Your C2 infrastructure is the backbone of any red team operation. Get it wrong and you get burned on day one — the blue team identifies your callback IP, null-routes it, and your operation collapses. This post covers the architecture decisions that determine whether your operation runs for days or weeks.
Layered Redirector Architecture
Direct C2 callbacks are indefensible. A proper architecture uses at least two layers of redirectors between the implant and your team server.
Implant → CDN / Domain Fronting
→ Short-haul redirector (cloud VPS)
→ Long-haul redirector (different provider, different geo)
→ Team server (never directly exposed)
Each hop uses a different provider, different autonomous system, and ideally a different country. Burning one redirector doesn't expose the team server or the next hop.
Malleable C2 Profiles
Default C2 beacon traffic is heavily signatured. Every major NDR vendor has detections for default Cobalt Strike, Havoc, and Sliver profiles. A malleable profile that mimics legitimate traffic — Microsoft Teams, Office 365, CDN traffic — dramatically reduces detection probability.
Infrastructure Categorisation
All domains and IPs should be pre-categorised before the engagement begins. Uncategorised domains trigger alerts in virtually every enterprise proxy solution. Aged domains with established reputation — registered 60-90 days prior with legitimate content and crawlable pages — generate significantly less noise than freshly registered domains.
Sleep and Jitter
Beacons with predictable callback intervals are trivially detectable via network flow analysis. A beacon calling back every 60 seconds produces a perfectly periodic pattern in NetFlow data, and a simple regularity check over inter-connection intervals will flag it. Use aggressive sleep times (30-60 minutes) with high jitter values (50%+) during business hours, and longer sleeps overnight.
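The flow-analysis point above can be made concrete with a small regularity check. This is an added example, not the post's code: it groups constructed NetFlow-like records by source/destination pair and scores how regular the gaps between connections are using the coefficient of variation (standard deviation divided by mean); all hosts, addresses, intervals and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
import random

def constructed_flows():
    """Constructed NetFlow-like records: (timestamp_s, src, dst). Not real traffic."""
    flows = []
    # Host A: fixed 60-second callback, no jitter (the trivially detectable case).
    flows += [(60 * i, "10.0.0.5", "203.0.113.10") for i in range(60)]
    # Host B: 30-minute sleep with 50% jitter, seeded so the sample is reproducible.
    rng, t = random.Random(7), 0.0
    for _ in range(60):
        flows.append((t, "10.0.0.6", "198.51.100.20"))
        t += 1800 * rng.uniform(0.5, 1.5)
    # Host C: ordinary interactive browsing, bursty and irregular (constructed gaps).
    t, bursts = 0.0, [5, 2, 900, 3, 7000, 1, 4, 2500]
    for i in range(60):
        flows.append((t, "10.0.0.7", "192.0.2.30"))
        t += bursts[i % len(bursts)]
    return flows

def interval_scores(flows, min_count=10):
    """Per (src, dst) pair: (connection count, mean gap, coefficient of variation)."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    scores = {}
    for pair, ts in times.items():
        if len(ts) < min_count:      # too few connections to judge regularity
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        scores[pair] = (len(ts), m, pstdev(gaps) / m if m else 0.0)
    return scores

def flag_beacons(flows, max_cv=0.1, min_count=10):
    """Pairs whose inter-connection gaps are too regular to be human-driven."""
    return sorted(pair for pair, (_, _, cv) in interval_scores(flows, min_count).items()
                  if cv <= max_cv)

if __name__ == "__main__":
    for pair, (n, m, cv) in interval_scores(constructed_flows()).items():
        print(f"{pair}: n={n} mean_gap={m:.0f}s cv={cv:.2f}")
    print("flagged at cv<=0.1:", flag_beacons(constructed_flows()))
    print("flagged at cv<=0.4:", flag_beacons(constructed_flows(), max_cv=0.4))
```

With 50% uniform jitter the coefficient of variation only rises to roughly 0.3, so the jittered pair still separates cleanly from the bursty browsing host (CV well above 1); the threshold has to be tuned per environment rather than fixed at one value.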