During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests. [3]
ABK has the ability to use HTTP in communications with C2.[4]
Action RAT can use HTTP to communicate with C2 servers.[5]
ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs.[6]
Agent Tesla has used HTTP for C2 communications.[7][8]
ANDROMEDA has the ability to make GET requests to download files from C2.[11]
AppleJeus has sent data to its C2 server via POST requests.[12][13]
AppleSeed has the ability to communicate with C2 over HTTP.[14][15]
APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.[17][18]
Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.[19][20]
APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.[21][22]
APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.[25]
APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[28]
APT41 DUST used HTTPS for command and control.[29]
AuTo Stealer can use HTTP to communicate with its C2 servers.[5]
Avenger has the ability to use HTTP in communication with C2.[4]
BackConfig has the ability to use HTTPS for C2 communiations.[31]
BACKSPACE uses HTTP as a transport to communicate with its command server.[32]
BADHATCH can use HTTP and HTTPS over port 443 to communicate with actor-controlled C2 servers.[33][34]
Bankshot uses HTTP for command and control communication.[37]
Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.[38][39][40]
BBK has the ability to use HTTP in communications with C2.[4]
BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.[41]
BlackEnergy communicates with its C2 server over HTTP.[46]
BlackMould can send commands to C2 in the body of HTTP POST requests.[47]
BLINDINGCAN has used HTTPS over port 443 for command and control.[48]
BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API.[49]
BRONZE BUTLER malware has used HTTP for C2.[51]
Brute Ratel C4 can use HTTPS and HTTPS for C2 communication.[52][53]
BUBBLEWRAP can communicate using HTTP or HTTPS.[54]
During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads.[56]
During C0018, the threat actors used HTTP for C2 communications.[57]
During C0021, the threat actors used HTTP for some of their C2 communications.[58]
The Carbanak malware communicates to its command server using HTTP with an encrypted payload.[59]
Cardinal RAT is downloaded using HTTP over port 443.[62]
CharmPower can use HTTP to communicate with C2.[64]
ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[65][66]
CHIMNEYSWEEP can send HTTP GET requests to C2.[68]
China Chopper's server component executes code sent via HTTP POST commands.[69]
Various implementations of CHOPSTICK communicate with C2 over HTTP.[70]
COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.[73]
Cobalt Group has used HTTPS for C2.[74][75][76]
Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports.[77][78][79][80][81]
ComRAT has used HTTP requests for command and control.[83][84][85]
CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.[72][88]
CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.[90]
CreepyDrive can use HTTPS for C2 using the Microsoft Graph API.[91]
CreepySnail can use HTTP for C2.[91]
Crimson can use a HTTP GET request to download its final payload.[92]
Crutch has conducted C2 communications with a Dropbox account using the HTTP API.[93]
CSPY Downloader can use GET requests to download additional payloads from C2.[94]
Cuckoo Stealer can use the curl API for C2 communications.[95]
Cyclops Blink can download files via HTTP and HTTPS.[96][97]
Daggerfly uses HTTP for command and control communication.[100]
Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string "&&&".[102]
DarkTortilla has used HTTP and HTTPS for C2.[104]
DarkWatchman uses HTTPS for command and control.[105]
DealersChoice uses HTTP for communication with the C2 server.[106]
DEATHRANSOM can use HTTPS to download files.[107]
Donut can use HTTP to download previously staged shellcode payloads.[111]
down_new has the ability to use HTTP in C2 communications.[4]
Dridex has used POST requests and HTTPS for C2 communications.[114][115]
Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request.[116]
Egregor has communicated with its C2 servers via HTTPS protocol.[120]
Empire can conduct command and control over protocols like HTTP and HTTPS.[125]
Exaramel for Linux uses HTTPS for C2 communications.[129][130]
FatDuke can be controlled via a custom C2 protocol over HTTP.[132]
FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.[134][135]
FIN13 has used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data.[136][137]
FIN4 has used HTTP POST requests to transmit data.[138][139]
Final1stspy uses HTTP for C2.[141]
FlawedAmmyy has used HTTP for C2.[143]
FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests.[144]
FRAMESTING can retrieve C2 commands from values stored in the DSID cookie from the current HTTP request or from decompressed zlib data within the request's POST data.[145]
During Frankenstein, the threat actors used HTTP GET requests for C2.[146]
FRP has the ability to use HTTP and HTTPS to enable the forwarding of requests for internal services via domain name.[147]
Gamaredon Group has used HTTP and HTTPS for C2 communications.[148][149][150][151][152][153][154]
GeminiDuke uses HTTP and HTTPS for command and control.[72]
Get2 has the ability to use HTTP to send information collected from an infected host to C2.[157]
Gold Dragon uses HTTP for communication to the control servers.[158]
GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.[159]
GoldFinder has used HTTP for C2.[160]
GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.[160][161]
Goopy has the ability to communicate with its C2 over HTTP.[22]
Grandoreiro has the ability to use HTTP in C2 communications.[162][163]
GravityRAT uses HTTP for C2.[164]
GreyEnergy uses HTTP and HTTPS for C2 communications.[135]
GrimAgent has the ability to use HTTP for C2 communications.[165]
GuLoader can use HTTP to retrieve additional binaries.[166][167]
HAFNIUM has used open-source C2 frameworks, including Covenant.[168]
The "Uploader" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.[169]
HAWKBALL has used HTTP to communicate with a single hard-coded C2 server.[170]
Higaisa used HTTP and HTTPS to send data back to its C2 server.[173][174]
HTTPBrowser has used HTTP and HTTPS for command and control.[176][177]
httpclient uses HTTP for command and control.[1]
IceApple can use HTTP GET to request and pull information from C2.[179]
IcedID has used HTTPS in communications with C2.[180][181][182]
Inception has used HTTP, HTTPS, and WebDav in network communications.[183][184]
Industroyer’s main backdoor connected to a remote C2 server using HTTPS.[185]
InvisiMole uses HTTP for C2 communications.[186]
IPsec Helper connects to command and control servers via HTTP POST requests based on parameters hard-coded into the malware.[187]
JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.[190][191][192]
Kazuar uses HTTP and HTTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.[193]
Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.[194][195]
KEYPLUG has the ability to communicate over HTTP and WebSocket Protocol (WSS) for C2.[56]
KOPILUWAK has used HTTP POST requests to send data to C2.[11]
Latrodectus can send registration information to C2 via HTTP POST.[204][205][206]
Lazarus Group has conducted C2 over HTTP and HTTPS.[207][98][99][208][209][210]
LiteDuke can use HTTP GET requests in C2 communications.[132]
LitePower can use HTTP and HTTPS for C2 communications.[211]
LookBack’s C2 proxy tool sends data to a C2 server over HTTP.[214]
LOWBALL command and control occurs via HTTPS over port 443.[54]
LuminousMoth has used HTTP for C2.[215]
LunarWeb can use POST to send victim identification to C2 and GET to retrieve commands.[216]
Magic Hound has used HTTP for C2.[222][223][224]
Manjusaka has used HTTP for command and control communication.[225]
MarkiRAT can initiate communication over HTTP/HTTPS for its C2 server.[226]
Maze has communicated to hard-coded IP addresses via HTTP.[227]
MCMD can use HTTPS in communication with C2 web servers.[228]
MechaFlounder has the ability to use HTTP in communication with C2.[229]
Micropsia uses HTTP and HTTPS for C2 network communications.[233][234]
Milan can use HTTPS for communication with C2.[235][196][236]
MiniDuke uses HTTP and HTTPS for command and control.[72][132]
Moonstone Sleet used curl to connect to adversary-controlled infrastructure and retrieve additional payloads.[239]
Mori can communicate using HTTP over IPv4 or IPv6 depending on a flag set.[241]
MuddyWater has used HTTP for C2 communications.[242][243]
Mustang Panda has communicated with its C2 via HTTP POST requests.[244][245][246][247]
NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2.[32]
NGLite will initially beacon out to the NKN network via an HTTP POST over TCP 30003.[251]
During Night Dragon, threat actors used HTTP for C2.[252]
Octopus has used HTTP GET and POST requests for C2 communications.[256][257]
During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners.[264]
During Operation Dream Job, Lazarus Group uses HTTP and HTTPS to contact actor-controlled C2 servers.[265]
During Operation Wocao, threat actors’ XServer tool communicated using HTTP and HTTPS.[266]
Orangeworm has used HTTP for C2.[267]
OSX_OCEANLOTUS.D can also use use HTTP POST and GET requests to send and receive C2 information.[268]
Out1 can use HTTP and HTTPS in communications with remote hosts.[243]
OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.[176]
P.A.S. Webshell can issue commands via HTTP POST.[130]
PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.[72]
A PingPull variant can communicate with its C2 servers by using HTTPS.[272]
PLEAD has used HTTP for communications with command and control (C2) servers.[273][274]
PlugX can be configured to use HTTP for command and control.[176][275]
PolyglotDuke has has used HTTP GET requests in C2 communications.[132]
Pony has sent collected information to the C2 via HTTP POST request.[277]
PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[278]
PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.[184]
PowGoop can send HTTP GET requests to malicious servers.[280]
Proxysvc uses HTTP over SSL to communicate commands with the control server.[282]
Pteranodon can use HTTP for C2.[148]
PULSECHECK can check HTTP request headers for a specific backdoor key and if found will output the result of the command in the variable HTTP_X_CMD.[284]
PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.[285][286][287]
QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.[289][290][291]
QUIETCANARY can use HTTPS for C2 communications.[11]
QuietSieve can use HTTPS in C2 communications.[293]
Raccoon Stealer uses HTTP, and particularly HTTP POST requests, for command and control actions.[294][295][296]
Raspberry Robin uses outbound HTTP requests containing victim information for retrieving second stage payloads.[300] Variants of Raspberry Robin can download archive files (such as 7-Zip files) via the victim web browser for second stage execution.[301]
RATANKBA uses HTTP/HTTPS for command and control communication.[302][303]
RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.[305]
RedCurl has used HTTP, HTTPS and Webdav protocls for C2 communications.[307][308]
RedLeaves can communicate to its C2 over HTTP and HTTPS if directed.[309][310]
The Regin malware platform supports many standard protocols, including HTTP and HTTPS.[311]
Remexi uses BITSAdmin to communicate with the C2 server over HTTP.[312]
Remsec is capable of using HTTP and HTTPS for C2.[313][314][315]
REvil has used HTTP and HTTPS in communication with C2.[316][317][318][319][320]
APT12 has used RIPTIDE, a RAT that uses HTTP to communicate.[322]
Rising Sun has used HTTP and HTTPS for command and control.[323]
Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.[324]
ROKRAT can use HTTP and HTTPS for command and control communication.[325][326][327]
RTM has initiated connections to external domains using HTTPS.[328]
Samurai can use a .NET HTTPListener class to receive and handle HTTP POST requests.[253]
Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.[331]
ServHelper uses HTTP for C2.[333]
ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.[334]
Shark has the ability to use HTTP in C2 communications.[235][236]
ShimRat communicated over HTTP and HTTPS with C2 servers.[336]
ShimRatReporter communicated over HTTP with preconfigured C2 servers.[336]
Sibot communicated with its C2 server via HTTP GET requests.[160]
SideTwist has used HTTP GET and POST requests over port 443 for C2.[337]
Sidewinder has used HTTP in C2 communications.[338][339][340]
SilverTerrier uses HTTP for C2 communications.[341]
SLIGHTPULSE has the ability to process HTTP GET requests as a normal web server and to insert logic that will read or write files or execute commands in response to HTTP POST requests.[284]
Sliver has the ability to support C2 communications over HTTP/S.[342][343][344]
SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications.[345]
Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.[241]
Smoke Loader uses HTTP for C2.[346]
SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests.[347]
During the SolarWinds Compromise, APT29 used HTTP for C2 and data exfiltration.[348]
Spark has used HTTP POST requests to communicate with its C2 server to receive commands.[351]
SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server. [352]
Squirrelwaffle has used HTTP POST requests for C2 communications.[353]
STARWHALE has the ability to contact actor-controlled C2 servers via HTTP.[354][241]
STEADYPULSE can parse web requests made to a targeted server to determine the next stage of execution.[284]
Stealth Falcon malware communicates with its C2 server via HTTPS.[355]
StrongPity can use HTTP and HTTPS in C2 communications.[356][357]
Stuxnet uses HTTP to communicate with a command and control server. [358]
SUNBURST communicated via HTTP GET or HTTP POST requests to third party servers for C2.[360]
SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.[361][362]
TeamTNT has the curl command to send credentials over HTTP and the curl and wget commands to download new software.[368][369][370] TeamTNT has also used a custom user agent HTTP header in shell scripts.[371]
ThiefQuest uploads files via unencrypted HTTP. [372][373]
Threat Group-3390 malware has used HTTP for C2.[374]
TrailBlazer has used HTTP requests for C2.[378]
TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.[379][10]
Trojan.Karagany can communicate with C2 via HTTP POST requests.[380]
Tropic Trooper has used HTTP in communication with the C2.[381][382]
TSCookie can multiple protocols including HTTP and HTTPS in communication with command and control (C2) servers.[383][384]
Turla has used HTTP and HTTPS for C2 communications.[386][387]
UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers.[389]
Uroburos can use a custom HTTP-based protocol for large data communications that can blend with normal network traffic by riding on top of standard HTTP.[390]
VaporRage can use HTTP to download shellcode from compromised websites.[50]
Vasport creates a backdoor by making a connection using a HTTP POST.[395]
VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.[396]
Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.[398]
WellMess can use HTTP and HTTPS in C2 communications.[399][400][401][350]
WhisperGate can make an HTTPS connection to download additional files.[402][403]
Windshift has used tools that communicate with C2 over HTTP.[404]
WindTail has the ability to use HTTP for C2 communications.[405]
Winnti for Linux has used HTTP in outbound communications.[406]
Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications.[407]
Winter Vivern uses HTTP and HTTPS protocols for exfiltration and command and control activity.[408][409]
WIREFIRE can respond to specific HTTP POST requests to /api/v1/cav/client/visits.[410][411]
Wizard Spider has used HTTP for network communications.[413]
Woody RAT can communicate with its C2 server using HTTP requests.[414]
xCaon has communicated with the C2 server by sending POST requests over HTTP.[416]
Zeus Panda uses HTTP for C2 communications.[426]