Hackers Turn AWS X-Ray into Command-and-Control Platform
gbhackers
Red team researchers have unveiled XRayC2, a sophisticated command-and-control framework that weaponizes Amazon Web Services’ X-Ray distributed application tracing service to establish covert communication channels.
This innovative technique demonstrates how attackers can abuse legitimate cloud monitoring infrastructure to bypass traditional network security controls.
[Image: Diagram explaining command and control (C2) servers used by attackers to control infected devices and exfiltrate data]
Exploiting Cloud Infrastructure for Stealth Operations
The XRayC2 toolkit transforms AWS X-Ray from a performance monitoring tool into a bidirectional communication platform for malicious activities, as reported by a security researcher.
Traditional command-and-control infrastructure typically relies on attacker-controlled servers, which create numerous detection opportunities including suspicious domains, unknown IP addresses, unusual network patterns, and certificate anomalies.
[Image: Visual overview of various cyber attack vectors targeting AWS cloud services illustrated by service icons and attack names]
By leveraging AWS X-Ray’s legitimate cloud infrastructure, attackers can blend their malicious traffic with ...
Copyright of this story solely belongs to gbhackers.

