Glossary

What Is C2 Infrastructure?

Command-and-control (C2) infrastructure is the network of servers, domains, and channels an attacker uses to control compromised systems after initial access. C2 is how malware on a victim's machine receives instructions, exfiltrates data, and is updated. Mapping C2 is mapping the attacker's nervous system.

What C2 Has to Do

  • Receive beacons from compromised systems.
  • Issue commands (download a payload, exfiltrate a file, move laterally).
  • Survive defender takedowns and IOC blocklists.
  • Avoid drawing attention from network monitoring.

Common C2 Architectures

  • Static — a single domain or IP. Cheap but trivially blocked.
  • Domain rotation — a list of domains, used in sequence.
  • [DGA-based](/glossary/domain-generation-algorithm) — algorithmically generated domains; malware and operator derive the same candidate list from a shared seed, so the operator registers whichever candidate is currently live and blocking any one domain achieves nothing.
  • [Fast flux](/glossary/fast-flux-dns) — a single hostname rapidly rotated across many IPs (typically a botnet of proxies) to defeat IP blocking.
  • Domain fronting — sets the TLS SNI to a benign hostname on a CDN while the HTTP Host header names the attacker's CDN-hosted origin, so the C2 traffic looks like a request to the benign site (now mostly mitigated: the major CDNs reject mismatched SNI and Host).
  • Covert channels — DNS tunnelling (including DNS over HTTPS), ICMP tunnels, social-media and cloud-storage APIs, Tor hidden services: traffic carried inside protocols defenders are reluctant to block.
  • Multi-tier — front-end relay nodes for victims, back-end staging where the operator actually sits.

How C2 Is Detected

  • Beacon timing — periodic check-ins with low jitter appear in netflow as near-constant intervals between connections from one host to one destination.
  • TLS / JA3 fingerprinting — distinctive Client Hello fingerprints from popular C2 frameworks; JA3S and JARM fingerprint the server side. Fingerprints are malleable, so treat a match as a lead to confirm, not a verdict.
  • Threat-feed enrichment — known C2 IPs and domains; freshness matters because C2 infrastructure is often rotated within days.
  • Infrastructure clustering — shared registrar, nameserver, ASN, and certificate patterns tie domains together before any of them appears in a feed.
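
The beacon-timing check above is easy to implement on flow data. The following is an added example, not code from this page or from Whisper: it groups connection records by (source, destination) and flags pairs whose inter-connection gaps have a low coefficient of variation. The flow records are constructed for the example, and the thresholds (`min_conns`, `max_cv`) are assumed starting values to tune on your own traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source IP, destination IP).
# 10.0.0.5 -> 203.0.113.7 checks in roughly every 60 s with about +-10 % jitter;
# 10.0.0.9 -> 198.51.100.20 is ordinary bursty browsing.
BEACON_TIMES = [0, 58, 122, 179, 243, 298, 362, 418, 482, 539]
BROWSE_TIMES = [0, 3, 4, 90, 91, 400, 402, 403, 1200]
SAMPLE_FLOWS = (
    [(1_700_000_000 + t, "10.0.0.5", "203.0.113.7") for t in BEACON_TIMES]
    + [(1_700_000_000 + t, "10.0.0.9", "198.51.100.20") for t in BROWSE_TIMES]
)


def interval_stats(timestamps):
    """Return (connection count, mean gap, coefficient of variation) for one pair.

    The coefficient of variation (stdev / mean) is scale-free, so a 60 s beacon
    and a 5 min beacon score the same; jitter raises it a little, bursty
    human traffic raises it a lot.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return len(ts), avg, cv


def find_beacons(flows, min_conns=8, max_cv=0.2):
    """Group flows by (src, dst) and flag pairs whose gaps are near-constant.

    Uniform jitter of +-30 % gives a cv of about 0.17, so max_cv=0.2 catches
    default-ish jitter settings; an operator who sets jitter higher slips
    under this check, so combine it with other signals rather than rely on it.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        n, avg, cv = interval_stats(stamps)
        if n >= min_conns and cv is not None and cv <= max_cv:
            hits[pair] = {"connections": n, "mean_interval": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {s['connections']} conns, "
              f"every {s['mean_interval']:.1f}s, cv={s['cv']:.3f}")
```

Run against real data, feed it the (timestamp, src, dst) columns of Zeek `conn.log` or NetFlow exports over a window long enough to hold a dozen beacons at the slowest interval you care about; a pair that also shows near-constant byte counts per connection is a stronger hit than timing alone.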

Why Frameworks Like Cobalt Strike Matter

Most C2 today is built on a small number of frameworks — Cobalt Strike, Sliver, Mythic, Brute Ratel. Each has distinctive defaults: profile structures, jitter values, certificate metadata, port choices. Defenders who recognize the framework's fingerprint can find compromised hosts even when the IOCs rotate.

Mapping C2 with Whisper

Whisper lets analysts start with one suspected C2 domain and traverse the graph to every related hostname, IP, ASN, certificate, and registrant. The result is the full C2 footprint — including infrastructure the attacker has staged but not yet activated.
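
The traversal described here, and the infrastructure-clustering check listed under detection, both come down to pivoting across shared attributes. The following is an added example, not Whisper's code: it builds an attribute graph from constructed passive-DNS, WHOIS, and certificate observations and walks outward from one seed domain. The one rule that keeps such a pivot usable is to record but never expand hub nodes (a large ASN, a popular nameserver, a shared hosting IP), because pivoting through a hub pulls in unrelated infrastructure; `max_fanout` is an assumed cutoff for that. All domains, IPs, the ASN and the certificate label are constructed.

```python
from collections import defaultdict, deque

# Constructed observations as (node, relation, node). Node names carry a type
# prefix so the cluster can be reported per type. "cert:3f9c0a" is a made-up
# short label standing in for a certificate fingerprint.
EDGES = [
    ("domain:update-cdn-sync.example", "resolves_to", "ip:203.0.113.7"),
    ("domain:update-cdn-sync.example", "nameserver", "ns:ns1.bulk-dns.example"),
    ("domain:update-cdn-sync.example", "registrant", "email:ops@mailbox.example"),
    ("domain:api-sync-telemetry.example", "resolves_to", "ip:203.0.113.8"),
    ("domain:api-sync-telemetry.example", "nameserver", "ns:ns1.bulk-dns.example"),
    ("domain:api-sync-telemetry.example", "registrant", "email:ops@mailbox.example"),
    # Staged but not yet used for beacons: reachable only through the shared IP.
    ("domain:cdn-edge-pool.example", "resolves_to", "ip:203.0.113.8"),
    ("ip:203.0.113.7", "serves_cert", "cert:3f9c0a"),
    ("ip:203.0.113.8", "serves_cert", "cert:3f9c0a"),
    ("ip:203.0.113.7", "announced_by", "asn:AS64496"),
    ("ip:203.0.113.8", "announced_by", "asn:AS64496"),
    # Unrelated tenant of the same ASN; must not end up in the cluster.
    ("domain:news.example", "resolves_to", "ip:198.51.100.20"),
    *[(f"ip:198.51.100.{n}", "announced_by", "asn:AS64496") for n in range(20, 24)],
]


def build_graph(edges):
    """Undirected adjacency: node -> {(relation, neighbour)}."""
    adj = defaultdict(set)
    for a, rel, b in edges:
        adj[a].add((rel, b))
        adj[b].add((rel, a))
    return adj


def pivot(adj, seed, max_fanout=5):
    """Breadth-first pivot from seed.

    Returns (cluster, hubs). A node with more than max_fanout neighbours is a
    hub: it is added to the cluster as an attribute of what we already found,
    but its own neighbours are not explored, which is what stops the walk
    from swallowing every customer of a hosting ASN.
    """
    seen = {seed}
    hubs = set()
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for _, nxt in adj[node]:
            if nxt in seen:
                continue
            seen.add(nxt)
            if len(adj[nxt]) > max_fanout:
                hubs.add(nxt)
                continue
            queue.append(nxt)
    return seen, hubs


def by_type(nodes):
    """Group a node set by its type prefix, each group sorted for stable output."""
    groups = defaultdict(list)
    for node in nodes:
        groups[node.split(":", 1)[0]].append(node)
    return {t: sorted(v) for t, v in groups.items()}


if __name__ == "__main__":
    cluster, hubs = pivot(build_graph(EDGES), "domain:update-cdn-sync.example")
    for kind, members in sorted(by_type(cluster).items()):
        print(f"{kind}: {', '.join(members)}")
    print(f"hubs (recorded, not expanded): {sorted(hubs)}")
```

On real data the relation type matters as much as the degree: a shared certificate or registrant e-mail is strong evidence, a shared nameserver at a bulk registrar is weak, and the cutoff should be set per relation rather than globally once the dataset is larger than a toy.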