Experimenting with Out-of-Band Command and Control Infrastructure through Sub-GHz Radio Frequencies

"Can't scream? then whisper."
TL;DR: I built a covert hardware implant that can control airgapped machines using Sub-GHz radio, without touching any network stack, Wi-Fi, or Bluetooth.
It is common in the red team/adversary simulation areas of practice to use widely known frameworks for Command and Control (C2/CNC) for post-exploitation such as Cobalt Strike, Sliver, Villain/HoaxShell, and many more.
While effective, such infrastructure introduces detectable telemetry, network dependencies, and centralized risk, because it operates on the typical TCP/IP stack. Beyond those issues, there is also a specific simulation scenario that led me to months of research and to building my own proof of concept from scratch:
"What if the target has no internet, and no way out? No WiFi, no USB drives, no sneaky SD cards past the guards?"
I have envisioned the imaginary target in scope as an infrastructure whose network is airgapped from the public internet (similar to the STUXNET scenario), and where data cannot easily be exfiltrated due to tight physical security. In response, I have been experimenting with an uncommon way of communicating covertly into an airgapped network: Sub-GHz radio, specifically LoRa.

What's LoRa?
A LoRa module contains a LoRa transceiver chip and a microcontroller, giving it all the elements needed for long-range communication. It serves as a building block to connect sensors, actuators and all kinds of IoT edge devices through a LoRa-based network.
Simply put, LoRa is what IoT nerds use to check if their garage doors are working properly, or if their succulents are thirsty. We've weaponized it to whisper in a forbidden language.
Why LoRa?
LoRa is, in a way, stealthy by design. You cannot accidentally "tune" into it the way you can with a standard FM/AM radio; you would need specialized tools such as SDRs and the right knowledge to tune in and actually read the data. It also sits in a band with a lower noise floor than higher-frequency bands such as 2.4GHz/5GHz; LoRa is realistically used only in devices such as sensors, automatic garage doors, and LoRaWAN. No one would expect a LoRa device to be sending out a malicious message. In addition, it is digitally modulated, meaning it can later be extended with features such as encryption.
Unlike WiFi or Bluetooth, which are noisy and heavily scanned, LoRa offers long-range communication (within line of sight) with a low signature in noisy urban spaces, and typically works well through urban environments. Though advertised as reaching up to 10km, it realistically does less in the tests conducted. It is most effective in a <20m range (with a LOT of obstructions; unobstructed you can go as far as 250m - https://ieeexplore.ieee.org/document/9259364) in a standard residential environment where naturally occurring interference is present. In real-world terms, you could sit in a cafe across the street while your implant talks back from next door.
Case Study: SILENTWHISPER
Introducing SILENTWHISPER, a covert hardware implant I built from scratch with no funding, no lab, just insomnia, header pin injuries, and an unhealthy obsession with the kind of tooling you only hear about in redacted PDFs (hi ANT catalogue).
The key objective of the development of this project is to maintain stealth and control over high-security environments where conventional access is restricted and/or heavily monitored.
SILENTWHISPER's framework rests on four key principles:
- Execute and control payloads in air-gapped environments
- Conceal malicious behavior within Human Interface Devices
- Maintain low-power, long-range communication via LoRa
- Avoid detection via common security tools (EDRs, SOCs, NOCs, etc.)
Housed inside a standard mouse shell, SILENTWHISPER operates without TCP/IP, Wi-Fi or Bluetooth. It communicates exclusively through low-frequency LoRa, and is designed for tailored access ops and adversary simulation in hostile environments where traditional C2 tooling might fail.
SILENTWHISPER is composed of several key components (yes, they're NSA-coded):
- SILENTWHISPER (internally called WHISPERIMPLANT) - The hardware embedded inside a mouse shell for physical stealth; it listens over long-range LoRa and whispers through COM.
- CHIMERADUST - A covert dropper that delivers payloads silently from within the implant to disk, leveraging native tooling and minimal indicators.
- SILENTFANG - A lightweight DLL runner for command execution. <9KB when compressed, leverages LOLBAS, plays nice with EDRs/SOCs/NOCs by playing invisible.
- ANGRYFERRET - Mobile CNC/operator channel run by the operator outside the airgapped network, used to give commands to WHISPERIMPLANT.
Inspired by publicly known NSA-grade implants like FIREWALK, HOWLERMONKEY and COTTONMOUTH-I, SILENTWHISPER reimagines nation-state tooling with off-the-shelf parts and a "two 8-piece buckets of Jollibee Chickenjoy" budget. Think dumpster diving outside a blacksite, then buying the parts off Shopee.
One of the core principles of SILENTWHISPER is accessibility and rapid deployment. It favors off-the-shelf hardware and minimalist design to support adversary simulations within environments where conventional command and control channels aren't feasible. The components listed below support a basic single-target to operator communication setup:
- 2x ESP32-S3 N16R8 – Main microcontroller for both implant and CNC node
- 2x LoRa SX1278 Modules with Antennas – Long-range RF communication
- 1x USB Mouse Shell – Physical enclosure for deception and covert deployment
- Jumper wires – Connectivity between modules
Estimated Cost
As of writing, the total hardware cost for this setup is approximately ₱1,500 PHP, excluding the mouse shell (~$26 USD/~20 GBP for my US/UK readers), making it an accessible option for red team operators, researchers, or educational use.
The implant can simulate human input to trigger native OS interpreters, enabling payload delivery to disk under constrained conditions. Technical specifics are intentionally withheld to avoid disclosing sensitive tradecraft. The internal command execution happens through LOLBAS, then STDIN/STDOUT is piped through COM as an internal communication layer between WHISPERIMPLANT and SILENTFANG before being sent back through to ANGRYFERRET.
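As an added defender-side example (not code from the post or the SILENTWHISPER project), the following Python heuristic flags a USB device that exposes both a keyboard-class HID interface and a serial (CDC) interface, the combination a host would see from a device that types into a native interpreter and talks back over COM. The device inventory is constructed; the class and protocol codes are the standard USB-IF values.

```python
# Added example: flag USB devices that pair a keyboard HID interface with a
# serial (CDC) interface. Inventory below is constructed, not captured.
from dataclasses import dataclass
from typing import List, Tuple

# USB interface class codes (USB-IF class code table)
CLASS_CDC_CONTROL = 0x02
CLASS_HID = 0x03
CLASS_CDC_DATA = 0x0A
# HID boot-interface protocol values
HID_PROTO_KEYBOARD = 0x01
HID_PROTO_MOUSE = 0x02


@dataclass(frozen=True)
class Interface:
    cls: int
    protocol: int


@dataclass(frozen=True)
class UsbDevice:
    name: str
    interfaces: Tuple[Interface, ...]


def is_hid_keyboard(iface: Interface) -> bool:
    # Narrow by design: non-boot HID keyboards report protocol 0 and would
    # need report-descriptor parsing to be recognised.
    return iface.cls == CLASS_HID and iface.protocol == HID_PROTO_KEYBOARD


def is_serial(iface: Interface) -> bool:
    return iface.cls in (CLASS_CDC_CONTROL, CLASS_CDC_DATA)


def suspicious_composites(devices: List[UsbDevice]) -> List[str]:
    """Names of devices exposing BOTH a keyboard HID and a serial interface.
    Plain keyboards, mice and USB-serial adapters are not reported."""
    return [d.name for d in devices
            if any(is_hid_keyboard(i) for i in d.interfaces)
            and any(is_serial(i) for i in d.interfaces)]


# Constructed sample inventory standing in for a host's enumerated USB tree.
SAMPLE_INVENTORY = [
    UsbDevice("Office mouse", (Interface(CLASS_HID, HID_PROTO_MOUSE),)),
    UsbDevice("USB-serial adapter",
              (Interface(CLASS_CDC_CONTROL, 0), Interface(CLASS_CDC_DATA, 0))),
    UsbDevice("Unknown composite",
              (Interface(CLASS_HID, HID_PROTO_KEYBOARD),
               Interface(CLASS_CDC_CONTROL, 0), Interface(CLASS_CDC_DATA, 0))),
]

if __name__ == "__main__":
    for name in suspicious_composites(SAMPLE_INVENTORY):
        print(f"review: {name} exposes keyboard HID plus serial interfaces")
```

On a real host the inventory would come from the OS's device enumeration (for example `Get-PnpDevice` on Windows) rather than the constructed list.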
Payload Execution Sequence:
1. Operator sends a command through ANGRYFERRET
2. ANGRYFERRET sends out the command through LoRa
3. WHISPERIMPLANT catches the command through a special descriptor
4. WHISPERIMPLANT sends the command to SILENTFANG through COM
5. SILENTFANG executes the data provided, sends back result in the same COM channel
6. WHISPERIMPLANT catches the result, sends it back to ANGRYFERRET
7. ANGRYFERRET receives back the result
Limitations
SILENTWHISPER is not a one-off, finished project; it serves as a stepping stone for future research in adversary simulations, covert access and stealthy bi-directional communications using unconventional means such as Sub-GHz radio frequencies. With this in mind, there are still limitations that need improving in future variations. These issues were first noticed during testing and implementation, and can be addressed in future designs. Most notable is range: at the moment the implant only operates effectively at roughly 20 meters using moderate power and other customized settings for covert C2 operations.
Another obvious trade-off is the requirement for physical access, and the implant's activity can be detected if an EDR is specifically tuned to SILENTWHISPER's behavior within the airgapped environment.
The mouse shell integrated into the implant is, at the time of implementation, non-operational, meaning it only serves as a physical cover to aid in social engineering and physical bypass within secure environments.
Lastly, there is also the possibility of signal degradation or total signal loss in environments with high levels of EMI or heavily shielded buildings.
Future Work
- Implementing a "Team Server" where other operators can collaborate between nodes and control compromised machines
- Encrypted communications during transport, such as AES/HMAC - At the moment it's transporting data unencrypted in both base64 and non-base64 formats
- Improved LOLBAS chaining, sandbox detection, PPID spoofing, and more evasive behaviors while keeping the payload size minimal
- Co-existence with a functional mouse, where operators can trigger payload drops while the mouse controls remain functional
- Testing in stricter environments, such as enterprise grade EDR suites
- Full-duplex communications to allow both inbound and outbound streams of data
Conclusion
SILENTWHISPER is a reminder that in environments where no signals are expected, even whispers can be deafening. It demonstrates that covert command and control without TCP/IP is not just possible; it is dangerously plausible with off-the-shelf hardware.
Full research paper: https://github.com/pwnpwnpur1n/SILENTWHISPER