In plain English
Once malware infects a device, it 'phones home' to a C2 server controlled by the attacker. This allows the attacker to issue commands, download additional tools, receive stolen data, or trigger actions like ransomware detonation — all while appearing to be legitimate web traffic. DNS filtering blocks known C2 domains before connections are established.
Full definition
C2 infrastructure is how an attacker stays connected after the initial breach. Once runs on a device, it needs a way to receive instructions. The attacker's server sends commands; the infected device reports back with , screenshots, or confirmation that the network has been mapped and is ready to fire. Modern C2 traffic is built to blend in. It runs over HTTPS, mimics normal web browsing, and spaces its check-ins to avoid volume-based alerts.
is one of the more effective ways to break this link. Known C2 domains get blocked at the resolver level, so the malware cannot phone home even if it executes. includes this capability. Fortify's 24/7 monitoring watches for C2 patterns that bypass domain blocklists: beaconing behaviour (regular, timed outbound connections to unusual destinations) and connections to newly registered domains.
The window between initial infection and C2 contact is often minutes. If that connection succeeds, the attacker is inside and working. Breaking it early, before commands are issued or data is pulled, is what separates a contained incident from a reportable one under Australia's .
