Cyber Security News

New Report on 1M+ Malware Samples Shows Application Layer Abused for Stealthy C2

An analysis of more than one million malware samples by Picus Security has found a growing reliance on application layer protocols for stealthy command-and-control (C2) traffic.

These findings, detailed in the Red Report 2025, underscore the increasing sophistication of adversaries who route their C2 over widely used protocols to evade detection and keep a long-lived channel to compromised hosts.

Application Layer Protocols: A Key Enabler for Modern Malware

The application layer, the topmost (seventh) layer of the OSI model, is where applications exchange data (web, DNS, mail, file transfer), which makes its traffic both ubiquitous and expected on almost any network.

Adversaries exploit this layer by embedding malicious commands and data within legitimate traffic, effectively blending their activities into routine network communications.

This behavior maps to MITRE ATT&CK technique T1071 (Application Layer Protocol) and its sub-techniques, which cover web protocols such as HTTP/S and WebSockets, file transfer protocols such as FTP, mail protocols, and DNS.

The report highlights that adversaries increasingly prefer application layer protocols due to their ubiquity and inherent trust.

For example, HTTPS payloads are encrypted, so security tools that do not terminate TLS cannot inspect the request body and are left with metadata such as destination, timing, and volume.

Similarly, DNS is allowed outbound almost everywhere, so data encoded into queries and responses rides a channel few organizations block, and a WebSocket, once upgraded from an ordinary HTTP request, gives a long-lived bidirectional connection that looks like any other web session.

Case Studies: Malware Leveraging Application Layer Protocols

Several notable malware campaigns from 2024 illustrate how these techniques are being operationalized:

  1. WezRat Malware: This malware uses HTTPS for encrypted C2 communication. By disguising its traffic as legitimate web requests, WezRat exfiltrates data and fetches commands without triggering alarms.
  2. Glutton Malware: Operating over HTTP, this modular malware polls C2 servers using standard GET/POST requests to download additional payloads. Its reliance on clear-text HTTP allows it to mimic routine web traffic while embedding malicious commands.
  3. RevC2 Backdoor: Leveraging WebSockets, RevC2 establishes a full-duplex communication channel with its C2 server. Because the session begins as a single HTTP Upgrade request, tools that only inspect HTTP request/response pairs see one handshake followed by an opaque stream, which lets the backdoor exchange data in real time without tripping HTTP-oriented detections.
  4. ZLoader: The latest version of this malware employs DNS tunneling for encrypted C2 communications. By encoding data into DNS queries and responses, ZLoader bypasses conventional network defenses while maintaining a covert channel.
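The DNS channel described for ZLoader above works the way any DNS tunnel does: the client packs data into subdomain labels of a zone the attacker's name server is authoritative for, and the server reassembles it. The block below is an added example, not Picus Security's code and not ZLoader's wire format: the zone name `telemetry-sync.net`, the `<seq>.<base32 data>` label layout, the survey payload and the resolver log lines are all constructed for illustration. The second half shows the defender's view, scoring a resolver log per zone on subdomain count, length and character entropy, which is the kind of analysis the report's DNS findings call for.

```python
from __future__ import annotations
import base64
import math
from collections import defaultdict

# --- The covert channel, as a tunnelling client builds it --------------------
# Payload bytes are chunked, base32-encoded (DNS names are case-insensitive,
# so base64 would be corrupted by resolvers that lower-case queries) and sent
# as subdomain labels of a zone whose authoritative server the attacker runs.
# The zone name and the "<seq>.<data>" layout are assumptions for this
# example; ZLoader's actual encoding is not reproduced here.

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical maximum for a full name in text form
C2_ZONE = "telemetry-sync.net"   # hypothetical attacker-controlled zone

def encode_to_queries(payload: bytes, zone: str = C2_ZONE, chunk: int = 30) -> list[str]:
    """Return the FQDNs a tunnelling client would query to ship `payload`."""
    names = []
    for seq, start in enumerate(range(0, len(payload), chunk)):
        b32 = base64.b32encode(payload[start:start + chunk]).decode().rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = f"{seq:x}." + ".".join(labels) + "." + zone
        assert len(name) <= MAX_NAME
        names.append(name)
    return names

def decode_from_queries(names: list[str], zone: str = C2_ZONE) -> bytes:
    """What the attacker's name server does: reassemble the payload from query names."""
    chunks = {}
    for name in names:
        sub = name[: -len(zone) - 1]          # strip ".<zone>"
        seq_hex, *labels = sub.split(".")
        b32 = "".join(labels).upper()
        b32 += "=" * (-len(b32) % 8)          # restore base32 padding
        chunks[int(seq_hex, 16)] = base64.b32decode(b32)
    return b"".join(chunks[i] for i in sorted(chunks))

# --- The defender's side: score resolver logs per zone ------------------------

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def registered_zone(fqdn: str) -> str:
    # Last-two-labels approximation; production code should use the public
    # suffix list so that names under e.g. co.uk are grouped correctly.
    return ".".join(fqdn.rstrip(".").split(".")[-2:])

def score_zones(log_lines: list[str], min_unique: int = 5,
                min_len: float = 20.0, min_entropy: float = 3.0) -> dict:
    """Flag zones whose subdomains look like an encoded data stream.

    Each indicator is a heuristic, not proof: many distinct subdomains under
    one zone, long subdomain strings, and high character entropy together
    distinguish a tunnel from a CDN or mail zone with a handful of short hosts.
    """
    subs_by_zone = defaultdict(set)
    for line in log_lines:
        qname = line.split()[-1]             # log shape: "<ts> <client> <qtype> <qname>"
        zone = registered_zone(qname)
        sub = qname[: -len(zone) - 1] if len(qname) > len(zone) else ""
        if sub:
            subs_by_zone[zone].add(sub)
    report = {}
    for zone, subs in subs_by_zone.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        report[zone] = {
            "unique_subdomains": len(subs),
            "avg_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "suspicious": len(subs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy,
        }
    return report

# --- Constructed sample: a host survey leaving via DNS amid normal lookups -----
SURVEY = (b"host=WS-0421;user=alice;os=Windows 11 23H2;domain=CORP;"
          b"av=Defender;uptime=81234;proc=explorer.exe,outlook.exe,teams.exe;"
          b"ip=10.0.0.25;gw=10.0.0.1;cmd=ready")
BENIGN = ["www.example.com", "mail.example.com", "login.example.com",
          "cdn.contoso.net", "static.contoso.net", "api.contoso.net"]
SAMPLE_LOG = [f"2024-11-03T09:14:{i:02d}Z 10.0.0.25 A {q}"
              for i, q in enumerate(BENIGN + encode_to_queries(SURVEY))]

if __name__ == "__main__":
    for zone, r in score_zones(SAMPLE_LOG).items():
        print(zone, r)
```

The thresholds are deliberately loose; on a real resolver log the useful tuning is an allowlist of zones that legitimately have high-cardinality subdomains (CDNs, anti-spam DNSBLs, some telemetry services), and a per-client view, since one workstation querying hundreds of unique names under a single zone is the tell.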

Picus Security's analysis also reports that 93% of the malicious actions observed in 2024 were preventable with existing security measures.

However, the rise in “whispering channels,” such as HTTPS and DNS-over-HTTPS (DoH), which hides the DNS queries themselves from resolver logs, highlights the need for detection that works on encrypted traffic without decrypting it wholesale and compromising privacy.

These findings emphasize the importance of adopting proactive security strategies.

Organizations must enhance monitoring capabilities for application-layer traffic and implement robust defenses against protocol abuse.

Deep-packet inspection (DPI) of clear-text protocols such as HTTP and DNS, TLS interception where policy permits it, and behavioral analytics on connection metadata (beaconing periodicity, request and response sizes, query entropy) are the practical counters to these channels.
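For the HTTPS and WebSocket cases above, where the payload is opaque, the behavioral signal is in the metadata: an implant checks in on a timer, with a little jitter and near-identical request sizes, while a person's browsing is bursty. The block below is an added example of that analysis, not tooling from the report or from any of the malware families named; the connection-log lines (a Zeek conn.log-like shape), the addresses, the 60-second period and the jitter values are all constructed for illustration.

```python
from __future__ import annotations
import statistics
from collections import defaultdict

# Constructed connection-log lines in a Zeek conn.log-like shape:
# "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <orig_bytes> <resp_bytes>"
# Nothing here needs the TLS payload; every field is visible on an encrypted session.

def _beacon(start: float, period: float, jitter: list[int], n: int,
            src: str, dst: str) -> list[str]:
    """Implant check-ins: fixed period plus a small jitter, near-constant size."""
    lines, t = [], start
    for i in range(n):
        lines.append(f"{t:.3f} {src} {dst} 443 612 1480")
        t += period + jitter[i % len(jitter)]
    return lines

def _browsing(start: float, gaps: list[float], src: str, dst: str) -> list[str]:
    """A person on a web site: bursty, irregular gaps, varying sizes."""
    lines, t = [], start
    for i, g in enumerate([0.0] + gaps):
        t += g
        lines.append(f"{t:.3f} {src} {dst} 443 {900 + 37 * i} {20000 + 1500 * i}")
    return lines

SAMPLE_CONN_LOG = (
    _beacon(1730624000.0, 60.0, [3, -4, 1, 5, -2, 0, -5, 2], 12,
            "10.0.0.25", "203.0.113.7")                       # implant -> C2 (constructed)
    + _browsing(1730624010.0, [2, 15, 0.5, 240, 90, 1, 33, 600, 12, 4],
                "10.0.0.31", "198.51.100.20")                  # user -> web site (constructed)
)

def find_beacons(lines: list[str], min_conns: int = 8, max_cv: float = 0.2) -> dict:
    """Score each (src, dst, port) pair for beacon-like regularity.

    The coefficient of variation (stdev / mean) of the gaps between
    connections stays near zero for a timer-driven implant even with jitter,
    and is large for human-driven traffic.  Size regularity is reported as a
    second signal but not used for the verdict.
    """
    times = defaultdict(list)
    sizes = defaultdict(list)
    for line in lines:
        ts, src, dst, port, obytes, _ = line.split()
        times[(src, dst, port)].append(float(ts))
        sizes[(src, dst, port)].append(int(obytes))
    report = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            continue
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        size_cv = statistics.pstdev(sizes[key]) / statistics.mean(sizes[key])
        report[key] = {
            "connections": len(ts),
            "mean_interval_s": round(mean_gap, 1),
            "interval_cv": round(cv, 3),
            "size_cv": round(size_cv, 3),
            "beacon": len(ts) >= min_conns and cv <= max_cv,
        }
    return report

if __name__ == "__main__":
    for key, r in find_beacons(SAMPLE_CONN_LOG).items():
        print(key, r)
```

Two caveats a practitioner would add before running this on production data: legitimate software also polls on timers (update checks, telemetry, mail clients), so the verdict needs a destination reputation or allowlist step, and an implant with a long sleep and large jitter (say 1 hour ± 50%) will push the coefficient of variation above any tight threshold, which is why the interval distribution is usually combined with size regularity and destination rarity rather than used alone.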

As adversaries continue to refine their methods, leveraging trusted protocols for stealthy operations will likely remain a cornerstone of sophisticated cyberattacks in the years ahead.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
