T1071.005 Publish/Subscribe Protocols is a sub-technique of Application Layer Protocols (T1071) in the MITRE ATT&CK framework, under the Command and Control tactic. It covers adversaries who carry their command-and-control traffic over publish/subscribe messaging protocols, the messaging frameworks that move data between the components of a distributed system.
Protocols like MQTT, XMPP, and AMQP use the publish/subscribe model, where messages are organized into topics. A central message broker accepts each message published to a topic and forwards it only to the clients subscribed to that topic, so publishers and subscribers never have to know each other's addresses. This makes these protocols efficient and scalable in complex, distributed environments.
To read about other sub-techniques of the T1071 Application Layer Protocols technique, you can visit the related hub blog.
Adversaries exploit publish/subscribe protocols like MQTT, XMPP, and AMQP to create covert communication channels with compromised systems. By embedding malicious commands in legitimate-looking traffic, they use a centralized broker to route messages and evade detection. These protocols blend with normal traffic, making it difficult to identify malicious behavior. Their asynchronous, scalable nature also helps attackers maintain persistent C2 operations across multiple systems, often bypassing traditional security measures.
For example, a March 2025 Flashpoint analysis of IOCONTROL, a malware strain attributed to the Cyber Av3ngers hacktivist group, found that the malware uses the MQTT protocol for its command-and-control (C2) communications [1]. MQTT lets IOCONTROL exchange commands with its operator without talking to the C2 server directly. After compromising a system, IOCONTROL first locates its broker, typically hosted on a cloud service, by resolving its address through DNS; the lookup goes through Cloudflare, shown here in simplified form:

    DnsQuery_A("cloudflare.com", &broker_ip);
Once the IP is resolved, the malware opens an MQTT connection to the broker and begins sending system information back to the attacker. The beacon includes details such as the kernel version, hostname, and user identity, packaged as a structured message and published over the established MQTT connection:

    {
Because MQTT is a lightweight protocol designed for IoT communications, IOCONTROL's traffic blends in with normal network activity and evades traditional detection methods. The malware also keeps the MQTT session open so it stays connected to the C2 server and waits for further instructions, which lets the attackers exfiltrate critical data and execute arbitrary commands remotely.
In addition to beaconing, IOCONTROL receives commands from the C2 server as MQTT messages. These commands arrive as JSON text, which the malware decodes and executes on the infected system. Routing everything through the broker lets the attackers keep control of compromised devices while minimizing the risk of detection by traditional network defenses.
Earlier reporting from December 2024 describes IOCONTROL as sophisticated malware targeting critical infrastructure, including IoT and OT devices such as IP cameras, routers, PLCs, and HMIs [2]. It uses MQTT over TCP port 8883, the standard port for MQTT over TLS, so its C2 traffic is encrypted, and it embeds a unique device ID in the MQTT credentials so the operator can address each implant individually. It also resolves its C2 domains with DNS over HTTPS, which hides the lookups from conventional DNS monitoring.
WailingCrab, by contrast, is a multi-component malware distributed through phishing emails with malicious attachments. Since mid-2023, its backdoor component has communicated with its C2 server over MQTT [3]. By relaying through a legitimate third-party broker, broker.emqx[.]io, WailingCrab never exposes the true address of its C2 server: the implant and the operator each talk only to the broker, and the traffic blends in with legitimate IoT messaging, complicating detection. Together, these cases show how threat actors use publish/subscribe protocols to establish covert and resilient C2 channels that integrate with legitimate network traffic to evade detection.
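As an added example (not code from this page or from the IOCONTROL and WailingCrab reports it cites), the following Python builds and decodes the two MQTT 3.1.1 packets that matter for this style of C2, CONNECT (where a device ID can ride in the credentials, as described for IOCONTROL) and PUBLISH (the beacon), and then runs a session-level check that flags the traits described above: a connection to a public broker such as broker.emqx.io (as WailingCrab uses), a credentialed CONNECT, and a JSON payload carrying host-fingerprint fields. The extra broker names, topic names, device ID, beacon field names and the internal hostname are assumptions chosen for the example.

```python
# Added example (not from the page or from the IOCONTROL/WailingCrab reports):
# minimal MQTT 3.1.1 CONNECT/PUBLISH encoder and decoder, plus a detector that
# scores one client-to-broker session the way the page describes these implants.
# Broker names beyond broker.emqx.io, topics, device IDs and beacon field names
# are constructed assumptions.
import json

PUBLIC_BROKERS = {"broker.emqx.io", "test.mosquitto.org", "broker.hivemq.com"}
BEACON_KEYS = {"hostname", "kernel", "user", "uid", "arch"}  # assumed key names

def encode_len(n):
    """MQTT 'remaining length': 7 bits per byte, high bit means continue."""
    out = bytearray()
    while True:
        b, n = n % 128, n // 128
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def decode_len(buf, i):
    """Inverse of encode_len; returns (value, index after the length field)."""
    mult, val = 1, 0
    while True:
        b, i = buf[i], i + 1
        val += (b & 0x7F) * mult
        if not b & 0x80:
            return val, i
        mult *= 128
        if mult > 128 ** 3:                   # spec allows at most 4 bytes
            raise ValueError("malformed remaining length")

def _str(s):
    b = s.encode()
    return len(b).to_bytes(2, "big") + b       # length-prefixed UTF-8 string

def _read_str(buf, i):
    n = int.from_bytes(buf[i:i + 2], "big")
    return buf[i + 2:i + 2 + n].decode(), i + 2 + n

def connect_packet(client_id, username=None, password=None, keepalive=60):
    """CONNECT, clean session; username/password is where a device ID can hide."""
    flags, payload = 0x02, _str(client_id)
    if username is not None:
        flags, payload = flags | 0x80, payload + _str(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _str(password)
    body = _str("MQTT") + bytes([4, flags]) + keepalive.to_bytes(2, "big") + payload
    return bytes([0x10]) + encode_len(len(body)) + body

def publish_packet(topic, payload, qos=0, packet_id=1):
    """PUBLISH; a packet identifier is present only for QoS 1 or 2."""
    body = _str(topic) + (packet_id.to_bytes(2, "big") if qos else b"") + payload
    return bytes([0x30 | (qos << 1)]) + encode_len(len(body)) + body

def parse_packet(buf):
    """Decode one CONNECT or PUBLISH control packet into a dict."""
    ptype, qos = buf[0] >> 4, (buf[0] >> 1) & 0x03
    rem, i = decode_len(buf, 1)
    end = i + rem
    if ptype == 1:  # CONNECT
        _, i = _read_str(buf, i)              # protocol name "MQTT"
        flags = buf[i + 1]                    # buf[i] is the protocol level
        keepalive = int.from_bytes(buf[i + 2:i + 4], "big")
        client_id, i = _read_str(buf, i + 4)
        if flags & 0x04:                      # will topic and will message
            _, i = _read_str(buf, i)
            _, i = _read_str(buf, i)
        username = password = None
        if flags & 0x80:
            username, i = _read_str(buf, i)
        if flags & 0x40:
            password, i = _read_str(buf, i)
        return {"type": "CONNECT", "client_id": client_id, "username": username,
                "password": password, "keepalive": keepalive}
    if ptype == 3:  # PUBLISH
        topic, i = _read_str(buf, i)
        if qos:
            i += 2                            # skip the packet identifier
        return {"type": "PUBLISH", "topic": topic, "payload": buf[i:end]}
    return {"type": ptype}

def assess(host, port, packets):
    """Findings for one session: public broker, credentialed CONNECT (device ID
    in credentials), and JSON beacons that carry host-fingerprint fields."""
    findings = []
    if host in PUBLIC_BROKERS:
        findings.append(f"public broker {host}:{port}")
    for p in map(parse_packet, packets):
        if p["type"] == "CONNECT" and (p["username"] or p["password"]):
            findings.append(f"credentialed CONNECT client_id={p['client_id']} "
                            f"username={p['username']}")
        elif p["type"] == "PUBLISH":
            try:
                doc = json.loads(p["payload"])
            except ValueError:
                continue                      # binary or non-JSON payload
            hits = BEACON_KEYS & set(doc) if isinstance(doc, dict) else set()
            if len(hits) >= 2:
                findings.append(f"beacon-like JSON on {p['topic']}: {sorted(hits)}")
    return findings
```

A constructed session that connects to broker.emqx.io with the device ID repeated as the username and then publishes `{"hostname": ..., "kernel": ..., "user": ...}` produces three findings, while an internal sensor that connects anonymously and publishes a temperature reading produces none. In practice the packets come from a reassembled capture or a broker's access log, and the parser only understands protocol level 4 CONNECT and PUBLISH; traffic on 8883 is TLS-wrapped, so this kind of payload inspection needs broker-side logging or TLS interception, which is exactly why the page's cases lean on that port.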
[1] “IOCONTROL Malware: A New Threat Targeting Critical Infrastructure,” Flashpoint, Mar. 25, 2025. Available: https://flashpoint.io/blog/iocontrol-malware/. [Accessed: Dec. 08, 2025]
[2] B. Toulas, “New IOCONTROL malware used in critical infrastructure attacks,” BleepingComputer, Dec. 12, 2024. Available: https://www.bleepingcomputer.com/news/security/new-iocontrol-malware-used-in-critical-infrastructure-attacks/. [Accessed: Dec. 18, 2024]
[3] C. Hammond, O. Villadsen, and K. Metrick, “Stealthy WailingCrab Malware misuses MQTT Messaging Protocol,” Security Intelligence, Nov. 21, 2023. Available: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/. [Accessed: Dec. 18, 2024]