Command and Control

Also known as: C2, C&C, Command-and-control server

The infrastructure an attacker uses to send instructions to, and receive data from, malware-infected hosts in a botnet or targeted intrusion.

What is command and control?

Command and control — typically abbreviated C2 or C&C — is the back-channel between a compromised host and the attacker who controls it. After malware runs on a victim's machine, it needs a way to receive orders ("upload this file", "encrypt the disk", "launch a DDoS") and to send stolen data back. The servers, domains, protocols, and channels used for that back-channel are collectively the C2 infrastructure.

How C2 traffic is structured

Most modern C2 frameworks use HTTPS on port 443, which blends in with normal web traffic and usually passes through corporate firewalls without inspection. Stealthier variants hide C2 inside DNS queries, Slack/Discord/Telegram webhooks, GitHub issue comments, or traffic shaped to mimic a specific SaaS API. Infected hosts typically beacon on a schedule — every 60 seconds, every 5 minutes — to check for new instructions, and the timing of those beacons is one of the most reliable detection signals.
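The beacon-timing signal described above (and restated in the FAQ answer on beacons) can be checked with a periodicity test over outbound connection logs. The following is an added example written for this entry, not code from the page or from any C2 framework or vendor product: it groups connections by source/destination pair, measures the gaps between them, and flags pairs whose gaps are machine-regular. The log lines, host names and addresses are constructed, and the thresholds (at least six connections, coefficient of variation no more than 0.2) are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection records (timestamp, source host, destination).
# Not real traffic: ws-17 -> 203.0.113.10 imitates a 60 s beacon with roughly 10% jitter,
# ws-17 -> 198.51.100.7 imitates a person browsing, ws-22 -> 192.0.2.5 is too sparse to judge.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-17 203.0.113.10
2024-05-01T10:00:58 ws-17 203.0.113.10
2024-05-01T10:02:01 ws-17 203.0.113.10
2024-05-01T10:02:57 ws-17 203.0.113.10
2024-05-01T10:04:00 ws-17 203.0.113.10
2024-05-01T10:04:56 ws-17 203.0.113.10
2024-05-01T10:06:02 ws-17 203.0.113.10
2024-05-01T10:06:59 ws-17 203.0.113.10
2024-05-01T10:08:00 ws-17 203.0.113.10
2024-05-01T10:00:00 ws-17 198.51.100.7
2024-05-01T10:00:03 ws-17 198.51.100.7
2024-05-01T10:00:09 ws-17 198.51.100.7
2024-05-01T10:00:40 ws-17 198.51.100.7
2024-05-01T10:00:41 ws-17 198.51.100.7
2024-05-01T10:03:20 ws-17 198.51.100.7
2024-05-01T10:03:25 ws-17 198.51.100.7
2024-05-01T10:10:00 ws-17 198.51.100.7
2024-05-01T10:25:00 ws-17 198.51.100.7
2024-05-01T10:00:00 ws-22 192.0.2.5
2024-05-01T10:05:00 ws-22 192.0.2.5
2024-05-01T10:10:00 ws-22 192.0.2.5
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def periodicity(timestamps):
    """Return (connection count, mean gap in seconds, coefficient of variation).

    The coefficient of variation (stdev / mean) is near zero for a fixed-interval
    beacon, grows with jitter, and is large for irregular human activity.
    """
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return len(times), None, None
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else None
    return len(times), avg, cv


def find_beacons(text, min_connections=6, max_cv=0.2):
    """Flag (src, dst) pairs with enough connections and machine-regular spacing."""
    flagged = []
    for (src, dst), stamps in parse_log(text).items():
        count, avg, cv = periodicity(stamps)
        if count >= min_connections and cv is not None and cv <= max_cv:
            flagged.append({"src": src, "dst": dst, "count": count,
                            "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['interval_s']}s (n={hit['count']}, cv={hit['cv']})")
```

Jitter raises the coefficient of variation: the roughly 10% jitter in the sample stays well under the 0.2 threshold, but a framework configured with large jitter will slip past a CV test on its own. That is why production detectors combine this with longer observation windows, consistency of request sizes per pair, and destination reputation.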

Why C2 hosts appear on abuse lists

C2 infrastructure is quickly identified and published by threat researchers, honeypots, and EDR vendors. A single malware campaign's C2 domains and IPs are usually listed on multiple public blocklists within hours or days of the campaign going live. Blocking outbound traffic to known C2 hosts at the firewall breaks the infection's ability to act, even if the initial malware sample has not been detected. Running a suspicious destination IP through an IP abuse report checker will surface existing C2 reports.

C2 for rent

Commercial DDoS-as-a-service platforms are essentially packaged C2 for botnets — they abstract the C2 layer behind a web dashboard so customers without technical skill can rent attack capacity by the minute.

Frequently Asked Questions

How do attackers hide C2 traffic?

Several techniques are common. HTTPS on port 443 is the default because it blends with normal web traffic. Domain-fronting hides the real C2 host behind a legitimate CDN's certificate. DNS tunneling encodes commands inside DNS queries. SaaS abuse — using Slack, Discord, Telegram, GitHub, or Pastebin webhooks as the C2 channel — disguises the traffic as normal employee app use. The most evasive C2 frameworks (Cobalt Strike with custom malleable profiles) shape traffic to mimic a specific real service so deep-packet inspection sees nothing unusual.

What is a beacon?

A beacon is the periodic check-in an infected host makes to its C2 server to ask "any new instructions for me?". Typical beaconing intervals range from every few seconds (during active operations) to once a day (during dormant persistence). The regularity of beacons is one of the strongest detection signals — humans browse irregularly, but malware often beacons with machine precision. Modern frameworks add jitter (random delays around the base interval) specifically to make this signal harder to spot.

Can C2 traffic be detected even when the malware on the host is not?

Yes — through network-based detection. Outbound connections to known C2 IPs and domains are caught by threat-intel feeds at the firewall, even when the host malware itself is not detected. Periodicity analysis of outbound connections spots unknown beacons. JA3/JA4 TLS fingerprinting flags non-browser clients pretending to be browsers. DNS query analysis catches tunneling and domain-generation algorithms. Many EDR platforms now use these network signals as primary detection alongside host-based scanning.

What is a sinkhole?

A sinkhole is a controlled server set up to impersonate a compromised C2 server, usually after researchers seize the original C2 domains. Infected hosts then beacon to the sinkhole instead of the real C2, which lets researchers count the infected population, identify victim networks (without compromising them further), and prevent the malware from receiving any commands. The 2017 WannaCry kill-switch domain was effectively an accidental sinkhole that stopped the global outbreak.

What is the difference between a botnet and C2?

A botnet is the population of infected hosts; C2 is the infrastructure used to control them. Every botnet has C2 — it is the back-channel that turns isolated infected machines into a coordinated attacker resource. C2 also exists in non-botnet contexts: a single targeted intrusion into a corporate network uses C2 to operate the implant, even though no "botnet" is involved. Take down the C2 and the botnet becomes inert until the attacker rebuilds it.
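The DNS query analysis mentioned in the detection answer above (catching tunneling and domain-generation algorithms) comes down to a few measurable properties of the queried names. The following is an added example written for this entry, not code from the page or from any vendor tool: one heuristic flags parent domains that receive many distinct, long, high-entropy subdomains (the shape of data chunked into DNS labels), and a second flags registered domains whose second-level label looks machine-generated. The query log is constructed; the 32-character hex labels are permutations of one made-up string, the registered-domain helper simply takes the last two labels instead of consulting the Public Suffix List, and every threshold is an illustrative choice.

```python
import math
from collections import defaultdict

# Constructed DNS query log as (client, queried name) pairs; not real traffic.
SAMPLE_QUERIES = [
    ("ws-17", "www.example.com"),
    ("ws-17", "mail.example.com"),
    ("ws-17", "cdn.example.net"),
    ("ws-17", "www.example.com"),
    ("ws-31", "3a7f9c2e1b8d4f60a9c3e5d7b2f18e4c.tunnel.example.org"),
    ("ws-31", "c4e81f2b7d5e3c9a06f4d8b1e2c9f7a3.tunnel.example.org"),
    ("ws-31", "1b8d4f60a9c3e5d7b2f18e4c3a7f9c2e.tunnel.example.org"),
    ("ws-31", "e5d7b2f18e4c3a7f9c2e1b8d4f60a9c3.tunnel.example.org"),
    ("ws-31", "xkqzvtpwmrjb.com"),
    ("ws-31", "qhvzlmxrtkwd.net"),
]


def shannon_entropy(label):
    """Bits of entropy per character; encoded or random data scores high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Simplified: last two labels. A real tool would use the Public Suffix List."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_tunneling(queries, min_len=20, min_entropy=3.0, min_unique=3):
    """Map parent domain -> number of distinct long, high-entropy leftmost labels.

    Only parents reaching min_unique such labels are returned; a single odd
    hostname is not evidence, a stream of never-repeating ones is.
    """
    per_parent = defaultdict(set)
    for _client, name in queries:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        leftmost, parent = labels[0], ".".join(labels[1:])
        if len(leftmost) >= min_len and shannon_entropy(leftmost) >= min_entropy:
            per_parent[parent].add(leftmost)
    return {parent: len(subs) for parent, subs in per_parent.items()
            if len(subs) >= min_unique}


def find_dga_like(queries, min_len=10, min_entropy=3.2):
    """Sorted registered domains whose second-level label looks machine-generated."""
    hits = set()
    for _client, name in queries:
        reg = registered_domain(name)
        sld = reg.split(".")[0]
        if len(sld) >= min_len and shannon_entropy(sld) >= min_entropy:
            hits.add(reg)
    return sorted(hits)


if __name__ == "__main__":
    for parent, n in find_tunneling(SAMPLE_QUERIES).items():
        print(f"possible tunneling: {n} distinct high-entropy labels under {parent}")
    for domain in find_dga_like(SAMPLE_QUERIES):
        print(f"DGA-like registered domain: {domain}")
```

Both heuristics produce false positives on their own: CDN and cloud hostnames routinely carry long hashed labels, and short brand names can score high on entropy. Real deployments allowlist known providers, weight by query volume and NXDOMAIN rate, and treat these scores as one input to an alert rather than a verdict.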