
Centipede: Best Red Team Tooling for Security Researchers in 2026


Centipede is a Go-based Linux worm that chains local privilege escalation, multi-vector propagation, and four-tier encrypted C2 into a self-sustaining botnet-style implant.

Pricing

Open-Source

Tech Stack

Go, Linux kernel exploit chains, WebSocket/DNS/Discord/ICMP C2, AES-GCM

Target

security researchers and red teamers with explicit authorization

Category

Red Team Tooling

What Is Centipede?

Centipede is a Go-based Linux worm published by ekomsSavior. It self-replicates over SSH, SMB, HTTP, Wi-Fi, and USB, escalates privileges through CVE-driven local exploit paths, and the repository documents a 13-payload post-exploitation suite plus four encrypted C2 fallback layers. That combination makes it a reference sample for security researchers and red teamers with explicit authorization rather than an everyday operator framework.

Quick Overview

Attribute        Details
Type             Red Team Tooling
Best For         Security researchers and red teamers with explicit authorization
Language/Stack   Go, Linux kernel exploit chains, WebSocket/DNS/Discord/ICMP C2, AES-GCM
License          N/A
GitHub Stars     N/A as of Feb 2026
Pricing          Open-Source
Last Release     N/A

Who Should Use Centipede?

  • Malware analysts building a controlled sandbox to study worm propagation, encrypted command channels, and kernel-exploit chaining.
  • Red team operators who need to understand how a Linux-only self-replicating implant would behave across mixed-host networks under strict authorization.
  • Detection engineers writing rules for lateral movement, DNS tunneling, Discord-based C2, suspicious systemd persistence, and log wiping patterns.
  • Incident responders who need a reference sample for triage of unknown Linux persistence, privilege escalation, and post-exploitation payload clusters.

Not ideal for:

  • Production Linux hosts where any self-replication or destructive payload would be unacceptable.
  • Teams that want a conventional C2 framework without worm behavior, exploit chaining, or ransomware code paths.
  • Environments without isolation where kernel exploits, credential harvesting, or network spreading could create real damage.

Key Features of Centipede

  • Four-layer C2 stack — Centipede tries WebSocket first, then DNS TXT tunneling, then a Discord bot relay, then ICMP tunneling. Every layer wraps commands in AES-GCM, so an inline proxy or IDS that can see the HTTP, DNS, or ICMP envelope still cannot read or alter the commands inside it; all it can do is block the channel, which is exactly the case the fallbacks exist for.
  • Self-replication engine — The replicator targets SSH, Wi-Fi, USB, HTTP PUT, FTP anonymous write, and SMB shares. That gives Centipede multiple entry and spread paths, which is why it behaves more like a worm than a conventional implant.
  • Kernel exploit chaining — The exploiter auto-detects architecture and kernel range before trying multiple local privilege escalation paths such as DirtyFrag, Fragnesia, Copy-Fail, Dirty Pipe, PwnKit, GameOverlay, and OverlayFS. The repo claims support for both x86_64 and AARCH64, which matters for cloud nodes, ARM servers, and embedded Linux systems.
  • Payload suite with 13 actions — Centipede includes shells, persistence, credential harvesters, pivoting, keylogging, sniffing, enumeration, exfiltration, log wiping, self-destruct, and ransomware. That breadth makes the sample interesting for reverse engineering because it bundles operator workflow, not just initial access.
  • Environmental sensing — The sensor module fingerprints kernel, users, network state, container presence, cloud metadata, and sandbox conditions before escalating or spreading. That means Centipede is designed to change behavior based on host context instead of using a single static execution path.
  • C2 dashboard and queueing — The c2d daemon includes a real-time dashboard, bot grouping, command queues, and execution tracking. If you are analyzing server-side behavior, the control plane matters as much as the implant because it shows how state is synchronized across infected nodes.
  • Cross-subnet propagation logic — The scanner does ARP sweeps and TCP connect scans, then the replicator tries delivery over open services. This turns one foothold into a network discovery and distribution loop rather than a one-shot backdoor.
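Of the four transports listed above, the DNS TXT fallback is the one most defenders can catch from resolver logs alone. The Go program below is an added example written for this page, not code from the Centipede repository: it groups TXT queries by client and registered domain and flags pairs that send many distinct, long, high-entropy subdomains, which is the shape a tunnel takes when data rides out in query names and back in TXT answers. The log format, the thresholds, the two-label notion of "registered domain", and the sample lines are all constructed assumptions; the eight tunnel lines use base32 SHA-256 digests as stand-ins for encrypted command chunks.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"math"
	"strings"
)

// Illustrative thresholds (assumptions of this example; tune on your own baseline).
const (
	maxSubdomainLen   = 40  // subdomain bytes in front of the registered domain
	minLabelEntropy   = 3.5 // bits per character; real hostnames sit well below this
	minUniqueSubnames = 5   // distinct subdomains per (client, domain) pair
)

// Finding is one (client, domain) pair whose TXT traffic looks like a tunnel.
type Finding struct {
	Client, Domain string
	Queries        int
	Reason         string
}

// parseLine reads a constructed "client qname qtype" line; real resolver logs
// (BIND, Unbound, Zeek dns.log) need their own parser in this slot.
func parseLine(line string) (client, name, qtype string, ok bool) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return "", "", "", false
	}
	return f[0], strings.TrimSuffix(strings.ToLower(f[1]), "."), strings.ToUpper(f[2]), true
}

// shannonEntropy in bits per character over ASCII labels; encoded C2 chunks
// score far above human-chosen hostnames.
func shannonEntropy(s string) float64 {
	counts := make(map[rune]int)
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len(s)), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// registeredDomain keeps the last two labels. No public-suffix handling, so
// co.uk-style domains would need a suffix list (an assumption of this example).
func registeredDomain(name string) string {
	l := strings.Split(name, ".")
	if len(l) < 2 {
		return name
	}
	return strings.Join(l[len(l)-2:], ".")
}

// DetectTXTTunnels aggregates TXT queries per (client, registered domain) and
// flags pairs with many distinct, long, high-entropy subdomains.
func DetectTXTTunnels(lines []string) []Finding {
	type key struct{ client, domain string }
	type stats struct {
		unique          map[string]struct{}
		longHigh, total int
	}
	agg := make(map[key]*stats)
	var order []key // first-seen order keeps the output deterministic
	for _, line := range lines {
		client, name, qtype, ok := parseLine(line)
		if !ok || qtype != "TXT" {
			continue
		}
		domain := registeredDomain(name)
		sub := strings.TrimSuffix(name, "."+domain)
		if sub == name { // apex query, no subdomain
			sub = ""
		}
		k := key{client, domain}
		s := agg[k]
		if s == nil {
			s = &stats{unique: make(map[string]struct{})}
			agg[k] = s
			order = append(order, k)
		}
		s.total++
		s.unique[sub] = struct{}{}
		if len(sub) > maxSubdomainLen && shannonEntropy(strings.ReplaceAll(sub, ".", "")) > minLabelEntropy {
			s.longHigh++
		}
	}
	var out []Finding
	for _, k := range order {
		s := agg[k]
		if len(s.unique) >= minUniqueSubnames && s.longHigh >= minUniqueSubnames {
			out = append(out, Finding{k.client, k.domain, s.total,
				fmt.Sprintf("%d distinct long, high-entropy TXT subdomains", s.longHigh)})
		}
	}
	return out
}

// SampleLog is constructed input: benign SPF, DMARC and A lookups plus eight
// tunnel-style TXT queries whose labels are base32 SHA-256 digests standing in
// for encrypted command chunks. None of this is real traffic.
func SampleLog() []string {
	lines := []string{
		"10.0.0.5 example.org TXT",
		"10.0.0.5 _dmarc.example.org TXT",
		"10.0.0.23 www.example.org A",
		"10.0.0.9 api.github.com A",
	}
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	for i := 0; i < 8; i++ {
		sum := sha256.Sum256([]byte(fmt.Sprintf("chunk-%d", i)))
		label := strings.ToLower(enc.EncodeToString(sum[:])) // 52 base32 chars
		lines = append(lines, fmt.Sprintf("10.0.0.23 %s.relay-example.test TXT", label))
	}
	return lines
}

func main() {
	for _, f := range DetectTXTTunnels(SampleLog()) {
		fmt.Printf("%s -> %s: %d queries, %s\n", f.Client, f.Domain, f.Queries, f.Reason)
	}
}
```

The benign SPF and DMARC lookups never trip the rule because they hit at most two subdomains of one domain, while the eight tunnel queries do. A production version would also window the counts in time and allow-list domains that are legitimately TXT-heavy (SPF, DKIM, ACME challenges), which this example leaves out.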

Centipede vs Alternatives

Tool           | Best For                                              | Key Differentiator                                                 | Pricing
Centipede      | Linux worm analysis and offensive security research   | Self-replication plus exploit chaining and four-layer encrypted C2 | Open-Source
Metasploit     | Exploit validation and controlled post-exploitation   | Modular exploit framework without worm-style propagation           | Open-Source
Sliver         | Operator-driven C2 and implant management             | Cross-platform team server with less autonomous spread behavior    | Open-Source
Cobalt Strike  | Mature red-team operations in enterprise environments | Commercial team server with extensive operator workflows           | Paid

Pick Metasploit when you want reproducible exploit testing and do not want autonomous spread behavior. Pick Sliver when you need a cleaner C2 workflow for implants and tasking without a worm payload. Pick Cobalt Strike when a commercial team server and established red-team workflows matter more than source availability. For telemetry around suspicious east-west traffic, pair analysis with OpenTrace; for testing endpoint resilience instead of studying worm logic, AV Chaos Monkey is the closer fit; or browse the rest of the offensive security tools catalog.

How Centipede Works

Centipede is organized as a staged pipeline rather than a monolithic script, with cmd/centipede for the implant, cmd/c2d for the server, and internal packages for scanning, exploitation, replication, C2, payloads, sensing, and crypto. That layout makes the control flow easy to reason about: the scanner finds reachable hosts, the exploiter tries local privilege escalation, the replicator delivers the binary, and the C2 client exchanges commands through encrypted fallbacks.

The design choice that stands out is transport redundancy. A WebSocket channel is the primary path, but Centipede can fall back to DNS TXT records, Discord bot messages, or ICMP payloads when normal egress is blocked, which is the kind of behavior defenders usually only see in higher-end malware families. The repo also separates host profiling from action execution, so the implant can decide whether to spread, persist, exfiltrate, or self-destruct based on environment signals.
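What "wrapped with AES-GCM" means in practice, as an added example that is not Centipede's code and makes no claim to match its wire format: one frame is a random 12-byte nonce, the ciphertext, and the 16-byte GCM tag, with the transport name bound as associated data so a frame captured on one channel cannot be replayed into another. The fixed demo key, the frame layout, the transport labels, and the JSON command are assumptions of the example. Demo checks the four properties that matter once you capture such traffic: the right key and channel decrypt it, a single flipped bit is rejected, the same bytes fed to a different channel are rejected, and a wrong key is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Frame layout assumed here (not Centipede's documented format):
//   nonce (12 bytes, random) || ciphertext || GCM tag (16 bytes)
// The transport name is the associated data, so the tag only verifies on the
// channel the frame was sealed for.

var errShortFrame = errors.New("frame shorter than nonce plus tag")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one command for the named transport with a fresh nonce.
func Seal(key []byte, transport string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(transport)), nil
}

// Open verifies and decrypts a frame. A flipped bit, a wrong transport or a
// wrong key all fail before a single plaintext byte is returned.
func Open(key []byte, transport string, frame []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(frame) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errShortFrame
	}
	nonce, ct := frame[:gcm.NonceSize()], frame[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(transport))
}

// Demo exercises the properties an analyst relies on. The key is a fixed demo
// value and the command is a constructed JSON blob; neither comes from any real implant.
func Demo() (roundTrip, tamperRejected, channelRejected, wrongKeyRejected bool) {
	key := bytes.Repeat([]byte{0x42}, 32)
	cmd := []byte(`{"id":7,"action":"enum"}`)
	frame, err := Seal(key, "websocket", cmd)
	if err != nil {
		return
	}
	pt, err := Open(key, "websocket", frame)
	roundTrip = err == nil && bytes.Equal(pt, cmd)

	bad := append([]byte(nil), frame...)
	bad[len(bad)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, "websocket", bad)
	tamperRejected = err != nil

	_, err = Open(key, "dns-txt", frame) // same bytes, different channel
	channelRejected = err != nil

	_, err = Open(bytes.Repeat([]byte{0x24}, 32), "websocket", frame)
	wrongKeyRejected = err != nil
	return
}

func main() {
	rt, tam, ch, wk := Demo()
	fmt.Printf("round trip %v, tamper rejected %v, cross-channel rejected %v, wrong key rejected %v\n",
		rt, tam, ch, wk)
}
```

Two practical consequences follow. A captured channel cannot be decoded or modified inline; the analyst needs the key, which either lives in the binary or is derived at runtime, so key recovery is the first reverse-engineering goal for any of the four transports. And every frame carries 28 bytes of nonce and tag, which is a real cost on the DNS TXT and ICMP fallbacks where each message holds little payload; the temptation to shrink that by reusing a nonce is what breaks GCM, because repeating a nonce under the same key exposes both plaintext and the tag key.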

git clone https://github.com/ekomsSavior/Centipede
cd Centipede
rg -n 'WebSocket|DNS|Discord|ICMP|AES-GCM|CVE-' .

The command above does not execute the implant; it inventories the code paths and threat surface in place. Expect matches in the C2, exploiter, and README sections because the repository documents transport layers, CVE references, and payload behavior directly in source and docs.

Pros and Cons of Centipede

Pros:

  • Multiple C2 fallbacks make transport analysis richer because WebSocket, DNS, Discord, and ICMP all expose different detection surfaces.
  • Architecture-aware exploit chaining reduces the chance that a single failed kernel path stops the entire workflow.
  • Clear module separation in scanner, exploiter, replicator, c2, and payloads makes static analysis and code review faster.
  • Large payload surface lets defenders study persistence, exfiltration, wiping, and ransomware logic in one repository.
  • Linux-first design matches the infrastructure many incident responders actually see in cloud, container, and server fleets.

Cons:

  • Highly destructive by design because the repo includes self-replication, ransomware, credential harvesting, and log wiping.
  • Linux-only scope limits usefulness if your research target is Windows, macOS, or mobile malware behavior.
  • Operational noise is high because lateral spread, scanning, and multi-channel C2 are easier to detect than a quiet single-host implant.
  • Exploit dependence is brittle when kernel versions, patches, or hardened configurations break the chains.
  • Safe evaluation requires isolation because running the sample on a real network could create collateral impact fast.

Getting Started with Centipede

git clone https://github.com/ekomsSavior/Centipede
cd Centipede
make build

This build step compiles the Go binaries into bin/ for isolated inspection. After that, keep the repository in a segregated VM and review internal/ and web/ rather than connecting any C2 component to a live network. If you need a baseline for detection work, capture file hashes, imported libraries, and network indicators before any execution attempt.
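The pre-execution baseline the paragraph asks for, as an added Go example rather than anything shipped with Centipede: hash the file, read its DT_NEEDED libraries and imported dynamic symbols through debug/elf, and sweep the bytes for URLs, hostnames and IPv4 addresses. SampleBlob is a constructed stand-in for a binary with a few indicator-like strings so the program runs offline; the regular expressions and the short host suffix list are assumptions to widen for your own environment. Point it at a file under bin/ after make build to get the real inventory.

```go
package main

import (
	"crypto/sha256"
	"debug/elf"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"os"
	"regexp"
	"sort"
)

// Indicators is the static baseline: file hash plus network-looking strings.
type Indicators struct {
	SHA256 string
	URLs   []string
	IPv4s  []string
	Hosts  []string
}

// Patterns are assumptions of this example; the suffix list is deliberately
// short and should be widened for your own environment.
var (
	reURL  = regexp.MustCompile(`(?i)\b(?:https?|wss?)://[a-z0-9.\-]+(?::\d+)?(?:/[\w./\-%?=&]*)?`)
	reIPv4 = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	reHost = regexp.MustCompile(`(?i)\b[a-z0-9\-]+(?:\.[a-z0-9\-]+)*\.(?:com|net|org|io|gg|test)\b`)
)

func uniqueSorted(in []string) []string {
	set := make(map[string]struct{}, len(in))
	for _, s := range in {
		set[s] = struct{}{}
	}
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// ExtractIndicators sweeps raw bytes; it never executes anything and works on
// a quarantined copy as well as on a freshly built binary.
func ExtractIndicators(data []byte) Indicators {
	text := string(data)
	sum := sha256.Sum256(data)
	ind := Indicators{SHA256: hex.EncodeToString(sum[:])}
	ind.URLs = uniqueSorted(reURL.FindAllString(text, -1))
	ind.Hosts = uniqueSorted(reHost.FindAllString(text, -1))
	for _, ip := range reIPv4.FindAllString(text, -1) {
		if net.ParseIP(ip) != nil { // drops 300.1.2.3-style non-addresses
			ind.IPv4s = append(ind.IPv4s, ip)
		}
	}
	ind.IPv4s = uniqueSorted(ind.IPv4s)
	return ind
}

// ELFImports lists DT_NEEDED libraries and imported dynamic symbols. A static
// CGO-free Go binary reports none, which is itself a triage signal: the
// implant carries its own TLS, DNS and HTTP stacks instead of calling libc.
func ELFImports(path string) (libs, syms []string, err error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, nil, err
	}
	defer f.Close()
	if libs, err = f.ImportedLibraries(); err != nil {
		return nil, nil, err
	}
	imported, err := f.ImportedSymbols()
	if err != nil && !errors.Is(err, elf.ErrNoSymbols) {
		return libs, nil, err
	}
	for _, s := range imported {
		syms = append(syms, s.Name)
	}
	return uniqueSorted(libs), uniqueSorted(syms), nil
}

// SampleBlob is a constructed stand-in for a binary: ELF magic, a little
// noise and a few indicator-like strings. It is not Centipede.
func SampleBlob() []byte {
	return []byte("\x7fELF\x02\x01\x01\x00\x00\x00" +
		"wss://c2.relay-example.test:8443/ws\x00" +
		"https://discord.com/api/v10\x00" +
		"txt.relay-example.test\x00" +
		"203.0.113.10\x00192.0.2.77\x00300.1.2.3\x00go1.22.0\x00")
}

func main() {
	if len(os.Args) < 2 { // no path given: sweep the constructed blob instead
		fmt.Printf("%+v\n", ExtractIndicators(SampleBlob()))
		return
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", ExtractIndicators(data))
	if libs, syms, err := ELFImports(os.Args[1]); err == nil { // non-ELF input keeps only the string sweep
		fmt.Println("DT_NEEDED:", libs, "imported symbols:", syms)
	}
}
```

Record the output alongside the git commit you built from; when the repository changes, a diff of hashes, imports and indicator strings tells you whether the transports or targets moved without running anything.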

Verdict

Centipede is a strong choice for malware analysis and red-team research when you need to study Linux worm behavior, exploit chaining, and multi-layer C2 in one codebase. Its biggest strength is breadth of attack surface; its biggest caveat is obvious destructiveness and propagation risk. Use it only in isolated, authorized environments, and prefer safer frameworks for ordinary C2 testing.
