Modular C2 Frameworks Quietly Redefine Threat Operations for 2025–2026
Attackers are rapidly shifting to modular, cloud-integrated C2 frameworks—Sliver, Havoc, Mythic, Brute Ratel C4, and Cobalt Strike—blurring lines between APT and cybercrime. These tools’ stealth, automation, and cloud API abuse are outpacing legacy detection, demanding urgent defensive adaptation.

This is an update to an original article I wrote mid-summer of 2024... oh what a ways we've come. Enjoy!!
TL;DR
Key Points
- Prioritize detection of modular, cloud-integrated C2 frameworks (Sliver, Havoc, Mythic, Brute Ratel C4, Cobalt Strike)
- Monitor for abuse of PowerShell/Python, in-memory payloads, and cloud APIs (Microsoft Graph, SharePoint)
- Update IR playbooks and conduct red team exercises using emerging C2 tools
- Harden EDR/XDR, restrict scripting, and enforce memory integrity controls
- Track operational overlap and tool-sharing between APT and cybercriminal groups
The story in 60 seconds
Attackers are moving away from legacy C2 tools like Cobalt Strike and Metasploit, favoring modular, open-source, and commercial frameworks—Sliver, Havoc, Mythic, and Brute Ratel C4. These frameworks offer encrypted, multi-protocol C2, in-memory payloads, and seamless integration with cloud APIs, complicating detection and response.
Recent campaigns (Ivanti zero-days, ClickFix, GOFFEE) show threat actors embedding C2 traffic within trusted cloud services, automating post-exploitation, and sharing tools across APT and cybercriminal lines. This operational convergence is accelerating, with attackers customizing agents and leveraging micro-service architectures for resilience.
Defenders must adapt by prioritizing behavioral analytics, hardening endpoints, and updating IR playbooks. The next wave of C2 frameworks is expected to leverage AI, expand multi-channel comms, and deepen OPSEC, raising the bar for detection and response.
Why it matters
SOC
- Watch for encrypted C2 over HTTP(S), DNS, and cloud APIs (Microsoft Graph, SharePoint)
- Flag reflective DLL injection, in-memory payloads, and non-standard C2 channels
- Alert on anomalous PowerShell/Python activity, especially tied to cloud service use
IR
- Preserve memory dumps and process trees for in-memory/reflective payload analysis
- Triage for persistence via renamed system daemons or cloud API abuse
- Collect forensic evidence of token manipulation and lateral movement
SecOps
- Deploy and tune EDR/XDR for in-memory and reflective injection detection
- Restrict PowerShell/Python execution; enforce application whitelisting
- Enable network segmentation and monitor for suspicious cloud service traffic
Strategic
- Invest in behavioral analytics and cloud monitoring capabilities
- Update incident response and tabletop exercises for new C2 frameworks
- Track convergence of APT and cybercrime TTPs for attribution and risk assessment
See it in your telemetry
Network
- Detect encrypted C2 over HTTP(S), DNS, and cloud APIs (Microsoft Graph, SharePoint)
- Monitor for non-standard C2 channels (Slack, Telegram, custom TCP)
- Flag anomalous traffic patterns from edge/gateway devices (Ivanti, VPNs)
Endpoint
- Alert on reflective DLL injection, in-memory payloads, and process injection (T1055)
- Monitor PowerShell/Python execution, especially with cloud service access
- Track creation of suspicious daemons or renamed system files
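The endpoint and network checks above can be turned into concrete detection logic. The following Python is an added example, not code from the original article: it runs over constructed endpoint telemetry (assumed fields: timestamp, host, process image, destination host), flags scripting interpreters that reach Microsoft Graph or SharePoint at all, and rates a group as beacon-like when its requests arrive at near-constant intervals, which is the pattern a Havoc-style Graph API channel leaves behind.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry, not real data: (timestamp, host, process image, destination host).
SAMPLE_EVENTS = [
    ("2025-10-01T09:00:00", "ws01", "powershell.exe", "graph.microsoft.com"),
    ("2025-10-01T09:01:00", "ws01", "powershell.exe", "graph.microsoft.com"),
    ("2025-10-01T09:02:01", "ws01", "powershell.exe", "graph.microsoft.com"),
    ("2025-10-01T09:03:00", "ws01", "powershell.exe", "graph.microsoft.com"),
    ("2025-10-01T09:04:00", "ws01", "powershell.exe", "graph.microsoft.com"),
    ("2025-10-01T09:00:10", "ws02", "OUTLOOK.EXE", "graph.microsoft.com"),   # normal client, ignored
    ("2025-10-01T09:07:42", "ws02", "OUTLOOK.EXE", "graph.microsoft.com"),
    ("2025-10-01T09:02:00", "ws03", "python.exe", "contoso.sharepoint.com"), # too few events to score
    ("2025-10-01T09:47:00", "ws03", "python.exe", "contoso.sharepoint.com"),
]

# Interpreters that rarely have a legitimate reason to talk to Graph/SharePoint directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "wscript.exe", "cscript.exe"}

def is_cloud_api(dest: str) -> bool:
    d = dest.lower()
    return d == "graph.microsoft.com" or d.endswith(".sharepoint.com")

def beacon_score(times):
    """Coefficient of variation of the inter-request gaps; close to 0 means machine-regular."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0

def flag_cloud_api_abuse(events, min_events=4, max_cv=0.2):
    """One finding per (host, process, destination) where a scripting interpreter reached a
    cloud API; kind is 'beacon' when >= min_events requests are near-evenly spaced (CV <= max_cv),
    otherwise 'script_to_cloud_api'. cv is None when there were too few events to score."""
    groups = defaultdict(list)
    for ts, host, proc, dest in events:
        if proc.lower() in SCRIPT_HOSTS and is_cloud_api(dest):
            groups[(host, proc.lower(), dest.lower())].append(datetime.fromisoformat(ts))
    findings = []
    for (host, proc, dest), times in sorted(groups.items()):
        times.sort()
        kind, cv = "script_to_cloud_api", None
        if len(times) >= max(min_events, 2):   # need at least one gap to measure regularity
            cv = round(beacon_score(times), 3)
            if cv <= max_cv:
                kind = "beacon"
        findings.append({"host": host, "process": proc, "dest": dest,
                         "count": len(times), "kind": kind, "cv": cv})
    return findings
```

Calling `flag_cloud_api_abuse(SAMPLE_EVENTS)` on the sample reports ws01 as a beacon (five PowerShell requests roughly 60 s apart) and ws03 as a lower-confidence script-to-cloud-API hit; tune `min_events` and `max_cv` against your own baseline of legitimate automation before alerting.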
High Impact, Quick Wins
- Deploy YARA rules and threat intel for Sliver, Havoc, Mythic, Brute Ratel C4, and Cobalt Strike artifacts
- Restrict and monitor scripting interpreters (PowerShell, Python) on endpoints
- Conduct red team exercises using emerging C2 frameworks to validate detection and response
Research
Top 5 Emerging and Popular C2 Frameworks (2025–2026)
This analysis identifies and details the top 5 most prominent and rapidly emerging Command and Control (C2) frameworks leveraged by both nation-state/APT and cybercriminal threat actors as of late 2025 and projected into 2026. Each section provides a technical overview, unique features, adoption and trending patterns, and operational impact. All URLs have been validated for relevance and authority.
1. Sliver
Technical Overview & Unique Features:
- Sliver is an open-source, cross-platform C2 framework supporting Windows, Linux, and macOS.
- Features include modular implants, encrypted communications (mTLS, HTTP(S), DNS), dynamic operator collaboration, and in-memory payloads.
- Its rapid development and open-source nature allow for frequent updates and customization.
Adoption & Trends:
- Sliver has become a leading alternative to Cobalt Strike, widely adopted by both APT and cybercriminal actors.
- The four most frequently used frameworks — Sliver, Metasploit, Havoc, and Brute Ratel C4 — can work with exploits out of the box because their agents provide a variety of post-compromise capabilities.
- Wiz researchers found that in the recent attacks on the Ivanti zero-days, the threat actor used Sliver, a C2 framework that's popular with both red teams and cybercriminals.
Operational Impact:
- Sliver’s modularity and encrypted traffic present detection challenges for SOC analysts.
- Its use in high-profile edge device exploits and ransomware campaigns is increasing.
2. Havoc
Technical Overview & Unique Features:
- Havoc is an open-source C2 framework with a focus on stealth and evasion, supporting Windows and Linux.
- Features include a modular “Demon” agent, reflective loading, encrypted communications, and integration with Microsoft Graph API for covert C2.
- Supports advanced post-exploitation, file operations, token manipulation, and Kerberos attacks.
Adoption & Trends:
- Havoc is rapidly gaining popularity among both APT and cybercriminal groups, especially for phishing and initial access.
- The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services.
- Sliver, Havoc, Metasploit, Mythic, Brute Ratel C4, and Cobalt Strike (in that order) have emerged as the most frequently used command-and-control (C2) frameworks in malicious attacks in Q2 2025, per data from Kaspersky.
Operational Impact:
- Havoc’s use of trusted cloud APIs and modular payloads complicates detection and response.
- SOC analysts must monitor for abuse of legitimate services and unusual PowerShell or Python activity.
3. Mythic
Technical Overview & Unique Features:
- Mythic is a modern, open-source C2 platform with a web-based UI, multi-user support, and a microservice architecture.
- Supports multiple agent types (Python, Go, .NET, Swift, C), encrypted communications, and advanced modular payloads.
- Notable for its support of Beacon Object Files (BOFs) and flexible communication profiles (HTTP, TCP, Slack, Telegram).
Adoption & Trends:
- Mythic is increasingly used for both red teaming and real-world attacks, especially where stealth and modularity are required.
- Our payload requirements are supported by the Mythic framework. Its microservice architecture makes it easy to add arbitrary server-side functionality. For example, the module assembly process takes place inside a container and is fully defined by us.
- Kaspersky researchers analyze GOFFEE's campaign in H2 2024: the updated infection scheme, new PowerModul implant, switch to a binary Mythic agent.
Operational Impact:
- Mythic’s modularity and support for custom communication channels make detection difficult.
- SOC teams should monitor for non-standard C2 channels and BOF-based post-exploitation.
4. Brute Ratel C4
Technical Overview & Unique Features:
- Brute Ratel C4 is a commercial C2 framework designed for red teaming, but increasingly abused by threat actors.
- Features include advanced evasion, in-memory execution, reflective DLL injection, and support for multiple communication protocols.
- Known for its OPSEC-focused design and ability to bypass EDR/AV solutions.
Adoption & Trends:
- Brute Ratel C4 is now among the top C2 frameworks used in APT and ransomware campaigns.
- Attackers are increasingly customizing their C2 agents to automate malicious activities and hinder detection.
Operational Impact:
- Brute Ratel’s advanced evasion and OPSEC features make it a high-priority detection target for SOCs.
- Analysts should monitor for reflective DLL injection and unusual in-memory activity.
5. Cobalt Strike
Technical Overview & Unique Features:
- Cobalt Strike is a commercial adversary simulation tool, long favored by both red teams and threat actors.
- Features include the Beacon agent, malleable C2 profiles, in-memory execution, and support for multiple communication protocols.
- Recent versions and cracked builds are still widely abused, but detection has improved.
Adoption & Trends:
- While detection of Cobalt Strike has improved, it remains a staple in both APT and ransomware operations, often in combination with other frameworks.
- Cobalt Strike is a commercial software framework that enables security professionals like red team members to simulate attackers embedding themselves in a network.
- UNC5221 Focuses on Ivanti Products as Cobalt Strike Is Most Frequently Associated with Post-Exploitation Activity. The threat actors ...
Operational Impact:
- Cobalt Strike’s malleable profiles and in-memory techniques require advanced behavioral analytics for detection.
- SOCs should monitor for Beacon traffic, malleable C2 profiles, and post-exploitation activity.
Comparison to Previous Years
- Cobalt Strike and Metasploit remain in use but are increasingly supplanted by open-source and customizable frameworks like Sliver, Havoc, Mythic, and Brute Ratel C4 due to improved detection of legacy tools.
- The trend is toward modular, OPSEC-focused, and cloud-integrated frameworks, with increased abuse of legitimate APIs and cloud services for C2.
- Attackers are customizing C2 agents and automating malicious activities to hinder detection and response.
Areas for Further Inquiry
- The operational overlap and tool-sharing between APT and cybercriminal groups using these frameworks.
- The evolution of detection and response strategies for modular, cloud-integrated C2 frameworks.
- The impact of AI-driven automation on C2 operations and detection.
Recommendations, Actions, Suggested Pivots, Forecasts, Next Steps and References
(Specially baked for paid subscribers.)