APT-C-36 has used port 4050 for C2 communications.
An APT32 backdoor can use HTTP over a non-standard TCP port (e.g. 14146) which is specified in the backdoor configuration.
APT33 has used HTTP over TCP ports 808 and 880 for command and control.
BADCALL communicates on ports 443 and 8000 with a FakeTLS method.
Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.
BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.
During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.
Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.
DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, and 31337 for shellcode C2.
Derusbi has used unencrypted HTTP on port 443 for C2.
Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.
FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.
GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.
GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.
HARDRAIN binds and listens on port 443 with a FakeTLS method.
HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.
Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.
MacMa has used TCP port 5633 for C2 communication.
Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.
Metamorfo has communicated with hosts over raw TCP on port 9999.
MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.
njRAT has used port 1177 for HTTP C2 communications.
During Operation Wocao, the threat actors used uncommon high ports for their backdoor C2, including ports 25667 and 47000.
PingPull can use HTTPS over port 8080 for C2.
PoetRAT used TLS to encrypt communications over port 143.
QuasarRAT can use port 4782 on the compromised host for TCP callbacks.
RedLeaves can use HTTP over non-standard ports, such as 995, for C2.
Rocke's miner connects to a C2 server using port 51640.
RTM used port 44443 for its VNC module.
Sandworm Team has used port 6789 to accept connections on the group's SSH server.
Silence has used port 444 when sending data about the system from the client to the server.
StrongPity has used HTTPS over port 1402 in C2 communication.
SUGARUSH has used port 4585 for a TCP connection to its C2.
TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.
Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443.
TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.
WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.
WIRTE has used HTTPS over ports 2083 and 2087 for C2.
ZxShell can use ports 1985 and 1986 in HTTP/S communication.
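The common thread in the examples above is a port-protocol mismatch, which a defender can surface from connection telemetry that records the port alongside the application protocol identified by DPI. The check below is an added illustration, not part of the ATT&CK page: it runs over constructed records loosely modelled on Zeek conn.log's id.resp_p and service columns (an assumption about the input format) and flags a recognised protocol on an unexpected port, a well-known port carrying an unrecognised protocol (raw sockets or FakeTLS), and HTTP or TLS on otherwise unused high ports.

```python
from typing import Optional

# Conventional service on a destination port; tune to the environment's own baseline.
EXPECTED_SERVICE = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "ssl", 8080: "http"}
# Ports on which a detected service is considered normal (alternate ports included).
NORMAL_PORTS = {"http": {80, 8000, 8080}, "ssl": {443, 8443}, "ssh": {22},
                "smtp": {25, 465, 587}, "dns": {53}}

def classify(dport: int, service: Optional[str]) -> Optional[str]:
    """Return a finding for a suspicious flow, or None when it looks conventional.
    service is the DPI-identified application protocol, or None when unrecognised."""
    expected = EXPECTED_SERVICE.get(dport)
    if service is None:
        # Unrecognised payload on a well-known port: raw sockets or FakeTLS-style traffic.
        return f"unrecognised protocol on port {dport} (expected {expected})" if expected else None
    if expected and service != expected:
        return f"{service} on port {dport} (expected {expected})"
    if service in NORMAL_PORTS and dport not in NORMAL_PORTS[service]:
        return f"{service} on non-standard port {dport}"
    return None

def parse_conn_line(line: str) -> tuple[str, int, Optional[str]]:
    """Parse a constructed tab-separated record: id.orig_h, id.resp_h, id.resp_p, service."""
    _src, dst, dport, service = line.rstrip("\n").split("\t")
    return dst, int(dport), None if service == "-" else service

def find_mismatches(log_text: str) -> list[tuple[str, str]]:
    """Return (responder:port, finding) pairs for every suspicious record in the log."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        dst, dport, service = parse_conn_line(line)
        finding = classify(dport, service)
        if finding:
            findings.append((f"{dst}:{dport}", finding))
    return findings

# Constructed sample records modelled on the behaviours listed above (not real telemetry).
SAMPLE_LOG = (
    "10.0.0.5\t203.0.113.10\t443\tssl\n"     # ordinary HTTPS: no finding
    "10.0.0.5\t203.0.113.11\t443\thttp\n"    # plaintext HTTP on 443
    "10.0.0.6\t203.0.113.12\t14146\thttp\n"  # HTTP on a high non-standard port
    "10.0.0.7\t203.0.113.13\t25\t-\n"        # unrecognised protocol on the SMTP port
    "10.0.0.8\t203.0.113.14\t8080\tssl\n"    # TLS on a port that normally carries HTTP
    "10.0.0.9\t203.0.113.15\t80\thttp\n"     # ordinary HTTP: no finding
)

if __name__ == "__main__":
    for endpoint, finding in find_mismatches(SAMPLE_LOG):
        print(endpoint, "->", finding)
```

A flow whose port has no baseline entry and whose payload is unrecognised (such as a raw TCP callback on a high port) produces no finding here; catching that case needs a beaconing or rarity baseline rather than a port table.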