T1071.001 Web Protocols
T1071.001 — Web Protocols is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 218 detection use cases covering it and 197 threat-intel articles citing it.
Command and Control · 218 use cases · 197 articles · 0 sub-techniques · 1 tactic
Parent technique: T1071 · Application Layer Protocol
Use cases covering this technique (218)
Beaconing — periodic outbound to small set of destinations
[WEEKLY] Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
[WEEKLY] Developer/AI tooling runtime spawns shell or egress LOLBin (unauth RCE post-expl)
[WEEKLY] Developer package install spawning script-host with non-registry C2 within 5 minutes
[WEEKLY] Internet-facing server process spawns interpreter then beacons to first-seen external host within 5 minutes
[WEEKLY] Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution
[WEEKLY] Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes
[WEEKLY] npm Install-Time Lifecycle Hook Triggers Outbound Egress to Newly-Seen Domain (Shai-Hulud/Miasma/IronWorm pattern)
[WEEKLY] Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access
[WEEKLY] Package-manager install hook spawns interpreter that beacons to non-registry host within 120s
[WEEKLY] Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry
[WEEKLY] Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes
[WEEKLY] Package manager lifecycle hook spawns network-fetching shell or runtime
[WEEKLY] Package manager lifecycle hook spawns runtime with outbound egress to non-registry host within 5 minutes
[WEEKLY] Package manager spawns network-fetching child to public code-hosting within minutes of install
[WEEKLY] Script Interpreter or Package-Install Hook Egress to Free-Tier Edge SaaS Within 5 Minutes of Process Start
[WEEKLY] Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write
[WEEKLY] Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain
[WEEKLY] Supply-chain repo credential theft → outbound exfil to attacker infra Windows
ConvertTo-AADIntBackdoor Execution Via PowerShell Script
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
Cisco Secure Firewall - Connection to File Sharing Domain
Cisco Secure Firewall - High EVE Threat Confidence
Cisco Secure Firewall - Wget or Curl Download
HTTP C2 Framework User Agent
HTTP Malware User Agent
HTTP PUA User Agent
HTTP RMM User Agent
HTTP Duplicated Header
HTTP Possible Request Smuggling
HTTP Rapid POST with Mixed Status Codes
HTTP Request to Reserved Name on IIS Server
HTTP Scripting Tool User Agent
Detect web traffic to dynamic domain providers
HTTP Suspicious Tool User Agent
[LLM] Velvet Ant air-gap bridge — fcgiwrap/uptime spawning SSH from HTTP-driven FastCGI
[LLM] GS-Netcat reverse shell — host beacons to gs.thc.org Global Socket relay
[LLM] AUR build process egress to temp.sh or github.com/fardewoak/nodejs-argo
[LLM] Atomic Arch: outbound HTTP upload to temp.sh from developer/build host
[LLM] Atomic Arch: non-Tor-aware process connecting to local SOCKS proxy on 9050/9150
[LLM] Atomic Arch — DNS resolution and HTTP POST to temp.sh from non-browser developer workstation process
[LLM] Atomic Arch — Tor client spawn or .onion endpoint contact from AUR-installing developer host
[LLM] Agentjacking C2/exfiltration to advisory-tracker.com (Tenet Sentry-MCP attack)
[LLM] Outbound public network from LangGraph runtime to non-allowlisted destination
[LLM] Sniper Dz seized phishing infrastructure callback (post-takedown beacons)
[LLM] Shell or recon binary spawned by Tomcat/Java on Ivanti Sentry (CVE-2026-10520 post-exploitation)
[LLM] DNS/network contact with AudiA6 money-mule registration domains
[LLM] MeshCentral agent disguised as Microsoft Azure binary calling azurenetfiles.net
[LLM] Outbound connection or DNS resolution to imperva_artifactory.com (OpenClaw PoC C2)
[LLM] npm/node install-time process beaconing to webhook.site, sfrclak.com or 142.11.206.73
[LLM] Miasma worm GitHub commit-search C2 magic strings on command line or script
[LLM] Outbound JSON-RPC or LLM-API egress from network appliance / edge device
[LLM] SPECTRALVIPER C2 callout to OceanLotus FireAnt infrastructure
[LLM] Network egress to OceanLotus SPECTRALVIPER C2 IPs (2024-2026 campaigns)
[LLM] Sustained low-volume beaconing to OceanLotus SPECTRALVIPER C2 (long-tail persistence)
[LLM] build.rs invoking curl POST to Sentry envelope endpoint with code diff payload
[LLM] Network egress to onering Sentry exfil ingest domain or project envelope path
[LLM] Connection to RoguePlanet PoC C2 Domain projectnightcrawler.dev
[LLM] Unauthenticated WebSocket / HTTP 101 upgrade to phoenix_storybook playground routes
[LLM] BEAM process outbound to new public destination or non-standard port (post-RCE C2)
[LLM] Outbound DNS / HTTP to Miasma C2 (git-service.com / m-kosche.com)
[LLM] Miasma C2 / IOC domain resolution: check.git-service.com, t.m-kosche.com, git-service.com
[LLM] GIFTEDCROOK / Gamaredon C2 callback to article IOCs (IPs + workers.dev / trycloudflare / .ru domains)
[LLM] Hades C2: GitHub commit search for campaign markers TheBeautifulSnadsOfTime / firedalazer
[LLM] Internal host outbound to CVE-2026-50751 Qilin actor IPs (post-bypass C2 / staging)
[LLM] Connection to AI-brand phishing / installer C2 infrastructure (MSTI June 2026 IOCs)
[LLM] Outbound endpoint connections to BRICKSTORM C2 IP 149.248.11.71
[LLM] Outbound connection to UNC3753 (Luna Moth) infrastructure IPs
[LLM] Bright Data SDK control-plane beacon to proxyjs/clientsdk endpoints
[LLM] ait-bsc outbound TCP to public/non-baseline destination (attacker-supplied loc port)
[LLM] GitHub Actions runner: node from Claude Code Action egresses to non-Anthropic/non-GitHub endpoint
[LLM] Mini Shai-Hulud npm worm exfiltration to t.m-kosche.com OpenTelemetry endpoint
[LLM] KongTuke TDS C2 callout to 144.31.221.82:6060 with /capcha URL path
[LLM] Same host calling KongTuke C2 from both powershell.exe and curl.exe within short window
[LLM] Argamal Stage2 BITSAdmin Pull of zaesdl.dat from GitHub
[LLM] Argamal RAT C2 Beacon — 186.158.223.35 / freeddns / kozow / ignorelist / UDP-57441 / TCP-3747
[LLM] Package manager runtime connecting to durabletask/axios supply-chain C2 IOCs
[LLM] C2 beacon to audit.checkmarx[.]cx /v1/telemetry (TeamPCP Shai-Hulud Third Coming)
[LLM] Egress to typosquatted C2 flipboxstudio.info (Laravel-Lang Composer SC)
[LLM] FlutterShell macOS C2 contact (atsheisdomestic / etoftheappyrince / healightejustb)
[LLM] FlutterShell adware redirector contact (ads-parkpro / sinterfumesco / softwe.art)
[LLM] TeamPCP Checkmarx KICS supply-chain stealer C2 callback (audit.checkmarx.cx / 94.154.172.43)
[LLM] C2 callback to moika.tech payload distribution infrastructure
[LLM] Container egress to cryptominer pool / Kinsing C2
[LLM] Outbound HTTP beacon to vpmdhaj C2 (aab.sportsontheweb.net)
[LLM] Cyberhaven trojanized Chrome extension C2 callback to cyberhavenext.pro
[LLM] NoName057(16) DDoSia client check-in (/client/login, /client/get_targets)
[LLM] axios RAT C2 callout to sfrclak.com / 142.11.206.73:8000
[LLM] Yamcs Java process beacons to webhook / interact / tunneling service (CVE-2026-46621 C2)
[LLM] Reverse-shell /dev/tcp file descriptor from Yamcs java process tree
[LLM] DNS/HTTPS exfil to sentry.anyclaw.store (Codex token C2 masquerading as Sentry)
[LLM] HTTPS POST to /startlog with codexui User-Agent (Codex exfil over the wire)
[LLM] Outbound recon callback from Yamcs host (curl/shell child of JVM to public IP)
[LLM] Mini Shai-Hulud npm worm C2/exfil egress (masscan.cloud, git-tanstack.com, getsession.org)
[LLM] BTMOB C2/phishing domain contact — arbsniper.com
[LLM] Egress to BTMOB hosted C2 cluster (LATAM/Hetzner IPs, Google CDN excluded)
[LLM] Laravel-Lang supply chain C2/exfil to flipboxstudio.info
[LLM] C2 egress to flipboxstudio.info from Laravel-Lang composer dropper
[LLM] nezha-agent outbound network connection to cloud instance-metadata service
[LLM] Megalodon CI/CD exfil: outbound HTTPS to C2 216.126.225.129:8443
[LLM] Screening Serpens C2 — DNS/network to UNC1549 infrastructure (Feb-Apr 2026)
[LLM] Endpoint DNS or web traffic to fake FIFA World Cup 2026 typosquat domain
[LLM] Nx Console / Shai-Hulud C2 connection (t.m-kosche.com, check.git-service.com, filev2.getsession.org, api.masscan.cloud, 83.142.209.194)
[LLM] Mini Shai-Hulud C2 callback to zero.masscan.cloud / 94.154.172.43
[LLM] TamperedChef C2 / distribution callback to appsuites.ai and sibling domains
[LLM] DNS / Network egress to TeamPCP Nx Console C2 domain check.git-service.com
[LLM] EchoCreep Discord API beacon from non-browser process (Webworm 2025)
[LLM] GraphWorm OneDrive /createUploadSession C2 from non-Office process
[LLM] WormFrp / Webworm Amazon S3 staging bucket access (wamanharipethe / whpjewellers)
[LLM] Webworm 2025 IOC match — known C2 IPs (Vultr/IT7) and file hashes
[LLM] TeamPCP rope.pyz Dropper Fetch from check.git-service.com C2
[LLM] Reverse shell from 9router-spawned shell — outbound TCP from node-child bash
[LLM] DNS lookup for git-tanstack.com TeamPCP C2 staging domain
[LLM] Outbound connection to TeamPCP C2 IP 83.142.209.194
[LLM] GlassFish java process outbound HTTP fetch to external host (gadget XML callback)
[LLM] Mini Shai-Hulud / TeamPCP C2 beacon to api.masscan.cloud / git-tanstack.com / *.getsession.org
[LLM] BadIIS C2 IP / domain beacon (lee.6686ty.vip, iis.01nmwe.xyz)
[LLM] IIS worker (w3wp.exe) initiating outbound connection to public IP
[LLM] Mini Shai-Hulud C2 exfil to t.m-kosche.com disguised as OpenTelemetry collector
[LLM] Outbound C2 to t.m-kosche.com from CI/CD runner or any endpoint
[LLM] node-ipc C2 callback to sh.azurestaticprovider.net (May 2026 npm supply-chain)
[LLM] Mini Shai-Hulud C2 backchannel: python polling GitHub commit search for 'firedalazer'
[LLM] Outbound network connection to mistralai 2.4.6 dropper C2 (83.142.209.194)
[LLM] Arcane backend host outbound Git/HTTPS to non-allowlisted host on port 22/443 (CVE-2026-45625 credential sink)
[LLM] Cisco Secure FMC anomalous outbound HTTP PUT (Interlock CVE-2026-20131 callback)
[LLM] Outbound connection to Gremlin Stealer exfiltration host 194.87.92.109
[LLM] Outbound egress to node-ipc stealer infrastructure (azurestaticprovider[.]net / 37.16.75.69)
[LLM] AdaptixC2 'shadowcore' / Mythic C2 traffic to UAT-8616 infrastructure 194.163.175.135
[LLM] AdaptixC2 'systemd-resolved' or Sliver 'CWan' implant on Linux / SD-WAN host
[LLM] FrostyNeighbor C2 callout to needbinding/nebao/algsat/sardk/alexavegas/lavanille
[LLM] Mini Shai-Hulud npm Worm C2 callback to Session Protocol CDN and masscan.cloud
[LLM] Mini Shai-Hulud dead-drop git commit authored as claude@users.noreply.github.com
[LLM] Malformed CL-STA-1132 attacker User-Agent (Mozilla/5.5 + Safari/532.31)
[LLM] ScarCruft sqgame supply-chain delivery domain contact (BirdCall/RokRAT)
[LLM] Outbound to elementary-data exfil C2 igotnofriendsonlineorirl-imgonnakmslmao.sky
[LLM] TeamPCP @bitwarden/cli stealer exfil to audit.checkmarx.cx (94.154.172.43)
[LLM] Mini Shai-Hulud 'OhNoWhatsGoingOnWithGitHub' dead-drop keyword in outbound URL
[LLM] Exfil to skyhanni.cloud C2 with X-Rise-To-The-Trinny header
[LLM] Qinglong cryptominer payload download from file.551911.xyz
[LLM] Cyberhaven compromised Chrome extension C2 callback (cyberhavenext.pro)
[LLM] Non-browser process posting to Slack Web API (LaxGopher C2)
[LLM] Non-browser process posting to Discord API (RatGopher C2)
[LLM] Beaconing to GopherWhisper C2 IP 43.231.113.50 (incl. SSLORDoor raw TLS/443)
[LLM] Suspicious draft email manipulation against barrantaya.1010@outlook.com (BoxOfFriends Graph API C2)
[LLM] GPT-Proxy backdoor C2 / Stage-2 download (sync.geeker.indevs.in, gibunxi4201/kube-node-diag)
[LLM] Trust Wallet Shai-Hulud C2 callback to metrics-trustwallet.com / 138.124.70.40
[LLM] Outbound connection to Velora DEX npm supply-chain C2 89.36.224.5
[LLM] TeamPCP Trivy/KICS C2 callback to scan.aquasecurtiy.org / 45.148.10.212
[LLM] axios Supply Chain RAT C2 Callback to sfrclak.com (Port 8000)
[LLM] hackerbot-claw payload host: DNS/HTTP egress to hackmoltrepeat.com (C2 + exfil)
[LLM] hackerbot-claw token exfiltration: curl POST with GITHUB_TOKEN to recv.hackmoltrepeat.com
[LLM] OpenClaw Gateway WebSocket listener / loopback connection on TCP 18789
[LLM] IoliteLabs IOC sweep: rraghh.com / oortt.com hostnames + campaign file hashes
[LLM] Outbound connection to TeamPCP C2 83.142.209.203 / ringtone.wav stego payload fetch
[LLM] WAV-disguised stager pull from TeamPCP loader 83.142.209.203:8080
[LLM] TeamPCP C2 / exfil egress to models.litellm.cloud, checkmarx.zone and AS205759 nodes
[LLM] Outbound C2 to sfrclak.com / 142.11.206.73:8000 (Axios npm RAT beacon)
[LLM] axios npm RAT C2 beacon to sfrclak.com / 142.11.206.73:8000
[LLM] Outbound DNS/HTTPS to TeamPCP exfil domain models.litellm.cloud (litellm PyPI compromise)
[LLM] TeamPCP C2 egress to 83.142.209.203:8080 (telnyx WAV-stego dropper)
[LLM] TeamPCP supply-chain C2 — outbound to checkmarx[.]zone / 83.142.209.11
[LLM] Trivy supply-chain C2 beacon to typosquat domain scan.aquasecurtiy.org
[LLM] bittensor-wallet 4.0.2 backdoor C2 domain contact (opentensor-* lookalikes)
[LLM] node.exe contacting Solana JSON-RPC endpoints (suspected blockchain dead-drop C2)
[LLM] C2 beaconing to Vercel-hosted Cloudflare-impersonating domains (cloudflareguard / cloudflareinsights)
[LLM] ForceMemo: Python process queries Solana mainnet RPC endpoint (blockchain dead-drop C2)
[LLM] Outbound C2 callback to xygeni-action backdoor IP 91.214.78.178 from CI runner
[LLM] Bash-spawned curl to xygeni-action C2 nip.io endpoint with /b/in /b/q /b/r path on CI runner
[LLM] DNS / HTTPS egress to TeamPCP exfil infra (models.litellm.cloud, checkmarx.zone)
[LLM] DNS/HTTP egress to CanisterWorm ICP canister C2 (tdtqy-oyaaa-aaaae-af2dq-cai)
[LLM] GlassWorm hardcoded C2 IP egress (45.32.150.251 / 217.69.3.152) for Stage-2 fetch and exfil
[LLM] GlassWorm Solana blockchain dead-drop C2 lookup via public RPC endpoints from Node
[LLM] Outbound TCP beacon to BlokTrooper Socket.IO C2 195.201.104.53:6931/6936/6939
[LLM] Glassworm stage-2/stage-3 C2 callback to 45.32.150.251 or 217.69.3.152
[LLM] DRILLAPP C2 staging: msedge.exe contacting pastefy.app
[LLM] DRILLAPP C2: msedge.exe egress to known DRILLAPP IPs or WebSocket to localhost:8000
[LLM] BeardShell C2: outbound to Icedrive cloud-storage API as non-browser process
[LLM] Covenant C2: outbound to Filen cloud-storage API as non-browser process
[LLM] PlugX C2 egress — connections to decoraat.net / decoorat.net / gesecole.net
[LLM] Astro SSRF (CVE-2026-25545) — Node.js egress fetch for /404.html or /500.html with UA 'node'
[LLM] PromptSpy VNC C2 egress to 54.67.2.84
[LLM] Outbound traffic to *.oastify.com (BurpSuite Collaborator) from corporate endpoint
[LLM] Egress to sidoraress json-bigint-extend gambling backdoor C2 infrastructure
[LLM] Inbound HTTP request bearing sidoraress backdoor x-operation operator tokens
[LLM] CI runner anomalous outbound to raw.githubusercontent.com / gist.githubusercontent.com
[LLM] Egress to Qix npm phishing/exfil infrastructure (npmjs.help, publicvm.com, BunnyCDN buckets)
[LLM] Scavenger npm malware C2 beacon to firebase.su / dieorsuffer.com / smartscreen-api.com
[LLM] Endpoint contact with attacker C2 setup-service.com (OpenClaw skill stager)
[LLM] AI agent skill leaks Stripe key or card PAN/CVC verbatim in curl command line
[LLM] Outbound connection to clawhub.ai or skills.sh from CLI agent (skill marketplace fetch)
[LLM] Sandworm SOCKS5 C2 egress to 31.172.71[.]5 (Fornex) or progamevl.ru
[LLM] GhostChat C2/staging infrastructure contact (hitpak.org, buildthenations.info, fkclb.com)
[LLM] GhostChat C2 beacon URL pattern: hitpak.org/page.php?tynor=<host>sss<user>
[LLM] ScreenConnect client beaconing to ClawdBot attacker relay (meeting.bulletmailer.net:8041)
[LLM] G_Wagon C2 beacon: node.exe or python.exe egress to Appwrite storage buckets
[LLM] Aikido npm phishing: direct outbound connection to RackGenius C2 (163.123.236.118)
[LLM] C2 beacon or stage-2 fetch to updatenet[.]work / 172.86.73.139 / dothebest[.]store
[LLM] Bun/Node bursty PUT to api.github.com /contents from infected host (Sha1-Hulud exfil)
[LLM] MuddyViper C2 fingerprint: 'A WinHTTP Example Program/1.0' UA + distinctive URI paths
[LLM] Outbound exfiltration to webhook.site from npm / node / bun process tree
[LLM] Outbound exfiltration to Shai-Hulud webhook.site/bb8ca5f6 C2 endpoint
[LLM] PlushDaemon EdgeStepper hijacking infrastructure (wcsset.com / 47.242.198.250 / 8.212.132.120) contact
[LLM] LittleDaemon / DaemonicLogistics update-hijack URL pattern (popup_4.2.0.2246.dll, /update/updateInfo.bzp, /update/file6.bdat, /update/file2.
[LLM] TEA Protocol (tea.xyz) DNS resolution from developer or build endpoint
[LLM] ScoringMathTea C2 beacon to compromised WordPress hosts (Lazarus DreamJob IOCs)
[LLM] Connection to Beamglea phishing credential-harvesting domains
[LLM] DNS or HTTP egress to giftshop.club exfil domain
[LLM] GhostAction C2 egress to Plesk-hosted exfiltration infrastructure
[LLM] Shai-Hulud worm C2 exfiltration to webhook.site UUID bb8ca5f6
[LLM] Egress to websocket-api2.publicvm.com (Qix campaign credential exfil C2)
[LLM] Node process creating GitHub repo via api.github.com (s1ngularity exfil channel)
[LLM] Scavenger C2 callback: ifyouseethisyouareultragay[.]com / pokerainteasy[.]su
[LLM] Scavenger Stealer C2 beacon to corroborated infrastructure (datahog.su / datalytica.su / smartscreen-api.com)
[LLM] Egress to Solidity Language Cursor extension C2 infrastructure (angelic.su / lmfao.su / staketree.net / ab498.pythonanywhere.com / 144.172.1
[LLM] BoltDB Go backdoor C2 callback to 49.12.198.231:20022
[LLM] Outbound fetch of file.sh via attacker-controlled commit d8daa0b... on raw.githubusercontent.com
[LLM] Polyfill malware C2: contact with googie-anaiytics homograph or kuurza redirect
[LLM] Moq SponsorLink email exfil egress to cdn.devlooped.com / SponsorLink blob
Articles citing this technique (197)
[crit] 400+ AUR Packages Hijacked: What the “Atomic Arch” Campaign Means for Supply-Chain Security (art-14)
[crit] ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities (art-37)
[crit] [GHSA / CRITICAL] GHSA-jpvj-wpmj-h7rv: Supply chain compromise via malicious @cap-js/openapi (art-123)
[high] Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp (art-130)
[crit] Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload (art-219)
[med] Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise (art-220)
[high] GitHub breached via a malicious VS Code extension: why developer devices are the real target (art-238)
[crit] The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised (art-248)
[high] Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again! (art-254)
[crit] From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat (art-265)
[crit] [GHSA / CRITICAL] GHSA-wx9m-wx4f-4cmg: Malicious dropper in mistralai 2.4.6 PyPI package (art-272)
[crit] Malicious node-ipc versions published to npm in suspected maintainer account compromise (art-284)
[high] Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers (art-352)
[high] CanisterWorm: How a Self-Propagating npm Worm Is Spreading Backdoors Across the Ecosystem (art-429)
[crit] Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys (art-433)
[crit] ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push (art-434)
[high] DRILLAPP: new backdoor targeting Ukrainian entities with possible links to Laundry Bear (art-470)
[high] 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) (art-537)
[low] Snyk @ RSAC 2025 (art-911)
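Most of the campaign-specific use cases above key on a domain or IP that will be dead within weeks. The first use case in the list (beaconing: periodic outbound to a small set of destinations) and the "HTTP ... Tool User Agent" rules describe the behaviour those indicators reduce to once they age out: one client talking to one destination at near-regular intervals, often from a non-browser HTTP library. The detector below is an added illustration of that check over proxy logs; it is not Clankerusecase's or any vendor's rule code. The log line format, the thresholds, the User-Agent prefix list and the SAMPLE_LOG traffic are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Assumed proxy log format (one request per line):
# <ISO timestamp> <client IP> <destination host> <method> <status> <user-agent>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")
# Assumed list of scripting / tooling User-Agent prefixes, the kind that
# "HTTP Scripting Tool User Agent" style rules match on; extend for your environment.
TOOL_UA_RE = re.compile(
    r"^(python-requests|python-urllib|curl|Wget|Go-http-client|PowerShell|WinHTTP)", re.I)

MIN_REQUESTS = 8       # below this there are too few gaps to judge periodicity
MAX_JITTER_CV = 0.15   # pstdev/mean of inter-request gaps; jittered beacons still sit well under this
MIN_MEDIAN_GAP_S = 10  # rules out page loads and their sub-second asset fetches


def _lines(client, host, ua, offsets_s, start="2026-05-01T09:00:00"):
    """Build constructed log lines at the given second offsets from start."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=o)).isoformat()} {client} {host} GET 200 {ua}"
            for o in offsets_s]


# Constructed sample (not real traffic): a 60 s implant check-in with a few seconds
# of jitter, an irregular human browsing session, and a pair with too few requests.
BEACON_OFFSETS = [60 * i + j for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2, -3, 0, 1, -1])]
SAMPLE_LOG = "\n".join(
    _lines("10.1.1.5", "cdn-update.example.invalid", "python-requests/2.31.0", BEACON_OFFSETS)
    + _lines("10.1.1.9", "www.example.invalid", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
             [0, 5, 7, 130, 131, 400, 402, 900, 905, 1800])
    + _lines("10.1.1.9", "api.example.invalid", "curl/8.5.0", [0, 60, 120])
)


def parse(log_text):
    """Yield (timestamp, client, host, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(6)


def find_beacons(log_text):
    """Return one finding per (client, host) pair whose request gaps look periodic."""
    groups = defaultdict(list)
    for ts, client, host, ua in parse(log_text):
        groups[(client, host)].append((ts, ua))
    findings = []
    for (client, host), events in groups.items():
        if len(events) < MIN_REQUESTS:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg          # coefficient of variation: low means regular
        med = median(gaps)
        if cv > MAX_JITTER_CV or med < MIN_MEDIAN_GAP_S:
            continue
        findings.append({
            "client": client, "host": host, "requests": len(events),
            "median_gap_s": med, "jitter_cv": round(cv, 3),
            "tool_user_agent": any(TOOL_UA_RE.match(ua) for _, ua in events),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed sample only the 10.1.1.5 pair is reported (twelve requests, median gap 61 s, jitter well under the threshold, scripting User-Agent), while the browsing session has enough requests but far too much variance and the curl pair has too few samples. Software updaters and telemetry agents will also trip a periodicity check like this, so in production pair the score with destination prevalence (how many clients talk to that host) and the User-Agent flag rather than alerting on regularity alone.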