Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.

These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

ID: T1481
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 1.0
Created: 01 February 2019
Last Modified: 01 February 2019
Provided by LAYER 8

Procedure Examples

ID Name Description

ANDROIDOS_ANSERVER.A uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.[1]

S0422 Anubis

Anubis can retrieve the C2 address from Twitter and Telegram.[2][3]

S0655 BusyGasper

BusyGasper can be controlled via IRC using freenode.net servers.[4]

S0485 Mandrake

Mandrake has used Firebase for C2.[5]

S0539 Red Alert 2.0

Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.[6]


TERRACOTTA has used Firebase for C2 communication.[7]

S0302 Twitoor

Twitoor can be controlled via Twitter.[8]

S0318 XLoader for Android

XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.[9]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.