Modern C2 Attacks: Detect & Defend Command-and-Control

Attackers go through several stages to make an attack successful. And the last line in the defense system they aim to break is the command and control (C2).

C2 attacks are a severe threat to organizations of all sizes and types because, if successful, adversaries can steal all your valuable data. To protect against these attacks, you should implement a security framework and robust policies, including technical and organizational measures.

In this article, you'll learn how command and control contribute to the security of your overall organization.

What is command and control (C2) in cybersecurity?

The security department in organizations uses a command-and-control system to monitor its security network, identify and respond to potential threats, and communicate with its team. NIST defines C2 as:

Some adversaries constantly seek ways to disrupt the C2 system, gain network access and steal valuable data. To achieve this, they use various techniques and MITRE ATT&CK's research highlights 16 ways attackers may compromise your C2 system:

MITRE-mapped techniques attackers can use in C2 attacks.

Once an adversary has compromised the C2 system, they can trigger the download of additional malware, steal sensitive company data such as financial documents and passwords and even bring down your company's entire network.

Suppose you don't have strong command and control. In that case, your organization can suffer severe consequences like financial loss, reputational damage and potential legal repercussions. To prevent these attacks, your security teams must take a proactive approach to cybersecurity and implement robust command and control. You can do this using a few best practices such as:

• Keeping software up to date.
• Implementing strong access controls.
• Using encryption.
• Monitoring the network for unusual activity.

Pro Tip: You can use advanced technologies like AI and ML to identify and respond to threats in real time.

How C2 attacks work

A C2 attack is a cyberattack that allows an attacker to take control of a compromised machine and use it to carry out malicious activities.

In this attack, the attacker establishes a communication channel between the infected machine and a C2 server. This channel then transmits instructions and data to the infected machine. Here's how a C2 attack is executed:

1. Gaining foothold for Initial compromise. Adversaries will first establish a foothold in the targeted machine to initiate their attack. They can achieve this through phishing emails, social engineering, or by exploiting vulnerabilities in software or operating systems.
2. Establishing the channel. Once they have access to the targeted machine, they will attempt to install malware or other malicious software that grants them control over the machine.
3. Executing commands, maintaining persistence. The attackers will then build a communication line between the infected machine and the command and control server. They might use a Remote Access Trojan (RAT), a type of malware that enables remote control of a compromised machine.
4. Initiating malicious activity. Once the communication channel is established, the infected machine will signal the attacker's server to initiate malicious activity.

This is how attackers can steal essential data. They use this communication channel to exfiltrate data from the compromised machine or to issue commands to carry out further malicious activities, such as launching a distributed denial-of-service (DDoS) attack.

Emerging C2 communications

As adversaries refine their tradecraft, many have begun to hide C2 channels inside legitimate cloud and web services, so their traffic looks like routine business communications. In a notable 2025 campaign, researchers observed a previously undocumented backdoor (named HazyBeacon) that used AWS Lambda URLs over HTTPS as its command-and-control endpoint, effectively piggybacking on trusted serverless infrastructure to avoid simple IP/domain blocking.

This living-off-the-land (LOTL) approach isn’t limited to serverless: threat actors increasingly use code hosting and public services to store commands or rendezvous information, making C2 traffic blend with normal API and web calls.

At the same time, modern C2 frameworks support dynamic, multi-modal communications. Implants can default to low-frequency beaconing and then switch to alternate protocols or higher-bandwidth channels when needed, complicating detection based on static signatures. Some campaigns use indirect “lookup” channels (for example, retrieving encoded C2 addresses from GitHub, Pastebin, or DNS TXT records) so the true endpoint isn’t obvious until later in the kill chain.

Defenders should move beyond simple blacklist/block rules and prioritize behavioral baselining, encrypted-flow analysis, and anomaly detection that spot deviations in how services are being used rather than only known bad IPs or domains.

Detection & defense strategies

As attackers adopt stealthier communication methods, detecting C2 traffic has become increasingly challenging. Recent research shows that attackers increasingly remain undetected for extended periods — these extended dwell times give ample opportunity for attackers to exfiltrate data and expand their foothold.

Separately, an analysis of 22,000+ security incidents saw a significant portion involve C2 communications, highlighting how common these threats are in today’s environments.

To stay ahead, security teams are turning to more advanced detection techniques:

• AI-based anomaly detection: Machine learning models analyze network and system behavior to spot unusual patterns that may indicate C2 activity.
• Behavioral baselining: Monitoring deviations from normal traffic or user behavior helps uncover malicious communications that would bypass static rules.
• Encrypted-flow analysis: Examining encrypted traffic for anomalies ensures that even hidden C2 channels can be detected.

These approaches help teams move beyond simple IP/domain blocking and respond more quickly to stealthy attacks.

Examples of command-and-control attacks

Log4j exploitation (Classic, infamous example of a vulnerability-driven C2)

According to former U.S. CISA Director Jen Easterly, Log4j is among the most serious vulnerabilities she’s seen due to how early in the attack lifecycle it occurs. It's an example of how attackers can exploit vulnerabilities to make a c2 attack successful.

Attackers can leverage it to compromise an end host, download a secondary payload and hack the entire command and control system. Once an attacker gains access, they use Log4j to escalate their privileges and gain control of the whole network. Here's how they accomplish their attack:

• They exploit the Log4j vulnerability to access a target system and install a backdoor or malicious software.
• Next, they use this foothold to establish a c2 connection with the compromised system.
• Then, they can remotely control it and carry out further attacks.

By monitoring and detecting C2 activities, security teams or commanders can prevent attackers from establishing a foothold in their systems and carrying out further attacks.

(See how Splunk handled the Log4j vulnerability.)

Volt Typhoon

In 2023, the state-sponsored group known as Volt Typhoon initiated a campaign targeting U.S. critical infrastructure. Utilizing LOTL techniques, they exploited existing system tools to maintain persistence without deploying traditional malware. This approach allowed them to evade detection by conventional security measures.

Their activities were not limited to espionage but also aimed at pre-positioning for potential disruptive actions. CISA issued a joint advisory with international partners, highlighting the group's tactics and urging organizations to strengthen their defenses against such stealthy intrusions.

Ransomware gangs exploiting C2 infrastructure

Concurrently, ransomware groups have increasingly leveraged compromised C2 infrastructure to enhance the effectiveness of their attacks. In 2024 and 2025, these actors utilized legitimate cloud services and anonymized VPS providers to host their C2 servers, making detection more challenging.

This trend underscores the necessity for defenders to adopt advanced detection strategies that go beyond traditional signature-based methods, focusing instead on behavioral analysis and anomaly detection to identify malicious activities within legitimate infrastructure.

Stopping C2 attacks

Preventing C2 attacks requires a multi-layered approach that includes technical and organizational measures. Technical measures may include using firewalls, intrusion detection and prevention systems and endpoint protection solutions to monitor and block suspicious activities.

Organizational measures include implementing strong access controls, such as two-factor authentication, to prevent unauthorized access to sensitive systems and data.

Security commanders can protect your organization from command-and-control attacks. Since they know C2 systems, they can identify and mitigate potential threats and vulnerabilities using their knowledge and expertise. Here's how they can thwart c2 attacks:

Monitor network traffic

Security command teams monitor the network traffic to detect any suspicious activity. By doing so, they identify and respond to any suspicious activity, preventing command and control attacks from succeeding. They use intrusion detection systems (IDS) and intrusion prevention systems (IPS), which can analyze network traffic in real-time and alert security teams to potential threats.

(Read more about networking security monitoring & network security.)

Prioritize security implementations

Done right, prioritizing security implementations such as two-factor authentication and digital code signing can reduce the risk of command and control attacks:

• Two-factor authentication is an additional layer of security to protect a system. To enable this, users provide a second form of identification, like a fingerprint or a code sent to their phone.
• Digital code signing is used to verify the authenticity of software code and ensure that unauthorized parties have not modified it.

(See what generative AIs, like ChatGPT, mean for cybersecurity.)

Provide security training to staff

Staff members must be aware of the potential risks associated with command and control attacks to contribute their part when it comes to the safety of the organization. So, the security team should educate them on the importance of strong passwords, recognizing phishing scams and avoiding suspicious websites and downloads to protect against cyberattacks.

The best way your organization can ensure the staff is knowledgeable is by starting ongoing training about keeping up with the latest threats and learning mitigation strategies.

Protect your business from C2 attacks

Cybercriminals have become increasingly sophisticated in their approach to command and control (C2) attacks, which is a threat to organizations. By making these attacks, they can steal valuable data and compromise your organization's sensitive information.

So, your organization should adopt a comprehensive security strategy to prevent C2 attacks. By implementing this, you can safeguard your assets, protect customers' data and maintain the trust of customers.