New Report on 1M+ Malware Samples Shows Application Layer Abused for Stealthy C2


A recent analysis of over one million malware samples by Picus Security has revealed a growing trend in the exploitation of application layer protocols for stealthy command-and-control (C2) operations.

These findings, detailed in the Red Report 2025, underscore the increasing sophistication of cyber adversaries who leverage widely used protocols to evade detection and maintain persistence in target environments.

Application Layer Protocols: A Key Enabler for Modern Malware

The application layer, the topmost layer of the OSI model, is critical for enabling communication between software applications across diverse platforms.

Adversaries exploit this layer by embedding malicious commands and data within legitimate traffic, effectively blending their activities into routine network communications.

This tactic is mapped to MITRE ATT&CK Technique T1071 and its sub-techniques, which cover various protocols such as HTTP/S, DNS, FTP, and WebSockets.

The report highlights that adversaries increasingly prefer application layer protocols due to their ubiquity and inherent trust.

For example, HTTPS traffic is encrypted, making it difficult for traditional security tools to inspect malicious payloads.

Similarly, DNS tunneling and WebSockets provide continuous communication channels that are hard to distinguish from legitimate activity.

Case Studies: Malware Leveraging Application Layer Protocols

Several notable malware campaigns from 2024 illustrate how these techniques are being operationalized:

  1. WezRat Malware: This malware uses HTTPS for encrypted C2 communication. By disguising its traffic as legitimate web requests, WezRat exfiltrates data and fetches commands without triggering alarms.
  2. Glutton Malware: Operating over HTTP, this modular malware polls C2 servers using standard GET/POST requests to download additional payloads. Its reliance on clear-text HTTP allows it to mimic routine web traffic while embedding malicious commands.
  3. RevC2 Backdoor: Leveraging WebSockets, RevC2 establishes a full-duplex communication channel with its C2 server. This persistent connection enables real-time data exchange while evading detection tools that monitor traditional HTTP traffic.
  4. ZLoader: The latest version of this malware employs DNS tunneling for encrypted C2 communications. By encoding data into DNS packets, ZLoader bypasses conventional network defenses while maintaining a covert channel.

Picus Security's analysis revealed that 93% of malicious actions observed in 2024 were preventable with existing security measures.

However, the rise in “whispering channels,” such as HTTPS and DNS-over-HTTPS (DoH), highlights the need for advanced detection tools capable of analyzing encrypted traffic without compromising privacy.

These findings emphasize the importance of adopting proactive security strategies.

Organizations must enhance monitoring capabilities for application-layer traffic and implement robust defenses against protocol abuse.

Techniques such as deep-packet inspection (DPI), behavioral analytics, and encrypted traffic analysis are critical to countering these evolving threats.
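The DNS tunneling case above (ZLoader, T1071.004) and the call for behavioral analytics of application-layer traffic both come down to the same defender's question: does a client's DNS activity look like name resolution, or like data encoded into query names? The script below is an added example written for this article, not code from Picus Security or from the Red Report; it runs a simple behavioral heuristic over a few constructed DNS query log lines. The log format (timestamp, client, query name, query type), the `tunnel-example.net` domain and the thresholds (label length, Shannon entropy, unique-label count) are all assumptions chosen for illustration, and would be tuned against a real resolver's baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <client> <qname> <qtype>".
# 10.0.0.5 resolves ordinary hostnames; 10.0.0.7 issues long, high-entropy
# subdomains under one base domain, the pattern DNS tunneling produces.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 cdn.example.com A
2024-05-01T10:00:03Z 10.0.0.7 a9f3e1c4b7d2e8f0a1b2c3d4e5f60718.tunnel-example.net TXT
2024-05-01T10:00:04Z 10.0.0.7 7c1d9e2f3a4b5c6d7e8f9a0b1c2d3e4f.tunnel-example.net TXT
2024-05-01T10:00:05Z 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel-example.net TXT
2024-05-01T10:00:06Z 10.0.0.7 e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0.tunnel-example.net TXT
2024-05-01T10:00:07Z 10.0.0.5 mail.example.com MX
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; 4.0 is the maximum for hex text."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return (timestamp, client, qname, qtype) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return ts, client, qname.rstrip(".").lower(), qtype.upper()


def split_qname(qname):
    """Split 'label.base.tld' into (leftmost label, base domain).

    Assumption: the base domain is the last two labels. Names with fewer
    than three labels carry no client-chosen label and yield None.
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[-2:])


def analyze_dns_log(text, min_label_len=24, min_entropy=3.5, min_unique=3):
    """Flag (client, base domain) pairs whose leftmost labels look like encoded data.

    A query is 'suspicious' when its leftmost label is long and high-entropy.
    A pair is reported once it has produced at least min_unique distinct
    suspicious labels, which separates tunneling from a single odd lookup.
    """
    seen = defaultdict(dict)  # (client, base) -> {label: entropy}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, _ = rec
        parts = split_qname(qname)
        if parts is None:
            continue
        label, base = parts
        ent = shannon_entropy(label)
        if len(label) >= min_label_len and ent >= min_entropy:
            seen[(client, base)][label] = ent

    findings = []
    for (client, base), labels in seen.items():
        if len(labels) >= min_unique:
            findings.append({
                "client": client,
                "base_domain": base,
                "suspicious_queries": len(labels),
                "mean_entropy": round(sum(labels.values()) / len(labels), 2),
            })
    return sorted(findings, key=lambda f: (-f["suspicious_queries"], f["client"]))


if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_DNS_LOG):
        print(f"{f['client']} -> {f['base_domain']}: "
              f"{f['suspicious_queries']} high-entropy labels, "
              f"mean entropy {f['mean_entropy']}")
```

Run on the constructed log, only 10.0.0.7 with `tunnel-example.net` is reported; the short `www`, `cdn` and `mail` labels never reach the length threshold. The heuristic is deliberately per client and per base domain rather than per query, because CDNs and some legitimate services also emit long hashed labels; what distinguishes a tunnel is a single client producing many distinct encoded labels under one domain, so the unique-label count is the signal worth alerting on, with the entropy and length filters only narrowing the candidates.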

As adversaries continue to refine their methods, leveraging trusted protocols for stealthy operations will likely remain a cornerstone of sophisticated cyberattacks in the years ahead.
