According to TechTarget's article, a command-and-control server, often abbreviated as a C2 or C&C server, is "a computer that issues directives to digital devices that have been infected with rootkits or other types of malware, such as ransomware."
A command-and-control server is essentially a centralized computer or network of computers that attackers use to communicate with and control compromised systems, known as "bots" or "zombies," within their network. These servers act as the communication hub between cybercriminals and their malware-infected victims. They enable attackers to remotely send commands, receive stolen data, update malicious software, and coordinate large-scale attacks without having to physically access each compromised device. This approach allows cybercriminals to manage thousands or even millions of infected devices simultaneously, creating what security experts call a "botnet." As noted in TechTarget's analysis, "C&C servers can be used to create powerful networks of infected devices capable of carrying out distributed denial-of-service (DDoS) attacks, stealing data, deleting data or encrypting data."
The anatomy of C2 infrastructure
Modern command-and-control infrastructure has evolved well beyond simple client-server relationships. According to Gardiner, Cova, and Nagaraja in Command & Control: Understanding, Denying and Detecting, "C2 evolution has also been driven by largescale defence efforts to isolate C2 traffic based on its unique traffic characteristics." Today's C2 systems often employ architectures designed to maximize resilience and avoid detection.
The most common structures include:
Centralized architecture: The traditional model features a single server or small cluster of servers that directly communicate with all infected devices. While this approach offers simplicity and efficiency, it creates a single point of failure that security researchers and law enforcement can target to disrupt entire operations.
Decentralized or peer-to-peer (P2P) architecture: In this more resilient model, infected devices can communicate with each other, eliminating the need for a central server. Commands and data flow through the network of compromised devices, making it much harder for defenders to shut down the entire operation by targeting a single point. As TechTarget notes, "most botnets have a centralized command-and-control architecture, although peer-to-peer (P2P) botnets are on the rise due to their decentralized nature."
Hybrid architecture: Many modern botnets combine elements of both centralized and decentralized approaches, using multiple servers and peer-to-peer communication to create redundancy and increase operational security.
How C2 servers facilitate cyberattacks
Command-and-control servers enable a wide range of malicious activities that would be impossible or impractical for attackers to execute manually. TechTarget's analysis emphasizes that "C&C servers act as the headquarters where all activities related to the targeted attack report back." These activities include:
Data exfiltration: C2 servers serve as collection points for stolen information, including personal data, financial records, login credentials, and intellectual property. Attackers can instruct their malware to gather specific types of data and transmit it back to the control server for processing and potential sale on dark markets.
Distributed denial of service (DDoS) attacks: By commanding large numbers of infected devices to simultaneously flood a target with traffic, attackers can overwhelm websites, online services, or entire network infrastructures. These attacks can cause financial damage and operational disruption.
Spam and phishing campaigns: C2 servers coordinate email campaigns designed to spread malware, steal credentials, or defraud recipients. The distributed nature of botnets makes these campaigns difficult to block and trace.
Malware distribution: Attackers use their control infrastructure to deploy additional malicious software, update existing infections, or create new attack methods.
Communication methods and evasion techniques
To avoid detection by security systems and law enforcement, cybercriminals use covert communication methods between their malware and C2 servers. Research by Gardiner, Cova, and Nagaraja indicates that "C2 designers have adopted anonymous communication techniques within their architectures... More recently, C2 designers have started abusing systems designed for Internet privacy such as Tor."
Modern C2 infrastructure has also adapted to defensive measures in notable ways. According to TechTarget's research, "Today, C&C servers generally have a short shelf life; they often reside in legitimate cloud services and use automated domain generation algorithms" to make detection and disruption more difficult for security professionals and law enforcement.
These techniques include:
Domain generation algorithms (DGAs): Rather than using fixed server addresses, malware can generate thousands of potential domain names algorithmically. Even if most domains are blocked or taken down, some will remain available for communication.
Fast flux: This technique involves changing IP addresses associated with domain names, making it difficult for defenders to block communications by targeting specific servers.
Encrypted communications: Modern malware often encrypts its communications with C2 servers, making it harder for network monitoring systems to detect and analyze malicious traffic.
Legitimate service abuse: Attackers use legitimate online services like social media platforms, cloud storage, or file-sharing sites as intermediaries for C2 communications, blending malicious traffic with normal internet activity. As noted in Abuse of Cloud-Based and Public Legitimate Services as Command-and-Control (C&C) Infrastructure: A Systematic Literature Review, "The widespread adoption of cloud-based and public legitimate services (CPLS) has inadvertently opened up new avenues for cyber attackers to establish covert and resilient command-and-control (C&C) communication channels." Furthermore, "By setting up a serverless C&C infrastructure within these services, botmasters can establish communication with bots that have been planted on victims' systems, thus evading detection."
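The DGA technique above leaves a recognizable trace on the defender's side: a host resolving a burst of long, unpronounceable, digit-laden names that no user typed. The following is an added example for this article, not code from the article or from any vendor's product. It scores queried names on a few DGA-like traits and aggregates hits per client. The log format, the client addresses, the sample names and every threshold (entropy above 3.5 bits, vowel ratio below 0.2, two or more digits, label length of 12 or more) are constructed assumptions chosen for illustration.

```python
"""Heuristic scoring of DNS query names for DGA-like characteristics.

Added example for this article; the thresholds are assumptions chosen for
illustration, not values from the article or from a published detector.
"""
import math
from collections import Counter, defaultdict

# Constructed sample DNS log (not from the article or a real capture).
# Assumed format per line: "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2025-09-01T10:00:01 10.0.0.12 www.paubox.com
2025-09-01T10:00:02 10.0.0.12 mail.google.com
2025-09-01T10:00:05 10.0.0.44 xq7zlk2pw9vmnbtr.net
2025-09-01T10:00:06 10.0.0.44 h4k9ms2qzxvbpltw.info
2025-09-01T10:00:09 10.0.0.12 github.com
2025-09-01T10:00:11 10.0.0.44 fj3wqzxpvt8nkrls.org
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking strings score higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(name: str) -> str:
    """Label immediately left of the TLD ('paubox' for www.paubox.com).

    Assumption: single-label TLDs. Production code should consult a
    public-suffix list so that names like example.co.uk split correctly.
    """
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(name: str) -> int:
    """Count how many DGA-like traits the registrable label shows (0-4)."""
    label = registrable_label(name)
    if not label:
        return 0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_count = sum(ch.isdigit() for ch in label)
    traits = [
        shannon_entropy(label) > 3.5,  # near-uniform character distribution
        vowel_ratio < 0.2,             # unpronounceable
        digit_count >= 2,              # letters mixed with digits
        len(label) >= 12,              # long labels keep collisions unlikely
    ]
    return sum(traits)


def flag_clients(log_text: str, min_score: int = 3, min_hits: int = 2) -> dict:
    """Return {client_ip: [suspicious names]} for clients that queried at
    least min_hits names scoring >= min_score.

    Aggregating per client matters: one odd name is noise (CDN and ad-tech
    hostnames also look random), a burst of them from one host is a lead.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, name = fields
        if dga_score(name) >= min_score:
            hits[client].append(name)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like queries -> {names}")
```

On the constructed log, only 10.0.0.44 is flagged; the three normal names all score 0. In practice an allowlist of known CDN and telemetry domains sits in front of this scoring, and the per-client hit count is the figure worth alerting on, not a single name.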
Case study: Iranian Embassy Campaign
A September 2025 cyberattack shows how these theoretical concepts translate into real-world operations. Iranian-aligned operators connected to the group Homeland Justice executed a "coordinated" and "multi-wave" spear-phishing campaign targeting diplomatic entities worldwide. According to Israeli cybersecurity company Dream, the operation targeted "embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas."
The attack chain deployed malicious Microsoft Word documents containing VBA macros. As Dream's analysis put it, "the end goal of the attacks is to deploy using the VBA macro an executable that can establish persistence, contact a command-and-control (C2) server, and harvest system information."
Particularly noteworthy was the attackers' use of legitimate service abuse, employing "104 unique compromised addresses belonging to officials and pseudo-government entities" to lend credibility to their phishing emails. Most notably, "At least some of the emails originated from a hacked mailbox belonging to the Oman Ministry of Foreign Affairs in Paris." This approach exemplifies how modern C2 operators exploit trusted infrastructure to mask malicious communications, representing what Dream described as "hallmarks of a well-planned espionage operation that deliberately masked attribution."
This case shows that C2 infrastructure enables not just technical control over compromised systems, but social engineering at scale, turning legitimate diplomatic channels into participants in cyber espionage operations.
Detection and mitigation strategies
The challenge of detecting C2 activity is significant, as highlighted by research showing that "only 37% of the intrusions were discovered by the victim itself: in the remaining cases, the victim was notified by some external party," according to Gardiner, Cova, and Nagaraja's analysis of security incident data. Furthermore, "The median time during which attackers are able to maintain a presence in the intruded network is reported to 243 days," emphasizing the persistence of these threats. This challenge has been made worse by modern developments, as recent research from the systematic literature review demonstrates that "traditional detection systems are proving inadequate in accurately identifying such abuses, emphasizing the urgent need for more advanced detection techniques."
Despite these challenges, cybersecurity professionals employ various techniques to identify and disrupt C2 communications:
Network traffic analysis: Security teams monitor network traffic for suspicious patterns, unexpected communications, or known malicious indicators that might reveal C2 activity.
Behavioral analysis: Rather than focusing solely on known malware signatures, modern security systems analyze device behavior to identify compromised systems that might be communicating with C2 servers.
Threat intelligence: Security researchers track and analyze C2 infrastructure, sharing information about known malicious servers and communication methods across the cybersecurity community.
Sinkholing: Law enforcement and security researchers sometimes redirect traffic from known C2 domains to servers they control, effectively disrupting botnet operations and gathering intelligence about infected systems.
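The network traffic analysis and behavioral analysis strategies above often come together in beacon detection: an implant checking in with its C2 server tends to connect at a near-constant interval with near-constant payload sizes, a rhythm that user-driven traffic does not have. The following is an added example for this article, not code from the article or any product. It groups an outbound connection log by source and destination, measures the regularity of inter-connection intervals and byte counts with the coefficient of variation (standard deviation divided by mean), and reports the regular ones. The log format, the hosts (203.0.113.10 is from the documentation address range), and the thresholds (at least four connections, interval CV at most 0.2) are constructed assumptions.

```python
"""Beacon detection over an outbound connection log.

Added example for this article; the log format, hosts and thresholds are
constructed for illustration and do not come from the article.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log (not a real capture).
# Assumed format per line: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
SAMPLE_CONN_LOG = """\
2025-09-01T09:00:00 10.0.0.44 203.0.113.10 512
2025-09-01T09:00:14 10.0.0.12 www.paubox.com 1840
2025-09-01T09:01:01 10.0.0.44 203.0.113.10 514
2025-09-01T09:01:22 10.0.0.12 mail.google.com 9020
2025-09-01T09:02:00 10.0.0.44 203.0.113.10 510
2025-09-01T09:02:59 10.0.0.44 203.0.113.10 516
2025-09-01T09:03:31 10.0.0.12 github.com 23011
2025-09-01T09:04:01 10.0.0.44 203.0.113.10 512
2025-09-01T09:05:00 10.0.0.44 203.0.113.10 513
2025-09-01T09:07:45 10.0.0.12 www.paubox.com 2200
2025-09-01T09:12:03 10.0.0.12 github.com 4102
"""


def parse_conn_log(log_text: str) -> dict:
    """Group (timestamp, bytes_out) per (src, dst); malformed lines skipped."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        ts, src, dst, bytes_out = fields
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(bytes_out)))
    return flows


def coeff_of_variation(values) -> float:
    """pstdev / mean; 0 means perfectly regular. Returns inf for a zero mean."""
    avg = mean(values)
    return float("inf") if avg == 0 else pstdev(values) / avg


def find_beacons(log_text: str, min_connections: int = 4, max_cv: float = 0.2) -> list:
    """Return flows whose connection timing is regular enough to look like a
    check-in. Implants often add random jitter to each sleep, which is why
    max_cv is a tolerance rather than a demand for exact periodicity."""
    results = []
    for (src, dst), records in parse_conn_log(log_text).items():
        if len(records) < min_connections:
            continue  # too few samples to judge regularity
        records.sort()
        stamps = [r[0] for r in records]
        sizes = [r[1] for r in records]
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        interval_cv = coeff_of_variation(intervals)
        if interval_cv <= max_cv:
            results.append({
                "src": src,
                "dst": dst,
                "connections": len(records),
                "mean_interval_s": round(mean(intervals), 1),
                "interval_cv": round(interval_cv, 3),
                "bytes_cv": round(coeff_of_variation(sizes), 3),
            })
    return sorted(results, key=lambda r: r["interval_cv"])


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_CONN_LOG):
        print(beacon)
```

On the constructed log the 10.0.0.44 to 203.0.113.10 flow is reported with a mean interval of about 60 seconds and an interval CV near 0.02, while the browsing traffic from 10.0.0.12 never reaches four connections to any one host. A low bytes_cv alongside a low interval_cv strengthens the case, since a check-in with nothing to report sends almost the same bytes each time; legitimate software updaters and monitoring agents also beacon, so the destination still has to be compared against threat intelligence before anyone acts on the alert.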
What's next for command-and-control systems
As cybersecurity defenses improve, attackers continue to innovate their C2 infrastructure. The academic research emphasizes that "C2 detection and disruption seems to offer a solution to this problem: by focusing on the C2 phase of an attack" rather than trying to prevent all initial compromises. Recent analysis reveals that "this abuse is not limited to a particular type of service; instead, it is pervasive across a variety of platforms, including cloud storage, social media, business communication platforms, and more." Emerging trends include the use of blockchain technology for decentralized command systems, artificial intelligence for adaptive communication strategies, and exploitation of new technologies like 5G networks and edge computing devices.
FAQs
How do attackers initially compromise devices before connecting them to a C2 server?
Attackers typically use phishing, malicious downloads, or software vulnerabilities to infect devices before linking them to C2 infrastructure.
Are C2 servers always located in the same country as the victims?
No, attackers often host servers in foreign or multiple jurisdictions to complicate investigations and takedowns.
Can artificial intelligence make C2 servers harder to detect?
Yes, AI can help attackers adjust communication patterns to evade security monitoring.
How do law enforcement agencies coordinate international takedowns of C2 infrastructure?
They collaborate through joint task forces and cybercrime treaties to seize servers and disrupt global botnets.
Do nation-state actors use C2 servers differently from cybercriminal groups?
Nation-state actors often design stealthier and longer-lasting C2 systems to support espionage rather than quick financial gain.