Step 5: Command and Control (C2)

What Command and Control Entail

With persistence established, attackers need a communication channel to issue commands and receive data. Modern C2 infrastructure is sophisticated: Domain Generation Algorithms (DGAs) produce rotating domain names to evade blocking, while legitimate platforms like Slack, GitHub, and Google Drive are increasingly abused to blend malicious traffic with normal activity. Attackers favor HTTPS for encryption and DNS tunneling to move data through rarely inspected protocols. Beacon intervals are randomized to defeat anomaly detection. Defenders counter C2 through network traffic analysis, DNS monitoring, TLS inspection, and threat intelligence feeds that flag known malicious infrastructure.

Methods of Command and Control

  • Telnet
  • Internet relay chat (IRC)
  • Domain generation algorithms (DGAs)
  • Legitimate activity interspersed with malicious activity

How to Defend Against Malicious Command and Control

  • Traffic analysis
  • DNS monitoring
  • TLS inspection
  • Heuristic threat detection systems
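The following script is an added example, not part of the original page, that shows two of the defensive checks named above (DNS monitoring and traffic analysis) applied to the C2 traits described in the opening paragraph: DGA-style domain names and beacons whose sleep interval is randomized. The log formats, thresholds (entropy above 3.5 bits, label length of 12 or more, coefficient of variation at or below 0.2) and all IP addresses and domain names are constructed for the demonstration and are not drawn from any real dataset or product.

```python
"""Heuristic detection of DGA-like DNS queries and jittered beaconing.
Added example: log formats, thresholds and sample data are assumptions."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS log (not real traffic): "<epoch> <client> <query>"
DNS_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000001 10.0.0.5 xk7q2pz9w4vbn3.net
1700000002 10.0.0.7 mail.google.com
1700000003 10.0.0.5 a8fq3zt9vkx2lm7p.com
1700000004 10.0.0.9 github.com
1700000005 10.0.0.5 zq9wtx3vbk8lpr4n.org
"""

# Constructed sample connection log: "<epoch> <src> <dst>". Host 10.0.0.5
# contacts one destination every ~60 s with a few seconds of jitter (a
# randomized beacon); host 10.0.0.7 connects at irregular, human-like times.
CONN_LOG = """\
1700000000 10.0.0.5 203.0.113.10
1700000058 10.0.0.5 203.0.113.10
1700000121 10.0.0.5 203.0.113.10
1700000179 10.0.0.5 203.0.113.10
1700000242 10.0.0.5 203.0.113.10
1700000300 10.0.0.5 203.0.113.10
1700000003 10.0.0.7 198.51.100.20
1700000015 10.0.0.7 198.51.100.20
1700000200 10.0.0.7 198.51.100.20
1700000214 10.0.0.7 198.51.100.20
1700000610 10.0.0.7 198.51.100.20
1700000612 10.0.0.7 198.51.100.20
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; machine-generated labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_flags(domain: str) -> int:
    """Count how many DGA heuristics (0-4) the registrable label trips.
    Simplification: takes the second-to-last label, so multi-part public
    suffixes such as .co.uk would need a suffix list in real use."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return 0
    label = labels[-2]
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    flags = 0
    flags += shannon_entropy(label) > 3.5   # near-uniform character use
    flags += len(label) >= 12               # long random-looking label
    flags += vowel_ratio < 0.25             # unpronounceable
    flags += digit_ratio > 0.15             # digits mixed into letters
    return flags


def suspicious_queries(log: str, min_flags: int = 3) -> list:
    """Return (client, qname, flags) for DNS queries tripping enough heuristics."""
    hits = []
    for line in log.splitlines():
        _ts, client, qname = line.split()
        flags = dga_flags(qname)
        if flags >= min_flags:
            hits.append((client, qname, flags))
    return hits


def find_beacons(log: str, min_events: int = 5, max_cv: float = 0.2) -> dict:
    """Group connections by (src, dst) and flag pairs whose inter-arrival
    intervals have a low coefficient of variation: jitter of a few seconds
    around a fixed sleep still produces a tight interval distribution."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        times[(src, dst)].append(int(ts))
    flagged = {}
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"period_s": round(mu, 1), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for client, qname, flags in suspicious_queries(DNS_LOG):
        print(f"DGA-like query from {client}: {qname} ({flags}/4 heuristics)")
    for (src, dst), stats in find_beacons(CONN_LOG).items():
        print(f"beacon candidate {src} -> {dst}: {stats}")
```

The DNS check scores each query independently, so it catches a DGA even before any of its domains resolves; the beacon check deliberately uses the spread of intervals rather than a fixed period, which is why the randomized sleep in the paragraph above does not defeat it. Both thresholds are starting points to tune against a baseline of the monitored network, since CDN hostnames and keep-alive traffic can trip either heuristic.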