||Variants of Anchor can use DNS tunneling to communicate with C2.
||APT18 uses DNS for C2 communications.
||APT39 has used remote access tools that leverage DNS in communications with C2.
||APT41 used DNS for C2 communications.
||BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.
||Brute Ratel C4 can use DNS over HTTPS for C2.
||Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.
||Cobalt Group has used DNS tunneling for C2.
||Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports.
||Cobian RAT uses DNS for C2.
||DanBot can use IPv4 A records and IPv6 AAAA DNS records in C2 communications.
||Denis has used DNS tunneling for C2 communications.
||DnsSystem can direct queries to custom DNS servers and return C2 commands using TXT records.
||Ebury has used DNS requests over UDP port 53 for C2.
||FIN7 has performed C2 using DNS via A, OPT, and TXT records.
||Gelsemium has the ability to use DNS in communication with C2.
||Goopy has the ability to communicate with its C2 over DNS.
||Green Lambert can use DNS for C2 communications.
||Helminth can use DNS for C2.
||Heyoka Backdoor can use DNS tunneling for C2 communications.
||HTTPBrowser has used DNS for command and control.
||InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.
||Ke3chang malware RoyalDNS has used DNS for C2.
||Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information.
||LazyScripter has leveraged dynamic DNS providers for C2 communications.
||Matryoshka uses DNS for C2.
||Milan has the ability to use DNS for C2 communications.
||Mori can use DNS tunneling to communicate with C2.
||Mythic supports DNS-based C2 profiles.
||NanHaiShu uses DNS for C2 communications.
||OilRig has used DNS for C2 including the publicly available requestbin.net tunneling service.
||Pisloader uses DNS as its C2 protocol.
||PlugX can be configured to use DNS for command and control.
||POWERSOURCE uses DNS TXT records for C2.
||POWRUNER can use DNS for C2 communications.
||QUADAGENT uses DNS for C2 communications.
||RDAT has used DNS to communicate with the C2.
||Remsec is capable of using DNS for C2.
||ShadowPad has used DNS tunneling for C2 communications.
||Shark can use DNS in C2 communications.
||Sliver can support C2 communications over DNS.
||SombRAT can communicate over DNS with the C2 server.
||SOUNDBITE communicates via DNS for C2.
||SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.
||SysUpdate has used DNS TXT requests for its C2 communication.
||TEXTMATE uses DNS TXT records for C2.
||Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol.
||WellMess has the ability to use DNS tunneling for C2 communications.