
Meshtastic Command & Control

Recorded talk on the DEFCONConference channel (39:11)

This talk demonstrates the development of a custom command and control (C2) framework leveraging the Meshtastic LoRa-based mesh network for remote system management. The technique utilizes low-power, off-grid radio communication to issue shell commands and receive system status updates in environments where traditional network access is unavailable. The presenter highlights the use of AES-256 encryption for secure communication and discusses the implementation of message queuing and retries to ensure reliable delivery over the low-bandwidth LoRa protocol. The talk also covers the practical application of this C2 framework for remote debugging and system monitoring in field environments.

Building a C2 Infrastructure Over LoRa Mesh Networks

TLDR: This research demonstrates how to build a resilient, off-grid command and control (C2) framework using Meshtastic and LoRa radio hardware. By leveraging low-power mesh networking, operators can maintain persistent, encrypted communication with compromised systems in environments where traditional network access is blocked or monitored. This technique provides a stealthy alternative to standard TCP/IP-based C2 channels, making it a critical consideration for both red team operations and defensive network monitoring.

Standard C2 channels rely on the assumption that the target has a stable, observable path to the internet. When you are operating in a hardened environment, or when you need to maintain persistence without triggering egress traffic alerts, those assumptions fall apart. The research presented at DEF CON 2025 on Meshtastic Command & Control shifts the paradigm by moving C2 traffic off the primary network entirely and onto the 900 MHz ISM band.

The Mechanics of LoRa-Based C2

LoRa, or Long Range radio, is designed for low-power, low-bandwidth telemetry. It uses chirp spread spectrum modulation, which allows signals to be recovered even when the noise floor is high. By wrapping this protocol in the Meshtastic firmware, you get a self-healing, decentralized mesh network that requires zero configuration from the target environment.

The framework, dubbed MeshC2, functions as a systemd service on a Linux host. It communicates with a local LoRa radio via a Unix socket. When you issue a command, the C2 server breaks the payload into chunks, sequences them, and broadcasts them across the mesh. Because the network is a mesh, the command doesn't need to be in direct line-of-sight of the target. It hops through other nodes until it reaches the destination.

The technical implementation is straightforward. You flash the Meshtastic firmware onto an ESP32-based board, such as the RAK WisBlock, which is ideal for this because it supports solar charging and has a rugged form factor. Once the hardware is in place, you interact with the target using simple CLI commands:

# List available nodes on the mesh
meshc2 -list-devices

# Create an encrypted channel for C2 traffic
meshc2 -real-device -create-channel "MeshC2"

Why This Matters for Red Teams

During a physical penetration test or a red team engagement, you often encounter air-gapped systems or networks with strict egress filtering. Traditional C2 tools like Cobalt Strike or Sliver are easily detected by EDR or network traffic analysis because they generate recognizable patterns in HTTP/S or DNS traffic.

MeshC2 bypasses this entirely. The traffic is not traversing the corporate firewall. It is not hitting a C2 domain that can be sinkholed. It is radio frequency energy propagating through the air. For a pentester, this means you can drop a small, battery-powered node behind a printer or in a drop ceiling, and maintain a shell for weeks without ever touching the local network.

The encryption is handled end-to-end using AES-256. Even if an adversary captures the radio traffic, they cannot decrypt the commands or the system status updates without the specific key shared between your controller and the target node. This provides a level of operational security that is difficult to achieve with standard network-based C2. Note that the encryption protects the content of the messages, not their existence: the transmissions themselves remain observable on the air, which is the property the defensive guidance later in this piece depends on.

Operational Limitations

This technique is not a silver bullet. The primary constraint is bandwidth. You are not going to be exfiltrating large databases or streaming video over a LoRa mesh. The protocol is optimized for small payloads, such as shell commands, system status heartbeats, or small configuration files. If you try to push a large binary, the message queuing and retry logic will throttle the transmission, making the operation painfully slow.
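The chunking, sequencing and retry behaviour described above, and the throttling effect it has on large payloads, can be seen in a small in-memory simulation. The following is an added example written for this page; it is not MeshC2 or Meshtastic code, it touches no radio, shell or network, and the frame size, per-frame airtime and loss rate are assumed values chosen to illustrate the effect rather than measured LoRa figures.

```python
"""Chunk, sequence and reassemble a payload over a simulated lossy, slow link.

Added example, not MeshC2's or Meshtastic's code. Everything here runs in
memory. CHUNK_SIZE, AIRTIME_PER_FRAME_S and LOSS_PROBABILITY are assumptions
used to illustrate why large payloads crawl, not real LoRa parameters.
"""
import random
from dataclasses import dataclass

CHUNK_SIZE = 200              # payload bytes per frame (assumption)
AIRTIME_PER_FRAME_S = 1.5     # seconds on air per frame (assumption)
LOSS_PROBABILITY = 0.2        # chance a frame is lost on the simulated link
MAX_RETRIES = 5               # retries before the queue gives up on a frame


@dataclass(frozen=True)
class Frame:
    seq: int      # position of this chunk within the message
    total: int    # number of chunks in the message
    data: bytes


def chunk(payload: bytes, size: int = CHUNK_SIZE) -> list:
    """Split a payload into fixed-size, sequence-numbered frames."""
    if size <= 0:
        raise ValueError("chunk size must be positive")
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)] or [b""]
    return [Frame(i, len(pieces), p) for i, p in enumerate(pieces)]


def reassemble(frames) -> bytes:
    """Rebuild the payload from frames arriving in any order; fail loudly on gaps."""
    frames = list(frames)
    if not frames:
        raise ValueError("no frames")
    total = frames[0].total
    by_seq = {f.seq: f.data for f in frames if f.total == total}
    missing = [i for i in range(total) if i not in by_seq]
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    return b"".join(by_seq[i] for i in range(total))


def send_with_retries(frames, rng, loss=LOSS_PROBABILITY, max_retries=MAX_RETRIES):
    """Stop-and-wait queue: each frame is resent until it gets through.

    Returns (delivered_frames, total_airtime_seconds, transmissions)."""
    delivered, attempts = [], 0
    for frame in frames:                  # the queue drains strictly in sequence order
        for _ in range(max_retries + 1):
            attempts += 1
            if rng.random() >= loss:      # frame survived the simulated link
                delivered.append(frame)
                break
        else:
            raise RuntimeError(f"chunk {frame.seq} exceeded {max_retries} retries")
    return delivered, attempts * AIRTIME_PER_FRAME_S, attempts


def estimate_transfer_seconds(n_bytes: int, loss: float = LOSS_PROBABILITY) -> float:
    """Expected airtime with geometric retries: frames * airtime / (1 - loss)."""
    frames = max(1, -(-n_bytes // CHUNK_SIZE))   # ceiling division
    return frames * AIRTIME_PER_FRAME_S / (1.0 - loss)


if __name__ == "__main__":
    rng = random.Random(7)                # fixed seed so the run is reproducible
    cmd = b"uptime"                       # a short command fits in one frame
    frames = chunk(cmd)
    got, secs, n = send_with_retries(frames, rng)
    assert reassemble(got) == cmd
    print(f"short command: {len(frames)} frame(s), {n} transmission(s), {secs:.1f}s airtime")
    for size in (1_000, 100_000, 5_000_000):
        print(f"{size:>9} bytes -> ~{estimate_transfer_seconds(size) / 3600:.2f} h expected")
```

The point of `estimate_transfer_seconds` is the shape of the curve, not its absolute values: airtime grows linearly with payload size and is divided by the link's success rate, so under the assumed parameters a few hundred bytes clears in seconds while a multi-megabyte binary takes hours.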

Furthermore, you need physical access to place the node. This is a tool for the "boots on the ground" phase of an engagement. You must also consider the physical environment. While LoRa is excellent at penetrating obstacles, a massive concrete and steel structure will still attenuate the signal. You need to plan your node placement carefully, ensuring that your mesh has enough hops to reach your extraction point.

Defensive Considerations

Defenders need to recognize that the threat is no longer limited to the network stack. If you are responsible for securing a facility, you should be aware of the potential for unauthorized radio devices. While standard Wi-Fi and cellular jammers are common, they do not necessarily account for low-power, frequency-hopping mesh networks operating in the ISM bands.

Monitoring for anomalous RF activity is the primary way to detect this on the air. If you have a high-security environment, consider using spectrum analyzers to baseline the RF environment. Any persistent, low-power signal that appears in the 900 MHz band should be investigated. Additionally, ensure that your physical security policies include regular sweeps for unauthorized hardware, especially in areas where sensitive equipment is housed.
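The baseline-then-flag-persistent-signals approach described above can be expressed as a small detection routine. What follows is an added example written for this page, not code from the talk or from any spectrum-analyzer product. The sweep readings are constructed inline (per-bin dBm values); in practice they would come from an SDR or analyzer export. The 902-928 MHz range is the US ISM band, while the bin width, the sigma threshold and the number of consecutive sweeps required are assumptions.

```python
"""Baseline-and-persistence check for unexpected 900 MHz band activity.

Added example, not from the talk or from any product. Sweep data below is
constructed; the 902-928 MHz band edges are the US ISM allocation, and the
threshold and persistence settings are assumptions to tune per site.
"""
from statistics import mean, pstdev

BAND_LOW_MHZ, BAND_HIGH_MHZ = 902.0, 928.0
SIGMA_THRESHOLD = 4.0        # how far above baseline a bin must sit (assumption)
MIN_CONSECUTIVE_SWEEPS = 3   # a single blip is not an alert (assumption)


def build_baseline(quiet_sweeps):
    """Per-bin (mean, stddev) from sweeps taken when the site is known clean."""
    baseline = {}
    for f in quiet_sweeps[0]:
        samples = [s[f] for s in quiet_sweeps]
        baseline[f] = (mean(samples), pstdev(samples))
    return baseline


def anomalous_bins(sweep, baseline, sigma=SIGMA_THRESHOLD):
    """Bins inside the band whose power exceeds mean + sigma * stddev."""
    flagged = set()
    for f, (mu, sd) in baseline.items():
        if not (BAND_LOW_MHZ <= f <= BAND_HIGH_MHZ):
            continue                      # out-of-band energy is someone else's problem
        spread = sd if sd > 0 else 1.0    # guard against a perfectly flat baseline
        if sweep.get(f, mu) > mu + sigma * spread:
            flagged.add(f)
    return flagged


def persistent_anomalies(sweeps, baseline, min_consecutive=MIN_CONSECUTIVE_SWEEPS):
    """Map freq -> longest run of consecutive anomalous sweeps, for runs long enough to alert."""
    runs, best = {}, {}
    for sweep in sweeps:
        flagged = anomalous_bins(sweep, baseline)
        for f in list(runs):
            if f not in flagged:
                runs.pop(f)               # the run is broken; start counting again later
        for f in flagged:
            runs[f] = runs.get(f, 0) + 1
            best[f] = max(best.get(f, 0), runs[f])
    return {f: n for f, n in best.items() if n >= min_consecutive}


# Constructed sample data: dBm per 1 MHz bin from 900 to 930 MHz.
FREQS = [900.0 + i for i in range(31)]


def _sweep(overrides=None, noise=-110.0):
    s = {f: noise for f in FREQS}
    s.update(overrides or {})
    return s


QUIET_SWEEPS = [_sweep(noise=n) for n in (-110.0, -111.0, -109.0, -110.5, -109.5)]

# One brief burst at 915 MHz (ignored as non-persistent), a weak but persistent
# carrier at 906 MHz across four sweeps (flagged), and a strong signal at
# 929 MHz that the band filter ignores.
LIVE_SWEEPS = [
    _sweep({915.0: -80.0}),
    _sweep({906.0: -95.0, 929.0: -60.0}),
    _sweep({906.0: -96.0, 929.0: -60.0}),
    _sweep({906.0: -94.0, 929.0: -60.0}),
    _sweep({906.0: -95.0}),
]


def run_detection():
    """Baseline on the quiet sweeps, then evaluate the live sweeps."""
    return persistent_anomalies(LIVE_SWEEPS, build_baseline(QUIET_SWEEPS))


if __name__ == "__main__":
    for f, n in sorted(run_detection().items()):
        print(f"{f:.1f} MHz: elevated in {n} consecutive sweeps -> investigate")
```

Two design choices matter here. Persistence is what separates a mesh node that beacons for weeks from the transient ISM-band noise (garage openers, sensors, nearby LoRa hobbyists) that would otherwise swamp the alert queue, and the per-bin baseline means a weak carrier only a few dB above the noise floor is still caught as long as it is consistently present.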

MeshC2 is a brilliant example of how researchers are finding new ways to maintain access in restricted environments. It forces us to rethink the boundaries of our security perimeters. If you are a researcher, the code is available on GitHub. Spend some time with it, understand the limitations of the LoRa protocol, and consider how this might change your approach to persistence in your next engagement. The air is part of the network, and it is time we started treating it that way.
