The Beginner’s Guide to Command and Control Part 2 – The Role of C2 in Modern Threat Campaigns

Introduction

Welcome back to the second installment of our series on Command and Control (C2) frameworks. In Part 1, we took a deep dive into how C2 frameworks operate on a systems level. We explored the client-server model, the critical importance of outbound connections, and the various components like agents, servers, clients, and redirectors that make up a typical C2 infrastructure.

Now that we have a foundational understanding of the mechanics, I want to zoom out a bit in this article. We’ll shift our focus from the how to the what and why. Specifically, what role do C2 frameworks actually play in modern threat campaigns? Why have they become such a central pillar in the cybercrime ecosystem?

To get there, we first need to understand how we arrived at this point. So, let’s start by stepping back and asking an even more fundamental question: what is malware, and how has its purpose evolved?


A Magical Journey Back to the 90s

To answer this, I want you to join me on a little trip down memory lane. Picture this: it’s a typical Saturday morning in the mid-1990s. There’s no school, so you’ve slept in. You stumble downstairs, pour yourself a mountain of your favorite sugary cereal, and plant yourself in front of the TV for the sacred ritual of Saturday morning cartoons – because let’s be honest, that’s when the best cartoons were on.

Hours later, you’re roused from your zombie-like state by the ringing of the home phone. Yes, the home phone – that ancient artifact plugged into the wall, a single line for the entire household. Your mom or sister answers, and after a moment, calls out your name. On the other end is one of your best friends, practically hyperventilating with excitement. It takes a minute to decipher his rapid-fire speech, but finally, the glorious news breaks through: another friend just got the most awesome, badass game of all time – DOOM II!

Even better, he has it on a series of 3.5″ floppy disks (remember those?). If you bike over there right now, you can grab the disks, bring them back, and install the game on your own computer. Soon, you too can be blasting demons in hell with a shotgun from the comfort of your own living room to your heart’s content.

Naturally, you meet up, grab the precious disks, and spend the rest of the day embarking on a noble quest: biking from house to house, installing DOOM II on every computer in your friend group. I mean, that’s what friends are for.

At last, exhausted but triumphant, you return just as the streetlights come on – the universal sign that your mom is expecting you home soon. You gather some snacks and excuse yourself, ready to finally enjoy the fruits of your labor.

But then, as you turn the computer on… The computer says: “No.”

Unbeknownst to you and your friends, you have, in the words of Marshall McLuhan, unwittingly acted as the “sex organs of the machine world.” Or in this case, of the malware world. In your eagerness to share the digital gospel of DOOM II, you’ve propagated a computer virus.

Not only can you not play the game, but your Dad is furious about the now-trashed family computer, and your weekend plans have shifted to desperately phoning around to find some kid’s older, smarter sibling who knows how to fix this mess.


Malware as Agents of Chaos

That little anecdote captures how I, and likely many others of a certain vintage, first experienced malware. We didn’t call it “malware” back then; we called it “computer viruses.” There were countless strains, often bearing quirky, idiosyncratic names like Stoned, Michelangelo, Jerusalem, Cascade, or Walker (image below). Sometimes they’d just display a weird message or a bouncing pixel; other times, they might play a tune or, in more severe cases, wipe your hard drive.

And mostly, these viruses didn’t cause catastrophic damage. They were annoying, impeding your ability to use the computer in irritating, sometimes even darkly humorous ways. I think of these “retro” viruses primarily as “agents of chaos.” They were typically created by individuals, often young programmers embodying the “trickster” archetype. The goal wasn’t financial gain; it was usually about disruption, showing off technical skill, pulling a digital prank on strangers, or perhaps just satisfying a narcissistic urge to leave a mark.

These creators would craft their digital messages in a bottle, seed them onto bulletin board systems (BBSes) or sneak them onto shareware disks, and release them into the world, often with little idea of who or how many people they would ultimately affect. It was pure mischief bundled into a monolithic executable file designed just to “mess with people.”


Then Came the Internet…

But then, something happened. A rather big something, actually: the internet.

Of course, the internet’s technical foundations were laid decades earlier, but the mid-to-late 90s marked the period when it truly started becoming mainstream. Suddenly, households across the suburbs were getting dial-up connections, AOL CDs cluttering mailboxes (“You’ve got mail”), and the digital world began to interconnect in unprecedented ways.

The internet fundamentally changed society, but for our story, it dramatically altered the evolution of malware in at least two crucial ways:

  1. It revolutionized how malware propagated.
  2. It introduced money into the equation.

Propagation via Network Effects

Think back to our DOOM II story. Spreading that virus required significant physical effort: copying disks, biking around town, manually inserting media into each machine. Pre-internet, all our computers were largely “air-gapped” from each other. For malware to spread, it required conscious (or unwitting) human action and physical proximity.

The internet obliterated those barriers. Suddenly, everyone was connected to one giant network. In the early “Wild West” days, security was often an afterthought. You could download all sorts of “free” software, music, and games from dubious sources with just a few clicks. This connectivity dramatically increased the attack surface.

If we think purely in terms of probability, the internet meant far more people were exposed to far more potentially malicious code, far more often. Getting a virus shifted from being a relatively rare, notable event to becoming an almost mundane aspect of owning a computer.

By my teenage years, navigating the temptations of “warez” and peer-to-peer file sharing meant that reformatting the hard drive and reinstalling Windows every few months was just par for the course. It was the price of admission for being a curious internet denizen.


Enter the Money Motive

The internet didn’t just connect home computers; it connected everything, including corporate networks. Simultaneously, computers evolved from being niche devices for games, encyclopedias, or word processing into indispensable tools integrated into every facet of our lives and businesses. People started storing genuinely valuable information on them – personal photos, financial records, sensitive business documents, intellectual property.

And where there’s value, there’s opportunity for crime. If someone can control or access something you value, they gain leverage. They can threaten to destroy it, steal it, or expose it unless you pay them. The internet provided the perfect medium for this, allowing criminals anywhere in the world to potentially access valuable data stored on computers anywhere else. This created the foundation for extortion.

Furthermore, the introduction of money acts as a powerful “selective pressure” on any human endeavor, driving professionalization and evolution. Think of e-sports: what started as kids playing games at the local arcade became a multi-billion dollar industry with professional teams, sponsorships, coaches, and sold-out stadiums.

Money fuels innovation, specialization, and optimization. In the context of malware, the potential for financial gain spurred the “professionalization of cybercrime.” What was once the domain of pranksters and hobbyists began attracting organized criminal enterprises focused on profit.


Milestones in Malware Monetization

This transformation didn’t happen overnight, of course. The evolution from simple viruses to sophisticated, profit-driven malware was gradual, punctuated by several key shifts. Let’s briefly touch on some major milestones.


The AIDS Trojan (1989)

Often cited as the first ransomware, this predated the mainstream internet’s rise. Distributed via floppy disks mailed to attendees of a WHO AIDS conference, it encrypted filenames after 90 reboots and demanded $189 be mailed to a PO box in Panama to restore access. While primitive and relying on physical media, it planted the seed of extortion-based malware.

Scareware (Mid-Late 2000s)

As internet use became widespread, “scareware” emerged. These programs, often disguised as free antivirus software, would bombard users with fake warnings about non-existent infections. They’d lock up the system, demanding payment (typically $40-$80 via credit card or early online payment systems) for a “license” to remove the fake threats. This marked a shift towards psychological manipulation and online payment processing, albeit facing challenges with traceability and payment reversals.

The Crypto-Ransomware Era (~2013)

The game changed significantly with the arrival of true crypto-ransomware like CryptoLocker. Instead of just locking the screen, these variants used strong encryption to make victims’ files genuinely inaccessible. Coupled with the rise of Bitcoin, which offered a relatively anonymous way to collect payments, this model proved devastatingly effective. Attackers added psychological pressure with countdown timers threatening permanent key deletion.

Human-Operated Ransomware (HUMOR) (~2014-2015)

Here the attackers shifted tactics, moving from opportunistic, widespread infections to targeted intrusions reminiscent of espionage campaigns. They would gain initial network access, move laterally, escalate privileges, disable backups, and then deploy ransomware across the entire organization. This “big game hunting” approach allowed for dramatically higher ransom demands, targeting organizations rather than individuals.


Ransomware-as-a-Service (RaaS) (~2015-2016)

This wasn’t a technical evolution but a business model innovation. RaaS platforms emerged where core developers created and maintained the ransomware, backend infrastructure, and payment portals. They then recruited “affiliates” who focused solely on gaining access to networks and deploying the ransomware. Profits were shared, dramatically lowering the barrier to entry and fueling an explosion in attacks. Groups like GandCrab, REvil, and DarkSide pioneered this model.

Builder Leaks (~2021-2022)

Internal conflicts and law enforcement actions led to leaks of source code and “builders” for prominent RaaS operations like Babuk, Conti, and LockBit. This inadvertently “democratized” sophisticated ransomware creation, allowing less-skilled actors to launch their own operations by modifying leaked code, leading to a fragmented landscape with numerous copycat groups.


The Modern Ransomware Ecosystem: Industrialized Cybercrime

Today’s ransomware landscape looks less like scattered gangs and more like a mature, albeit illicit, industry. It features a high degree of specialization, mirroring legitimate business ecosystems:

  • Developers focus on the core technology: writing robust ransomware code, improving encryption, and building resilient C2 infrastructure.
  • Initial Access Brokers (IABs) are specialists in breaching networks. They find vulnerabilities, exploit weak credentials, or run phishing campaigns, then sell that foothold to other groups on dark web markets.
  • Affiliates (who sometimes ironically call themselves “pentesters”) are the operators who purchase access from IABs or gain it themselves. They navigate the compromised network, escalate privileges, exfiltrate data, and ultimately deploy the ransomware.
  • Data Managers analyze stolen data to identify the most sensitive information (PII, financials, IP) to maximize leverage for extortion.
  • Negotiators are skilled in psychological manipulation, handling communication with victims to pressure them into paying the highest possible ransom.
  • Money Launderers manage the financial backend, using cryptocurrency tumblers and mixers to obscure the flow of ransom payments and evade tracking.

This intricate division of labor makes the entire process highly efficient and difficult to disrupt. Each player focuses on their area of expertise, contributing to a larger criminal enterprise.


Okay, But What Does This Have to Do With C2?

We’ve journeyed through the history of malware, from 90s prankster viruses to today’s industrialized ransomware syndicates. This context is crucial because it sets the stage for understanding where C2 fits in. We now see who is using malware (organized criminals, nation-states, industrial spies) and why (primarily financial gain, espionage, sabotage).

So, let’s connect the dots. What does a modern threat campaign actually look like, and what role does C2 play?

Now, there are many excellent models describing the stages of a cyberattack, like the MITRE ATT&CK framework or the Cyber Kill Chain. These provide invaluable detail for defenders. However, for our purpose of highlighting C2’s role, I want to propose a radically simplified model. Brace yourselves, because I’m about to reveal a shocking truth…

A modern threat campaign really only has three parts: a Beginning, a Middle, and an End 🙂


The Beginning: Initial Access

The beginning is what we typically call Initial Access. This is how attackers get their first foothold in the target environment. While the specific methods vary, the “big three” currently responsible for most breaches are:

  1. Exploiting publicly exposed services like Remote Desktop Protocol (RDP) secured with weak passwords and no multi-factor authentication.
  2. Good old-fashioned phishing emails, especially spear-phishing targeted at specific individuals.
  3. Exploiting unpatched vulnerabilities in software, hardware, network devices, or IoT gadgets.


Regardless of the vector, the key outcome of Initial Access is that the attacker goes from having NO access to having SOME access. Using the house break-in analogy, this is like getting a foot in the door, jimmying open a window, or finding an unlocked back entrance. It’s a start, but usually not enough to achieve the ultimate goal.

We can reframe this as going from NO control over the environment to SOME control. The keyword is some. This initial control is often limited, perhaps restricted to a single user’s workstation or a low-privilege account.


The End: Achieving the Goal

Let’s jump to the end. The goal of the campaign can vary wildly depending on the threat actor’s motives – espionage, sabotage, data theft, or financial extortion. In the context of financially motivated cybercrime, which dominates the landscape, the end usually involves some form of extortion: deploying ransomware, threatening to leak stolen data (double extortion), or threatening to disrupt operations (triple extortion).

For a ransomware group, “achieving the goal” means successfully deploying the encryptor across valuable systems, ensuring backups are neutralized, revealing their presence, negotiating a ransom, receiving payment, and walking away with a digital bag of money without getting caught.


The Middle: The Long Hard Road

Now, the crucial part: the Middle. This is the vast chasm between gaining that initial (some) access and achieving the final goal. Getting from a single compromised endpoint to owning the entire network, encrypting critical servers, and exfiltrating gigabytes of sensitive data requires a lot of work and control.

The Middle represents the vast majority of the time, effort, and complexity in any significant campaign. It’s where attackers need to:

  • Establish Persistence (making sure they don’t lose access if the initial entry point is closed or the machine reboots).
  • Perform Defense Evasion (avoiding detection by antivirus, EDR, and security analysts).
  • Execute Privilege Escalation (gaining higher levels of access, ideally domain administrator rights).
  • Harvest Credentials (stealing usernames and passwords to access more systems).
  • Conduct Lateral Movement (moving from one compromised system to others within the network).
  • Pivot between network segments.
  • Enumerate the network (mapping out systems, users, and data).
  • Exfiltrate valuable data before deploying ransomware.


These are all discrete steps, pieces of a larger puzzle. Some might happen multiple times, others only once. They all require careful execution and represent opportunities for the attacker to be detected and stopped.

What do almost all these activities in the Middle have in common? They are typically enabled, orchestrated, mediated by, or executed through Command and Control.


C2: The Foundation of Control

Why? Because C2 isn’t just another step in the Middle like credential harvesting or lateral movement. It’s not a box to be checked off a list. C2 is the foundation upon which most other activities in the Middle are built.

Typically, one of the very first actions an attacker takes after gaining Initial Access is to establish a C2 channel. This channel provides the ongoing communication and, crucially, the control needed to execute all subsequent steps. It’s the remote control mechanism that allows the attacker to issue commands, receive output, upload tools, spawn new processes, download stolen data, and navigate the compromised environment from afar.

Think back to our Beginning-Middle-End model.

  • Beginning: Go from NO control to SOME control.
  • End: Requires A LOT of control to achieve the goal.


So then where does all that extra conceptual control needed to bridge the gap come from? It comes from Command and CONTROL. C2 is the facilitator, the enabler, the operational backbone that allows attackers to systematically expand their limited initial foothold into pervasive access across the network. It’s less a discrete event and more the glue that binds the entire “Middle” phase together.


Are There Alternatives?

Now, to be clear, attackers don’t have to use a dedicated C2 framework like Cobalt Strike or Havoc. There are other ways to maintain control and execute actions in the Middle:

  • A collection of standalone scripts and tools deployed manually.
  • Classic Remote Access Trojans (RATs) like AsyncRAT or XenoRAT, which are often simpler and less modular than full C2 frameworks, focusing on a core set of remote administration features.
  • Legitimate remote management and monitoring (RMM) tools like AnyDesk, ScreenConnect, or TeamViewer. Attackers increasingly abuse these tools because their traffic often blends in if the target organization already uses them. They also offer a user-friendly graphical interface, which appeals to less technically sophisticated “affiliates”.
  • Direct connections via SSH or RDP, especially if the initial access involved compromised credentials for these services.


In reality, looking at incident response reports (like those from the DFIR Report), attackers often use a combination of these methods. For example, a campaign might establish a Cobalt Strike C2 channel for primary operations, use a separate RAT as a backup, and leverage stolen credentials to access ScreenConnect for direct interaction with specific machines. This provides redundancy and flexibility.

However, more often than not, a dedicated C2 framework still forms the central backbone for command and control in sophisticated attacks, providing the structured, extensible platform needed to manage complex, long-term operations. And despite the proliferation of newer tools, Cobalt Strike remains the framework of choice.


Conclusion

We’ve covered a lot of ground today, tracing the evolution of malware from simple 90s viruses driven by mischief to today’s highly organized, financially motivated cybercrime industry fueled by ransomware and sophisticated attack campaigns. We saw how the internet and the potential for profit transformed the landscape, leading to specialized roles and industrialized operations.

Most importantly, we contextualized the role of Command and Control within this modern threat landscape. We established that while Initial Access gets attackers a foot in the door (some control), C2 provides the foundational control necessary to navigate the complex “Middle” phase of an attack – performing persistence, evasion, escalation, lateral movement, and ultimately achieving their final goal. C2 isn’t just one tool among many; it’s often the central nervous system of the entire operation.

Understanding this role is vital for defenders. Recognizing that C2 is the enabler for most post-exploitation activity helps us prioritize detection and disruption efforts.
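One concrete way to act on that priority is to look for the C2 channel itself rather than for each individual Middle-phase step. An agent that checks in with its server on a schedule leaves a pattern that ordinary browsing does not: repeated connections from one host to one destination at near-constant intervals. The script below is an added example written for this article, not code from the original post or from any C2 or threat-hunting product; it assumes a hypothetical, constructed log format of "timestamp source destination bytes_out", and the sample lines (documentation-range addresses only) are constructed for the demonstration.

```python
"""Beacon-interval detection over connection logs.

Added example (not code from the article or from Active Countermeasures):
group connections by (source, destination) and measure how regular the gaps
between consecutive connections are. A clock-like schedule is one of the
simplest signals that a C2 channel is present.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hypothetical format: "ISO-timestamp src dst bytes_out").
# 203.0.113.10 receives a check-in roughly every 60 s; 198.51.100.7 is ordinary,
# irregular browsing. Both are documentation address ranges, not real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.10 512
2024-05-01T10:00:02 10.0.0.5 198.51.100.7 40210
2024-05-01T10:01:00 10.0.0.5 203.0.113.10 512
2024-05-01T10:02:01 10.0.0.5 203.0.113.10 512
2024-05-01T10:02:40 10.0.0.5 198.51.100.7 1033
2024-05-01T10:03:00 10.0.0.5 203.0.113.10 520
2024-05-01T10:04:00 10.0.0.5 203.0.113.10 512
2024-05-01T10:04:59 10.0.0.5 203.0.113.10 512
2024-05-01T10:05:30 10.0.0.5 198.51.100.7 78901
2024-05-01T10:05:45 10.0.0.5 198.51.100.7 2210
2024-05-01T10:06:00 10.0.0.5 203.0.113.10 512
2024-05-01T10:09:10 10.0.0.5 198.51.100.7 15640
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_connections=5, max_cv=0.1):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: a value near 0 means a clock-like schedule.
    Pairs with fewer than min_connections connections are ignored, since
    two or three connections cannot establish a rhythm.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    hits = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort()  # order by timestamp so the gaps are meaningful
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            sizes = [size for _, size in conns]
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(conns),
                "mean_interval_s": avg,
                "cv": cv,
                "distinct_sizes": len(set(sizes)),  # near-identical sizes reinforce the verdict
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections, "
              f"every {hit['mean_interval_s']:.1f}s (cv={hit['cv']:.3f}, "
              f"{hit['distinct_sizes']} distinct sizes)")
```

On the constructed sample, only the 203.0.113.10 destination is reported (seven connections, about 60 seconds apart, cv well under 0.1), while the browsing traffic to 198.51.100.7 is discarded by the variance check. The max_cv threshold is the tunable part: agents that add random jitter to their sleep time push the cv upward, so in practice this interval test is combined with other signals such as consistent payload sizes, long-running connection totals, and destination reputation rather than used on its own.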

In our next article, we’ll dive into technical details, building on both Part 1 and Part 2. We’ll explore the nuances of how C2 frameworks actually communicate – looking at protocols, profiles, encoding, encryption, and the techniques they use to blend in and evade detection on the network and endpoint.

Live Long and Prosper,
Faan

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!