How C2 Servers Use Custom TCP Protocols to Evade Detection
ID: b32461bf-1ced-5a90-9927-c794627c6443
STIX ID: report--b32461bf-1ced-5a90-9927-c794627c6443
Feed Name: Malware Patrol Blog
This report examines the growing trend of malware and APT actors using non-HTTP/S, TCP-based command-and-control channels. It outlines common protocols and unconventional methods (DNS over TCP, custom TCP protocols, Tor, cloud services, steganography, P2P), citing examples that include APT29, APT41, and APT34 as well as several RATs and backdoors. It presents Malware Patrol telemetry showing increased TCP-based C2 usage, and recommends detection and mitigation measures such as broader network monitoring, egress filtering, DPI, EDR correlation, behavioral/ML anomaly detection, threat intelligence integration, deception, and proactive threat hunting.
