Command and Control (C2) refers to the mechanisms and techniques used by threat actors to issue commands to compromised systems and receive data back from them. Once malware is installed on a victim machine, the C2 infrastructure allows attackers to:
In every serious cyberattack, getting into a system is just the beginning. To maintain access, move laterally, exfiltrate data, or launch further actions, attackers need a way to communicate with the compromised environment—silently, remotely, and reliably. This critical component is known as Command and Control (C2).
Command and Control is one of the most important phases in the cyber kill chain. It’s where attackers establish a hidden communication channel between the victim’s environment and their own infrastructure, allowing them to control compromised devices like puppets from afar.
Understanding how C2 works—and how to detect and disrupt it—is essential for defenders to break the attack chain before real damage is done.

How Command and Control Works
The C2 phase typically begins after the attacker has successfully compromised a system. Here's how it usually unfolds:
- Malware Installation – A malicious payload (implant) is executed on the victim's system, via phishing, exploit kits, drive-by downloads, or similar delivery.
- C2 Beaconing – The implant "calls home" by reaching out to a preconfigured IP address, domain, or URL. Because the attacker usually cannot connect inbound, the implant polls outbound, typically at a fixed sleep interval plus random jitter so the pattern is less obvious.
- Communication Established – Once a check-in succeeds, the operator queues tasks that the implant fetches on its next poll. Tasks can include downloading additional payloads, running shell commands, or scanning the network.
- Data Exfiltration or Lateral Movement – The attacker uses the C2 channel to gather information, pull data out, or pivot to other systems.
To stay undetected, attackers often encrypt traffic, tunnel over common protocols (HTTPS, DNS), use domain fronting (now blocked by several large CDNs), design custom protocols, or route commands through legitimate cloud services (e.g., Dropbox, GitHub, Google Drive) so the traffic blends in with normal business use. That pushes detection away from "known bad destination" toward behaviour: regular timing, consistent message sizes, and long-lived connections to destinations a host has no business reason to contact.
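The beaconing pattern above is also the defender's best handle on it: an implant on a sleep timer produces inter-arrival times and response sizes far more regular than a person browsing. The following script is an added example (not code from the original article or from PentestPad) that scores host-to-destination pairs from a constructed proxy log by the coefficient of variation of their request timing and response sizes. The log format ("timestamp src dst bytes"), the hostnames, and the thresholds are assumptions for illustration; the jittered 60-second beacon in the sample is synthetic.

```python
"""Beacon-interval analysis over a constructed proxy log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not real traffic. Format: "timestamp src dst bytes".
# One host talks to two destinations: a ~60 s beacon with a few seconds of
# jitter and small, near-constant response sizes, and ordinary browsing
# with irregular timing and sizes.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn-update.example 512
2024-05-01T10:01:02 10.0.0.5 cdn-update.example 498
2024-05-01T10:01:55 10.0.0.5 cdn-update.example 530
2024-05-01T10:03:01 10.0.0.5 cdn-update.example 505
2024-05-01T10:03:58 10.0.0.5 cdn-update.example 517
2024-05-01T10:05:00 10.0.0.5 cdn-update.example 522
2024-05-01T10:00:12 10.0.0.5 news.example 14023
2024-05-01T10:00:40 10.0.0.5 news.example 2210
2024-05-01T10:07:31 10.0.0.5 news.example 8820
2024-05-01T10:22:03 10.0.0.5 news.example 51023
2024-05-01T10:45:10 10.0.0.5 news.example 3302
2024-05-01T11:10:59 10.0.0.5 news.example 904
"""


@dataclass
class PairStats:
    hits: int
    mean_interval: float  # seconds between consecutive requests
    interval_cv: float    # coefficient of variation of the intervals
    bytes_cv: float       # coefficient of variation of response sizes


def parse_log(text):
    """Group (timestamp, bytes) rows by (src, dst)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return events


def _cv(values):
    """Population coefficient of variation; 0 when the mean is 0."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def pair_stats(events, min_hits=6):
    """Compute timing and size regularity for every pair with enough hits."""
    stats = {}
    for pair, rows in events.items():
        if len(rows) < min_hits:
            continue
        rows.sort()  # by timestamp; logs are not guaranteed to be ordered
        times = [t for t, _ in rows]
        sizes = [s for _, s in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[pair] = PairStats(len(rows), mean(gaps), _cv(gaps), _cv(sizes))
    return stats


def find_beacons(text, min_hits=6, max_interval_cv=0.2, max_bytes_cv=0.1):
    """Return the (src, dst) pairs whose timing and sizes look machine-driven.

    Thresholds are assumed starting points, not tuned values: a beacon with
    a large jitter setting (e.g. 50% of its sleep) raises interval_cv and
    needs a longer observation window or a different feature to catch.
    """
    return {
        pair: st
        for pair, st in pair_stats(parse_log(text), min_hits).items()
        if st.interval_cv <= max_interval_cv and st.bytes_cv <= max_bytes_cv
    }


if __name__ == "__main__":
    for (src, dst), st in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {st.hits} hits, ~{st.mean_interval:.0f}s period, "
              f"interval CV {st.interval_cv:.2f}, size CV {st.bytes_cv:.2f}")
```

On the sample, only the cdn-update.example pair is flagged (mean period 60 s, interval CV well under 0.1). In production the same idea runs over hours or days of proxy, DNS, or NetFlow data, because long-sleep implants (check-ins every few hours) never accumulate enough hits in a short window, and the scoring is combined with destination reputation and rarity rather than used alone: legitimate software updaters and monitoring agents beacon too.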
Real-World Examples of C2 in Action
- Cobalt Strike – A commercial adversary-simulation tool whose Beacon implant is frequently abused (often via cracked copies) for real intrusions. Its Malleable C2 profiles let operators shape the beacon's HTTP(S) traffic, sleep time, and jitter to mimic legitimate applications, which is why it shows up in so many ransomware and APT campaigns.
- Emotet – A modular loader known for polymorphic payloads, a frequently rotated list of hard-coded C2 IP addresses, and the delivery of other families' malware. Once considered one of the most dangerous botnets in the world, it was disrupted by a coordinated law-enforcement takedown in January 2021 before resurfacing later that year.
- APT29 (Cozy Bear) – A Russian state-linked group known for advanced C2 tradecraft, including steganography (its HAMMERTOSS backdoor retrieved commands hidden in images hosted on public web services) and the use of cloud services such as Microsoft OneDrive to make C2 traffic look like normal SaaS use.
- Turla – A Russian threat group that once used hijacked satellite internet links as a C2 channel to hide their location and evade attribution. Known for years-long cyber-espionage campaigns.