{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T15:39:07Z","timestamp":1777390747711,"version":"3.51.4"},"reference-count":123,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2023,9,1]],"date-time":"2023-09-01T00:00:00Z","timestamp":1693526400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Jubail Industrial College (JIC)"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>The widespread adoption of cloud-based and public legitimate services (CPLS) has inadvertently opened up new avenues for cyber attackers to establish covert and resilient command-and-control (C&amp;C) communication channels. This abuse poses a significant cybersecurity threat, as it allows malicious traffic to blend seamlessly with legitimate network activities. Traditional detection systems are proving inadequate in accurately identifying such abuses, emphasizing the urgent need for more advanced detection techniques. In our study, we conducted an extensive systematic literature review (SLR) encompassing the academic and industrial literature from 2008 to July 2023. Our review provides a comprehensive categorization of the attack techniques employed in CPLS abuses and offers a detailed overview of the currently developed detection strategies. Our findings indicate a substantial increase in cloud-based abuses, facilitated by various attack techniques. Despite this alarming trend, the focus on developing detection strategies remains limited, with only 7 out of 91 studies addressing this concern. Our research serves as a comprehensive review of CPLS abuse for the C&amp;C infrastructure. By examining the emerging techniques used in these attacks, we aim to make a significant contribution to the development of effective botnet defense strategies.<\/jats:p>","DOI":"10.3390\/jcp3030027","type":"journal-article","created":{"date-parts":[[2023,9,1]],"date-time":"2023-09-01T09:24:53Z","timestamp":1693560293000},"page":"558-590","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["Abuse of Cloud-Based and Public Legitimate Services as Command-and-Control (C&amp;C) Infrastructure: A Systematic Literature Review"],"prefix":"10.3390","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6701-0279","authenticated-orcid":false,"given":"Turki","family":"Al lelah","sequence":"first","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2701-7809","authenticated-orcid":false,"given":"George","family":"Theodorakopoulos","sequence":"additional","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Philipp","family":"Reinecke","sequence":"additional","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Amir","family":"Javed","sequence":"additional","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eirini","family":"Anthi","sequence":"additional","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2023,9,1]]},"reference":[{"key":"ref_1","first-page":"1","article-title":"Peer-to-Peer Botnets: Overview and Case Study","volume":"7","author":"Grizzard","year":"2007","journal-title":"HotBots"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Abu Rajab, M., Zarfoss, J., Monrose, F., and Terzis, A. (2006, January 25\u201327). A multifaceted approach to understanding the botnet phenomenon. Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeiro, Brazil.","DOI":"10.1145\/1177080.1177086"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"357","DOI":"10.2298\/SJEE2003357R","article-title":"Malware Command and Control Over Social Media: Towards the Server-less Infrastructure","volume":"17","year":"2020","journal-title":"Serbian J. Electr. Eng."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"113383","DOI":"10.1016\/j.eswa.2020.113383","article-title":"Detection of malicious social bots: A survey and a refined taxonomy","volume":"151","author":"Latah","year":"2020","journal-title":"Expert Syst. Appl."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"378","DOI":"10.1016\/j.comnet.2012.07.021","article-title":"Botnets: A survey","volume":"57","author":"Silva","year":"2013","journal-title":"Comput. Netw."},{"key":"ref_6","first-page":"51","article-title":"Trends and challenges of botnet architectures and detection techniques","volume":"5","author":"Limarunothai","year":"2015","journal-title":"J. Inf. Sci. Technol."},{"key":"ref_7","unstructured":"Fedynyshyn, G., Chuah, M.C., and Tan, G. (2011, January 2\u20134). Detection and classification of different botnet C&C channels. Proceedings of the Autonomic and Trusted Computing: 8th International Conference, ATC 2011, Banff, AB, Canada."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Dietrich, C.J., Rossow, C., Freiling, F.C., Bos, H., Van Steen, M., and Pohlmann, N. (2011, January 6\u20137). On Botnets that use DNS for Command and Control. Proceedings of the 2011 Seventh European Conference on Computer Network Defense, Gothenburg, Sweden.","DOI":"10.1109\/EC2ND.2011.16"},{"key":"ref_9","unstructured":"Gu, G., Perdisci, R., Zhang, J., and Lee, W. (August, January 28). BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. Proceedings of the USENIX Security Symposium. USENIX Association, San Jose, CA, USA."},{"key":"ref_10","unstructured":"Micro, T. (2020, April 11). Taxonomy of Botnet Threats. Whitepaper, November 2006. Available online: https:\/\/sites.cs.ucsb.edu\/~kemm\/courses\/cs595G\/TM06.pdf."},{"key":"ref_11","unstructured":"Liu, L., Chen, S., Yan, G., and Zhang, Z. (2008, January 15\u201318). Bottracer: Execution-based bot-like malware detection. Proceedings of the Information Security: 11th International Conference, ISC 2008, Taipei, Taiwan."},{"key":"ref_12","unstructured":"Pernet, C., Cao, E., Horejsi, J., Chen, J.C., and Sanchez, W.G. (2020, April 11). New SLUB Backdoor Uses GitHub, Communicates via Slack. Available online: https:\/\/www.trendmicro.com\/en_gb\/research\/19\/c\/new-slub-backdoor-uses-github-communicates-via-slack.html."},{"key":"ref_13","unstructured":"Cherepanov, A. (2020, April 11). The Rise of TeleBots: Analyzing Disruptive KillDisk Attacks|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2016\/12\/13\/rise-telebots-analyzing-disruptive-killdisk-attacks\/."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"898","DOI":"10.1109\/SURV.2013.091213.00134","article-title":"A Taxonomy of Botnet Behavior, Detection, and Defense","volume":"16","author":"Khattak","year":"2014","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_15","unstructured":"Kuitert, S. (2009). War on Botnets. Int. J. Inf. Technol. Eng. Res., Available online: https:\/\/citeseerx.ist.psu.edu\/document?repid=rep1&type=pdf&doi=c72b4812cfaf65c88e45e7d8b53fffb355505cd0."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Singh, K., Srivastava, A., Giffin, J., and Lee, W. (2008, January 24\u201327). Evaluating email\u2019s feasibility for botnet command and control. Proceedings of the 2008 IEEE International Conference on Dependable Systems and Networks with FTCS and DCC (DSN), Anchorage, AK, USA.","DOI":"10.1109\/DSN.2008.4630106"},{"key":"ref_17","unstructured":"Kitchenham, B., and Charters, S. (2007). Guidelines for Performing Systematic Literature Reviews in Software Engineering, Durham University. Technical Report EBSE-2007-01, EBSE."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Compagno, A., Conti, M., Lain, D., Lovisotto, G., and Mancini, L.V. (2015, January 28\u201330). Boten ELISA: A novel approach for botnet C&C in online social networks. Proceedings of the 2015 IEEE Conference on Communications and Network Security (CNS), Florence, Italy.","DOI":"10.1109\/CNS.2015.7346813"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Nagaraja, S., Houmansadr, A., Piyawongwisal, P., Singh, V., Agarwal, P., and Borisov, N. (2011). Stegobot: A Covert Social Network Botnet, Springer. International Workshop on Information Hiding.","DOI":"10.1007\/978-3-642-24178-9_21"},{"key":"ref_20","unstructured":"(2020, April 11). Operation Ghost: The Dukes Aren\u2019t Back\u2014They Never Left|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2019\/10\/17\/operation-ghost-dukes-never-left\/."},{"key":"ref_21","unstructured":"(2020, April 11). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group|FireEye. Available online: https:\/\/www.fireeye.com\/current-threats\/apt-groups\/rpt-apt29.html."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Lee, H., Kang, T., Lee, S., Kim, J., and Kim, Y. (2013, January 19\u201321). Punobot: Mobile botnet using push notification service in android. Proceedings of the International Workshop on Information Security Applications, Jeju Island, Republic of Korea.","DOI":"10.1007\/978-3-319-05149-9_8"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"427","DOI":"10.1007\/s11859-013-0952-6","article-title":"An adaptive push-styled command and control mechanism in mobile botnets","volume":"18","author":"Chen","year":"2013","journal-title":"Wuhan Univ. J. Nat. Sci."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Sebastian, S., Ayyappan, S., and Vinod, P. (2014, January 24\u201327). Framework for design of Graybot in social network. Proceedings of the 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Delhi, India.","DOI":"10.1109\/ICACCI.2014.6968575"},{"key":"ref_25","unstructured":"(2020, April 11). DaaC2\u2014Using Discord as a C2|Crawl3r. Available online: https:\/\/crawl3r.github.io\/2020-01-25\/DaaC2."},{"key":"ref_26","unstructured":"(2020, April 11). GitHub\u2014Crawl3r\/DaaC2: Discord as a C2. Available online: https:\/\/github.com\/crawl3r\/DaaC2."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Ji, Y., He, Y., Jiang, X., and Li, Q. (2014, January 16\u201319). Towards social botnet behavior detecting in the end host. Proceedings of the 2014 20th IEEE International Conference on Parallel and Distributed Systems (ICPADS), Hsinchu, Taiwan.","DOI":"10.1109\/PADSW.2014.7097824"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Dong, Y., Dai, J., and Sun, X. (2018, January 8\u201310). A Mobile Botnet that Meets up at Twitter. Proceedings of the International Conference on Security and Privacy in Communication Systems, Singapore.","DOI":"10.1007\/978-3-030-01704-0_1"},{"key":"ref_29","unstructured":"Boutin, J.I. (2020, April 11). Turla\u2019s Watering Hole Campaign: An Updated Firefox Extension Abusing Instagram|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2017\/06\/06\/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram\/."},{"key":"ref_30","unstructured":"Singel, R. (2020, April 11). Hackers Use Twitter to Control Botnet|WIRED. Available online: https:\/\/www.wired.com\/2009\/08\/botnet-tweets\/."},{"key":"ref_31","first-page":"11","article-title":"Social Networking for Botnet Command and Control","volume":"6","author":"Singh","year":"2013","journal-title":"Int. J. Comput. Netw. Inf. Secur."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Kartaltepe, E.J., Morales, J.A., Xu, S., and Sandhu, R. (2010). Social Network-Based Botnet Command-and-Control: Emerging Threats and Countermeasures, Springer. Applied Cryptography and Network Security.","DOI":"10.1007\/978-3-642-13708-2_30"},{"key":"ref_33","unstructured":"Chen, J. (2020, April 11). Blackgear Cyberespionage Campaign Resurfaces. Available online: https:\/\/www.trendmicro.com\/en_us\/research\/18\/g\/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication.html."},{"key":"ref_34","first-page":"1343","article-title":"Inclusion of Unicode standard seamless characters to expand Arabic text steganography for secure individual uses","volume":"34","author":"Alanazi","year":"2020","journal-title":"J. King Saud Univ.-Comput. Inf. Sci."},{"key":"ref_35","unstructured":"Carr, N., Goody, K., Miller, S., and Vengerik, B. (2020, April 11). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation|Mandiant. Available online: https:\/\/www.mandiant.com\/resources\/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation."},{"key":"ref_36","unstructured":"Griffin, N. (2020, April 11). Carbanak Group Uses Google for Malware Command-and-Control|Forcepoint. Available online: https:\/\/www.forcepoint.com\/blog\/x-labs\/carbanak-group-uses-google-malware-command-and-control."},{"key":"ref_37","unstructured":"Constantin, L. (2020, April 11). Malware Uses Google Docs as Proxy to Command and Control Server. Available online: https:\/\/www.pcworld.com\/article\/455736\/malware-uses-google-docs-as-proxy-to-command-and-control-server.html."},{"key":"ref_38","unstructured":"Brook, C. (2020, April 11). Windows 8 Malware Using Google Docs to Target Brazilians|Threatpost. Available online: https:\/\/threatpost.com\/windows-8-malware-using-google-docs-target-brazilians-111912\/77227\/."},{"key":"ref_39","unstructured":"Mercer, W., Rascagneres, P., Ventura, V., and Kuhla, E. (2020, April 11). Cisco Talos Intelligence Group\u2014Comprehensive Threat Intelligence: JhoneRAT: Cloud Based Python RAT Targeting Middle Eastern Countries. Available online: https:\/\/blog.talosintelligence.com\/2020\/01\/jhonerat.html."},{"key":"ref_40","unstructured":"Passilly, T., and Tartare, M. (2022, January 17). The SideWalk May Be as Dangerous as the CROSSWALK|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2021\/08\/24\/sidewalk-may-be-as-dangerous-as-crosswalk\/."},{"key":"ref_41","unstructured":"(2022, January 17). Ousaban: Private Photo Collection Hidden in a CABinet|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2021\/05\/05\/ousaban-private-photo-collection-hidden-cabinet\/."},{"key":"ref_42","unstructured":"Hr\u010dka, V. (2020, April 11). Stantinko Botnet Adds Cryptomining to Its Pool of Criminal Activities|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2019\/11\/26\/stantinko-botnet-adds-cryptomining-criminal-activities\/."},{"key":"ref_43","unstructured":"Jarkko, K. (2020, April 11). News from the Lab Archive: January 2004 to September 2015. Available online: https:\/\/archive.f-secure.com\/weblog\/archives\/00002803.html."},{"key":"ref_44","unstructured":"Biasini, N., Brumaghin, E., and Lister, N. (2022, January 17). Cisco Talos Intelligence Group\u2014Comprehensive Threat Intelligence: Threat Spotlight: Astaroth\u2014Maze of Obfuscation and Evasion Reveals Dark Stealer. Available online: https:\/\/blog.talosintelligence.com\/2020\/05\/astaroth-analysis.html."},{"key":"ref_45","unstructured":"Cimpanu, C. (2022, January 17). Astaroth Malware Hides Command Servers in YouTube Channel Descriptions|ZDNet. Available online: https:\/\/www.zdnet.com\/article\/astaroth-malware-hides-command-servers-in-youtube-channel-descriptions\/."},{"key":"ref_46","unstructured":"Lancaster, T., and Yates, M. (2020, April 11). Confucius Says\u2026Malware Families Get Further by Abusing Legitimate Websites. Available online: https:\/\/unit42.paloaltonetworks.com\/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites\/."},{"key":"ref_47","unstructured":"Grunzweig, J., and Miller-Osborn, J. (2020, April 11). SunOrcal Adds GitHub and Steganography to its Repertoire, Expands to Vietnam and Myanmar. Available online: https:\/\/unit42.paloaltonetworks.com\/unit42-sunorcal-adds-github-steganography-repertoire-expands-vietnam-myanmar\/."},{"key":"ref_48","unstructured":"(2020, April 11). GitHub\u2014PaulSec\/Twittor: A Fully Featured Backdoor That Uses Twitter as a C&C Server. Available online: https:\/\/github.com\/PaulSec\/twittor."},{"key":"ref_49","unstructured":"Lunghi, D., Horejsi, J., and Pernet, C. (2020, April 11). Untangling the Patchwork Cyberespionage Group. Available online: https:\/\/www.trendmicro.com\/en_gb\/research\/17\/l\/untangling-the-patchwork-cyberespionage-group.html."},{"key":"ref_50","unstructured":"(2022, January 17). ESET_Threat_Report_Q22020.pdf. Available online: https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/07\/ESET_Threat_Report_Q22020.pdf."},{"key":"ref_51","unstructured":"Falcone, R., and Lee, B. (2020, April 11). DarkHydrus Delivers New Trojan That Can Use Google Drive for C2 Communications. Available online: https:\/\/unit42.paloaltonetworks.com\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/."},{"key":"ref_52","unstructured":"Kwiatkowski, I., Aime, F., and Delcher, P. (2022, January 17). Holy Water: Ongoing Targeted Water-Holing Attack in Asia|Securelist. Available online: https:\/\/securelist.com\/holy-water-ongoing-targeted-water-holing-attack-in-asia\/96311\/."},{"key":"ref_53","unstructured":"(2022, January 17). Targeted Attacks Using Fake Flash against Tibetans|Volexity. Available online: https:\/\/www.volexity.com\/blog\/2020\/03\/31\/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign\/."},{"key":"ref_54","unstructured":"Hacquebord, F., and Remorin, L.A. (2022, January 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Available online: https:\/\/www.trendmicro.com\/en_us\/research\/20\/l\/pawn-storm-lack-of-sophistication-as-a-strategy.html."},{"key":"ref_55","unstructured":"Dahan, A. (2020, April 11). Operation Cobalt Kitty: A Large-Scale APT in Asia Carried out by the OceanLotus Group. Available online: https:\/\/www.cybereason.com\/blog\/operation-cobalt-kitty-apt."},{"key":"ref_56","unstructured":"(2020, April 11). APT32, SeaLotus, OceanLotus, APT-C-00, Group G0050. Available online: https:\/\/attack.mitre.org\/groups\/G0050\/."},{"key":"ref_57","unstructured":"(2020, April 11). APT17: Hiding in Plain Sight\u2014FireEye and Microsoft Expose Obfuscation Tactic|FireEye. Available online: https:\/\/www.fireeye.com\/current-threats\/apt-groups\/rpt-apt17.html."},{"key":"ref_58","unstructured":"Grunzweig, J. (2020, April 11). The TopHat Campaign: Attacks within the Middle East Region Using Popular Third-Party Services. Available online: https:\/\/unit42.paloaltonetworks.com\/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services\/."},{"key":"ref_59","unstructured":"(2020, April 11). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang|Anomali Labs. Available online: https:\/\/www.anomali.com\/blog\/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang."},{"key":"ref_60","unstructured":"Lambert, T. (2022, January 17). Threat Hunting in Linux For Rocke Cryptocurrency Mining Malware. Available online: https:\/\/redcanary.com\/blog\/rocke-cryptominer\/."},{"key":"ref_61","doi-asserted-by":"crossref","first-page":"270","DOI":"10.1016\/j.pmcj.2017.03.007","article-title":"CloudBot: Advanced mobile botnets using ubiquitous cloud technologies","volume":"41","author":"Chen","year":"2017","journal-title":"Pervasive Mob. Comput."},{"key":"ref_62","unstructured":"(2023, May 26). Information on Attacks Involving 3CX Desktop App. Available online: https:\/\/www.trendmicro.com\/en_us\/research\/23\/c\/information-on-attacks-involving-3cx-desktop-app.html."},{"key":"ref_63","unstructured":"Porolli, M. (2023, May 26). POLONIUM Targets Israel with Creepy Malware. Available online: https:\/\/www.welivesecurity.com\/2022\/10\/11\/polonium-targets-israel-creepy-malware\/."},{"key":"ref_64","unstructured":"WeLiveSecurity (2023, May 26). Who\u2019s Swimming in South Korean Waters? Meet ScarCruft\u2019s Dolphin. Available online: https:\/\/www.welivesecurity.com\/2022\/11\/30\/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin\/."},{"key":"ref_65","unstructured":"TrendMicro (2022, January 17). BIOPASS RAT New Malware Sniffs Victims via Live Streaming. Available online: https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html."},{"key":"ref_66","unstructured":"Nazario, J. (2020, April 11). Twitter Based Botnet Command and Control. Arbor Networks Security. Available online: http:\/\/asert.arbornetworks.com\/2009\/08\/twitter-based-botnet-command-channel."},{"key":"ref_67","doi-asserted-by":"crossref","first-page":"2157","DOI":"10.1002\/sec.1475","article-title":"Understanding a prospective approach to designing malicious social bots","volume":"9","author":"He","year":"2016","journal-title":"Secur. Commun. Netw."},{"key":"ref_68","unstructured":"(2022, January 17). The Tetrade: Brazilian Banking Malware Goes Global|Securelist. Available online: https:\/\/securelist.com\/the-tetrade-brazilian-banking-malware\/97779\/."},{"key":"ref_69","unstructured":"Folt\u00fdn, T. (2020, April 11). Turla: In and out of Its Unique Outlook Backdoor|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2018\/08\/22\/turla-unique-outlook-backdoor\/."},{"key":"ref_70","unstructured":"Faou, M. (2022, January 17). From Agent.BTZ to ComRAT v4: A Ten-Year Journey|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2020\/05\/26\/agentbtz-comratv4-ten-year-journey\/."},{"key":"ref_71","unstructured":"(2020, April 11). GitHub\u2014Maldevel\/Gdog: A Fully Featured Windows Backdoor That Uses Gmail as a C&C Server. Available online: https:\/\/github.com\/maldevel\/gdog."},{"key":"ref_72","unstructured":"(2020, April 11). Cloud Atlas: RedOctober APT Is Back in Style|Securelist. Available online: https:\/\/securelist.com\/cloud-atlas-redoctober-apt-is-back-in-style\/68083\/."},{"key":"ref_73","unstructured":"(2020, April 11). Casbaneiro: Dangerous Cooking with a Secret Ingredient|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2019\/10\/03\/casbaneiro-trojan-dangerous-cooking\/."},{"key":"ref_74","unstructured":"(2022, January 17). Numando: Count Once, Code Twice|Welivesecurity. Available online: https:\/\/www.welivesecurity.com\/2021\/09\/17\/numando-latam-banking-trojan\/."},{"key":"ref_75","unstructured":"Faou, M. (2022, January 17). Turla Crutch: Keeping the \u201cBack Door\u201d Open|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2020\/12\/02\/turla-crutch-keeping-back-door-open\/."},{"key":"ref_76","unstructured":"(2022, January 17). APT-31 Leverages COVID-19 Vaccine Theme|Zscaler Blog. Available online: https:\/\/www.zscaler.com\/blogs\/security-research\/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online."},{"key":"ref_77","unstructured":"(2022, January 17). Raccoon Stealer\u2019s Abuse of Google Cloud Services and Multiple Delivery Techniques\u2014TrendLabs Security Intelligence Blog. Available online: https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/raccoon-stealers-abuse-of-google-cloud-services-and-multiple-delivery-techniques\/."},{"key":"ref_78","unstructured":"Faou, M., and Dumont, R. (2020, April 11). A Dive into Turla PowerShell Usage|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2019\/05\/29\/turla-powershell-usage\/."},{"key":"ref_79","unstructured":"(2020, April 11). GitHub\u2014Coalfire-Research\/Slackor: A Golang Implant That Uses Slack as a Command and Control Server. Available online: https:\/\/github.com\/Coalfire-Research\/Slackor."},{"key":"ref_80","unstructured":"L\u00e9veill\u00e9, M.E.M. (2023, May 26). I See What you Did There: A Look at the CloudMensis macOS Spyware. Available online: https:\/\/www.welivesecurity.com\/2022\/07\/19\/i-see-what-you-did-there-look-cloudmensis-macos-spyware\/."},{"key":"ref_81","unstructured":"(2020, April 11). Command and Control\u2014DropBox\u2014Penetration Testing Lab. Available online: https:\/\/pentestlab.blog\/2017\/08\/29\/command-and-control-dropbox\/."},{"key":"ref_82","unstructured":"(2022, January 17). Introduction to Callidus. Available online: https:\/\/3xpl01tc0d3r.blogspot.com\/2020\/03\/introduction-to-callidus.html."},{"key":"ref_83","unstructured":"Baltazar, R.J., Costoya, J., and Flores, R. (2009). The Heart of KOOBFACE: C&C and Social Network Propagation, Trend Micro, Incorporated. Trend Micro Threat Research."},{"key":"ref_84","doi-asserted-by":"crossref","unstructured":"Faghani, M.R., and Nguyen, U.T. (May, January 29). Socellbot: A new botnet design to infect smartphones via online social networking. Proceedings of the 2012 25th IEEE Canadian Conference on Electrical and Computer Engineering (CCECE), Montreal, QC, Canada.","DOI":"10.1109\/CCECE.2012.6334962"},{"key":"ref_85","unstructured":"(2020, April 11). Threat Analysis: ROKRAT Malware\u2014VMware Security Blog\u2014VMware. Available online: https:\/\/blogs.vmware.com\/security\/2018\/02\/threat-analysis-rokrat-malware.html."},{"key":"ref_86","unstructured":"Mercer, W., and Paul Rascagneres, J.A. (2020, April 11). Cisco Talos Intelligence Group\u2014Comprehensive Threat Intelligence: ROKRAT Reloaded. Available online: https:\/\/blog.talosintelligence.com\/2017\/11\/ROKRAT-Reloaded.html."},{"key":"ref_87","unstructured":"(2020, April 11). TeleCrypt\u2014The Ransomware Abusing Telegram API\u2014Defeated!|Malwarebytes Labs. Available online: https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/11\/telecrypt-the-ransomware-abusing-telegram-api-defeated\/."},{"key":"ref_88","unstructured":"Nigam, R., and Wilhoit, K. (2020, April 11). TeleRAT: Another Android Trojan Leveraging Telegram\u2019s Bot API to Target Iranian Users. Available online: https:\/\/unit42.paloaltonetworks.com\/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users\/."},{"key":"ref_89","unstructured":"Tama\u00f1a, N. (2020, April 11). Backdoor Uses Evernote as Command-and-Control Server\u2014TrendLabs Security Intelligence Blog. Available online: https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/backdoor-uses-evernote-as-command-and-control-server\/."},{"key":"ref_90","unstructured":"Pernet, C., Cao, E., Horejsi, J., Chen, J.C., and Sanchez, W.G. (2020, April 11). SLUB Gets Rid of GitHub, Intensifies Slack Use\u2014TrendLabs Security Intelligence Blog. Available online: https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/slub-gets-rid-of-github-intensifies-slack-use\/."},{"key":"ref_91","unstructured":"(2020, April 11). GitHub\u2014Bkup\/SlackShell: PowerShell to Slack C2. Available online: https:\/\/github.com\/bkup\/SlackShell."},{"key":"ref_92","unstructured":"(2020, April 11). GitHub\u2014Praetorian-Inc\/Slack-c2bot: Slack C2bot That Executes Commands and Returns the Output. Available online: https:\/\/github.com\/praetorian-inc\/slack-c2bot."},{"key":"ref_93","unstructured":"(2020, April 11). Using Slack Web Services as a C2 Channel (ATT&CK T1102)\u2014Praetorian. Available online: https:\/\/www.praetorian.com\/blog\/using-slack-as-c2-channel-mitre-attack-web-service-t1102\/."},{"key":"ref_94","doi-asserted-by":"crossref","unstructured":"Zhao, S., Lee, P.P., Lui, J.C., Guan, X., Ma, X., and Tao, J. (2012, January 3). Cloud-based push-styled mobile botnets: A case study of exploiting the cloud to device messaging service. Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, FL, USA.","DOI":"10.1145\/2420950.2420968"},{"key":"ref_95","unstructured":"Menrige, M. (2020, April 11). PlugX RAT with \u201cTime Bomb\u201d Abuses Dropbox for Command-and-Control Settings\u2014TrendLabs Security Intelligence Blog. Available online: https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/plugx-rat-with-time-bomb-abuses-dropbox-for-command-and-control-settings\/."},{"key":"ref_96","unstructured":"(2020, April 11). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets|Mandiant. Available online: https:\/\/www.mandiant.com\/resources\/china-based-threat."},{"key":"ref_97","unstructured":"Arsene, L. (2022, January 17). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Available online: https:\/\/www.bitdefender.com\/blog\/labs\/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia\/."},{"key":"ref_98","unstructured":"(2022, January 17). IndigoZebra APT Continues to Attack Central Asia with Evolving Tools\u2014Check Point Research. Available online: https:\/\/research.checkpoint.com\/2021\/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools\/."},{"key":"ref_99","unstructured":"(2020, April 11). GitHub\u2014Arno0x\/DBC2: DBC2 (DropboxC2) is a Modular Post-Exploitation Tool, Composed of an Agent Running on the Victim\u2019s Machine, a Controler, Running on Any Machine, Powershell Modules, and Dropbox Servers as a Means of Communication. Available online: https:\/\/github.com\/Arno0x\/DBC2."},{"key":"ref_100","unstructured":"Chandel, R. (2020, April 11). Command and Control with DropboxC2. Available online: https:\/\/www.hackingarticles.in\/command-and-control-with-dropboxc2\/."},{"key":"ref_101","unstructured":"(2020, April 11). GitHub\u20140x09AL\/DropboxC2C: DropboxC2C Is a Post-Exploitation Agent Which Uses Dropbox Infrastructure for Command and Control Operations. Available online: https:\/\/github.com\/0x09AL\/DropboxC2C."},{"key":"ref_102","unstructured":"Champion, A. (2022, January 17). Attack Detection Fundamentals: C2 and Exfiltration\u2014Lab #3. Available online: https:\/\/labs.f-secure.com\/blog\/attack-detection-fundamentals-c2-and-exfiltration-lab-3\/."},{"key":"ref_103","unstructured":"GitHub\u2014FSecureLABS\/C3: Custom Command and Control (C3) (2022, January 17). A Framework for Rapid Prototyping of Custom C2 Channels, While Still Providing Integration with Existing Offensive Toolkits. Available online: https:\/\/github.com\/FSecureLABS\/C3."},{"key":"ref_104","unstructured":"Hyv\u00e4rinen, N. (2020, April 11). The Dukes: 7 Years of Russian Cyber-Espionage\u2014F-Secure Blog. Available online: https:\/\/blog.f-secure.com\/the-dukes-7-years-of-russian-cyber-espionage\/."},{"key":"ref_105","unstructured":"(2022, January 17). North Korean APT InkySquid Infects Victims Using Browser Exploits|Volexity. Available online: https:\/\/www.volexity.com\/blog\/2021\/08\/17\/north-korean-apt-inkysquid-infects-victims-using-browser-exploits\/."},{"key":"ref_106","unstructured":"(2020, April 11). GitHub\u2014Byt3bl33d3r\/gcat: A PoC Backdoor That Uses Gmail as a C&C Server. Available online: https:\/\/github.com\/byt3bl33d3r\/gcat."},{"key":"ref_107","unstructured":"Ivanov, A., and Sinitsyn, F. (2020, April 11). The First Cryptor to Exploit Telegram|Securelist. Available online: https:\/\/securelist.com\/the-first-cryptor-to-exploit-telegram\/76558\/."},{"key":"ref_108","doi-asserted-by":"crossref","unstructured":"Thomas, K., and Nicol, D.M. (2010, January 19\u201320). The Koobface botnet and the rise of social malware. Proceedings of the 2010 5th International Conference on Malicious and Unwanted Software, Nancy, France.","DOI":"10.1109\/MALWARE.2010.5665793"},{"key":"ref_109","unstructured":"Ben Koehl, J.H. (2022, January 17). Microsoft Security\u2014Detecting Empires in the Cloud\u2014Microsoft Security Blog. Available online: https:\/\/www.microsoft.com\/security\/blog\/2020\/09\/24\/gadolinium-detecting-empires-cloud\/."},{"key":"ref_110","unstructured":"Williams, J. (2020, April 11). DropSmack: How Cloud Synchronization Services Render Your Corporate Firewall Worthless. Available online: https:\/\/docs.huihoo.com\/blackhat\/europe-2013\/bh-eu-13-dropsmack-jwilliams-wp.pdf."},{"key":"ref_111","unstructured":"Wang, Z., Liu, C., Cui, X., Yin, J., Liu, J., Wu, D., and Liu, Q. (2022). Information and Communications Security, Springer."},{"key":"ref_112","unstructured":"(2020, April 11). How New Chat Platforms Can Be Abused by Cybercriminals\u2014Noticias de Seguridad\u2014Trend Micro ES. Available online: https:\/\/www.trendmicro.com\/vinfo\/es\/security\/news\/cybercrime-and-digital-threats\/how-new-chat-platforms-abused-by-cybercriminals."},{"key":"ref_113","doi-asserted-by":"crossref","unstructured":"Ahmadi, M., Biggio, B., Arzt, S., Ariu, D., and Giacinto, G. (2016, January 24). Detecting misuse of google cloud messaging in android badware. Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, Vienna, Austria.","DOI":"10.1145\/2994459.2994469"},{"key":"ref_114","doi-asserted-by":"crossref","unstructured":"Vo, N.H., and Pieprzyk, J. (2010, January 19\u201320). Protecting web 2.0 services from botnet exploitations. Proceedings of the 2010 Second Cybercrime and Trustworthy Computing Workshop, Ballarat, VIC, Australia.","DOI":"10.1109\/CTC.2010.10"},{"key":"ref_115","doi-asserted-by":"crossref","unstructured":"Ghanadi, M., and Abadi, M. (2014, January 9\u201311). Socialclymene: A negative reputation system for covert botnet detection in social networks. Proceedings of the 7\u2019th International Symposium on Telecommunications (IST\u20192014), Tehran, Iran.","DOI":"10.1109\/ISTEL.2014.7000840"},{"key":"ref_116","unstructured":"Burghouwt, P., Spruit, M., and Sips, H. (2011). Information Systems Security, Springer."},{"key":"ref_117","doi-asserted-by":"crossref","first-page":"230","DOI":"10.1016\/j.cose.2016.01.007","article-title":"Combating the evasion mechanisms of social bots","volume":"58","author":"Ji","year":"2016","journal-title":"Comput. Secur."},{"key":"ref_118","unstructured":"Shuai, W., Xiang, C., Peng, L., and Dan, L. (2012). International Conference on Trustworthy Computing and Services, Springer."},{"key":"ref_119","unstructured":"Arzt, S. (2017). Static Data Flow Analysis for Android Applications. [Ph.D. Thesis, Darmstadt University of Technology]."},{"key":"ref_120","unstructured":"Singh, A. (2012). Social Networking for Botnet Command and Control. [Master\u2019s Thesis, San Jose State University]."},{"key":"ref_121","unstructured":"Burghouwt, P., Spruit, M., and Sips, H. (2013). International Symposium on Cyberspace Safety and Security, Springer."},{"key":"ref_122","doi-asserted-by":"crossref","first-page":"556","DOI":"10.1016\/j.comnet.2012.06.006","article-title":"Design and analysis of a social botnet","volume":"57","author":"Boshmaf","year":"2013","journal-title":"Comput. Netw."},{"key":"ref_123","unstructured":"Ji, Y., He, Y., Zhu, D., Li, Q., and Guo, D. (2014). Information Security Practice and Experience, Springer."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/3\/3\/27\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T20:44:28Z","timestamp":1760129068000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/3\/3\/27"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,1]]},"references-count":123,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2023,9]]}},"alternative-id":["jcp3030027"],"URL":"https:\/\/doi.org\/10.3390\/jcp3030027","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,9,1]]}}}