
C2 Serverless With Reddit

In offensive security, a Command and Control (C2) system is fundamental for coordinating and maintaining persistent communication with compromised devices during an operation. Through these systems, an operator can send commands, receive results, and deploy additional payloads stealthily and in a controlled manner. Traditionally, C2s have been based on explicit client-server architectures, where a central server manages the control of multiple distributed agents. However, these approaches are often detectable by modern defense solutions due to anomalous traffic patterns, known domains, or exposed persistent infrastructure.

What is Command and Control (C2)?

A C2, or Command and Control system, is the central and strategic component that allows an attacker to exercise operational control over a compromised network. Its main function is to facilitate bidirectional communication between the attacker and compromised devices, commonly referred to as agents or bots. Through C2, the attacker can send specific commands to these agents—such as credential collection, lateral movement, data exfiltration, or additional payload execution—and receive the results of these actions in real time.

C2 Assets Include:

  • Team Server: Centralized node that hosts the control logic and manages all connected agents.
  • Agents: Software residing on victim machines that connects to the Team Server.
  • Network Infrastructure: Domains, servers, VPN, and mechanisms to hide C2 origin.

Advantages of Serverless C2

Serverless C2s utilize legitimate and highly resilient platforms to camouflage communications, making detection and dismantling by traditional defenses difficult. A Serverless C2 avoids using a traditional Team Server, leveraging public and trusted platforms such as:

  • Reddit
  • Azure Storage
  • AWS S3 / Lambda
  • Google Docs / Drive

Reddit-based C2 Architecture

The architecture leverages Reddit as a covert communication channel between the operator (controller) and agents deployed on compromised systems. Commands and results are exchanged by posting and reading content in a private subreddit, taking advantage of the platform's infrastructure and reputation.

Components:

  • Two Reddit accounts:
    • Controller: /u/Character_Mixture441
    • Agent: /u/Horror_Ad_625
  • Two Reddit applications: each account uses its own app with its own API keys

[Figure: Creating a Reddit Application]

Architecture Diagram

The following diagram illustrates the communication flow between agents and the control server through Reddit:

Communication Cycle

  1. Command Sending: The controller encrypts the command using XOR with a shared key, followed by Base64 encoding.
  2. Agent Reading and Execution: Agents monitor the subreddit for new posts, decrypt commands, and execute them.
  3. Agent Response: Output is encrypted and posted as comments on the original command post.
  4. Controller Reading: The controller monitors comments, decrypts responses, and presents readable results.

[Figure: Communication example between Agent and Controller]
[Figure: Example of an output posted as a comment after command execution]
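As an added defender-side example (not code from this post or from the secrasolutions repository), the following Python reviews proxy log lines for the two traits the cycle above makes observable: a non-browser client authenticating to and using Reddit's OAuth API through an app, and comment bodies that are valid Base64 but decode to mostly non-printable bytes, which is what XOR-encrypted commands and output look like once encoded. The log format, the process names, the user-agent strings and the sample bodies are all constructed assumptions for this example.

```python
"""Added example: heuristic review of proxy logs for the Reddit C2 pattern.
Not part of the original post or its repository; the log format and all
sample lines below are constructed for illustration."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Assumed log format (constructed):
# <ts> <client_ip> <process> <method> <url> "<user_agent>" <status> [body=<token>]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<proc>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3})(?: body=(?P<body>\S+))?$'
)
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')

# Constructed sample traffic: one host mixing ordinary browsing with a script
# client that fetches an OAuth token, polls a subreddit and posts an opaque
# Base64 comment body. The final line is a browser posting readable Base64.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 chrome.exe GET https://www.reddit.com/r/news/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0" 200
2024-05-01T10:00:07Z 10.0.0.5 python.exe POST https://www.reddit.com/api/v1/access_token "python:exampleapp:v1.0 (by u/example_account)" 200
2024-05-01T10:00:09Z 10.0.0.5 python.exe GET https://oauth.reddit.com/r/example_private_sub/new "python:exampleapp:v1.0 (by u/example_account)" 200
2024-05-01T10:00:12Z 10.0.0.5 python.exe POST https://oauth.reddit.com/api/comment "python:exampleapp:v1.0 (by u/example_account)" 200 body=Fw4KGAAfBQ==
2024-05-01T10:01:00Z 10.0.0.9 firefox.exe POST https://oauth.reddit.com/api/comment "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" 200 body=Thanks%20for%20sharing
2024-05-01T10:01:30Z 10.0.0.9 firefox.exe POST https://oauth.reddit.com/api/comment "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" 200 body=aGVsbG8gd29ybGQ=
"""


@dataclass
class Finding:
    ts: str
    ip: str
    proc: str
    url: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_reddit_api(url: str) -> bool:
    """True for Reddit's OAuth API host or the token endpoint used by API apps."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host == "oauth.reddit.com":
        return True
    return host.endswith("reddit.com") and u.path.startswith("/api/v1/access_token")


def is_browser_ua(ua: str) -> bool:
    # Browsers send a Mozilla/ token; script clients using a Reddit app
    # typically send a descriptive string such as "platform:app:version (by u/name)".
    return ua.startswith("Mozilla/")


def printable_fraction(data: bytes) -> float:
    if not data:
        return 1.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def looks_like_opaque_base64(body: str, min_len: int = 8, threshold: float = 0.8) -> bool:
    """Valid Base64 whose decoded bytes are mostly non-printable: the shape an
    XOR-encrypted command or result has after Base64 encoding."""
    if len(body) < min_len or len(body) % 4 or not B64_RE.match(body):
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return False
    return printable_fraction(raw) < threshold


def analyze(log_text: str) -> List[Finding]:
    """One Finding per Reddit API request that shows at least one suspicious trait."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_reddit_api(rec["url"]):
            continue
        reasons = []
        if not is_browser_ua(rec["ua"]):
            reasons.append("non-browser-reddit-api-client")
        if rec["body"] and looks_like_opaque_base64(rec["body"]):
            reasons.append("opaque-base64-body")
        if reasons:
            findings.append(Finding(rec["ts"], rec["ip"], rec["proc"], rec["url"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.ts, f.ip, f.proc, f.url, ",".join(f.reasons))
```

The user-agent check alone will also catch legitimate bots and moderation tools, so in practice it is a triage signal to correlate with the posting process and host rather than an alert on its own; the opaque-body check is the more specific of the two, since readable Base64 (the last sample line) is deliberately not flagged.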

Important Note: This article is for educational purposes only and does not promote malicious use of these techniques. The content aims to foster understanding of advanced offensive security approaches from an academic perspective.

Source Code

To access the source code for this implementation, visit our official GitHub repository:
🔗 https://github.com/secrasolutions/RedditC2Serverless

Secra Solutions - Improving your security