
The C2 You Didn’t See Coming: APT C2 Techniques That Redefine Stealth

The C2 You Didn’t See Coming: APT C2 Techniques That Redefine Stealth (PDF, 6.11MB)

Last updated: 26 Jan, 2026

Presented by: Lior Rochberger & Tom Fakterman

Just when we thought we had seen every possible command and control technique, sophisticated adversaries continue to develop new methods to remain stealthy in compromised environments. These evolving techniques are actively reshaping the threat landscape.

This presentation examines unconventional C2 techniques used in recent years by threat actors to blend seamlessly into normal network traffic.

In this session, we will explore cases observed in the wild involving nation-state threat actors who maintained persistent access for months while operating entirely within approved enterprise applications and trusted network traffic. Examples include the use of AWS Lambda functions for command relays, the abuse of Outlook APIs by a sophisticated China-linked backdoor to mask malicious communication, exploitation of Google services for covert command channels, the use of social media platforms to control malware remotely, and how large language models (LLMs) can be leveraged as C2 servers by malware.

The presentation will conclude with actionable recommendations to help organizations defend against these attacks, including practical tips for detecting and hunting unconventional C2 channels within their environments.

SANS Cyber Threat Intelligence Summit 2026