This is an update to an original article I wrote mid-summer of 2024... oh what a ways we've come. Enjoy!!

TL;DR

Key Points

• Prioritize detection of modular, cloud-integrated C2 frameworks (Sliver, Havoc, Mythic, Brute Ratel C4, Cobalt Strike)
• Monitor for abuse of PowerShell/Python, in-memory payloads, and cloud APIs (Microsoft Graph, SharePoint)
• Update IR playbooks and conduct red team exercises using emerging C2 tools
• Harden EDR/XDR, restrict scripting, and enforce memory integrity controls
• Track operational overlap and tool-sharing between APT and cybercriminal groups

The story in 60 seconds

Attackers are moving away from legacy C2 tools like Cobalt Strike and Metasploit, favoring modular, open-source, and commercial frameworks—Sliver, Havoc, Mythic, and Brute Ratel C4. These frameworks offer encrypted, multi-protocol C2, in-memory payloads, and seamless integration with cloud APIs, complicating detection and response.

Recent campaigns (Ivanti zero-days, ClickFix, GOFFEE) show threat actors embedding C2 traffic within trusted cloud services, automating post-exploitation, and sharing tools across APT and cybercriminal lines. This operational convergence is accelerating, with attackers customizing agents and leveraging micro-service architectures for resilience.

Defenders must adapt by prioritizing behavioral analytics, hardening endpoints, and updating IR playbooks. The next wave of C2 frameworks is expected to leverage AI, expand multi-channel comms, and deepen OPSEC, raising the bar for detection and response.

AlphaHunt

Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Why it matters

SOC

• Watch for encrypted C2 over HTTP(S), DNS, and cloud APIs (Microsoft Graph, SharePoint)
• Flag reflective DLL injection, in-memory payloads, and non-standard C2 channels
• Alert on anomalous PowerShell/Python activity, especially tied to cloud service use

IR

• Preserve memory dumps and process trees for in-memory/reflective payload analysis
• Triage for persistence via renamed system daemons or cloud API abuse
• Collect forensic evidence of token manipulation and lateral movement

SecOps

• Deploy and tune EDR/XDR for in-memory and reflective injection detection
• Restrict PowerShell/Python execution; enforce application whitelisting
• Enable network segmentation and monitor for suspicious cloud service traffic

Strategic

• Invest in behavioral analytics and cloud monitoring capabilities
• Update incident response and tabletop exercises for new C2 frameworks
• Track convergence of APT and cybercrime TTPs for attribution and risk assessment

See it in your telemetry

Network

• Detect encrypted C2 over HTTP(S), DNS, and cloud APIs (Microsoft Graph, SharePoint)
• Monitor for non-standard C2 channels (Slack, Telegram, custom TCP)
• Flag anomalous traffic patterns from edge/gateway devices (Ivanti, VPNs)

Endpoint

• Alert on reflective DLL injection, in-memory payloads, and process injection (T1055)
• Monitor PowerShell/Python execution, especially with cloud service access
• Track creation of suspicious daemons or renamed system files

High Impact, Quick Wins

• Deploy YARA rules and threat intel for Sliver, Havoc, Mythic, Brute Ratel C4, and Cobalt Strike artifacts
• Restrict and monitor scripting interpreters (PowerShell, Python) on endpoints
• Conduct red team exercises using emerging C2 frameworks to validate detection and response

Ready to level up your intelligence game?

Sign Up!

Research

Top 5 Emerging and Popular C2 Frameworks (2025–2026)

This analysis identifies and details the top 5 most prominent and rapidly emerging Command and Control (C2) frameworks leveraged by both nation-state/APT and cybercriminal threat actors as of late 2025 and projected into 2026. Each section provides a technical overview, unique features, adoption and trending patterns, and operational impact. All URLs have been validated for relevance and authority.

1. Sliver

Technical Overview & Unique Features:

• Sliver is an open-source, cross-platform C2 framework supporting Windows, Linux, and macOS.
• Features include modular implants, encrypted communications (MTLS, HTTP(S), DNS), dynamic operator collaboration, and in-memory payloads.
• Its rapid development and open-source nature allow for frequent updates and customization.

Adoption & Trends:

• Sliver has become a leading alternative to Cobalt Strike, widely adopted by both APT and cybercriminal actors.
• The four most frequently used frameworks — Sliver, Metasploit, Havoc, and Brute Ratel C4 — can work with exploits out of the box because their agents provide a variety of post-compromise capabilities.
• Wiz researchers found that in the recent attacks on the Ivanti zero-days, the threat actor used Sliver, a C2 framework that's popular with both red teams and cybercriminals.

Operational Impact:

• Sliver’s modularity and encrypted traffic present detection challenges for SOC analysts.
• Its use in high-profile edge device exploits and ransomware campaigns is increasing.

2. Havoc

Technical Overview & Unique Features:

• Havoc is an open-source C2 framework with a focus on stealth and evasion, supporting Windows and Linux.
• Features include a modular “Demon” agent, reflective loading, encrypted communications, and integration with Microsoft Graph API for covert C2.
• Supports advanced post-exploitation, file operations, token manipulation, and Kerberos attacks.

Adoption & Trends:

• Havoc is rapidly gaining popularity among both APT and cybercriminal groups, especially for phishing and initial access.
• The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services.
• Sliver, Havoc, Metasploit, Mythic, Brute Ratel C4, and Cobalt Strike (in that order) have emerged as the most frequently used command-and-control (C2) frameworks in malicious attacks in Q2 2025, per data from Kaspersky.

Operational Impact:

• Havoc’s use of trusted cloud APIs and modular payloads complicates detection and response.
• SOC analysts must monitor for abuse of legitimate services and unusual PowerShell or Python activity.

3. Mythic

Technical Overview & Unique Features:

• Mythic is a modern, open-source C2 platform with a web-based UI, multi-user support, and a microservice architecture.
• Supports multiple agent types (Python, Go, .NET, Swift, C), encrypted communications, and advanced modular payloads.
• Notable for its support of Beacon Object Files (BOFs) and flexible communication profiles (HTTP, TCP, Slack, Telegram).

Adoption & Trends:

• Mythic is increasingly used for both red teaming and real-world attacks, especially where stealth and modularity are required.
• Our payload requirements are supported by the Mythic framework. Its microservice architecture makes it easy to add arbitrary server-side functionality. For example, the module assembly process takes place inside a container and is fully defined by us.
• Kaspersky researchers analyze GOFFEEs campaign in H2 2024: the updated infection scheme, new PowerModul implant, switch to a binary Mythic agent.

Operational Impact:

• Mythic’s modularity and support for custom communication channels make detection difficult.
• SOC teams should monitor for non-standard C2 channels and BOF-based post-exploitation.

4. Brute Ratel C4

Technical Overview & Unique Features:

• Brute Ratel C4 is a commercial C2 framework designed for red teaming, but increasingly abused by threat actors.
• Features include advanced evasion, in-memory execution, reflective DLL injection, and support for multiple communication protocols.
• Known for its OPSEC-focused design and ability to bypass EDR/AV solutions.

Adoption & Trends:

• Brute Ratel C4 is now among the top C2 frameworks used in APT and ransomware campaigns.
• The four most frequently used frameworks — Sliver, Metasploit, Havoc, and Brute Ratel C4 — can work with exploits out of the box because their agents provide a variety of post-compromise capabilities.
• Attackers are increasingly customizing their C2 agents to automate malicious activities and hinder detection.

Operational Impact:

• Brute Ratel’s advanced evasion and OPSEC features make it a high-priority detection target for SOCs.
• Analysts should monitor for reflective DLL injection and unusual in-memory activity.

5. Cobalt Strike

Technical Overview & Unique Features:

• Cobalt Strike is a commercial adversary simulation tool, long favored by both red teams and threat actors.
• Features include the Beacon agent, malleable C2 profiles, in-memory execution, and support for multiple communication protocols.
• Recent versions and cracked builds are still widely abused, but detection has improved.

Adoption & Trends:

• While detection of Cobalt Strike has improved, it remains a staple in both APT and ransomware operations, often in combination with other frameworks.
• Cobalt Strike is a commercial software framework that enables security professionals like red team members to simulate attackers embedding themselves in a network.
• UNC5221 Focuses on Ivanti Products as Cobalt Strike Is Most Frequently Associated with Post-Exploitation Activity. The threat actors ...

Operational Impact:

• Cobalt Strike’s malleable profiles and in-memory techniques require advanced behavioral analytics for detection.
• SOCs should monitor for Beacon traffic, malleable C2 profiles, and post-exploitation activity.

Comparison to Previous Years

• Cobalt Strike and Metasploit remain in use but are increasingly supplanted by open-source and customizable frameworks like Sliver, Havoc, Mythic, and Brute Ratel C4 due to improved detection of legacy tools.
• The trend is toward modular, OPSEC-focused, and cloud-integrated frameworks, with increased abuse of legitimate APIs and cloud services for C2.
• Attackers are customizing C2 agents and automating malicious activities to hinder detection and response.

Areas for Further Inquiry

• The operational overlap and tool-sharing between APT and cybercriminal groups using these frameworks.
• The evolution of detection and response strategies for modular, cloud-integrated C2 frameworks.
• The impact of AI-driven automation on C2 operations and detection.

Recommendations, Actions, Suggested Pivots, Forecasts, Next Steps and References..

(Specially baked, for Paid Subscribers..)