Sunday, February 23, 2025

New Report on 1M+ Malware Samples Shows Application Layer Abused for Stealthy C2

A recent analysis of over a million malware samples by Picus Security has revealed a growing trend in the exploitation of application layer protocols for stealthy command-and-control (C2) operations.

These findings, detailed in the Red Report 2025, underscore the growing sophistication of cyber adversaries who leverage widely used protocols to evade detection and maintain persistence in target environments.

Application Layer Protocols: A Key Enabler for Modern Malware

The application layer, the topmost layer of the OSI model, is essential for enabling communication between software applications across various platforms.

Adversaries exploit this layer by embedding malicious commands and data within legitimate traffic, effectively blending their activities into routine network communications.

This tactic is mapped to MITRE ATT&CK Technique T1071 and its sub-techniques, which cover various protocols such as HTTP/S, DNS, FTP, and WebSockets.

The report highlights that adversaries increasingly favor application layer protocols because of their ubiquity and inherent trust.

For example, HTTPS traffic is encrypted, making it difficult for traditional security tools to inspect malicious payloads.

Similarly, DNS tunneling and WebSockets provide continuous communication channels that are hard to distinguish from legitimate activity.

Case Studies: Malware Leveraging Application Layer Protocols

Several notable malware campaigns from 2024 illustrate how these techniques are being operationalized:

  1. WezRat Malware: This malware uses HTTPS for encrypted C2 communication. By disguising its traffic as legitimate web requests, WezRat exfiltrates data and fetches commands without triggering alarms.
  2. Glutton Malware: Operating over HTTP, this modular malware polls C2 servers using standard GET/POST requests to download additional payloads. Its reliance on clear-text HTTP allows it to mimic routine web traffic while embedding malicious commands.
  3. RevC2 Backdoor: Leveraging WebSockets, RevC2 establishes a full-duplex communication channel with its C2 server. This persistent connection enables real-time data exchange while evading detection tools that monitor traditional HTTP traffic.
  4. ZLoader: The latest version of this malware employs DNS tunneling for encrypted C2 communications. By encoding data into DNS packets, ZLoader bypasses conventional network defenses while maintaining a covert channel.

Picus Security's analysis revealed that 93% of malicious actions observed in 2024 were preventable with existing security measures.

However, the rise in "whispering channels," such as HTTPS and DNS-over-HTTPS (DoH), highlights the need for advanced detection tools capable of analyzing encrypted traffic without compromising privacy.

These findings emphasize the importance of adopting proactive security strategies.

Organizations must enhance monitoring capabilities for application-layer traffic and implement robust defenses against protocol abuse.

Techniques such as deep-packet inspection (DPI), behavioral analytics, and encrypted traffic analysis are essential to countering these evolving threats.

As adversaries continue to refine their methods, leveraging trusted protocols for stealthy operations will likely remain a cornerstone of sophisticated cyberattacks in the years ahead.
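As an added illustration of the behavioral-analytics approach (example code written for this page, not from the Picus report or any of the malware described), the following Python heuristic targets the DNS tunneling pattern attributed to ZLoader above: it groups DNS queries by client and registered domain and flags pairs that issue many distinct subdomains whose labels look like encoded data (long or high-entropy). The log format, the thresholds and the last-two-labels domain heuristic are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, "<client> <queried name>" per line (not real data).
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 cdn.example.com
10.0.0.7 a3f9c1e2b4d8.mail.example.net
10.0.0.7 zq8v2k9x1m3p7r5t.mail.example.net
10.0.0.7 9g4h2j6k8l0m1n3b5v7c.mail.example.net
10.0.0.7 x1y2z3a4b5c6d7e8f9g0.mail.example.net
10.0.0.5 api.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Last two labels taken as the registered domain (assumption: no public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def subdomain_part(qname: str) -> str:
    """Labels left of the registered domain, e.g. 'a3f9.mail' for a3f9.mail.example.net."""
    return ".".join(qname.rstrip(".").split(".")[:-2])

def score_tunneling(log_text: str, min_distinct: int = 3,
                    long_label: int = 20, entropy_bits: float = 3.5):
    """Flag (client, domain) pairs issuing many distinct subdomains whose labels
    look like encoded data (long or high-entropy). Returns a sorted list of
    (client, domain, suspicious_subdomain_count) tuples."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        client, qname = line.split()
        groups[(client, registered_domain(qname))].add(subdomain_part(qname))
    flagged = []
    for (client, domain), subs in groups.items():
        suspicious = [
            s for s in subs
            if any(len(lbl) >= long_label or shannon_entropy(lbl) >= entropy_bits
                   for lbl in s.split(".") if lbl)
        ]
        if len(suspicious) >= min_distinct:
            flagged.append((client, domain, len(suspicious)))
    return sorted(flagged)
```

Legitimate CDN, telemetry and anti-spam lookups also produce random-looking labels, so in practice the thresholds need tuning per environment and an allowlist of known domains before alerts are raised on this signal alone.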
