Command and control server
A command and control server, often abbreviated as C2 server, is a centralized or distributed system used to issue commands to compromised hosts and to receive data from them. C2 infrastructure is a core component of botnets, remote-access trojans, ransomware, and other malware families. Operators use C2 to coordinate actions such as updates, lateral movement, data collection, or disabling security controls. The C2 typically communicates with infected clients over outbound connections on ports and protocols that blend with normal traffic, which allows remote control even when the compromised systems sit behind firewalls. Common communication patterns include pull-based beaconing, where clients periodically check in for commands, and push-based channels controlled by the operator. Protocols observed range from HTTP/HTTPS and DNS to IRC, custom TCP/UDP protocols, or peer-to-peer networks; some families employ domain generation algorithms or fast flux to improve resilience.
Architectures vary from a single centralized server to hierarchies of relays and to decentralized, peer-to-peer models.
Defensive considerations include monitoring for unusual beaconing patterns, excessive outbound connections, DNS anomalies, and SSL/TLS metadata.
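The beaconing check mentioned above, as an added example that is not part of the original page: it groups connections by source and destination and flags pairs whose check-in intervals are nearly constant (low coefficient of variation). The log format and all sample lines are constructed for the example.

```python
# Added example: flag periodic outbound connections (beaconing) in constructed
# proxy log lines of the form "<ISO timestamp> <source IP> <destination host>".
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 checks in about every 60 s with small jitter;
# 10.0.0.7 shows irregular browsing to an internal host.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.update-check.test
2024-05-01T10:00:05 10.0.0.7 intranet.example.test
2024-05-01T10:00:09 10.0.0.7 intranet.example.test
2024-05-01T10:00:40 10.0.0.7 intranet.example.test
2024-05-01T10:01:01 10.0.0.5 cdn.update-check.test
2024-05-01T10:01:59 10.0.0.5 cdn.update-check.test
2024-05-01T10:02:30 10.0.0.7 intranet.example.test
2024-05-01T10:02:31 10.0.0.7 intranet.example.test
2024-05-01T10:03:02 10.0.0.5 cdn.update-check.test
2024-05-01T10:04:00 10.0.0.5 cdn.update-check.test
2024-05-01T10:04:58 10.0.0.5 cdn.update-check.test
2024-05-01T10:05:00 10.0.0.7 intranet.example.test
2024-05-01T10:05:45 10.0.0.7 intranet.example.test
2024-05-01T10:06:01 10.0.0.5 cdn.update-check.test
2024-05-01T10:07:00 10.0.0.5 cdn.update-check.test
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            events[(src, dst)].append(datetime.fromisoformat(ts))
    return events

def interval_stats(times):
    """Mean gap between check-ins and its coefficient of variation (seconds)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_beacons(text, min_events=6, max_cv=0.2):
    """Return {pair: mean interval} for pairs with near-constant spacing."""
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue          # too few samples to judge periodicity
        avg, cv = interval_stats(times)
        if cv <= max_cv:      # low jitter relative to the mean gap
            hits[pair] = avg
    return hits
```

Real implants add random sleep jitter, so in production the `max_cv` threshold is tuned against a baseline of known-benign periodic traffic (update checks, monitoring agents) rather than fixed.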