Command & Control

Hiding the channel back to the operator — domain generation, DNS tunneling, domain fronting and malleable profiles.

Command & Control | advanced
A botnet replaces its central server with a peer-to-peer overlay, so nodes relay commands to each other with no single C2 address to seize.
Platforms: windows, linux

Command & Control | advanced
Malware hides commands and payloads inside the pixels or metadata of image and media files, so C2 rides in objects that look like harmless media.
Platforms: windows, linux, macos

Command & Control | intermediate
Operator-supplied profiles let a C2 framework reshape its beacon traffic to mimic legitimate web services, controlling URIs, headers, and how data is encoded and hidden in requests.
Platforms: windows, linux

Command & Control | intermediate
Malware tunnels its DNS-based C2 through DoH resolvers, wrapping resolution in HTTPS so on-network DNS inspection and sinkholing never see the queries.
Platforms: windows, linux, macos

Command & Control | advanced
Malware hides the true C2 destination behind a high-reputation CDN by putting an innocuous domain in the TLS SNI while the encrypted HTTP Host header points to the real backend.
Platforms: windows, linux, macos

Command & Control | intermediate
Malware uses a legitimate web service like GitHub, Pastebin, or a cloud API as its C2 channel, hiding tasking inside trusted, encrypted traffic.
Platforms: windows, linux, macos

Command & Control | intermediate
A C2 resilience technique that rapidly rotates the IP addresses behind a domain through a large pool of compromised proxy hosts, keeping the real backend hidden and takedown-resistant.
Platforms: windows, linux

Command & Control | intermediate
Malware reaches its C2 through a Tor onion service, hiding the operator's real address behind the Tor network's multi-hop, encrypted relay circuits.
Platforms: windows, linux, macos

Command & Control | intermediate
Malware smuggles C2 commands and data inside ICMP echo payloads, riding a non-application-layer protocol many networks pass without inspection.
Platforms: windows, linux, macos

Command & Control | intermediate
Malware reads its real C2 address from content stashed on a legitimate website or social profile, hiding the live infrastructure behind a trusted host.
Platforms: windows, linux, macos

Command & Control | intermediate
Malware randomizes callback intervals and obfuscates its sleeping memory to defeat the periodicity heuristics defenders rely on to spot beacons.
Platforms: windows, linux, macos

Command & Control | intermediate
Malware algorithmically generates large numbers of candidate C2 domains from a seed so that takedowns cannot keep pace, while only a handful are ever registered by the operator.
Platforms: windows, linux

Command & Control | intermediate
Malware encodes C2 traffic or exfiltrated data inside DNS queries and responses, abusing a protocol that egress filters and proxies almost always allow to pass.
Platforms: windows, linux, macos