IronSights

Threats & attacks

Command and controlC2

Infrastructure used by attackers to communicate with and control malware or compromised systems within a target network, issuing commands and receiving exfiltrated data.

Also known asC2C&Ccommand and control infrastructureC2 server

In plain English

Once malware infects a device, it 'phones home' to a C2 server controlled by the attacker. This allows the attacker to issue commands, download additional tools, receive stolen data, or trigger actions like ransomware detonation — all while appearing to be legitimate web traffic. DNS filtering blocks known C2 domains before connections are established.

Full definition

C2 infrastructure is how an attacker stays connected after the initial breach. Once runs on a device, it needs a way to receive instructions. The attacker's server sends commands; the infected device reports back with , screenshots, or confirmation that the network has been mapped and is ready to fire. Modern C2 traffic is built to blend in. It runs over HTTPS, mimics normal web browsing, and spaces its check-ins to avoid volume-based alerts.

is one of the more effective ways to break this link. Known C2 domains get blocked at the resolver level, so the malware cannot phone home even if it executes. includes this capability. Fortify's 24/7 monitoring watches for C2 patterns that bypass domain blocklists: beaconing behaviour (regular, timed outbound connections to unusual destinations) and connections to newly registered domains.

The window between initial infection and C2 contact is often minutes. If that connection succeeds, the attacker is inside and working. Breaking it early, before commands are issued or data is pulled, is what separates a contained incident from a reportable one under Australia's .

Keep learning

More terms in the IronSights Glossary.