{
	"id": "0526728e-954b-4437-9e12-3629b9e1852b",
	"created_at": "2026-04-06T00:19:11.322738Z",
	"updated_at": "2026-04-10T03:37:33.403909Z",
	"deleted_at": null,
	"sha1_hash": "8ce74542576ea47e7fffe9a0590a1b2e62b508e9",
	"title": "Using AI to Detect Malicious C2 Traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81965,
	"plain_text": "Using AI to Detect Malicious C2 Traffic\r\nBy Ajaya Neupane, Stefan Achleitner\r\nPublished: 2021-05-24 · Archived: 2026-04-05 22:01:43 UTC\r\nExecutive Summary\r\nSophisticated malware, such as Emotet and Sality, and advanced persistent threats (APTs), such as the recent\r\nSolarStorm attack, emphasize the necessity for advanced detection methods to identify novel, unknown types of\r\nmalicious network traffic.\r\nCurrent intrusion prevention systems (IPS) typically work based on signature matching and monitoring network\r\ntraffic for known patterns in the data packets. Such static methods fall short in detecting unknown types of\r\nmalware-generated network traffic, which calls for more advanced detection techniques that incorporate\r\ninspection of the overall packet structure, rather than specific static patterns.\r\nIn a blog on data leakage from Android apps, Unit 42 researchers demonstrated that unknown traffic types that\r\nleak sensitive user information could be detected using machine learning techniques.\r\nBased on command and control (C2) traffic from malware, such as Sality and Emotet, this blog analyzes how deep\r\nlearning models are further able to identify modified and incomplete C2 traffic packets. This analysis illustrates\r\nthat the usage of machine learning techniques in IPS can discover yet unseen variants of C2 traffic and can help\r\ndetect advanced attack campaigns.\r\nPalo Alto Networks Next-Generation Firewall customers are protected from such types of attacks by IPS and\r\nAppID in our Threat Prevention security subscription and with malware analysis and prevention through our\r\nWildFire security subscription.\r\nC2 Attacks\r\nOne of the most damaging aspects of malicious network attacks is accomplished through C2. 
After malware\r\ninfects a computer, it establishes a connection to the attacker's server -- the so-called C2 server -- to perform\r\nadditional tasks that may include downloading other malicious software, data theft or establishing remote control.\r\nIn the following sections, we introduce several malicious C2 traffic types, which we use as samples to show how\r\nan advanced machine learning system can detect such traffic. The discussed malware families serve as examples to\r\nillustrate the effectiveness of our machine learning AI in the detection of C2 traffic. The detection capabilities of\r\nour AI are not limited to the presented malware samples, but can be applied to general C2 detection.\r\nSality\r\nThe Sality malware was first discovered in 2003 and became more advanced over the years due to the continuous\r\ndevelopment of new features and capabilities. Sality spreads itself by infecting and modifying executable files and\r\ncopying itself to removable drives and shared folders.\r\nhttps://unit42.paloaltonetworks.com/c2-traffic/\r\nPage 1 of 7\n\nOnce the malware infects a computer system, it attempts to open connections to remote sites, download additional\r\nmalicious files and leak data from the host machine. Although Sality has been around for a while, the continued\r\ndevelopment and addition of new features make it an effective and complex malware.\r\nThe following two HTTP packet headers (Figures 1 and 2) show C2 traffic used by Sality to connect to the remote\r\nsite padrup[.]com.\r\nGET /sobaka1.gif?12db3cf=98861835 HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)\r\nHost: padrup[.]com\r\nCache-Control: no-cache\r\nCookie: jsessionid=85b50d8fab658ecb9f79aa4de6039c87\r\nFigure 1. Sality C2 traffic.\r\nGET /sobaka.aspx?24c1882=115624326 HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)\r\nHost: padrup[.]com\r\nCache-Control: no-cache\r\nCookie: jsessionid=a2b0f43b9876d289325c3f13a7f8f95b\r\nFigure 2. 
Sality C2 traffic.\r\nC2 traffic from Sality, such as the packets shown in Figures 1 and 2, communicates with various C2 servers\r\nworldwide to perform tasks such as downloading and installing additional malware or leaking sensitive data.\r\nEmotet\r\nEmotet malware has been known since 2014 as banking malware. Typically, Emotet is distributed with Microsoft\r\nWord documents containing embedded macros to infect vulnerable hosts. C2 traffic from Emotet malware\r\ntransmits encoded or otherwise encrypted data over the HTTP protocol. In Figures 3 and 4, we show HTTP packet\r\nheaders from Emotet C2 traffic.\r\nPOST /r1s4dvgwanu1ov8qku/e6qj08nos8kh/o7rhpr2xi05tkkp/ HTTP/1.1\r\nDNT: 0\r\nReferer: 90[.]160[.]138[.]175/r1s4dvgwanu1ov8qku/e6qj08nos8kh/o7rhpr2xi05tkkp/\r\nContent-Type: multipart/form-data; boundary=----------------------1BetPUScZnIzXogZ6qQcQ8\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3)\r\nHost: 90[.]160[.]138[.]175\r\nContent-Length: 5556\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nFigure 3. Emotet C2 traffic.\r\nPOST /kl4or/ok48hg/a5msy52s4i4uuac7dm/pzudacb2/a51azs1nbhzmu5m/p0f6wimb1tcqvn0/ HTTP/1.1\r\nDNT: 0\r\nReferer: 184[.]66[.]18[.]83/kl4or/ok48hg/a5msy52s4i4uuac7dm/pzudacb2/a51azs1nbhzmu5m/p0f6wimb1tcqvn0/\r\nContent-Type: multipart/form-data; boundary=---------O8dHD39IM\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3)\r\nHost: 184[.]66[.]18[.]83\r\nContent-Length: 6916\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nFigure 4. 
Emotet C2 traffic.\r\nFurther details about Emotet’s C2 traffic and how to analyze it can be found in Unit 42’s posts, Wireshark\r\nTutorial: Examining Emotet Infection Traffic and Attack Chain Overview: Emotet in December 2020 and January\r\n2021.\r\nDetecting C2 Traffic\r\nThe goal of an IPS is to accurately identify connections to a C2 server. Due to the dynamic nature of the internet\r\nand the fast-changing assignment of IP addresses and domain names, this is very challenging to achieve, and\r\ndefenders often lag behind attackers.\r\nAn approach typically used in today’s security industry is to identify C2 traffic, such as network packets from\r\nEmotet, as shown above, with static signatures that match a specific pattern in the traffic. This approach has the\r\nadvantage of being accurate, but it is not flexible in detecting variations or unknown types of traffic. Detecting\r\npackets like the one shown in Figure 3 is especially problematic since there are no reliable patterns in the packet that could\r\nbe used in a signature. For example, the Uniform Resource Identifier (URI) path from an Emotet packet (shown\r\nbelow) appears to contain random strings, which might transmit encoded information, but would not be a reliable\r\npattern to be used in a signature:\r\nPOST /r1s4dvgwanu1ov8qku/e6qj08nos8kh/o7rhpr2xi05tkkp/ HTTP/1.1\r\nA similar case can be observed in the user-agent field, which shows generic values from a web browser, as well as\r\nthe hostname, which consists of a specific IP address:\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3)\r\nHost: 90[.]160[.]138[.]175\r\nNeither field represents an ideal candidate for signature generation.\r\nOther types of C2 packets can be reliably identified with traffic patterns. 
Such reliable patterns are typically\r\ncharacter strings that uniquely identify a certain type of C2 traffic and are not found in other (i.e., benign) traffic\r\nsessions. Still, this approach has the same disadvantage as IP/domain name-based detection due to the inherent\r\nchallenges of maintaining an up-to-date and complete set of traffic patterns.\r\nDue to these shortcomings, the application of machine learning is imperative to achieve flexible and reliable\r\ndetection of C2 traffic. This is critical for detecting novel types of network-based attacks.\r\nC2 Detection with Deep Learning\r\nIt is crucial to detect these malicious C2 traffic sessions promptly. As mentioned above, this is traditionally done\r\nthrough the usage of static signatures on payloads and URLs. However, these signatures are not exhaustive and\r\ncannot detect novel C2 sessions. For these reasons, we researched a deep learning model that can automatically\r\nextract the important features from a vast amount of data to detect malicious C2 sessions.\r\nOur deep learning model leverages advanced machine learning algorithms to learn the content and context from a\r\nnetwork session and determine if it connects to a malicious C2 server. Our detection module determines the\r\nprobability of the session being malicious. Based on a predetermined threshold, we can classify whether a given\r\nsession is malicious or not. For this blog, we tested a model trained on ~60 million HTTP session headers with\r\n~36 million benign and ~24 million malicious sessions. This dataset was collected in 2019.\r\nThe hyperparameters for training the deep learning model are computed so the false positive rate of the model\r\nremains below 0.025%. 
We tested this model for over four months and observed that the average false positive\r\nrate remained below 0.02% with more than 98% precision.\r\nHow Does a Deep Learning Model Detect the Traffic Packets Shown Above?\r\nDeep learning models extract features implicitly from the training data. Thus, it may not be possible to ascertain\r\nprecisely which feature or sequence of features from a packet header triggers detection.\r\nDeep neural networks have many parameters to obtain a highly expressive data representation compared to\r\ntraditional statistical models. By presenting a deep learning model with millions of known malicious data packets,\r\na neural network is trained to recognize the general structure of a C2 traffic packet. Consequently, the factors\r\ninvolved in packet classification do not depend on a single field (such as the host name), but on various features --\r\nthe combination of characters and words or the structure of the packet. The features that distinguish a benign\r\npacket from a malicious one are automatically recognized by the neural network during the training process of\r\nmillions of labeled data points.\r\nTo better understand how a detection decision is made, we re-create the packet headers by removing some critical\r\ninformation (e.g., hostname, URI paths) and evaluate these re-created headers with our deep learning model. We\r\nsummarized our results for different types of malicious C2 traffic in Table 1 and Table 2.\r\nIn Table 1, we present the probability with which our model could detect a session as malicious by testing the full\r\nHTTP header, as well as the header without the uri-path, hostname, user-agent or referer. These context-fields\r\nwere removed one at a time. We observed that the model could detect all four C2 sessions with high confidence\r\nwhen all header field information was present. 
We also see that the model was not reliant on one specific context-field and could detect malicious C2 traffic without some of them present.\r\nMalware C2 | Full header | Without uri-path | Without hostname | Without user-agent | Without referer\r\nEmotet C2 traffic 1 | 99.72 | 99.86 | 96.28 | 97.37 | 99.55\r\nEmotet C2 traffic 2 | 99.79 | 99.91 | 98.04 | 95.48 | 99.76\r\nSality C2 traffic 1 | 99.99 | 99.99 | 99.98 | 99.99 | NA\r\nSality C2 traffic 2 | 99.99 | 99.99 | 99.98 | 99.99 | NA\r\nTable 1. Performance of our deep learning model on session headers with different levels of information (the\r\nvalues in the table show the model confidence of a session being malicious; NA = the packet didn’t have this\r\nfield).\r\nAs we discussed above, a significant challenge in detecting C2 traffic with static signatures is differentiating\r\nreliable patterns from the network traffic. But this is not the only pitfall signatures face in the detection of C2\r\ntraffic. A slight modification of C2 malware traffic could render a signature ineffective. Consider the Sality C2\r\npacket shown in Figure 1. The pattern ‘GET /sobaka1.gif’ is a potential candidate to be used in a signature in an\r\nIPS. Advanced malware may frequently change the command pattern in its traffic payload to bypass packet\r\ninspection by an IPS.\r\nWe simulate such behavior by modifying packet headers and analyze how the detection output of our deep\r\nlearning model changes. Consider the example below. We changed the uri-path in the Sality C2 packet shown in\r\nFigure 1 from ‘/sobaka1.gif?12db3cf=98861835’ to ‘/nobata2.gif?52ad3pf=77952613’ and our model was still able\r\nto detect the packet header as malicious with 99.9% confidence. 
The full modified packet header is shown in\r\nFigure 5.\r\nGET /nobata2.gif?52ad3pf=77952613 HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)\r\nHost: padrup[.]com\r\nCache-Control: no-cache\r\nCookie: jsessionid=85b50d8fab658ecb9f79aa4de6039c87\r\nFigure 5. Modified packet header of Sality C2 traffic.\r\nIn Table 2, we present the prediction results of our model when the values of different context fields are changed, one at a\r\ntime, in the request header. We observed that our model could detect the C2 sessions with modified values in the\r\ncontext-fields. This shows that our deep learning model is not relying on one specific context-field value, but is\r\nlearning from the overall structure of the request header.\r\nMalware C2 | Full header | Modified uri-path | Modified host | Modified user-agent | Modified referer\r\nEmotet C2 traffic 1 | 99.72 | 99.72 | 98.60 | 98.86 | 99.63\r\nEmotet C2 traffic 2 | 99.79 | 99.92 | 99.94 | 99.99 | 99.94\r\nSality C2 traffic 1 | 99.99 | 99.99 | 99.96 | 99.95 | NA\r\nSality C2 traffic 2 | 99.99 | 99.99 | 99.85 | 99.97 | NA\r\nTable 2. Performance of our deep learning model on session headers with changes made on different context-fields of a request header (the values in the table show the model confidence of a session being malicious; NA =\r\nthe packet didn’t have this field).\r\nIn addition to specific payload patterns in packet headers, the ordering of fields can play a role in detecting C2\r\nsessions with deep learning. In Table 3, we show how our model performs when the packets arrive in different\r\ncontext-field structures. For evaluation, we organized the context fields -- host name (H), referer (R) for Emotet or\r\ncache-control (C) for Sality, and user-agent (UA) -- in different arrangements. 
We found that our deep learning model\r\ncould identify the payloads correctly even when the packet structure was changed.\r\nMalware C2 Full header (UP|H|R/C|UA) (UP|H|UA|R/C) (UP|UA|H|R/C)\r\nEmotet C2 traffic 1 99.72 99.65 98.84 99.50\r\nEmotet C2 traffic 2 99.79 98.27 99.51 99.74\r\nSality C2 traffic 1 99.99 99.90 99.99 99.99\r\nSality C2 traffic 2 99.99 99.93 99.98 99.98\r\nTable 3. Performance of our deep learning model on session headers with reordered context-fields (H = Host\r\nname, UA = User-Agent, UP = Uri-Path, R = Referer / C = Cache-Control) (the values in the table show the model\r\nconfidence of a session being malicious; NA = the packet didn’t have this field).\r\nOverall, the results presented above demonstrate the strength of our deep learning model in detecting the\r\nmalicious C2 sessions of malware families like Emotet and Sality. These malware families might connect to\r\ndifferent host servers and transfer additional information to conduct attacks, making it challenging to capture them\r\nwith static signatures.\r\nConclusion\r\nOur research on using deep learning for C2 traffic detection shows the potential and necessity to use advanced\r\nmachine learning for intrusion detection and prevention. For novel attacks and zero-day vulnerabilities, it is\r\ncritical to rely on systems that can identify attacks based on known traffic features and identify unknown types of\r\nmalicious network traffic to detect and prevent advanced threat campaigns at an early stage. The results Unit 42\r\nsees in various research projects directly contribute to Threat Prevention and WildFire security subscriptions to\r\nensure the protection of our Next-Generation Firewall customers.\r\nSource: https://unit42.paloaltonetworks.com/c2-traffic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/c2-traffic/"
	],
	"report_names": [
		"c2-traffic"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434751,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ce74542576ea47e7fffe9a0590a1b2e62b508e9.pdf",
		"text": "https://archive.orkl.eu/8ce74542576ea47e7fffe9a0590a1b2e62b508e9.txt",
		"img": "https://archive.orkl.eu/8ce74542576ea47e7fffe9a0590a1b2e62b508e9.jpg"
	}
}