:00+00:00

Introduction

If you’ve been following our trajectory over the past 12 months, you will have noticed some of the significant design and architecture changes we’ve been making. The largest of which was the full rewrite of the backend teamserver and introduction of JSON RPC APIs. One of the key drivers for these changes was to pre-position the framework for what we’re releasing in Nighthawk 0.4.

Open For Business

Red Team Operations are multi-faceted, and adaptability is a key requirement for ensuring continued success. With Nighthawk 0.4, we introduced a new feature we’re labelling “Open Agent” — another Nighthawk first for commercial C2s. Open Agent allows you to develop and integrate your own agents, whether complete agents or stage 1s, into Nighthawk.

At minimum, Open Agents must implement the following three tasking commands:

CPMT_GET_DETAILED_INFO: Allows the backend to obtain basic information about the machine.
CPMT_GET_CONFIG: Allows the backend to know the sleep and fragmentation settings.
CPMT_TERMINATE_PROCESS: Allows the operator to instruct the agent to terminate its own execution.

Taking Center Stage

Complementing our Open Agent feature, in 0.4 we introduced a suite of new staging tools dubbed the Stager Kit. This suite comprises NHStager, a Builder, Visual Studio code templates and a new OpSec-driven loader.

NHStager supports a minimal set of commands including whoami, ps, execute-bof, inject, ls, upload, download, and more. It comes with a built-in BOF loader with full support for the Cobalt Strike BOF API.

NHConfigurator

NHConfigurator is a UI-based wizard that allows operators to cherry pick which high-level OpSec configuration options they want, while automatically creating random beacon network profiles and producing nginx location rules.

Automating Operations with Nighthawk

2025-09-19T00:00:00+00:00

This post covers how operators can leverage Nighthawk’s scripting capabilities to automate repetitive tasks during red team engagements, freeing operators to focus on higher-order decision making.

Automation workflows can be triggered by events within the C2 — such as a new beacon checking in, a specific hostname matching a pattern, or a time-based schedule.

Example: Auto-enumerate on check-in

on beacon_checkin {
  if hostname matches "DC*" {
    run enumerate-dc
  }
}

Nighthawk 0.3.4 – Sivako

2025-09-02T00:00:00+00:00

Sivako is a maintenance release focusing on stability, performance improvements, and operator quality-of-life enhancements across the console and teamserver components.

Bug fixes and minor improvements are detailed in the operator changelog distributed with the release package.

Nighthawk 0.3.3 – Evanesco

2024-11-29T00:00:00+00:00

Evanesco introduces enhanced process injection techniques and improvements to the sleep masking subsystem, improving survivability against modern endpoint detection solutions.

The release also includes a number of bug fixes reported by operators during engagements.

Nighthawk 0.3 – Automate All The Things

2024-01-15T00:00:00+00:00

Nighthawk 0.3 marks a significant milestone in the framework’s automation capabilities. This release introduces a comprehensive scripting layer that allows operators to automate complex multi-step operations.

Nighthawk 0.2.6 – Three Wise Monkeys

2023-06-10T00:00:00+00:00

Three Wise Monkeys focuses on stealth — see no evil, hear no evil, speak no evil. This release brings significant improvements to Nighthawk’s ability to evade detection at the network, memory, and process levels.

Nighthawk 0.2.4 – Taking Out the Trash

2023-02-20T00:00:00+00:00

This release focuses on cleanup — removing technical debt, hardening the communication channel, and patching operator-reported bugs that had accumulated since 0.2.

Nighthawk - With Great Power Comes Great Responsibility

2022-10-05T00:00:00+00:00

With the continued growth of the offensive security tooling ecosystem, we felt it important to write about our philosophy around responsible disclosure, customer vetting, and the ethical considerations that govern how we develop and distribute Nighthawk.

Nighthawk 0.2.1 – Haunting Blue

2022-06-15T00:00:00+00:00

Haunting Blue introduces a suite of new evasion primitives and expands Nighthawk’s lateral movement capabilities, with improved support for token manipulation and credential access.