
Command and Control (C2)

Command and control (C2) is how an attacker communicates with and directs malware on compromised systems, issuing instructions and receiving stolen data while trying to blend into normal network traffic.

Author: Unihackers Team

Command and control, almost always written as C2, is the nervous system of a modern intrusion. Once an attacker gets malware onto a system, that code is useless unless the attacker can talk to it: send new instructions, pull down extra tools, and collect whatever the malware finds. C2 is that conversation. It is one of the fourteen tactics in the MITRE ATT&CK framework precisely because nearly every serious breach, from ransomware crews to nation-state actors, depends on a working C2 channel.

How a C2 Channel Works

After the initial compromise, malware does not sit idle. It reaches back out to a server the attacker controls and begins "beaconing": checking in on a schedule, asking for instructions, running them, and reporting the results. This callback model means the infected machine initiates the connection, which conveniently slips past firewalls that block inbound traffic but allow outbound.

The hard part for attackers is staying hidden, so C2 traffic is designed to look boring. Common channels include:

  • HTTPS to a web server, indistinguishable from ordinary browsing at a glance.
  • DNS queries, which most networks allow freely and rarely inspect closely.
  • Legitimate cloud services, where C2 hides inside traffic to platforms a company already trusts.

Why C2 Sits at the Center of an Attack

C2 is the hinge between gaining a foothold and achieving the actual goal. With a live channel, an attacker can deploy additional payloads, perform lateral movement to reach higher-value systems, and ultimately carry out data exfiltration, often reusing the very same channel to smuggle data back out.

Because building and operating this infrastructure is repetitive technical work, it has become one of the tasks attackers increasingly try to offload onto AI assistants. As we explore in how hackers use AI, generating C2 scaffolding, obfuscating beacon traffic, and scripting infrastructure setup are exactly the kind of preparatory chores attackers ask models to accelerate.

Detecting and Cutting C2

For defenders, finding C2 is core SOC and threat hunting work, because it offers a window to act before the attacker reaches their objective. Analysts look for regular beaconing intervals, connections to newly registered or low-reputation domains, spikes in DNS volume, and data leaving the network at unusual times. Correlating endpoint telemetry with network logs and threat intelligence turns these faint signals into a confident detection.
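The first signal above, regular beaconing intervals, can be surfaced directly from outbound connection logs. The following is an added example (not code from the original page or from Unihackers): it parses a constructed proxy log in an assumed `timestamp src_ip dest_host bytes_out` format, groups connections per source/destination pair, and flags pairs whose inter-connection gaps are nearly constant (low jitter), while an irregular browsing pattern to another host is left alone.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real telemetry). Assumed line format:
# "<ISO timestamp> <src_ip> <dest_host> <bytes_out>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 cdn.example-updates.test 512
2024-03-01T09:00:03 10.0.0.5 www.news.test 2048
2024-03-01T09:01:00 10.0.0.5 cdn.example-updates.test 520
2024-03-01T09:01:47 10.0.0.5 www.news.test 9100
2024-03-01T09:02:00 10.0.0.5 cdn.example-updates.test 511
2024-03-01T09:03:00 10.0.0.5 cdn.example-updates.test 515
2024-03-01T09:03:21 10.0.0.5 www.news.test 300
2024-03-01T09:04:00 10.0.0.5 cdn.example-updates.test 509
2024-03-01T09:06:10 10.0.0.5 www.news.test 4200
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, src, dest, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dest, int(nbytes)))
    return events

def find_beacons(events, min_connections=4, max_jitter=0.10):
    """Return {(src, dest): (mean_interval_s, jitter)} for pairs whose
    gaps between connections are highly regular. jitter = stdev / mean,
    so a perfectly periodic check-in scores 0.0; ordinary browsing, with
    gaps that vary widely, scores well above max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dest, _ in events:
        by_pair[(src, dest)].append(ts)
    suspects = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:   # too few samples to judge
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            suspects[pair] = (avg, jitter)
    return suspects

if __name__ == "__main__":
    for (src, dest), (avg, jit) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dest}: every {avg:.0f}s, jitter {jit:.2f}")
```

Real implants add random sleep jitter, so in practice the `max_jitter` threshold is tuned per environment and combined with the other signals the paragraph lists (domain age, reputation, DNS volume) rather than used alone.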

The lesson cuts both ways. Attackers invest heavily in C2 because no channel means no control; defenders invest just as heavily in detecting it because the C2 conversation, once found, is the thread that unravels the entire attack.

In the Bootcamp

How We Teach Command and Control (C2)

In our Cybersecurity Bootcamp, you won't just learn about Command and Control (C2) in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 10: Penetration Testing and Ethical Hacking

Related topics you'll master: Metasploit, Nmap, Burp Suite, Privilege Escalation