C2 over App‑Protocols
Info
ID:
Tactic: Deepening Control
C2 over App‑Protocols
Adversaries may establish command‑and‑control (C2) channels that leverage legitimate application protocols and communication flows. For example, they might tunnel data over the APIs the application already uses (e.g., GraphQL or REST calls), or encode malicious instructions within the payloads processed by microservices. This evasion strategy disguises malicious traffic as normal business operations, complicating detection by defenders.
When these protocols ride on top of HTTPS or rely on widely accepted ports, the traffic may appear benign to perimeter security solutions. In cloud setups, horizontally scaled services often rely on ephemeral sessions, giving attackers many touchpoints to funnel commands or exfiltrate data. By piggybacking on known channels, adversaries minimize anomalies in network logs and hamper typical rule‑based alerts.
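The two traits described above (encoded instructions hidden in ordinary API payloads, and commands funnelled over a known endpoint at regular intervals) are exactly what a defender can look for in application-layer logs. The following added example, not part of this catalogue entry, parses a constructed JSON-lines API access log and applies two detection heuristics: Shannon entropy of string fields in request bodies (an encoded blob in a field that normally holds short text), and per-client beaconing to a single endpoint (near-constant request intervals). The log field names `ts`, `client`, `method`, `path` and `body` and the thresholds are assumptions chosen for illustration; the 64-character "encoded" value is a placeholder, not real attacker data.

```python
"""Heuristics for spotting C2 hidden inside legitimate API traffic.

Added illustration, not code from the original catalogue entry. It reads a
constructed JSON-lines API access log and applies two defender-side checks:
  1. high-entropy string fields in request bodies (an encoded payload riding
     on a normal REST/GraphQL call), and
  2. beaconing: one client hitting the same endpoint at near-constant intervals.
Field names (ts, client, method, path, body) are assumptions for this example.
"""
import json
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed placeholder standing in for an encoded blob (64 distinct
# base64 characters, entropy exactly 6.0 bits/char). Not real attacker data.
ENCODED_BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample log: an ordinary user (10.0.0.5) plus a client (10.0.0.9)
# posting the same comment endpoint every 60 seconds with the blob as "text".
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": t, "client": "10.0.0.5", "method": "POST", "path": "/graphql",
                 "body": {"query": "{ me { name } }"}}) for t in (100, 137, 210, 412, 600)]
    + [json.dumps({"ts": 300, "client": "10.0.0.5", "method": "POST", "path": "/api/v1/comments",
                   "body": {"postId": 17, "text": "Thanks, looks good to me"}})]
    + [json.dumps({"ts": 1000 + 60 * i, "client": "10.0.0.9", "method": "POST",
                   "path": "/api/v1/comments",
                   "body": {"postId": 17, "text": ENCODED_BLOB}}) for i in range(6)]
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64 is close to 6, English text near 4."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _walk_strings(obj, prefix=""):
    """Yield (json_path, value) for every string nested in a parsed body."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk_strings(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk_strings(v, f"{prefix}[{i}]")
    elif isinstance(obj, str):
        yield prefix, obj


def high_entropy_fields(record, min_len=40, threshold=4.5):
    """Return (field, entropy) for long, high-entropy strings in the body."""
    hits = []
    for path, value in _walk_strings(record.get("body", {})):
        if len(value) >= min_len:
            h = shannon_entropy(value)
            if h >= threshold:
                hits.append((path, round(h, 2)))
    return hits


def detect_beaconing(records, min_requests=5, max_cv=0.15):
    """Flag (client, path) pairs whose inter-request gaps are nearly constant.

    A low coefficient of variation (stdev / mean of the gaps) is the classic
    beacon signature; human-driven traffic is far more irregular.
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["path"])].append(r["ts"])
    beacons = []
    for (client, path), times in by_key.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "path": path,
                            "interval": avg, "cv": round(cv, 3)})
    return beacons


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(text):
    """Run both heuristics over a JSON-lines log and return the findings."""
    records = parse_log(text)
    findings = {"encoded_payloads": [], "beacons": detect_beaconing(records)}
    for r in records:
        for field, h in high_entropy_fields(r):
            findings["encoded_payloads"].append(
                {"client": r["client"], "path": r["path"], "field": field, "entropy": h})
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Both checks work on the application log rather than the network perimeter, which is the point: once C2 rides on HTTPS to an expected port, the API gateway or service's own request log is where the anomaly is still visible. The entropy threshold should be tuned per field (a field that legitimately carries base64 attachments needs a size or schema baseline instead), and the beacon check should use a longer window and a jitter-tolerant `max_cv` in production, since the interval regularity here is deliberately clean.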