Pi Sigma LogoPiSigma Blog
[ Home ][ Contact Us ]

>>_

Cover Image for Command & Control Servers: From Red Team Arsenal to Real-World Threat Actor Playbooks
#PI

$ Categories:

#penetrationtesting#redteaming

Whether a penetration test, red team engagement, or malicious intrusion by threat actors, is the Command & Control (C2) infrastructure. C2 servers provide remote operators with reliable communication channels into compromised systems, enabling tasking, data exfiltration, lateral movement, persistence, and post-exploitation workflows. In the wild, threat actors leverage both custom malware C2s and publicly available frameworks originally created or adopted by the offensive security community.

What Is a C2 Server?

A command and control (C2) server is the central coordinator that connects and interacts with deployed implants/beacons/agents on compromised endpoints. In the MITRE ATT&CK model, C2 falls under TA0011: Command and Control, encompassing any mechanism used by an adversary to manage compromised hosts. C2 communication can leverage HTTP/S, DNS, proprietary protocols, VPN tunnels, or even covert channels over legitimate cloud services or messaging APIs.

In red team engagements, C2 frameworks simulate adversary communication patterns to test detection, monitoring, and response capabilities.

Top C2 Frameworks

1. Sliver

  • Type: Open-source cross-platform C2 framework
  • Usage: Red team, adversary emulation
  • Communication: Supports mTLS, HTTPS, DNS, WireGuard, etc.
  • Notes: Designed to be versatile and stealthy.

Threat Actor Adoption: Sliver has been observed in real intrusions, including campaigns linked to APT29 (Russian SVR) and financially motivated groups such as TA551 — spanning loaders like BumbleBee.

Although intended for authorized testing, Sliver’s low cost and flexibility have made it attractive to nation-state and cybercrime actors seeking alternatives to Cobalt Strike.

2. PoshC2

  • Type: Python-based proxy-aware C2 framework
  • Usage: Red team post-exploitation and lateral movement
  • Features: Extensible implants, encrypted comms, proxy evasion
  • Notes: Emphasizes operational security and stealth.

Threat Actor Usage: PoshC2 is widely used by penetration testers. Public reporting on PoshC2 in purely malicious campaigns is less prevalent but exists in threat intel chatter due to code leaks and misuse on underground forums.

3. Cobalt Strike

  • Type: Commercial C2 and adversary emulation framework
  • Usage: Red team engagements and threat actor campaigns
  • Components: “Beacon” implant, flexible comms, scripting
  • Notes: Longstanding industry standard for post-exploitation.

Threat Actor Adoption: Cobalt Strike remains the most widely abused framework in real-world attacks. Many ransomware gangs and advanced actors use cracked or unauthorized Cobalt Strike deployments to control compromised hosts.

Examples:

  • Used by ransomware gangs and APTs globally, often via public C2 profiles and beacon payloads.

4. Nighthawk

  • Type: Evasive red team C2 toolkit
  • Usage: Red team post-exploitation
  • Notes: Operational security-focused, with advanced evasion techniques.

Threat Actor Usage: Primarily used in professional engagements; limited public intel exists tying Nighthawk to specific malicious campaigns yet.

5. Mythic

  • Type: Open-source collaborative C2 framework
  • Usage: Red team and penetration testing
  • Features: Multiple agent types, web UI, analytics
  • Notes: Growing footprint among offensive teams.

Threat Actor Adoption: Mythic has been observed at internet-facing C2 servers more frequently than some older tools, suggesting adoption beyond controlled labs.

6. Metasploit

  • Type: Penetration testing framework
  • Usage: Exploit delivery and C2 functions
  • Notes: Well-established but often detectable by defenders.

Threat Actor Usage: Historically observable in real intrusions, often as a secondary C2 or post-exploit facilitator — especially where attackers use cracked or automated Metasploit modules.

7. Merlin

  • Type: Go-based C2 server and agent
  • Usage: Red team post-exploitation
  • Protocols: HTTP/1.1, HTTP/2, HTTP/3 over QUIC
  • Notes: Different protocol options help evade detection. Threat Actor Usage: Merlin has been documented in CISA red team reports as part of legitimate assessments and is also leveraged by attackers due to its flexible protocols.

Emerging C2: AdaptixC2

AdaptixC2 has emerged as a one of the new ** open-source post-exploitation C2 framework** originally marketed to penetration testers. Threat intelligence indicates:

  • Russian ransomware groups (including affiliates tied to Akira, Fog, and others) are actively weaponizing AdaptixC2 for malicious payload delivery.
  • Malware loaders such as CountLoader drop malicious AdaptixC2 agents during campaigns.

Lesson: Even ethical tools with defensive intent can be repurposed by attackers — especially when their code is publicly accessible and extensible.

Observed Threat Actor C2 Usage (Examples)

C2 Framework Known Malicious Usage Threat Actors / Groups
Cobalt Strike Widespread malicious beacons & C2 in ransomware & espionage Multiple ransomware gangs; APTs globally (e.g., LockBit, Qilin affiliates)
Sliver Used as C2 following loader execution APT29 (SVR), TA551, Exotic Lily & BumbleBee carrier cases
AdaptixC2 Weaponized by ransomware affiliates Russian ransomware groups (Akira, Fog)
Mythic Observed internet-facing C2 instances Unattributed but prevalent across diverse threat ops
Merlin Employed in red team & flagged by CISA reports Legit operations; sometimes attacker usage
PoshC2 / Metasploit Abuse reported in underground tooling Various opportunistic actors

Red Team vs Threat Actor Usage Dynamics

Aspect Red Team / Pen Test Threat Actor
Purpose Improve defenses; measure detection Achieve compromise & persistence
Infrastructure Controlled C2 servers on lab/cloud Stealthy public C2, fast flux, and obfuscation
Payloads Authorized implants for testing Malicious loaders & beacons
TTPs Simulated adversary emulation Real exploitation & data theft

The C2 landscape reflects a convergence of red team technology and real-world threat actor techniques. Frameworks once exclusive to professional security teams — like Sliver, Mythic, and now AdaptixC2 — are increasingly adopted by attackers, forcing defenders to broaden their detection and hunting strategies.

Understanding both the tools and the actors who use them is fundamental to effective cyber defense — from identifying malicious traffic patterns to prioritizing controls that can disrupt post-exploitation workflows in enterprise environments.