UNDERSTANDING AND COUNTERING COMMAND AND CONTROL (C2) INFRASTRUCTURES: 2025 GUIDE TO NETWORK SECURITY
What is a Command and Control (C2) and why is it so difficult to detect? Discover how attackers operate and how to better protect your networks.
INTRODUCTION TO COMMAND AND CONTROL (C2) INFRASTRUCTURES
A cornerstone of modern cyberattacks, command and control has become the standard threat vector in cybercrime, valued for both its effectiveness and practicality. In 2024, Hoshi, the Cyber Threat Intelligence (CTI) team at Jizô AI, tracked 5,400 ransomware attacks across all industries, generating over 133 million dollars in gains. These attacks share one common trait: the use of a command and control infrastructure in their operations. That same year, over 80% of the cyberattack campaigns handled by our CTI team Hoshi relied on command and control.
C2s enable communication with infected machines to control them remotely, deploy malicious tools, and exfiltrate data. Their use is pervasive in sophisticated cyberattacks, whether financially motivated ransomware campaigns or APT (Advanced Persistent Threat)-orchestrated cyber-espionage operations. Command and control also plays a major role in managing botnet infrastructures.
The concept of malware traces its origins to the work of John von Neumann in the 1960s, with his theory of Self-Reproducing Automata, which proposed that computer programs could reproduce and spread autonomously. It was not until the 1980s that this idea materialized with the first botnets. Early examples include the Morris Worm and the Brain Virus, which at the time raised awareness of the dangers such malware could pose to information systems. Tens of thousands of machines worldwide were infected, causing significant damage. The Morris Worm could replicate multiple times on the same machine, monopolizing its resources and rendering it unusable. However, no remote control technique had yet been employed.
It was on this foundation that the first malware with Command and Control capabilities emerged — most notably Back Orifice in 1999. According to the hacker group behind it, the stated objective was to create a legitimate tool for maintaining and monitoring Microsoft information systems. However, given its keylogging and password recovery capabilities, the legitimacy of those claims is debatable. It was quickly repurposed as a Trojan horse. Once the tool is deployed on the target machine, a "centralized" architecture is established — the victim becomes the server and the attacker the client. Once the connection is established, remote control of the victim's machine is possible, enabling the execution of malicious programs or surveillance.
As cybercrime evolved, attackers began developing far more complex command and control infrastructures capable of evading detection systems while also exhibiting greater resilience. A prime example is the 2021 Colonial Pipeline attack by the ransomware group DarkSide. To make their C2 covert, the attackers used a combination of techniques to disguise their communications:
This allowed DarkSide to exfiltrate over 100 gigabytes of corporate data while deploying their ransomware, effectively halting fuel distribution across part of the United States.
That said, this cybercriminal group — while Russian — is not directly linked to the government, unlike APTs that are state-funded and state-supported. Since their objectives are sabotage and espionage, APTs use discreet, sophisticated C2s adapted to long-duration campaigns. The ability to detect C2s thus becomes imperative for protecting the systems of critical infrastructure operators (OIV) in sovereign nations.
A C2 implant is a program that acts as a communication agent between the infected machine and the attackers' command and control server. It is programmed and configured according to the attack's requirements, using numerous communication and defense evasion techniques. These implants can take multiple forms — an executable file, a VBA macro, a PDF, etc. — and are transmitted via various methods such as social engineering through phishing or by exploiting vulnerabilities in target systems. Once installed and executed, the implant contacts the C2 server, transmits stolen data, executes instructions, and maintains persistent access to the target.


We have already seen the most classic architecture — the centralized one used by Back Orifice, where a single server is responsible for communicating with all infected machines. This architecture is easy to set up and administer; however, it is easily detectable by defense and detection tools like Jizô AI. Since the servers in the simplest version are static, once known they are easy to block by signature, thus neutralizing the threat.
The early versions of the Zeus banking Trojan used this architecture but evolved to use a more hybrid architecture, making their operations more resilient. The GameOver Zeus version uses a Peer-to-Peer network allowing infected machines to communicate with each other to transmit updates and data. The botnet, no longer dependent on C2 servers, becomes far more resilient to takedown attempts. However, Zeus retains a centralized portion via C2 servers to collect exfiltrated information and send instructions to the botnet.

The decentralized P2P architecture resolves the problems posed by centralization in specific contexts such as botnet control, but in other cases also provides greater stealth. Stuxnet, for example, used P2P for communication between infected machines on the same air-gapped network, which reduced the detectable indicators of compromise by defensive tools.
The downside of P2P is that it makes it much harder for the attacker to administer and communicate specifically with the botnet. Dedicated protocols are implemented for communication, such as the HeartBeat Message, where infected machines periodically send a message to other bots or to the C2 to signal their existence and status.
Gameover Zeus gets its name from recurring files present in the malware's communications with its C2 containing the word "gameover." Another technique used in P2P architecture is to program a list of peers into each bot, preventing the identification of the entire botnet — which is exactly what the Storm Worm did.
The choice of architecture therefore depends primarily on the C2's objectives and specifics. A ransomware attack is more likely to use a centralized architecture than a botnet.
One of the most modern evolutions is the use of legitimate services and cloud platforms to mask communications (T1102). Platforms such as Discord, Telegram, and GitHub have been used by malicious actors to communicate with their victim machines, giving their traffic the appearance of normal traffic and avoiding detection by security tools. The North Korean APT Lazarus uses this technique for its C2 communications, notably via Telegram — allowing them to encrypt communications using the application's own algorithms while making malicious traffic appear as legitimate traffic, complicating detection by defense tools. This is a real advantage for the attacker: it also simplifies infrastructure maintenance and deployment, and makes it trivial to increase the number of C2 servers.
The Black Basta group and its namesake ransomware use legitimate cloud services such as AWS and Azure to mask their command and control infrastructures, making signature-based detection of domains and IPs difficult for defensive tools like IDS.
A complementary method attackers use to add complexity is Bulletproof Hosting — using hosting platforms generally located in countries where regulation is lax and which do not cooperate with law enforcement. These platforms maintain anonymity by frequently changing IP and domain, and above all they ignore judicial requests. A recent example is the Russian bulletproof host Zserver.ru, sanctioned by the US through asset freezes and prohibitions on American institutions doing business with it. In practice, however, Zserver can continue its activity in complete tranquility, as Russia does not cooperate with American authorities.
As cybersecurity awareness has grown and security tools have evolved, attackers have developed increasingly sophisticated techniques and tactics. The MITRE ATT&CK Matrix lists and classifies all known techniques and tactics used by attackers — it presents 18 different techniques for command and control alone, demonstrating the diversity and complexity of attacker methods.

T1071.001 – Application Layer Protocol: Web Protocols
Attackers can exploit web protocols to communicate with their victims: the victim machine sends HTTP requests containing a specific signature that the C2 server recognizes. Conversely, the C2 server responds with a specific signature that the victim knows how to interpret. Emotet, for example, uses this technique — once a machine is infected, it sends an HTTP POST request containing a specific character string to the server, which returns an exploit binary. Using HTTP allows C2 communications to blend into the mass of target network packets, since HTTP traffic is ubiquitous.
T1572 – Protocol Tunneling
Protocol Tunneling allows attackers to encapsulate one protocol within another to circumvent network restrictions. DNS Tunneling, for example, exploits DNS requests to disguise malicious exchanges. Since DNS requests are generally authorized by firewalls, it is possible to transmit information within the target network through them. An exfiltration technique consists of encoding and segmenting data, then sending each segment as a request to a subdomain of a malicious DNS server. Concretely, if the message to exfiltrate is "password123," the DNS request will be password123.evildomain.com. Attackers also use DNS TXT records to store text instructions: an implant can send a DNS request to a preconfigured server and receive commands by reading the text content in the response.

The BOND UPDATER Trojan uses this specific variation — requests sent to the malicious DNS server contain an action type indicating a specific request. If the action type is "M," the implant must be activated. If "P," the TXT method is not working and another DNS tunneling variant must be used.
Attackers can also add obfuscation or steganography layers to make traffic harder to detect by network detection and response solutions. This technique is relatively easy to implement via open-source tools like DNSCAT2 or offensive frameworks like Cobalt Strike.
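One way a defender can surface the subdomain-encoding and TXT-record variants described above is to profile query names per registered domain and look for what tunnelling leaves behind: many distinct subdomains, long or high-entropy labels, and unusual TXT lookups. This is an added example, not code from the article or from any tool it names; the queries are constructed and evildomain.com is the article's own placeholder domain.

```python
import math
from collections import defaultdict

# Constructed resolver log: (client, query name, query type). The evildomain.com
# entries mimic the article's "password123.evildomain.com" exfiltration pattern,
# with the payload base64-encoded as an implant typically does.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.7", "cGFzc3dvcmQxMjM.evildomain.com", "TXT"),           # "password123"
    ("10.0.0.7", "c2VjcmV0LWRhdGEtY2h1bmsx.evildomain.com", "TXT"),  # "secret-data-chunk1"
    ("10.0.0.7", "c2VjcmV0LWRhdGEtY2h1bmsy.evildomain.com", "TXT"),  # "secret-data-chunk2"
    ("10.0.0.7", "c2VjcmV0LWRhdGEtY2h1bmsz.evildomain.com", "TXT"),  # "secret-data-chunk3"
    ("10.0.0.9", "cdn.example.net", "A"),
]

def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than real hostnames."""
    if not text:
        return 0.0
    return -sum(p * math.log2(p) for p in (text.count(c) / len(text) for c in set(text)))

def split_name(qname):
    """Naive split into (registered domain, subdomain labels). Real tooling uses the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]

def profile_domains(queries, max_label_len=20, min_entropy=3.5):
    """Aggregate, per registered domain, the signals that DNS tunnelling leaves behind."""
    stats = defaultdict(lambda: {"subdomains": set(), "clients": set(),
                                 "txt": 0, "long_labels": 0, "high_entropy": 0})
    for client, qname, qtype in queries:
        domain, labels = split_name(qname)
        prefix = ".".join(labels)
        s = stats[domain]
        s["subdomains"].add(prefix)
        s["clients"].add(client)
        s["txt"] += int(qtype == "TXT")
        s["long_labels"] += int(any(len(label) > max_label_len for label in labels))
        s["high_entropy"] += int(bool(prefix) and shannon_entropy(prefix) >= min_entropy)
    return stats

def flag_tunnelling(stats, min_subdomains=3):
    """Suspect: many distinct subdomains AND payload-like labels or repeated TXT lookups."""
    return sorted(d for d, s in stats.items()
                  if len(s["subdomains"]) >= min_subdomains
                  and (s["long_labels"] >= 2 or s["high_entropy"] >= 2 or s["txt"] >= 3))

if __name__ == "__main__":
    profile = profile_domains(SAMPLE_QUERIES)
    for domain in flag_tunnelling(profile):
        s = profile[domain]
        print(f"{domain}: {len(s['subdomains'])} subdomains, {s['txt']} TXT, {s['high_entropy']} high-entropy labels")
```

Thresholds are assumptions to tune per environment; CDNs and some anti-spam services legitimately produce long encoded labels, so the verdict should combine signals rather than rely on any one of them.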
T1568.002 – Domain Generation Algorithm (DGA)
DGA is a technique used to dynamically generate domain names and ensure communication with a C2 server while avoiding detection and blocking. Rather than using a fixed, easily identifiable address, the implant automatically generates domain names using an algorithm based on a specific criterion — such as the current date or a predefined character string. This makes domain identification difficult and ensures persistence even when certain domains are blocked.
Advanced attackers combine multiple techniques. In the case of the Ebury malware v1.4 and v1.6, if the attacker does not connect via OpenSSH for three days, a failover mechanism triggers a DGA to generate a list of domains. Ebury then attempts to connect to each and looks for a DNS TXT record it can decrypt with an RSA key programmed into the implant.
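The practical tell of a DGA on the wire is the burst of failed lookups an implant produces while walking its generated list until one name resolves. The following added example (not from the article, Ebury, or any tool it names; the log lines are constructed and the "timestamp client qname rcode" format is assumed) flags clients showing that burst and records which generated-looking name finally resolved.

```python
import re
from collections import defaultdict

# Constructed resolver log in an assumed "timestamp client qname rcode" format.
# 10.0.0.7 walks a generated list until one name resolves; 10.0.0.5 merely mistypes a domain.
SAMPLE_LOG = """
2025-03-01T10:00:01 10.0.0.7 xkqzvbtrpl.com NXDOMAIN
2025-03-01T10:00:01 10.0.0.7 mwpqrtsvxz.net NXDOMAIN
2025-03-01T10:00:02 10.0.0.7 tqrzbnwplk.org NXDOMAIN
2025-03-01T10:00:02 10.0.0.7 hvjdxqrtbm.info NXDOMAIN
2025-03-01T10:00:03 10.0.0.7 zrkwtpvqdn.com NOERROR
2025-03-01T10:00:05 10.0.0.5 www.example.com NOERROR
2025-03-01T10:00:06 10.0.0.5 mail.example.com NOERROR
2025-03-01T10:00:07 10.0.0.5 typoexmaple.com NXDOMAIN
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NXDOMAIN|NOERROR)$")

def vowel_ratio(label):
    return sum(c in "aeiou" for c in label) / max(len(label), 1)

def looks_generated(qname, min_len=8, max_vowel_ratio=0.2):
    """Cheap lexical test on the second-level label: long and vowel-poor is typical of random DGAs."""
    labels = qname.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return len(sld) >= min_len and vowel_ratio(sld) <= max_vowel_ratio

def detect_dga_clients(lines, min_nxdomain=4):
    """Per client: size of the NXDOMAIN burst and any generated-looking name that did resolve."""
    failed, resolved = defaultdict(set), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, qname, rcode = m.groups()
        if not looks_generated(qname):
            continue
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
        else:
            resolved[client].append(qname)  # likely the live C2 domain of the day
    return {c: {"nxdomain_count": len(names), "live_candidates": resolved.get(c, [])}
            for c, names in failed.items() if len(names) >= min_nxdomain}

if __name__ == "__main__":
    for client, info in detect_dga_clients(SAMPLE_LOG).items():
        print(client, info)
```

The lexical test is deliberately simple and misses dictionary-based DGAs; the NXDOMAIN-burst signal is what carries the detection, and the resolved candidate is the domain to pivot on for blocking and for hunting other hosts.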

Fast Flux is a technique where attackers rapidly rotate the IP addresses associated with a domain. Using a DNS server they control, they arrange for each DNS request to return a new IP address every few minutes (typically 3 to 5), chosen from a regularly changing list assigned via Round Robin. This makes it much harder to locate malicious servers.
Fast Flux can also be combined with botnets — each bot hosts an IP address, distributing the malicious infrastructure across a large number of machines and making it far harder to dismantle. Even if certain servers or bots are shut down, malicious activity continues uninterrupted.
The solution for countering Fast Flux is to focus on malicious domains rather than IPs. This is what Unit42 researchers did by publishing the IOCs of the Gamaredon APT (Trident Ursa), known for using this technique — those same researchers were publicly threatened by the APT in an attempt to prevent further IOC publications.

A more advanced variant is Double Fast Flux, which adds an extra step: the rapid rotation of DNS servers themselves. In addition to rotating IP addresses, the DNS servers are also changed frequently. With low TTL values, the resolver is constantly forced to seek a new DNS server, making each request different from the last.
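Both single and double Fast Flux leave a signature in passive DNS history: many distinct A records spread across unrelated networks with short TTLs, and, for the double variant, a name-server set that changes just as quickly. The following added example (not code from the article or from Unit42; the observations are constructed, using documentation address ranges and placeholder names) classifies each domain from that history.

```python
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed passive-DNS observations: (epoch seconds, name, rrtype, rdata, ttl).
# flux.example rotates A records every 3 minutes and its NS set every 10 minutes;
# static.example is an ordinary host. Addresses come from the documentation ranges.
PDNS = [
    (0,    "flux.example",   "A",  "198.51.100.10",      180),
    (180,  "flux.example",   "A",  "203.0.113.44",       180),
    (360,  "flux.example",   "A",  "192.0.2.77",         180),
    (540,  "flux.example",   "A",  "198.51.100.91",      180),
    (720,  "flux.example",   "A",  "203.0.113.9",        180),
    (0,    "flux.example",   "NS", "ns1.flux.example",   300),
    (600,  "flux.example",   "NS", "ns7.flux.example",   300),
    (1200, "flux.example",   "NS", "ns3.flux.example",   300),
    (0,    "static.example", "A",  "192.0.2.1",          86400),
    (3600, "static.example", "A",  "192.0.2.1",          86400),
    (0,    "static.example", "NS", "ns1.static.example", 86400),
]

def analyze_fast_flux(records, max_ttl=600, min_ips=4, min_networks=2, min_ns=3):
    """Classify each name as none / single-flux / double-flux from its A and NS history.
    Thresholds are assumptions; tune them against a baseline of known-good CDN domains."""
    history = defaultdict(lambda: {"A": {}, "NS": {}})  # name -> rrtype -> rdata -> last TTL
    for _ts, name, rrtype, rdata, ttl in records:
        if rrtype in ("A", "NS"):
            history[name][rrtype][rdata] = ttl
    report = {}
    for name, rr in history.items():
        a, ns = rr["A"], rr["NS"]
        # Distinct /24s: a botnet-hosted flux network spans many unrelated prefixes.
        networks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in a}
        a_ttl = mean(a.values()) if a else None
        ns_ttl = mean(ns.values()) if ns else None
        single = len(a) >= min_ips and len(networks) >= min_networks and a_ttl <= max_ttl
        double = single and len(ns) >= min_ns and ns_ttl <= max_ttl
        report[name] = {"distinct_ips": len(a), "distinct_networks": len(networks),
                        "mean_a_ttl": a_ttl, "distinct_ns": len(ns),
                        "verdict": "double-flux" if double else "single-flux" if single else "none"}
    return report

if __name__ == "__main__":
    for name, info in analyze_fast_flux(PDNS).items():
        print(f"{name}: {info['verdict']} ({info['distinct_ips']} IPs over {info['distinct_networks']} /24s)")
```

Legitimate CDNs also return many IPs with low TTLs, which is why the network-diversity and NS-churn checks matter more than the IP count alone, and why the article's advice to act on the domain rather than the IPs holds.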
The Cobalt Strike Framework
Cobalt Strike is a commercialized threat emulation tool for cybersecurity professionals. However, being particularly effective, many malicious actors obtain leaked or pirated versions and use them to carry out cyberattacks.
One of its most popular evasion techniques is Malleable C2, which allows customizing beacon communications to give them a legitimate appearance — mimicking traffic from services like Google Drive or Wikipedia using a custom profile. The Community Kit is a repository where the community publishes validated scripts covering lateral movement, payload generation, and many other capabilities that make attacks highly flexible.
Once a beacon is deployed, multiple communication options are available: HTTP(S), DNS Tunneling, TCP, and SMB. Beacons operate in two modes:
A notable example is the 2020 SolarWinds attack, where CS Beacons were discovered communicating via HTTPS with their C2s. An SMB Beacon was also found on an air-gapped machine, communicating via a Named Pipe over the SMB protocol — allowing data transfer over a local network before being relayed to the attacker's C2 via an internet-connected machine.
Cobalt Strike's main drawback is its notoriety: being very popular, it is more easily detectable than custom malware. Open-source alternatives exist — Sliver, Havoc, Metasploit — but none are as sophisticated for C2 operations. The evidence: well-resourced APTs like APT 41 (Double Dragon) and APT 29 (Cozy Bear) still use Cobalt Strike in their attacks.
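Because Malleable C2 makes each individual request look legitimate, timing is often what gives a Beacon away: it calls home on a fixed sleep interval with a bounded jitter, whereas human-driven traffic to the same kind of host is bursty. The following is an added example, not from the article or from Cobalt Strike; the proxy log is constructed and the host name is a placeholder. The same regularity check applies to the periodic HTTP POST check-ins described under T1071.001.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: (epoch seconds, client, host). 10.0.0.7 polls one host
# roughly every 60 s with about 10% jitter, the shape of a Beacon sleep/jitter
# schedule; 10.0.0.5 is ordinary browsing. Host names are placeholders.
PROXY_LOG = (
    [(t, "10.0.0.7", "updates.example-cdn.com") for t in (0, 58, 121, 177, 240, 296, 362, 418)]
    + [(t, "10.0.0.5", "www.example.com") for t in (0, 5, 305, 317, 1217, 1257)]
)

def interval_profile(timestamps):
    """Return (request count, mean gap, coefficient of variation of the gaps) for one client/host pair."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    m = mean(gaps)
    return len(ts), m, (pstdev(gaps) / m if m > 0 else None)

def find_beacons(log, min_requests=6, max_cv=0.2):
    """Flag client/host pairs whose request gaps are both numerous and unusually regular.
    A low coefficient of variation survives the jitter a Beacon adds; bursty human
    traffic does not. Threshold values are assumptions to tune per network."""
    pairs = defaultdict(list)
    for t, client, host in log:
        pairs[(client, host)].append(t)
    findings = {}
    for key, ts in pairs.items():
        n, gap, cv = interval_profile(ts)
        if n >= min_requests and cv is not None and cv <= max_cv:
            findings[key] = {"requests": n, "mean_gap_s": round(gap, 1), "cv": round(cv, 3)}
    return findings

if __name__ == "__main__":
    for (client, host), info in find_beacons(PROXY_LOG).items():
        print(f"{client} -> {host}: {info}")
```

Software updaters and monitoring agents also poll on fixed schedules, so a hit is a lead to enrich with the article's IOC feeds and with the host's process context, not a verdict on its own.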
The cyber threat intelligence team at Hoshi handles new attack campaigns daily to retrieve as many indicators of compromise as possible and detect threats more precisely. These IOCs serve as detection weapons against C2s like Cobalt Strike — tracking IP addresses, domains, and malicious file signatures shared by the cybersecurity community. The volume of campaigns we process allows us to build a comprehensive IOC list with patterns and detection rules.
Our AI-based detection tool also constitutes a major asset: indicators of compromise linked to command and control infrastructures are systematically present in network traffic during an attack. Jizô is capable of identifying suspicious variations in communications and rapidly alerting analysts.
Fighting command and control infrastructures has become a defining challenge of modern cybersecurity. As attackers perfect their techniques to defeat detection solutions, implementing newer, more sophisticated detection methods becomes critical. The integration of AI-based technologies — such as those proposed by Jizô AI — is increasingly essential. Behavioral analysis and the detection of anomalous variations in network flows make it possible to identify malicious communications even when they rely on the advanced techniques described above.