RAT Beyond DoH: Next-gen C2 Evasion?

[roggermaistter]

Everyone's using DNS-over-HTTPS for C2 comms. It's getting noisy and blue teams are catching up with JARM/JA3 fingerprinting.

What's the next frontier for truly stealthy C2 channels?

I've been exploring using high-traffic, legitimate APIs (e.g., Slack status updates, GitHub gist comments). Low data rate, but nearly impossible to block without breaking business ops.

What are the wildest/most effective covert channels you've seen or theorized?

 

[dEEpEst]

Here are some methods for both Red Team and Blue Team

Courses Thread 'Next-Gen Covert Channels for Blue Team'

Jun 9, 2025

dEEpEst made a new blog post:

Next-Gen Covert Channels for Blue Team

Blue Team vs. Next-Gen Covert C2 Channels: Detection and Mitigation​

Introduction​

Red Teams are evolving toward covert command-and-control (C2) channels that bypass traditional methods like DNS-over-HTTPS (DoH), leveraging legitimate services (Slack, GitHub, YouTube...

Read the full blog post here...

• dEEpEst
• Replies: 0
• Forum: Defensive & Web Security

Hacking Thread 'Next-Gen Covert Channels for Red Team'

Jun 9, 2025

dEEpEst made a new blog post:

Next-Gen Covert Channels for Red Team

Beyond DNS-over-HTTPS: Next-Gen Covert Channels for Red Team Operations​

As defenders sharpen their tools against DNS-over-HTTPS (DoH) C2 traffic with JA3 fingerprints, behavioral analytics, and anomaly detection, Red Teams must pivot to new, stealthier command and control strategies. In this post, we dive deep...

Read the full blog post here...

• dEEpEst
• Replies: 0
• Forum: General Hacking

 

[roggermaistter]

Attack evolves toward perfect mimicry; defense toward paranoid behavioral analytics. Which one breaks first?

 

[dEEpEst]

Attack evolves toward perfect mimicry; defense toward paranoid behavioral analytics. Which one breaks first?

roggermaistterAttack breaks first if you look closely; defense breaks first if it grows too big.