About Command and Control Server (C2)

2 minute read

C2 or C&C → Command-and-Control server

Command and control servers are the primary tools cyber threat actors have in their arsenal to launch and control cyber-attacks. Just like how it sounds, C2 servers are the command and control center of the operation. A threat actor wants to distribute malicious programs/scripts and also needs to control the operation or when the target is compromised, needs to run commands on the target machine. With the recent rise in double extortion ransomware campaigns, attackers are also sending exfiltrated data to C2 servers.


C2 is an especially insidious method of attack because just one infected computer can take down an entire network. Once the malware executes itself on one machine, the C2 server can command it to duplicate and spread—which can happen easily, because it’s already gotten past the network firewall.

Once the network is infected, an attacker can shut it down or encrypt the infected devices to lock users out. The WannaCry ransomware attacks in 2017 did exactly that by infecting computers at critical institutions such as hospitals, locking them, and demanding a ransom in bitcoin.

Image Source: [https://www.netscribes.com/wannacry-ransomware-protect/](https://www.netscribes.com/wannacry-ransomware-protect/)

How Does C&C Work?

C2 attacks start with the initial infection, which can happen through channels like:

  • phishing e-mails with links to malicious websites or containing attachments loaded with malware.
  • vulnerabilities in certain browser plugins.
  • downloading infected software/software update that looks legitimate.

In cyber security weakest link of the chain is people, so in most cases, threat actors attack people’s behaviors/weaknesses, they send phishing e-mails, send urgent-sounding e-mails that will make the target person panic and move without thinking. When the target downloads the malicious file and executes it, malware gets snuck past the firewall and compromises the network/computer.


Once a device has been infected, it sends a signal back to the host server. When the host server receives the signal, the attacker access the target computer, and these computers become a “bot” or a “zombie” under the attacker’s control.

The attacker infects the machines on the same network or the machines the infected machine can communicate through and takes them under control. Eventually, these machines form a network or “botnet” controlled by the attacker.


C2 Structures

Today, the main server is often hosted in the cloud, but it used to be a physical server under the attacker’s direct control. Attackers can structure their C&C servers according to a few different structures or topologies:

  • Star topology: Bots are organized around one central server.
  • Multi-server topology: Multiple C&C servers are used for redundancy.
  • Hierarchical topology: Multiple C&C servers are organized into a tiered hierarchy of groups.
  • Random topology: Infected computers communicate as a peer-to-peer botnet (P2P botnet).

All the way back to 2017, hackers have been using apps like Telegram as command and control centers for malware. A program called ToxicEye, which is capable of stealing data and recording people without their knowledge via their computers, was found in 130 instances just this year.