Command-and-Control (C2) frameworks sit at the core of modern offensive cyber operations. Ransomware groups, access brokers, APT units, and red teams all use these tools or close equivalents. They are the staple for how attackers maintain persistence, move laterally, and execute post-exploitation tasks.
In 2025, the underground has consolidated around a small set of dominant C2 frameworks, each offering different strengths: stealth, modularity, ease of use, or rapid iteration. The frameworks below are the actual heavy hitters: the ones consistently seen in incident response reports, threat intelligence cases, and red team operations.
This article dives into the five most influential C2 frameworks used by threat actors and APTs today:
Cobalt Strike, Sliver, Brute Ratel, Mythic, and Havoc.
1. Cobalt Strike
If there’s one framework that continues to define the C2 landscape, it’s Cobalt Strike. Despite a decade of defensive research, signature development, and Microsoft’s tightening of licensing controls, Cobalt Strike remains the most deployed C2 platform in real-world intrusions. The reason is simple: cracked builds continue to circulate, and threat actors understand the ecosystem inside-out.
Why it dominates:
- Mature tradecraft – Operators know its indicators, malleable C2 profiles, and evasion patterns extremely well.
- Rich plugin ecosystem – BOF development drives constant expansion of capability.
- Operational stability – It’s predictable, battle-tested, and behaves consistently across environments.
Current trends:
- Legacy cracked 4.x versions remain heavily abused.
- Profile obfuscation is getting more sophisticated, with actors blending CS traffic into enterprise SaaS patterns.
- Shift to short-lived implants – Many groups now rotate beacons daily to avoid signature accumulation.
Behavioral IOCs:
- SMB beaconing across segmented networks
- In-memory PE sections with RWX protections
- Reflective DLL injection artifacts
- Use of BOFs that trigger unusual syscalls (NtProtectVirtualMemory, NtWriteVirtualMemory)
Cobalt Strike is still king because attackers know how defenders detect it—and they engineer around that.
2. Sliver
Sliver started as an open-source alternative to Cobalt Strike, but it has now become a standard for everything from small criminal crews to advanced threat actors. Transparency and community development have made Sliver extremely resilient to detection.
Why it dominates:
- Open-source = infinite iteration – Malware authors fork it, patch detections, and customize payloads without constraint.
- Strong implant variety – HTTP, mTLS, DNS, WireGuard, and custom C2 channels are all supported out of the box.
- Rapid development cycle – New evasion techniques land faster than defenders can respond. When Sliver first appeared, its EDR bypasses went undetected.
Trends:
- Sliver forks are becoming harder to attribute; actors modify command operators, sleep logic, and network stagers.
- WireGuard C2 channels are increasingly used in hybrid offensive operations.
- IR analysts are reporting Sliver implants that look nothing like public builds, showing how far private forks have gone.
Behavioral IOCs:
- Go-based implant characteristics – large binary size (3–15 MB), Go runtime strings present in memory, and predictable goroutine scheduling thread patterns.
- Frequent use of DLL sideloading
- Timestomping + process hollowing used together in initial access chains
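The Go-implant characteristics above (size band plus Go runtime strings) translate directly into a triage check an analyst can run over a suspicious file or a memory dump. The script below is an added example written for this article, not Sliver's code or any vendor's detection; the marker strings are ones the Go toolchain embeds in the binaries it links, and the sample buffers are constructed in-line so the script runs offline.

```python
import re

# Strings the Go toolchain embeds in every binary it links: the build-ID header,
# core runtime symbol names, and the toolchain version string. A packed or
# stripped implant may hide some of these, so the check scores rather than decides.
GO_RUNTIME_MARKERS = (
    b"Go build ID:",
    b"go.buildid",
    b"runtime.main",
    b"runtime.goexit",
    b"runtime.gopanic",
    b"runtime.newproc",
)
# Toolchain version string, e.g. "go1.22.4". Short matches such as "go1.2" can
# occur by chance in unrelated data, so this is only one signal among several.
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?")

# Size band the article gives for Sliver-style Go implants.
SIZE_BAND_MB = (3.0, 15.0)


def triage_go_binary(data: bytes) -> dict:
    """Score a file image (on-disk or dumped from memory) against the Go-implant profile."""
    size_mb = len(data) / (1024 * 1024)
    markers = [m.decode() for m in GO_RUNTIME_MARKERS if m in data]
    version = GO_VERSION_RE.search(data)
    go_version = version.group(0).decode() if version else None
    likely_go = len(markers) >= 2 or go_version is not None
    in_band = SIZE_BAND_MB[0] <= size_mb <= SIZE_BAND_MB[1]
    return {
        "size_mb": round(size_mb, 2),
        "in_size_band": in_band,
        "go_markers": markers,
        "go_version": go_version,
        "likely_go": likely_go,
        # Both signals together match the article's Sliver profile; a small Go
        # tool or a large non-Go binary is only a weak hit on its own.
        "matches_sliver_profile": likely_go and in_band,
    }


def triage_file(path: str) -> dict:
    """Convenience wrapper for an on-disk sample."""
    with open(path, "rb") as fh:
        return triage_go_binary(fh.read())


def build_sample(with_go_strings: bool, size_mb: float) -> bytes:
    """Constructed sample: a zero-padded blob that does or does not carry Go strings."""
    body = bytearray(b"MZ" + b"\x00" * (int(size_mb * 1024 * 1024) - 2))
    if with_go_strings:
        blob = b"Go build ID: \"constructed-sample\"\x00runtime.main\x00runtime.goexit\x00go1.22.4\x00"
        body[0x400:0x400 + len(blob)] = blob
    return bytes(body)


if __name__ == "__main__":
    for label, sample in (("go-implant-like", build_sample(True, 4.0)),
                          ("non-go", build_sample(False, 4.0))):
        print(label, triage_go_binary(sample))
```

The check is deliberately a scorer rather than a verdict: plenty of legitimate Go tooling sits in the same size band, and a private Sliver fork may strip symbols, so `matches_sliver_profile` is a prompt for deeper analysis (string table, network config, goroutine thread patterns), not a conviction.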
3. Brute Ratel
Brute Ratel emerged specifically to evade EDR, and that design direction still defines it. Unlike the wide, open ecosystem around Cobalt Strike, Brute Ratel is intentionally gated behind licensing controls, watermarks, and tight access. But that hasn’t stopped cracked versions from circulating, and those versions dominate criminal enclaves.
Why it dominates:
- Extremely low detection surface – Its Badger agent is one of the hardest-to-detect C2 implants in the wild.
- OPSEC-centric design – Everything from process injection to sleep obfuscation is tuned for stealth.
- EDR bypasses baked in – Many of its in-memory loaders and execution chains remain relevant in 2025.
Trends:
- Ratel is often combined with BYOVD chains to kill EDR before deploying the Badger implant.
- Malware loaders designed specifically for Ratel (written in Nim, Rust, or .NET) are proliferating on Telegram.
- Hybrid operations – Some ransomware groups use Ratel for the initial foothold, then pivot to Sliver or CS.
Behavioral IOCs:
- BYOVD sequence prior to C2 deployment (load vulnerable driver, kill EDR, inject Badger).
- In-memory PE with section names removed.
- Use of FODHELPER or CMSTP for UAC bypass.
- Loader ecosystems (Nim, Rust, and .NET loaders commonly paired with Badger).
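The BYOVD sequence listed above is a three-step chain on a single host, which makes it a natural correlation rule rather than a single-event signature. The Python below is an added example for this article, not Brute Ratel's code or any EDR product's logic; it assumes Sysmon-style events (ID 6 DriverLoad, ID 5 ProcessTerminate, ID 8 CreateRemoteThread) flattened into dictionaries, and the driver and EDR process names in the reference sets are constructed placeholders that a real deployment would replace with a vulnerable-driver catalogue (e.g. loldrivers.io) and the vendor's process inventory.

```python
from collections import defaultdict

# Correlation window: the whole chain (driver load -> EDR kill -> injection) must
# complete within this many seconds on one host.
WINDOW_SECONDS = 600

# Analyst-supplied reference sets. The names below are constructed placeholders;
# a real deployment would populate them from a vulnerable-driver catalogue such
# as loldrivers.io and from the EDR vendor's documented process names.
VULNERABLE_DRIVERS = {"placeholder_vuln_driver.sys"}
EDR_PROCESSES = {"edr_sensor.exe", "edr_service.exe"}

# Sysmon event IDs used by the chain.
EV_DRIVER_LOAD = 6      # DriverLoad
EV_PROC_TERMINATED = 5  # ProcessTerminate
EV_REMOTE_THREAD = 8    # CreateRemoteThread


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_byovd_chains(events, window=WINDOW_SECONDS):
    """Return one finding per vulnerable-driver load that is followed, on the same
    host and inside the window, by an EDR process termination and then a remote
    thread creation."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        loads = [e for e in evs if e["event_id"] == EV_DRIVER_LOAD
                 and _basename(e["image"]) in VULNERABLE_DRIVERS]
        kills = [e for e in evs if e["event_id"] == EV_PROC_TERMINATED
                 and _basename(e["image"]) in EDR_PROCESSES]
        injects = [e for e in evs if e["event_id"] == EV_REMOTE_THREAD]

        for load in loads:
            deadline = load["ts"] + window
            # First EDR termination after the load, then first injection after that.
            kill = next((k for k in kills if load["ts"] < k["ts"] <= deadline), None)
            if kill is None:
                continue
            inject = next((i for i in injects if kill["ts"] < i["ts"] <= deadline), None)
            if inject is None:
                continue
            findings.append({
                "host": host,
                "driver": _basename(load["image"]),
                "edr_process": _basename(kill["image"]),
                "injector": _basename(inject["image"]),
                "target": _basename(inject.get("target", "")),
                "span_s": inject["ts"] - load["ts"],
            })
    return findings


# Constructed sample telemetry: one host showing the full chain, one host with
# an unrelated driver load plus an isolated remote thread (no chain), and one
# host where the EDR process restarted without any driver load.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS-042", "event_id": 6, "image": r"C:\Windows\Temp\placeholder_vuln_driver.sys"},
    {"ts": 1015, "host": "WS-042", "event_id": 5, "image": r"C:\Program Files\EDR\edr_sensor.exe"},
    {"ts": 1030, "host": "WS-042", "event_id": 8, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"ts": 2000, "host": "WS-007", "event_id": 6, "image": r"C:\Windows\System32\drivers\http.sys"},
    {"ts": 2500, "host": "WS-007", "event_id": 8, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"ts": 3000, "host": "WS-101", "event_id": 5, "image": r"C:\Program Files\EDR\edr_sensor.exe"},
]


if __name__ == "__main__":
    for finding in find_byovd_chains(SAMPLE_EVENTS):
        print(finding)
```

Ordering is what gives this rule its precision: an EDR service restarting during an update, or a remote thread on its own, will not fire, while a driver load followed by the sensor dying and then injection inside ten minutes is hard to explain benignly. Tune the window to the environment and feed the driver set from a maintained catalogue rather than a static list.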
It remains one of the most dangerous commercial-grade C2 frameworks available, even when accessed illegally.
4. Mythic
Mythic is the modern operator’s answer to heavily monitored enterprise environments. Designed as a modular, extensible C2 framework, Mythic excels in cloud-heavy infrastructures and zero-trust networks.
Why it dominates:
- Modular agents (“payload types”) – Apollo, Poseidon, Hermes, and custom agents allow highly tailored tradecraft.
- Strong OPSEC defaults – Domain fronting, encrypted channels, and structured callback logic reduce noise.
- Designed with cloud in mind – Many payloads already know how to interact with cloud metadata APIs, containers, and serverless functions.
Trends:
- Cloud-first operations – Adversaries increasingly target identity, containers, and cloud APIs before touching local hosts.
- Linux-first implants – Several payload types now outperform traditional Windows beacons.
Behavioral IOCs:
- Mythic tasking pattern – Operators issue small, frequent tasks, which produces a “heartbeat” beacon behavior.
- Python-based stagers are still seen in lower-tier deployments.
Mythic is becoming the go-to framework for adversaries who want flexible, cross-platform post-exploitation without the legacy footprint.
5. Havoc
Havoc entered the scene as a modern, Cobalt-Strike-inspired framework with strong EDR bypasses and a polished UI. Although originally targeted at legitimate red teams, it’s now widely used by threat actors because of its low barrier to entry: it is easy to pick up while still being powerful enough for advanced post-exploitation.
Why it dominates:
- Intuitive interface and workflow. Operators don’t need deep expertise to use it effectively.
- Demon implant is simple to modify. This lowers the skill barrier for creating private forks.
- Active development community. New modules, loaders, and bypasses appear frequently.
- Lower detection footprint compared to legacy tools.
Trends:
- Criminal groups are developing headless (“API only”) Havoc variants for automated operations.
- Demon-based loaders show up in phishing campaigns, where initial access brokers sell footholds built on top of Havoc stagers.
- The framework is gaining traction in container breakout operations.
Behavioral IOCs:
- Headless automation – Operators using Havoc’s API produce rapid, repetitive task requests.
- Nim-based stagers with predictable AES key patterns.
- Process hollowing used heavily during lateral movement.
Havoc is basically the “entry-level C2 for serious criminals”: easy enough for newcomers, powerful enough for professionals.
What’s Driving C2 Evolution in 2025
Across all these frameworks, several clear trends define modern C2 operations:
1. EDR Bypasses
Attackers design implants specifically to avoid triggering EDR heuristics. Techniques like BYOVD are not going away; if anything, they are becoming more popular.
2. Cloud pivot-first operations
Adversaries increasingly prioritize cloud identities, containers, and SaaS platforms rather than traditional endpoint dominance.
3. Short-lived infrastructure
Disposable C2 nodes, rotating domains, and proxy chains are now standard. Infrastructure rarely lasts more than 72 hours in serious ops.
4. Heavy modularity
Operators want agents they can upgrade in-memory, extend with plugins, or rewrite mid-operation.
5. Blending in with enterprise traffic
More C2 traffic now blends into:
- Microsoft 365
- Slack
- GitHub
- Cloud provider metadata traffic
- API-heavy applications
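Three of the behavioral IOCs in this article describe the same network-side symptom: Cobalt Strike beacons rotated daily, Mythic's small frequent tasks producing a “heartbeat”, and headless Havoc automation producing rapid, repetitive requests. All of them show up as connections whose timing is far more regular than a human's, and the SaaS-blending trend above means the destination will often be an allowlisted domain. The script below is an added example for this article, not code from any of the frameworks or from a detection product; it assumes a simple constructed proxy-log format (`<epoch> <src> <dst> <bytes>`), and the hostnames and traffic in the sample are constructed.

```python
import re
import statistics
from collections import defaultdict

# Constructed log format: "<epoch_seconds> <src_ip> <dst_host> <bytes_out>".
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<bytes>\d+)$")


def parse_proxy_log(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:          # skip malformed lines instead of aborting the hunt
            continue
        events.append((int(m["ts"]), m["src"], m["dst"], int(m["bytes"])))
    return events


def find_beacons(events, min_count=8, max_cv=0.2, saas_suffixes=()):
    """Flag (src, dst) pairs whose connection intervals are too regular for a human.

    cv is the coefficient of variation (stdev / mean) of the inter-connection
    gaps: interactive browsing produces bursts and long pauses (high cv), a
    sleeping implant with modest jitter produces a near-constant gap (low cv).
    """
    conns = defaultdict(list)
    for ts, src, dst, size in events:
        conns[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), items in conns.items():
        if len(items) < min_count:
            continue
        items.sort()
        stamps = [t for t, _ in items]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv > max_cv:
            continue
        sizes = [s for _, s in items]
        findings.append({
            "src": src,
            "dst": dst,
            "count": len(items),
            "mean_interval_s": mean_gap,
            "jitter_cv": round(cv, 3),
            # Near-identical request sizes are a second beacon signal.
            "size_spread": max(sizes) - min(sizes),
            # A regular cadence to an allowlisted SaaS domain is exactly the
            # "blending in" case: do not drop it, label it for the analyst.
            "blends_into_saas": any(dst == s or dst.endswith("." + s) for s in saas_suffixes),
        })
    return findings


def make_constructed_log():
    """Constructed sample: a 60 s beacon with small jitter to a SaaS-looking host,
    plus a user's irregular browsing to a sibling host on the same domain."""
    base = 1_700_000_000
    src = "10.0.5.23"
    lines = []
    offsets = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, -1, 0]
    for i, off in enumerate(offsets):
        lines.append(f"{base + 60 * i + off} {src} sync.example-saas.test {310 + (i % 3)}")
    for off in (0, 7, 9, 45, 130, 131, 400, 405, 960, 1300):
        lines.append(f"{base + off} {src} docs.example-saas.test {1500 + off}")
    return lines


if __name__ == "__main__":
    hits = find_beacons(parse_proxy_log(make_constructed_log()),
                        saas_suffixes=("example-saas.test",))
    for hit in hits:
        print(hit)
```

The important design choice is that the SaaS allowlist annotates rather than suppresses: the whole point of profile obfuscation and domain fronting is that the destination looks legitimate, so the cadence and size uniformity have to carry the detection. Against implants that use large jitter or a daily rotation, raise `max_cv` and lengthen the observation window, and pair the result with host-side evidence such as the Go-string or BYOVD checks.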
Conclusion
The underground C2 ecosystem might seem diverse on the surface, but in practice, it revolves around a small number of dominant frameworks. Cobalt Strike, Sliver, Brute Ratel, Mythic, and Havoc each own a specific niche:
- Cobalt Strike – Legacy dominance, unmatched ecosystem
- Sliver – Open-source weaponization at scale
- Brute Ratel – Stealth-first operations and EDR evasion
- Mythic – Cloud-aware, modular, hybrid-environment tooling
- Havoc – Modern, accessible, and rapidly evolving
Despite new C2 frameworks appearing every year, these five still form the backbone of real-world offensive operations. Whether you’re defending networks, threat hunting, or running red team campaigns, understanding how these frameworks function—and why they continue to dominate—is essential.
Spend time setting them up, experimenting with them, and learning their behavioral IOCs. Criminal groups increasingly rely on custom or heavily modified private C2s, but those tools almost always inherit concepts, patterns, and operational habits from the well-known open-source frameworks.
If you understand how the common C2 ecosystems operate, you’ll be far better equipped to recognize the underlying tradecraft, spot the anomalies, and detect bespoke frameworks that don’t appear on any public list.