APT12 has used blogs and WordPress for C2 infrastructure.[1]
APT29 has used social media platforms to hide communications to C2 servers.[3]
APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.[4][5]
APT39 has communicated with C2 through files uploaded to and downloaded from DropBox.[6]
BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs.[7][8][9]
BLACKCOFFEE has also obfuscated its C2 traffic as normal traffic to sites such as Github.[10][11]
The CALENDAR malware communicates through the use of events in Google Calendar.[14][15]
Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.[16]
One variant of CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data with its operators.[17]
Comnie uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.[18]
ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.[19][20]
CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file.[21]
Crutch can use Dropbox to receive commands and upload stolen data.[22]
DOGCALL is capable of leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for C2.[4][23]
FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[25]
GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol.[14][26]
Grandoreiro can utilize web services including Google sites to send and receive C2 data.[27][28]
KARAE can use public cloud-based storage providers for command and control.[4]
Kazuar has used compromised WordPress blogs as C2 servers.[29]
LOWBALL uses the Dropbox cloud storage service for command and control.[30]
Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[31]
MuddyWater has used web services including OneHub to distribute remote access tools.[32]
Orz has used Technet and Pastebin web pages for command and control.[33]
PowerStallion uses Microsoft OneDrive as a C2 server via a network drive mapped with net use.[34]
Revenge RAT used blogpost.com as its primary command and control server during a campaign.[35]
RogueRobin has used Google Drive as a Command and Control channel. [36]
ROKRAT leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for C2 communications.[37][38]
Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.[39][40]
A Turla JavaScript backdoor has used Google Apps Script as its C2 server.[41][42]
UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.[43]
yty communicates to the C2 server by retrieving a Google Doc.[44]
ZIRCONIUM has used Dropbox for C2 allowing upload and download of files as well as execution of arbitrary commands.[45][46]