• tracelr402@piefed.blahaj.zone
    19 hours ago

    I assume the goal is to make it so the C2 server(s) are basically indistinguishable from any other node, perhaps by making much more inter-node traffic than is strictly necessary. Couple this with almost all the participating IP addresses belonging to innocent parties (since it’s malware) and I’m not sure how one would identify the true origin of commands.