building-c2-redirector-infrastructure
Building C2 Redirector Infrastructure
Authorized Use Only: This skill is for authorized red-team engagements, adversary-emulation exercises, and defensive research only. Command-and-control infrastructure is dual-use; deploying redirectors to control malware on systems you are not explicitly authorized to test is illegal. Operate only inside an agreed scope with a signed rules-of-engagement document, and decommission infrastructure when the engagement ends.
Overview
A C2 redirector is an intermediary host that sits between victim implants and the real team server. Beacons connect to the redirector's public domain/IP; the redirector inspects each request and either proxies legitimate C2 traffic back to the hidden team server or diverts everything else (scanners, blue-team analysts, sandboxes) to a benign decoy site. This protects the team server from discovery, takedown, and attribution, and lets operators rotate the public edge without rebuilding the backend. The technique maps to MITRE ATT&CK T1090.002 (Proxy: External Proxy) — adversaries route C2 through an intermediary node to obscure the true origin.
Redirectors come in two flavors. Dumb pipes (socat, iptables NAT) blindly forward a port and provide separation but no filtering. Smart/filtering redirectors (nginx proxy_pass, Apache mod_rewrite with [P], or purpose-built tools like RedWarden) parse HTTP requests and only forward traffic that matches the implant's Malleable C2 profile — correct URI, User-Agent, headers — while sending everything else a 302 to a real website. The filtering logic is derived directly from the C2 framework's traffic profile, so the two must stay in lock-step. Tools such as cs2modrewrite automate generating Apache/nginx rules from a Cobalt Strike Malleable C2 profile.
This skill covers building both dumb and filtering redirectors with nginx and Apache, deriving filter rules from a malleable profile, layering TLS with Let's Encrypt, and applying OPSEC controls (categorized domains, domain fronting/CDN fronting, header validation, geo/UA filtering) for resilient, low-attribution infrastructure.
When to Use
- Standing up red-team C2 that must survive blue-team triage and domain takedown requests.
- Separating a hidden team server from any internet-facing host during an engagement.
- Filtering implant traffic so only profile-matching requests reach the backend, diverting scanners.
- Adding TLS termination, domain categorization, and CDN/domain fronting to an HTTP(S) listener.
- Teaching defenders how external-proxy C2 (T1090.002) is constructed so they can detect it.