|Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.
|AppleSeed can use a second channel for C2 when the primary channel is in upload mode.
|APT41 used the Steam community page as a fallback mechanism for C2.
|Bazar has the ability to use an alternative C2 server if the primary server fails.
|BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server.
|BlackEnergy has the capability to communicate over a backup channel via plus.google.com.
|Bumblebee can use backup C2 servers if the primary server fails.
|Cardinal RAT can communicate over multiple C2 host and port combinations.
|CharmPower can change its C2 channel once every 360 loops by retrieving a new domain from the actors’ S3 bucket.
|CHOPSTICK can switch to a new C2 channel if the current one is broken.
|Crutch has used a hardcoded GitHub repository as a fallback channel.
|Derusbi uses a backup communication method with an HTTP beacon.
|DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second.
|Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn’t connected to the infected system for three days.
|Exaramel for Linux can attempt to find a new C2 server if it receives an error.
|FatDuke has used several C2 servers per targeted organization.
|FIN7’s Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.
|Gelsemium can use multiple domains and protocols in C2.
|HOPLIGHT has multiple C2 channels in place in case one fails.
|InvisiMole has been configured with several servers available for alternate C2 communications.
|JHUHUGIT tests if it can reach its C2 server by first attempting a direct connection, and if it fails, obtaining proxy settings and sending the connection through a proxy, and finally injecting code into a running browser if the proxy method fails.
|Kazuar can accept multiple URLs for C2 servers.
|Kevin can assign hard-coded fallback domains for C2.
|Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established.
|Lazarus Group malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.
|Linfo creates a backdoor through which remote attackers can change C2 servers.
|Machete has sent data over HTTP if FTP failed, and has also used a fallback server.
|MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working.
|Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server.
|Mythic can use a list of C2 URLs as fallback mechanisms in case one IP or domain gets blocked.
|NETEAGLE will attempt to detect if the infected host is configured to use a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000.
|During Night Dragon, threat actors used company extranet servers as secondary C2 servers.
|OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.
|PipeMon can switch to an alternate C2 domain when a particular date has been reached.
|QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful.
|RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working.
|RDAT has used HTTP if DNS C2 communications were not functioning.
|S-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails.
|Shark can update its configuration to use a different C2 server.
|ShimRat has used a secondary C2 location if the first was unavailable.
|SideTwist has primarily used port 443 for C2 but can use port 80 as a fallback.
|SslMM has a hard-coded primary and backup C2 string.
|Stuxnet has the ability to generate new C2 domains.
|TAINTEDSCRIBE can randomly pick one of five hard-coded IP addresses for C2 communication; if one of the IPs fails, it will wait 60 seconds and then try another IP address.
|TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds.
|TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.
|Valak can communicate over multiple C2 hosts.
|WinMM is usually configured with primary and backup domains for C2 communications.
|The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port.