Jitter-Trap – A New Technique to Detect Stealthy Beacon Traffic
Varonis researchers have unveiled a new detection method called Jitter-Trap that turns cybercriminals’ own evasion tactics against them, offering new hope in the battle against sophisticated post-exploitation attacks.
Released on June 18, 2025, this technique focuses on identifying stealthy beacon communications that traditional security measures often miss.
Jitter-Trap to Detect Stealthy Traffic
The Jitter-Trap technique exploits a fundamental weakness in how threat actors attempt to hide their command and control (C2) communications.
Beacons used by frameworks like Cobalt Strike, Sliver, Empire, and Mythic employ “jitter” parameters to add randomness to their communication intervals, believing this makes them appear more natural.
However, Varonis researchers discovered that this randomness creates detectable patterns. When analyzing time differences between consecutive requests, beacon traffic with jitter configurations forms uniform distributions that are statistically identifiable.
The research team used distribution tests, including Kolmogorov-Smirnov and chi-square tests, to detect these signatures.
For example, a Bing Search Malleable C2 profile configured with a 60-second sleep time and 20% jitter produces intervals ranging from 48 to 72 seconds, forming a telltale uniform distribution pattern that differs significantly from legitimate polling traffic.
The detection method analyzes several key behavioral characteristics of beacon traffic. Sleep parameters define fixed intervals for beacon check-ins, while jitter adds variability to obscure predictable patterns.
Varonis found that traffic with jitter characteristics appears in only 3.95% of benign communications, compared to 8.25% for non-jittered polling traffic.
Recent Cobalt Strike samples analyzed by the team showed various configurations, including beacons with sleep times ranging from 16,000 to 112,922 milliseconds, all configured with non-default jitter settings.
These samples maintained low detection rates among security agents while exhibiting the uniform distribution patterns that Jitter-Trap can identify.
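The timing check described above, written out as an added example (this is illustration code, not Varonis' implementation). It fits a uniform distribution to the observed range of inter-request gaps, runs a Kolmogorov-Smirnov test and a chi-square test against that fit, and infers the sleep and jitter settings from the gap range on the assumption the article's example implies: gaps spanning sleep×(1−j) to sleep×(1+j), so 60 s and 20% give 48–72 s. The significance level (0.05), the large-sample KS critical value 1.36/√n, the 10-bin chi-square critical value, the 2% tolerance used to recognise a fixed sleep, the 30-gap minimum, and all three sample series are assumptions constructed for this example; the beacon series is drawn one value per equal-width slice of 48–72 s so that it behaves deterministically.

```python
"""Jitter-Trap style timing check: do the gaps between one client's requests
to one destination look uniformly distributed, as jittered beacon sleeps do?
Added illustration, not Varonis' code; thresholds and sample data are constructed."""
import math
import random
from typing import List, Tuple

KS_COEFF_005 = 1.36          # KS: reject uniformity at alpha 0.05 when D > 1.36/sqrt(n)
CHI2_CRIT_DF9_005 = 16.919   # chi-square critical value, 9 degrees of freedom (10 bins)
BINS = 10
MIN_GAPS = 30                # assumed: fewer gaps than this and the tests say little


def inter_arrival_gaps(timestamps: List[float]) -> List[float]:
    """Seconds between consecutive requests from one client to one destination."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def estimate_sleep_and_jitter(gaps: List[float]) -> Tuple[float, float]:
    """Infer sleep and jitter from the gap range, assuming gaps span
    [sleep*(1-j), sleep*(1+j)] as in the article's 60 s / 20 % -> 48-72 s example."""
    lo, hi = min(gaps), max(gaps)
    sleep = (lo + hi) / 2.0
    jitter = (hi - lo) / (hi + lo) if hi + lo > 0 else 0.0
    return sleep, jitter


def ks_statistic_uniform(gaps: List[float]) -> float:
    """Largest distance between the empirical CDF of the gaps and the CDF of a
    uniform distribution fitted to [min(gaps), max(gaps)]."""
    xs = sorted(gaps)
    n, lo, hi = len(xs), xs[0], xs[-1]
    if hi == lo:
        raise ValueError("gaps have zero spread; a uniform fit is undefined")
    d = 0.0
    for i, x in enumerate(xs, start=1):
        f = (x - lo) / (hi - lo)
        # the empirical CDF jumps from (i-1)/n to i/n at x; check both sides of the step
        d = max(d, abs(i / n - f), abs((i - 1) / n - f))
    return d


def chi_square_uniform(gaps: List[float], bins: int = BINS) -> float:
    """Chi-square statistic of per-bin gap counts against equal expected counts."""
    lo, hi = min(gaps), max(gaps)
    if hi == lo:
        raise ValueError("gaps have zero spread; a uniform fit is undefined")
    width = (hi - lo) / bins
    counts = [0] * bins
    for g in gaps:
        counts[min(int((g - lo) / width), bins - 1)] += 1  # the maximum lands in the last bin
    expected = len(gaps) / bins
    return sum((c - expected) ** 2 / expected for c in counts)


def classify_gaps(gaps: List[float]) -> str:
    """'fixed-polling', 'jittered-beacon', 'irregular' or 'insufficient-data'.
    Both distribution tests must accept uniformity before a series is called jittered."""
    n = len(gaps)
    if n < MIN_GAPS:
        return "insufficient-data"
    lo, hi = min(gaps), max(gaps)
    mid = (lo + hi) / 2.0
    if mid <= 0 or (hi - lo) / mid < 0.02:   # assumed 2 % tolerance: a plain fixed sleep
        return "fixed-polling"
    ks_accepts = ks_statistic_uniform(gaps) <= KS_COEFF_005 / math.sqrt(n)
    chi_accepts = chi_square_uniform(gaps) <= CHI2_CRIT_DF9_005
    return "jittered-beacon" if ks_accepts and chi_accepts else "irregular"


def _cumulative(gaps: List[float], start: float = 0.0) -> List[float]:
    ts = [start]
    for g in gaps:
        ts.append(ts[-1] + g)
    return ts


def constructed_beacon_timestamps(sleep: float = 60.0, jitter: float = 0.20,
                                  n: int = 120) -> List[float]:
    """Constructed check-in times for the article's 60 s / 20 % profile. One draw per
    equal-width slice of [48, 72] (stratified sampling) keeps the example deterministic."""
    rng = random.Random(2025)
    lo, hi = sleep * (1 - jitter), sleep * (1 + jitter)
    slice_w = (hi - lo) / n
    gaps = [lo + (k + rng.random()) * slice_w for k in range(n)]
    rng.shuffle(gaps)
    return _cumulative(gaps)


def constructed_fixed_polling_timestamps() -> List[float]:
    """Constructed, idealised periodic poller: exactly 60 s between requests."""
    return _cumulative([60.0] * 60)


def constructed_browsing_timestamps() -> List[float]:
    """Constructed human-like traffic: a burst of quick requests, then long idle gaps."""
    return _cumulative([0.4 + 0.1 * i for i in range(50)] + [30.0, 45.0, 90.0, 120.0, 300.0])


if __name__ == "__main__":
    for name, ts in [("beacon", constructed_beacon_timestamps()),
                     ("poller", constructed_fixed_polling_timestamps()),
                     ("browsing", constructed_browsing_timestamps())]:
        print(name, classify_gaps(inter_arrival_gaps(ts)))
```

Run stand-alone, the beacon series is labelled `jittered-beacon` with an estimated sleep of about 60 s and jitter of about 0.2, the exact-period poller is labelled `fixed-polling` before any test runs (a zero-spread sample has no uniform fit), and the bursty browsing series fails the KS test by a wide margin. In a real pipeline the gap series would be built per client and destination from proxy or NetFlow records, and the estimated sleep and jitter give the analyst a configuration to compare against the sample ranges the article quotes.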
The technique also analyzes URL randomness, where frameworks like PoshC2 and Sliver generate semi-random URLs for each request.
This creates unusually high ratios of distinct URLs to total requests, another behavioral anomaly that distinguishes malicious traffic from legitimate web applications.
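The URL-diversity signal above, as an added example that is not part of the original article or of any framework's code. It parses a constructed proxy-log format of the form `<timestamp> <client_ip> <method> <url> <status>`, groups requests by client and destination host, and reports the ratio of distinct URLs to total requests. The 90% flagging threshold, the 20-request minimum (a handful of requests that happen to be distinct says nothing), the hostnames under the reserved `.test` domain and the random-looking `/assets/<hex>.js` paths standing in for framework-generated URLs are all assumptions constructed for this example.

```python
"""URL-diversity check: a client/host pair whose requests almost never repeat a URL.
Added illustration, not Varonis' code; log format, thresholds and lines are constructed."""
import random
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

MIN_REQUESTS = 20       # assumed: too few requests to judge diversity
RATIO_THRESHOLD = 0.9   # assumed: flag when >= 90 % of requests hit a never-repeated URL


def parse_line(line: str) -> Tuple[str, str, str]:
    """Return (client_ip, host, path_and_query) from one constructed log line of the
    form '<timestamp> <client_ip> <method> <url> <status>'."""
    _ts, client, _method, url, _status = line.split()
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return client, parts.netloc.lower(), path


def distinct_url_ratios(lines: Iterable[str]) -> Dict[Tuple[str, str], Tuple[int, float]]:
    """Per (client, host): (request count, distinct URLs / total requests)."""
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in lines:
        client, host, path = parse_line(line)
        seen[(client, host)].append(path)
    return {pair: (len(urls), len(set(urls)) / len(urls)) for pair, urls in seen.items()}


def flagged_pairs(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Client/host pairs with enough requests and a distinct-URL ratio at or above threshold."""
    ratios = distinct_url_ratios(lines)
    return sorted(pair for pair, (count, ratio) in ratios.items()
                  if count >= MIN_REQUESTS and ratio >= RATIO_THRESHOLD)


def constructed_log() -> List[str]:
    """Constructed sample: a legitimate web app client, a beacon-like client with a fresh
    random-looking path per request, and a client with too few requests to judge."""
    rng = random.Random(7)
    lines: List[str] = []
    endpoints = ["/api/inbox", "/api/inbox?page=2", "/static/app.js", "/api/notify"]
    for i in range(40):   # legitimate app: the same four endpoints, polled repeatedly
        lines.append(f"2025-06-18T09:00:{i:02d}Z 10.0.0.5 GET "
                     f"https://mail.example.test{endpoints[i % 4]} 200")
    for i in range(40):   # beacon-like: every request uses a new 16-hex token in the path
        token = f"{rng.getrandbits(64):016x}"
        lines.append(f"2025-06-18T09:00:{i:02d}Z 10.0.0.9 GET "
                     f"https://cdn.example.test/assets/{token}.js 200")
    for i in range(5):    # sparse: all distinct, but below MIN_REQUESTS
        lines.append(f"2025-06-18T09:00:{i:02d}Z 10.0.0.12 GET "
                     f"https://search.example.test/q?term=item{i} 200")
    return lines


if __name__ == "__main__":
    for pair, (count, ratio) in sorted(distinct_url_ratios(constructed_log()).items()):
        print(pair, count, f"{ratio:.2f}")
    print("flagged:", flagged_pairs(constructed_log()))
```

The web-app client repeats four endpoints across 40 requests (ratio 0.10), the beacon-like client never repeats a path (ratio 1.00) and is the only pair flagged, and the five-request client is ignored despite a ratio of 1.00 because of the minimum-count guard. Query strings are kept deliberately: a legitimate search page also produces many distinct URLs, so in practice this ratio is one feature weighed alongside the timing analysis rather than an alert on its own.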
Defense Strategies
Security professionals can integrate Jitter-Trap methodology into existing threat hunting programs to enhance detection capabilities against advanced persistent threats.
The technique is particularly valuable because it operates at the behavioral level, making it resistant to traditional evasion methods like obfuscation and encryption.
Organizations should implement distribution analysis algorithms alongside conventional security measures, focusing on time interval patterns and URL diversity ratios.
This multi-layered approach transforms attackers’ evasion techniques into detection opportunities, significantly improving cybersecurity posture against sophisticated beacon-based attacks.