Field-ready offensive toolkit for Android (Termux) and Linux — multi-stage payload delivery, covert exfil, and post-exploitation.
bad_BANANA is a field offensive toolkit built for Termux on Android and Debian-based Linux. It runs a multi-stage dropper chain, manages covert exfiltration over DNS/HTTPS/WebSocket, extracts Chromium session data, and deploys persistence — all from a mobile device with no root required.
Built as part of the badBANANA research collective. Designed for authorized red team operations and controlled lab environments only.
```text
bad_BANANA/
├── stage_1_dropper.py            multi-stage dropper chain entry
├── stage_2_loader.py             in-memory payload staging
├── stage_3_implant.py            implant deployment
├── launcher.py                   EDR-aware field launcher
├── edr_aware_launcher.py         sandbox/EDR detection before exec
├── encrypted_loader.py           AES-encrypted payload loader
├── dynamic_dns_exfil.py          dynamic DNS exfiltration
├── apk_injection_stub.py         Android APK injection stub
│
├── exfil/                        exfiltration suite
│   ├── exfil_dns.py              DNS channel
│   ├── exfil_https.py            HTTPS channel
│   ├── exfil_ws.py               WebSocket channel
│   ├── exfil_ngrok.py            ngrok tunnel exfil
│   ├── exfil_autopilot.py        automated exfil orchestrator
│   ├── self_destruct_loader.py   post-exfil cleanup
│   ├── stage_1/2/3_*.py          staged dropper chain
│   └── token_guard.py            token validation + protection
│
├── chrome_ops/                   Chromium session ops
│   ├── cookie_extractor.py       session cookie extraction
│   ├── cookie_injector.py        session cookie injection
│   └── chromium_profile.py       profile enumeration
│
├── modules/
│   ├── chromium_cookie_grabber/  cookie grab module
│   ├── jwt_looter.py             JWT token extraction
│   ├── recon_ops.py              host recon
│   └── exfil_banana.py           modular exfil interface
│
├── badBANANA/
│   ├── c2_server.py              C2 server
│   ├── bad_BANANA_addons/
│   │   ├── discord_exfil.py      Discord-based exfil channel
│   │   ├── telegram_exfil_c2.py  Telegram C2 integration
│   │   └── ghost_clip.py         clipboard monitoring
│   ├── memory_only_polymorphic_loader.py
│   ├── opsec_linter.py           pre-op OPSEC checker
│   ├── coldtrace_killer.py       forensic trace suppression
│   └── termux_launcher.py        Termux entry point
│
└── web/                          web-based operator interface
    ├── launcher/termux_launcher.py
    ├── docs/MANUAL.md
    └── docs/LEGAL_NOTICE.md
```
Linux (Debian-based):

```sh
git clone https://github.com/GnomeMan4201/bad_BANANA.git
cd bad_BANANA
pip install -r requirements.txt
./quickstart.sh
```

Termux (Android):

```sh
pkg install python git
git clone https://github.com/GnomeMan4201/bad_BANANA.git
cd bad_BANANA/badBANANA
python termux_launcher.py
```

- Multi-stage dropper/loader/implant chain
- Covert exfil: DNS, HTTPS, WebSocket, ngrok tunnel, Discord, Telegram
- Chromium cookie extraction and injection
- JWT and session token looting
- EDR/sandbox detection before execution
- AES-encrypted in-memory payload loading
- Dynamic DNS exfiltration
- Android APK injection stub
- Forensic noise generation and trace suppression
- OPSEC pre-flight linter
- No-root Android operation via Termux
For authorized security research and controlled lab environments only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. You are solely responsible for compliance with all applicable laws.
bad_BANANA // badBANANA research // GnomeMan4201
