Command & Control in 2025: Architecture, Evasion & Operations

⚠️ Educational Disclaimer: This content is for educational and defensive security research purposes only. The techniques described (such as sleep obfuscation and thread stack manipulation) should only be used in controlled environments for learning, threat hunting, and improving defensive capabilities.

The command and control (C2) landscape has undergone a fundamental shift as we close out 2025. The era where monolithic, commercial frameworks like Cobalt Strike dominated the threat landscape is effectively over. Defensive maturity has caught up; aggressive signature generation and behavioral heuristics have rendered standard "out-of-the-box" beacons noisy and dangerous for sophisticated actors.

In response, we observe a fragmentation of the ecosystem. Threat actors are increasingly adopting modular, open-source frameworks or custom-built tooling designed to evade modern EDR telemetry. This analysis explores the current tradecraft defining C2 operations, dissecting the internal mechanics of industry standards like Sliver and Havoc, and detailing the forensic methodologies required to hunt them.

1. Strange Loops: C2 as a Strategic Function (TA0011)

Command and Control is often misunderstood as simple connectivity. From a strategic perspective, it is the nervous system of an intrusion. In the context of the Cyber Kill Chain, C2 bridges the gap between the initial "Exploitation" and the ultimate "Actions on Objectives". Without a resilient C2 channel, a compromise is merely a fleeting foothold; with it, the adversary establishes a persistent siege.

Technically, C2 enables the adversary to execute the OODA Loop (Observe, Orient, Decide, Act) inside the victim's network:

The C2 Attack Cycle

Interactive flowchart of the Command & Control OODA Loop. Click a stage for details.

Initial Infection

C2 Callback

Command Retrieval

Action on Objectives

Select a stage above to analyze its internal mechanics.

Observe: The implant beacons back, exfiltrating host metadata (username, privileges, and OS build versions), giving the operator situational awareness.
Orient: The operator assesses the value of the compromised asset. Is it a high-value target or a stepping stone?
Decide: Based on this intelligence, the operator selects the appropriate post-exploitation module, such as Mimikatz for credential harvesting or Rubeus for Kerberos abuse.
Act: The implant executes the task, streaming output back to the controller.

Modern tradecraft prioritizes Operational Security (OpSec) over speed. The channel must be resilient enough to survive network interruptions yet stealthy enough to blend into the background noise of a corporate network, evading Network Detection and Response (NDR) anomalies.

2. Infrastructure Evasion: Living off the Trust

While custom frameworks offer flexibility, they introduce a significant footprint: the C2 server itself. Mature threat actors increasingly bypass this risk by leveraging "Living off the Trusted" (LotT) infrastructure. By rooting their communications in services that organizations cannot afford to block, they effectively hide in plain sight.

Domain Fronting: The Hidden Route

A classic, albeit waning, technique for masking traffic destination is Domain Fronting. It exploits a fundamental disconnect in Content Delivery Network (CDN) architecture: the difference between the SNI (Server Name Indication) used for the TLS handshake and the Host Header used for HTTP routing.

The Handshake: The implant initiates a TLS connection to a legitimate, high-reputation domain (e.g., cdn.good-site.com). The SNI is visible in plaintext, so firewalls see a connection to a trusted site and allow it.
The Routing: Inside the encrypted HTTP tunnel, the implant sends a GET request with a Host header pointing to the attacker's domain (e.g., malicious-c2.azureedge.net).
The Proxy: The CDN edge server decrypts the packet, reads the Host header, and unknowingly routes the request to the attacker's origin server.

Status in 2025: Major providers (AWS, Google, Azure) have largely patched "cross-tenant" fronting, but "intra-tenant" fronting and smaller CDNs remain viable vectors.

Living off the Cloud (LotC)

The "Living off the Land" philosophy has extended to network infrastructure. Attackers are abusing legitimate web services to blend their C2 traffic with authorized business workflows.

C2 Infrastructure Visualizer

Experiment with redirection and Domain Fronting to see how C2 traffic is routed and disguised.

Use Cloud Redirector

Enable Domain Fronting

Victim

Gateway IP: 192.168.1.50

HTTPS POST

Cloud Redirector

AWS EC2 / VPS

Forwarding

Team Server

Hidden Backend

Technique Analysis:

Redirector Active: The Implant talks to a disposable "Redirector" node. If Blue Team detects and blocks this IP, the Team Server remains safe. Operators just spin up a new Redirector and update the DNS.

Dead Drop Resolvers allow implants to function without a hardcoded IP address. Instead, the malware reaches out to a public, high-reputation URL, such as a specific Telegram channel description, a Google Drive file, or a Firebase database, to retrieve its next command server. Specialized tools like Rust-DriveC2 exemplify this tradecraft, utilizing the Google Drive API to create a bidirectional C2 channel that looks identical to a user syncing documents.

Traffic Blending is the ultimate goal. When C2 data is encapsulated within HTTPS requests to api.google.com or graph.microsoft.com, distinguishing it from legitimate employee activity becomes a herculean task for SOC analysts. The shear volume of legitimate traffic to these domains makes them "too big to block" without causing unacceptable business disruption.

Chat-Based "Botnet" Protocols

Before the dominance of HTTP/S REST APIs, chat protocols provided the ideal resilient infrastructure for botnets. This tactic has seen a resurgence in 2025 with highly sophisticated multimedia capabilities.

Discord C2 has become a favorite for both cybercriminals and red teams. Attackers abuse Discord Webhooks and Bot APIs to orchestrate operations. The traffic flows to discord.com over encrypted TLS, a domain widely whitelisted in corporate environments. The chat history essentially acts as a persistent, asynchronous command queue.

Multimedia Steganography (GlytchC2) represents the bleeding edge of this category. Frameworks like GlytchC2 leverage streaming platforms like Twitch for a dual-channel C2 architecture.

Command Channel (IRC): It uses Twitch's chat interface (running on standard IRC port 6667) to receive plaintext commands issued by the attacker.
Exfiltration Channel (RTMP): Instead of sending data back via chat, the implant broadcasts a live video stream via Twitch's RTMP service. The exfiltrated data is encoded directly into the video frames of the livestream. This separates the input and output channels, complicating forensic correlation. A defender might see an IRC connection to irc.chat.twitch.tv (suspicious but explainable) but miss the data leaking out through a legitimate video stream.

Legacy IRC, the backbone of early botnets like Zeus and Mariposa, provided a simple, persistent socket connection. However, raw IRC is noisy and easily flagged by modern firewalls. While sophisticated actors have largely moved to API-driven approaches like Slack or Telegram, the fundamental concept of a persistent, chat-based command channel remains relevant.

The "Shadow IT" Pivot: RMM Abuse

Why invest resources in developing complex malware when signed, commercial administration tools work perfectly?

We frequently observe threat actors deploying Remote Monitoring and Management (RMM) tools such as AnyDesk, Atera, or RustDesk as persistence mechanisms. This technique poses a unique detection challenge. Because the binaries are digitally signed by reputable vendors, they bypass static antivirus signatures effortlessly. Detection requires a pivot to behavioral baselining: identifying the context of execution rather than the file itself. Is it normal for the HR department to run AnyDesk at 3 AM? If not, it's likely an intrusion.

3. Architecture of Modern Frameworks

The days of the simple "server-client" model are gone. Modern frameworks employ distributed, resilient architectures designed to withstand take-downs and analysis.

Sliver: The Go-Based Monolith

Sliver, developed by Bishop Fox, represents a paradigm shift in implant design. Unlike Cobalt Strike, which patches a static shellcode template, Sliver dynamically compiles a unique binary for every implant generation. This dynamic compilation of Go code results in a unique binary structure for each payload, complicating static signature creation.

The implant itself is robust, relying on a rich standard library that provides cross-platform stability across Windows, Linux, and macOS without external dependencies. This comes at the cost of file size, often exceeding 10MB. From a network perspective, Sliver enforces Mutual TLS (mTLS) for all C2 communications. The server generates a unique Certificate Authority (CA) upon initialization, and each implant is embedded with a unique certificate signed by this CA. This strictly authenticates the server to the implant, preventing "rogue" implants from connecting and protecting the detailed C2 traffic from interception.

Havoc: The Win32 Evasion Specialist

Havoc takes a different approach, specializing in Windows post-exploitation tradecraft. Its primary agent, "Demon", is written in C and Assembly, specifically engineered to operate in hostile EDR environments.

Havoc's key innovation is its implementation of Indirect Syscalls. Instead of calling Windows APIs like NtAllocateVirtualMemory directly—calls that are routinely hooked and monitored by EDR sensors—Havoc resolves the System Service Number (SSN) at runtime. It then executes a syscall instruction within the memory space of ntdll.dll itself. This sophisticated redirection confuses the return address stack analysis performed by security products, making the API call appear legitimate. Furthermore, Havoc natively integrates sleep obfuscation, encrypting its own heap and text segments between check-ins to minimize its memory footprint.

4. Advanced Memory Evasion Mechanisms

In 2025, the survivability of a C2 agent depends almost entirely on its ability to vanish from memory during its idle periods.

Evolution of Evasion: From Shellter to Elite

The concept of evasion has evolved from simple disk obfuscation to complex in-memory survival. Historical tools like Shellter pioneered dynamic PE infection, injecting shellcode into code caves of legitimate binaries like calc.exe to borrow their execution context.

This philosophy has matured into modern engines like Shellter Elite. No longer just an injector, Shellter Elite acts as a comprehensive evasion framework. It proactively neutralizes defensive telemetry by blinding ETW (Event Tracing for Windows) and bypassing AMSI (Antimalware Scan Interface), effectively blinding the EDR's sensors. Simultaneously, it employs Memory Scan Evasion with polymorphic encryption, constantly mutating its own code segments in memory to defeat scanners like Moneta, which hunt for static signatures in memory.

Sleep Obfuscation Theory: Beyond `Sleep()`

When a standard implant calls the Windows API Sleep(), it enters a Wait:DelayExecution state. To a memory scanner, this is a sitting duck: the malicious code is static, readable, and clearly suspicious.

Modern "Sleep Mask" implementations have weaponized this idle time. Instead of simply waiting, the agent performs a complex disappearing act known as User-Land Hooking Evasion. Variants like Ekko (by Cracked5pider) and Foliage have popularized the use of Timer Queues (CreateTimerQueueTimer) to delay execution without explicit sleep calls.

The process typically follows this cycle:

Self-Encryption: Before sleeping, the agent encrypts its own memory segments (Text, Data, and Heap), rendering them opaque to scanners.
Permission Flux: It changes its memory protections from RWX (Read-Write-Execute) to RW (Read-Write) or NO_ACCESS using VirtualProtect, making the region look empty or non-executable.
ROP Chain Execution: To avoid calling Sleep directly (a suspicious action from a non-backed memory region), the agent triggers a Return-Oriented Programming (ROP) chain. This chain pivots the stack to a legitimate thread context (like NtContinue) and schedules a wake-up timer.
Restoration: Upon the timer's trigger, a stub—carefully written in position-independent code—decrypts the agent and resumes execution.

Thread Stack Spoofing: Hiding the Origin

EDRs have grown wise to "floating code"—threads originating from unbacked memory regions. A thread stack that starts in allocated memory and ends in a Sleep call is a glaring Indicator of Compromise (IoC).

Stack Spoofing is the art of forging a legitimate return address call chain. Attackers purposely overwrite their thread's stack frames to mimic a benign call path. To an analyst looking at the thread in Process Hacker, it doesn't look like Unkown Module -> Sleep. Instead, it looks like a legitimate system worker thread: kernel32.dll!BaseThreadInitThunk -> ntdll.dll!RtlUserThreadStart -> ntdll.dll!NtWaitForSingleObject.

By borrowing these return addresses from legitimate DLLs, the malware makes its execution path indistinguishable from the thousands of other benign threads running on the system.

// Conceptual Stack Frame Manipulation (ROP-style)
// We forge the return address to point to a 'ret' gadget in a legitimate DLL
CONTEXT ctx = { 0 };
ctx.ContextFlags = CONTEXT_FULL;
GetThreadContext(hThread, &ctx);

// Spoof the chain to look legitimate:
// 1. kernel32.dll!BaseThreadInitThunk
// 2. ntdll.dll!RtlUserThreadStart
ctx.Rsp = (DWORD64)ForgedStackPtr; 
ctx.Rip = (DWORD64)LegitimateGadget;

SetThreadContext(hThread, &ctx);

Memory Forensics Simulator

Visualize how malware hides in memory and how "Stack Spoofing" defeats simple thread analysis.

Inject Shellcode (RWX)

Enable Stack Spoofing

Virtual Address Space (svchost.exe)

0x00400000

.text (Code)

RX / MEM_IMAGE

0x7FF...ntdll.dll

0x7FF...kernel32.dll

RX / MEM_IMAGE

0x02000000

Heap

RW / MEM_PRIVATE

Thread Call Stack

NtDelayExecution

↓

Backed by kernel32.dll

↓

RtlUserThreadStart

↓

Top of Stack

Scanner Output (Moneta/Pe-sieve)

✔ CLEAN

No memory anomalies or unbacked execution detected.

5. Network Forensics & Anomaly Detection

Network defense is no longer about blocking IP addresses; it is about detecting slight deviations in behavioral patterns.

The Threat Hunter's Lens: Jitter & Heartbeats

Jitter is the randomization of communication intervals. To a Threat Hunter, a rigid 5-second beacon is a "mathematical anomaly". In nature—and especially in human-driven network traffic—perfect regularity does not exist. User traffic is bursty: a user clicks a link, downloads a page (intense traffic), and then reads for 2 minutes (silence).

Malware, however, is algorithmic. Even when an attacker adds "10% jitter" to a 60-second beacon (resulting in intervals like 54s, 66s, 58s), the underlying distribution remains artificial. By applying Fourier Transform analysis to the inter-arrival times of packets, hunters can cut through the noise. A benign user session looks like white noise; a C2 beacon, even with jitter, often reveals a strong spectral peak at its base frequency (e.g., 1/60 Hz). This "heartbeat" screams "automated process" regardless of the encryption used.

C2 Jitter Simulator

Visualize how "Jitter" breaks time-based detection patterns. Adjust the Sleep and Jitter to see the impact on beacon regularity.

Sleep Interval (Mean)5s

Jitter Percentage0%

Detection Probability

LOW (Stealthy)

Beacon Timeline (Seconds)

0s50s+

How to read this:

Regular spacing (low jitter) creates a predictable "heartbeat" that is easily detected by mathematical analysis (Fourier Transforms). High jitter introduces chaos, blending the traffic with random noise.

JARM Fingerprinting

Despite complex logic, the underlying infrastructure often betrays the attacker. JARM scans act as an active fingerprinting method for TLS configurations. A C2 server, no matter how "malleable" its HTTP traffic, often runs on a standard library (like Go's net/http or Java's JVM) with a distinct TLS handshake signature. Identifying these unique hashes allows defenders to proactively block C2 controllers before they even issue a command.

JARM Analysis Command

6. Threat Hunting Methodology

Detecting these advanced frameworks requires moving beyond file-based scanning to behavioral memory forensics.

Memory Analysis in Practice

The primary weapon in the hunter's arsenal involves tools like Moneta, pe-sieve, or the simpler Process Hacker with "Image" verification. The hunt focuses on anomalies that cannot be easily spoofed:

Private Commit Identification:
- Concept: Legitimate code is usually "Image Backed", meaning the memory manager maps it directly from a file on disk (like kernel32.dll). Malware often allocates memory manually using VirtualAlloc.
- Technique: We scan for memory regions marked as MEM_PRIVATE (not shared) and MEM_COMMIT (in use) that also possess RWX (Read-Write-Execute) permissions. In a legitimate Firefox or Word process, finding a 200KB private RWX blob is incredibly rare and is a "smoking gun" for shellcode injection.
Floating Code:
- Concept: Every running thread should point to code that exists on the hard drive.
- Technique: Using a scanner, we enumerate all threads and check their Start Address. If a thread's start address points to a memory region that has no file path associated with it (unbacked memory), it is "Floating Code"—the hallmark of a memory-resident implant.
Modified PE Headers (Inline Hooking):
- Concept: EDRs and malware both love to modify system DLLs in memory to intercept data.
- Technique: Tools like pe-sieve compare the in-memory version of a DLL (e.g., ntdll.dll) against the clean copy sitting on the disk (C:\Windows\System32\ntdll.dll). Any deviation (a JMP instruction where there should be a MOV) indicates inline hooking or patching. This reveals the presence of user-land rootkits or stealthy persistence.

Pe-sieve Detection Workflow

Network Traffic Correlation

While encryption blinds us to the content, traffic metadata remains a high-fidelity indicator. Beaconing Analysis via tools like Zeek can identify periodic connections, even amidst jitter. The persistence of the connection (long duration sessions with regular keep-alives) stands out against the bursty nature of legitimate web traffic. Furthermore, Certificate Anomalies, such as self-signed certificates or those issued by non-public CAs originating from user workstations, should always trigger an investigation.

Conclusion

The technical barrier for effective C2 operations has risen significantly. The integration of indirect syscalls, stack spoofing, and complex sleep masks into open-source frameworks like Havoc and Sliver demonstrates that advanced tradecraft is now commoditized. For defenders, this necessitates a shift towards continuous memory scanning and behavioral network analysis. Static indicators are dying; behavioral anomalies are the new battleground.

References & Further Reading

For those looking to validate these findings or replicate the evasion techniques in a lab environment, the following resources provide the foundational tools and documentation used in this analysis.

Sliver C2 - Bishop Fox. https://github.com/BishopFox/sliver
Havoc Framework - C5pider. https://github.com/HavocFramework/Havoc
Ekko (Sleep Obfuscation) - Cracked5pider. https://github.com/Cracked5pider/Ekko
Moneta (Memory Scanner) - Forrest Orr. https://github.com/forrest-orr/Moneta
Pe-sieve - Hasherezade. https://github.com/hasherezade/pe-sieve
Shellter Elite - Shellter Project. https://www.shellterproject.com/homepage/
Understanding Sleep Obfuscation - Binary Defense. https://binarydefense.com/resources/blog/understanding-sleep-obfuscation
The Art of Memory Forensics (PDF): Definitive guide on dissecting volatile memory for artifacts.