Friday, May 9, 2025

New Report on 1M+ Malware Samples Shows Application Layer Abused for Stealthy C2


A recent analysis of over one million malware samples by Picus Security has revealed a growing trend in the exploitation of application layer protocols for stealthy command-and-control (C2) operations.

These findings, detailed in the Red Report 2025, underscore the increasing sophistication of cyber adversaries who leverage widely used protocols to evade detection and maintain persistence in target environments.

Application Layer Protocols: A Key Enabler for Modern Malware

The application layer, the topmost layer of the OSI model, is critical for enabling communication between software applications across diverse platforms.


Adversaries exploit this layer by embedding malicious commands and data within legitimate traffic, effectively blending their activities into routine network communications.

This tactic is mapped to MITRE ATT&CK Technique T1071 and its sub-techniques, which cover various protocols such as HTTP/S, DNS, FTP, and WebSockets.

The report highlights that adversaries increasingly prefer application layer protocols due to their ubiquity and inherent trust.

For example, HTTPS traffic is encrypted, making it difficult for traditional security tools to inspect malicious payloads.

Similarly, DNS tunneling and WebSockets provide continuous communication channels that are hard to distinguish from legitimate activity.

Case Studies: Malware Leveraging Application Layer Protocols

Several notable malware campaigns from 2024 illustrate how these techniques are being operationalized:

  1. WezRat Malware: This malware uses HTTPS for encrypted C2 communication. By disguising its traffic as legitimate web requests, WezRat exfiltrates data and fetches commands without triggering alarms.
  2. Glutton Malware: Operating over HTTP, this modular malware polls C2 servers using standard GET/POST requests to download additional payloads. Its reliance on clear-text HTTP allows it to mimic routine web traffic while embedding malicious commands.
  3. RevC2 Backdoor: Leveraging WebSockets, RevC2 establishes a full-duplex communication channel with its C2 server. This persistent connection enables real-time data exchange while evading detection tools that monitor traditional HTTP traffic.
  4. ZLoader: The latest version of this malware employs DNS tunneling for encrypted C2 communications. By encoding data into DNS packets, ZLoader bypasses conventional network defenses while maintaining a covert channel.

Picus Security's analysis revealed that 93% of the malicious actions observed in 2024 were preventable with existing security measures.

However, the rise in “whispering channels,” such as HTTPS and DNS-over-HTTPS (DoH), highlights the need for advanced detection tools capable of analyzing encrypted traffic without compromising privacy.

These findings emphasize the importance of adopting proactive security strategies.

Organizations must enhance monitoring capabilities for application-layer traffic and implement robust defenses against protocol abuse.

Techniques such as deep-packet inspection (DPI), behavioral analytics, and encrypted traffic analysis are critical to countering these evolving threats.
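As an added illustration of the application-layer monitoring the report calls for (this is example code, not part of the Picus report or of this article), the following Python heuristic scores a DNS query log for the tunneling pattern described in the ZLoader case: many distinct, long, high-entropy subdomains under a single registered domain. The log format, the thresholds and the domain names are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (client IP, queried name); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 f0e1d2c3b4a5968778695a4b3c2d1e0f.0001.tunnel-test.invalid
10.0.0.7 3a7c1e9f5b0d28466482d0b5f9e1c7a3.0002.tunnel-test.invalid
10.0.0.7 b2d4f6081a3c5e7997e5c3a1806f4d2b.0003.tunnel-test.invalid
10.0.0.7 c5a8e1f4b7d0293663920d7b4f1e8a5c.0004.tunnel-test.invalid
10.0.0.7 4e7a0d3f6c9b25811852b9c6f3d0a7e4.0005.tunnel-test.invalid
10.0.0.9 cdn.example.net
10.0.0.9 www.example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32-encoded payload labels score near 4-5, words near 2-3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list used)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def score_domains(log: str, min_unique=5, min_len=40, min_entropy=3.5) -> dict:
    """Group queries by registered domain and flag those whose unique names are
    numerous, long, and high-entropy in the leftmost label (the classic tunnel signature)."""
    per_domain = defaultdict(set)
    for line in log.splitlines():
        if line.strip():
            _client, qname = line.split()[:2]
            per_domain[registered_domain(qname)].add(qname.lower())
    flagged = {}
    for dom, names in per_domain.items():
        if len(names) < min_unique:
            continue  # too few distinct names to look like an encoded data stream
        avg_len = sum(len(n) for n in names) / len(names)
        avg_ent = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if avg_len >= min_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_names": len(names), "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged
```

On the constructed log, only tunnel-test.invalid is flagged; ordinary domains with a handful of short, dictionary-like names fall below every threshold. The thresholds are starting points that need tuning against a baseline of the environment's own DNS traffic (CDN and anti-spam lookups also produce long, high-entropy labels).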

As adversaries continue to refine their methods, leveraging trusted protocols for stealthy operations will likely remain a cornerstone of sophisticated cyberattacks in the years ahead.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
