C2, short for command-and-control, is the communication path malware uses to receive instructions from operators and send back stolen data or status updates. It can be a single server, a rotating set of domains, or a peer-to-peer mesh where infected hosts relay traffic for each other. Attackers rely on C2 to task malware, update payloads, and maintain access after the initial compromise.
For defenders, C2 is important because it often leaves network patterns that can be hunted: regular beaconing, rare outbound destinations, unusual DNS activity, or connections to infrastructure that should not exist in the environment. Blocking or disrupting C2 can stop an attack even when the malware is already on the host. Security teams often combine network telemetry, proxy logs, and endpoint detection to spot and contain C2 traffic before the operator can move deeper.



