
Encrypted Data Exfiltration and C2 Callbacks: How Attackers Hide in Plain Sight

When Mandiant investigated the SolarWinds breach, they found that the Sunburst backdoor communicated with its command-and-control servers using DNS queries disguised as legitimate Orion traffic — traffic that every firewall and IDS was configured to allow. In 2024, researchers at Palo Alto's Unit 42 documented a 93% increase in malware using encrypted channels (HTTPS, DoH, legitimate cloud APIs) for command-and-control communications. Attackers are no longer trying to evade your firewall — they are sending stolen data through the front door.

93% increase in malware using encrypted channels for C2 — Palo Alto Unit 42, 2024.

Command-and-Control Communication Explained

After achieving initial access to a network, attackers need a persistent communication channel to their infrastructure — a command-and-control (C2) channel. Through this channel, they receive instructions, download additional tools, move laterally through the network, and ultimately exfiltrate stolen data. The sophistication of modern C2 lies in making this communication indistinguishable from legitimate traffic. If your security team can't identify the C2 channel, they can't detect the breach, interrupt the attacker's operations, or prevent data exfiltration.

HTTPS: Hiding Exfiltration in Encrypted Web Traffic

Over 95% of web traffic is now encrypted with TLS/HTTPS. Attackers exploit this by routing C2 communications and data exfiltration through HTTPS connections to attacker-controlled servers, often using domain fronting techniques that make the traffic appear to be directed at legitimate services like Azure, AWS, or Google Cloud. Traditional firewalls and intrusion detection systems see an encrypted HTTPS connection to a CDN endpoint — they cannot inspect the content without TLS interception, and even with TLS interception, domain-fronted traffic appears legitimate at every inspection layer. The encryption that protects your users' privacy also protects the attacker's exfiltration.

DNS Over HTTPS: The Invisible Exfiltration Channel

DNS-over-HTTPS (DoH) resolves domain names over encrypted HTTPS connections rather than traditional plaintext DNS. While designed for privacy, DoH creates a powerful exfiltration channel. Attackers encode stolen data within DNS queries sent to attacker-controlled DoH resolvers. Because the queries are encrypted, they bypass DNS monitoring, DNS filtering, and DNS-based threat intelligence feeds. A device querying a DoH resolver hosted on a major cloud provider is virtually invisible to network security tools. The Godlua backdoor and the OilRig APT group are among the threats documented using DNS tunnelling over encrypted channels for both C2 and exfiltration.
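Because DoH hides the query names from network-level DNS monitoring, the place to score them is where they are still visible: on the endpoint before encryption, or at a resolver the organisation operates. The following is an added example, not code from the page or from BlackFog; the query log and the domain `c2-placeholder.example` are constructed, and the registered-domain split is a deliberate simplification.

```python
import math
from collections import defaultdict

# Constructed sample of query names as seen on the endpoint (before DoH encryption)
# or at a resolver you control. "c2-placeholder.example" is a made-up domain.
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "cdn.example.com", "www.example.com",
    "api.github.com", "login.microsoftonline.com", "d1a2b3c4d5e6f7.cloudfront.net",
    "0000.q3xk7vbm2ndpj5ryw6tzae4lgifhsuco.c2-placeholder.example",
    "0001.m8ze2kqt5vxh9wbn4cpj7dlr3ysafogu.c2-placeholder.example",
    "0002.t6yw3bqe8ckm5nxv2hjp9zdr4lsfuiao.c2-placeholder.example",
    "0003.h5kp9wrt2mzx7vbq4ncy8djl3sefguoa.c2-placeholder.example",
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload chunks sit far above ordinary hostnames."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def split_name(qname: str):
    """Return (subdomain, registered domain). Treats the last two labels as the
    registered domain, a simplification; production code should use the public
    suffix list so that names like example.co.uk are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyse(queries, min_unique=3, min_len=30.0, min_entropy=3.5):
    """Aggregate per registered domain. A tunnel shows many distinct, long,
    high-entropy subdomains because every query carries a fresh payload chunk;
    a CDN hostname with one hashed label stays below the thresholds."""
    subs = defaultdict(set)
    for q in queries:
        sub, dom = split_name(q)
        subs[dom].add(sub)
    report = {}
    for dom, names in subs.items():
        chars = [n.replace(".", "") for n in names]
        mean_len = sum(len(c) for c in chars) / len(chars)
        mean_ent = sum(shannon_entropy(c) for c in chars) / len(chars)
        report[dom] = {
            "unique_subdomains": len(names),
            "mean_len": round(mean_len, 2),
            "mean_entropy": round(mean_ent, 2),
            "suspicious": len(names) >= min_unique and mean_len >= min_len
                          and mean_ent >= min_entropy,
        }
    return report

if __name__ == "__main__":
    for dom, stats in analyse(SAMPLE_QUERIES).items():
        print(dom, stats)
```

The thresholds are starting points to tune against your own query volume; low-volume tunnels that spread chunks across many registered domains will need the same statistics keyed by source process or host as well.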

Legitimate Cloud Services as C2 Infrastructure

Attackers increasingly use legitimate cloud services as their C2 and exfiltration infrastructure, making detection extraordinarily difficult:

  • Microsoft OneDrive and SharePoint: Malware families like Graphite and SideWinder use Microsoft Graph API for C2, appearing as normal Office 365 traffic
  • Google Drive: The ELBRUS group and others use Google Drive for both C2 communication and data exfiltration — your DLP cannot distinguish malicious uploads from normal business use
  • Slack and Discord: Malware uses these platforms' webhook and bot APIs for command-and-control, hiding in the noise of legitimate corporate communications
  • GitHub: Attackers host encoded C2 instructions in public repositories, with malware polling for updates disguised as normal git operations
  • Cloudflare Workers and AWS Lambda: Serverless functions used as C2 relay points, benefiting from the cloud provider's trusted IP reputation

Why Traditional Firewalls Cannot See This Traffic

Next-generation firewalls were designed to inspect traffic at the network boundary, applying rules based on IP addresses, domains, ports, and protocols. Against encrypted exfiltration through legitimate cloud services, every firewall rule passes: the destination IP belongs to Microsoft, the hostname sits under googleapis.com, the port is 443, and the protocol is HTTPS. Even deep packet inspection sees only TLS-encrypted traffic to a trusted endpoint. The fundamental limitation is architectural — firewalls inspect traffic at the network boundary, but the decision to exfiltrate data is made on the device, by a specific process acting on specific files. This is why device-level egress controls are essential.

How BlackFog Detects and Blocks Encrypted Exfiltration

BlackFog monitors data egress at the device level — before data reaches the network, before it's encrypted, and before it enters any cloud service. By analysing the behaviour of applications and processes on the endpoint — which processes are accessing which data, where they are sending it, and whether that destination is consistent with the organisation's legitimate operations — BlackFog can identify and block exfiltration regardless of the encryption or transport method. A process compressing customer records and uploading them to a personal OneDrive folder is blocked. A DNS-over-HTTPS tunnel encoding data to an unknown resolver is blocked. The traffic never leaves the device.
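To make the contrast in the two sections above concrete, the added example below (not BlackFog's code, and not from the page) evaluates the same constructed endpoint events from a network-boundary view, which sees only destination attributes, and from a device-level view, which also sees the process, the files it touched and the cloud identity it used. Process names, file paths, the `@corp.example` tenant and `.cloud-provider.example` (standing in for any hyperscaler hosting domain) are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EgressEvent:
    """One outbound connection as observed on the endpoint (constructed telemetry)."""
    process: str        # image that opened the socket
    dest_host: str
    dest_port: int
    app_proto: str      # "https" or "doh", classified on the device before encryption
    files_read: tuple   # paths the process read just before sending
    account: str        # cloud identity the upload authenticated as, "" if none

# --- Network-boundary view: only destination attributes are visible -------------
TRUSTED_SUFFIXES = (".live.com", ".microsoft.com", ".googleapis.com",
                    ".cloud-provider.example")  # last one is a constructed stand-in

def firewall_verdict(ev: EgressEvent) -> str:
    return "allow" if ev.dest_port == 443 and ev.dest_host.endswith(TRUSTED_SUFFIXES) else "block"

# --- Device-level view: process, data touched and destination identity ---------
SENSITIVE_PREFIXES = ("C:\\Data\\Customers\\",)       # constructed data classification
APPROVED_UPLOADERS = ("OneDrive.exe", "msedge.exe")    # processes allowed to move that data
CORP_ACCOUNT_SUFFIX = "@corp.example"                  # the organisation's own tenant
APPROVED_RESOLVERS = ("dns.corp.example",)             # the only permitted DoH endpoint

def device_verdict(ev: EgressEvent) -> tuple:
    touched_sensitive = any(p.startswith(SENSITIVE_PREFIXES) for p in ev.files_read)
    if ev.app_proto == "doh" and ev.dest_host not in APPROVED_RESOLVERS:
        return "block", "DoH to unapproved resolver"
    if touched_sensitive and ev.process not in APPROVED_UPLOADERS:
        return "block", "unexpected process sending classified data"
    if touched_sensitive and not ev.account.endswith(CORP_ACCOUNT_SUFFIX):
        return "block", "classified data sent to non-corporate account"
    return "allow", "consistent with policy"

# Constructed events: every one of them passes the network-boundary check.
EVENTS = {
    "corp_sync": EgressEvent("OneDrive.exe", "onedrive.live.com", 443, "https",
                             ("C:\\Data\\Customers\\q3.csv",), "alice@corp.example"),
    "personal_upload": EgressEvent("OneDrive.exe", "onedrive.live.com", 443, "https",
                                   ("C:\\Data\\Customers\\q3.csv",), "someone@personal.example"),
    "staged_archive": EgressEvent("updater-placeholder.exe", "graph.microsoft.com", 443, "https",
                                  ("C:\\Data\\Customers\\export.7z",), ""),
    "doh_tunnel": EgressEvent("svc-placeholder.exe", "doh-relay.cloud-provider.example", 443,
                              "doh", (), ""),
    "browsing": EgressEvent("msedge.exe", "www.googleapis.com", 443, "https", (), ""),
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:16} firewall={firewall_verdict(ev):5} device={device_verdict(ev)}")
```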

Block encrypted exfiltration at the device level

Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.


Ready to stop data exfiltration?

Start with a free 30-day BlackFog assessment — 25 devices, no obligation.