National Cyber Warfare Foundation (NCWF)

Dead-Drop Resolvers: Malware’s Quiet Rendezvous and Why Adaptive Defense Matters


2025-10-21 23:24:05
milo
Blue Team (CND)

At this weekend’s BSides NYC, Dr. Jonathan Fuller, CISO of the U.S. Military Academy at West Point, delivered an extremely clear talk on how modern malware hides its command-and-control (C2) infrastructure through dead-drop resolvers. Fuller, who co-authored Georgia Tech’s VADER project, described how adversaries increasingly use public platforms (GitHub, Dropbox, Pastebin, even blockchain transactions) as covert meeting points between infected hosts and remote operators. Rather than embedding a C2 address directly in their code, attackers plant an encrypted message on one of these benign services. The malware later retrieves and decodes it, discovering where to connect next. It’s simple, elegant, and devastatingly effective at evading traditional defenses.



This technique, formally captured in the MITRE ATT&CK framework as Web Service: Dead Drop Resolver, represents a new generation of stealth. It allows attackers to rotate C2 servers without redeploying malware and to hide in plain sight within trusted domains. Fuller’s work, and the broader VADER research, reveals just how pervasive this pattern has become, uncovering thousands of active samples across multiple malware families. Real-world incidents back this up: Secureworks’ analysis of Drokbk found attackers using GitHub repositories as disposable message boards for resolvers, while others have used blockchain metadata as immutable storage for the same purpose.


The pattern is clear: adversaries are increasingly weaponizing the very web services defenders rely upon.


Traditional defenses are largely blind to this. Static detection fails because the resolver payloads are obfuscated; URL blocking doesn’t work when attackers change platforms daily; sandboxing often misses the fleeting moment when a sample decodes its C2. The challenge isn’t just technical; it’s conceptual. Malware has become a process of adaptation, not a fixed artifact. To detect it, defenders need systems that can see when “normal” behavior subtly diverges from the baseline.


That’s where our Log Language Model (LogLM) provides a crucial new layer of defense. Trained on billions of NetFlow and application logs, Tempo learns what normal digital interactions look like: how entities on a network typically communicate, what timing and data patterns are expected, and when they shift. When malware begins making short, structured calls to public storage sites or decodes data in ways unseen before, Tempo recognizes that behavioral anomaly, even without knowing the specific payload or domain. In essence, DeepTempo acts as the connective tissue between static controls and adaptive threats, detecting the pattern of behavior that makes dead-drop resolvers effective in the first place.
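To make the "short, structured calls to public storage sites" signal concrete, here is a small heuristic run over constructed proxy-log lines. It is an added example, not DeepTempo's LogLM or any code from the post, and the hostnames in the watch set and the sample log are assumptions: it flags a client that keeps pulling a tiny object from a public paste or code-hosting service at near-constant intervals, without looking at what the object contains.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Hostnames of services the post names as dead-drop platforms (assumed list for this example).
DEAD_DROP_HOSTS = {"raw.githubusercontent.com", "pastebin.com", "dl.dropboxusercontent.com"}

# Constructed proxy-log sample: "<iso timestamp> <client ip> <host> <bytes out> <bytes in>".
# 10.1.1.5 pulls the same tiny blob every ~5 min; 10.1.1.9 is ordinary browsing.
SAMPLE_LOG = """\
2025-10-21T10:00:00 10.1.1.5 raw.githubusercontent.com 310 142
2025-10-21T10:00:03 10.1.1.9 www.example.org 512 48210
2025-10-21T10:05:00 10.1.1.5 raw.githubusercontent.com 310 142
2025-10-21T10:07:30 10.1.1.9 raw.githubusercontent.com 410 90321
2025-10-21T10:10:01 10.1.1.5 raw.githubusercontent.com 310 142
2025-10-21T10:15:00 10.1.1.5 raw.githubusercontent.com 310 142
2025-10-21T10:20:00 10.1.1.5 raw.githubusercontent.com 310 142
"""

def parse_log(text):
    """Yield (timestamp, client, host, bytes_in); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, host, _bytes_out, bytes_in = parts
        yield datetime.fromisoformat(ts), client, host, int(bytes_in)

def find_beacon_like_fetches(text, min_fetches=4, max_bytes_in=4096, max_jitter=0.2):
    """Flag (client, host) pairs whose fetches from a dead-drop-capable host are
    small, repeated and regularly spaced. Jitter = stdev/mean of the gaps between fetches."""
    by_pair = defaultdict(list)
    for ts, client, host, bytes_in in parse_log(text):
        if host in DEAD_DROP_HOSTS:
            by_pair[(client, host)].append((ts, bytes_in))
    flagged = {}
    for pair, events in by_pair.items():
        events.sort()
        if len(events) < min_fetches or max(b for _, b in events) > max_bytes_in:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.stdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if jitter <= max_jitter:
            flagged[pair] = {"fetches": len(events), "mean_interval_s": mean_gap, "jitter": jitter}
    return flagged
```

Legitimate automation (package managers, CI runners) also polls GitHub on a schedule, so this is a triage signal to compare against the host's own baseline, not a verdict.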


Dead-drop resolvers are only one branch of a growing tree of covert C2 techniques. Steganography hides commands within images and text, blockchain transactions embed them immutably, and DNS tunneling conceals them within ordinary queries. Each shares a key trait: their content looks legitimate, but their sequence and intent deviate from normal activity. That is precisely where behavioral models like Tempo excel: learning the context of communication, not just its content.


The message from Fuller’s BSides talk is one we at DeepTempo take seriously: adversaries will continue to innovate faster than static defenses can adapt. Foundation models trained on real behavioral data, such as our LogLM, offer a path forward. They allow defenders to see patterns that weren’t explicitly labeled, to surface early warnings that rules and signatures miss, and to adapt as attackers evolve. In a world where malware hides its tracks in plain sight, visibility itself becomes the new perimeter.



Originally published at https://www.deeptempo.ai.





Dead-Drop Resolvers: Malware’s Quiet Rendezvous and Why Adaptive Defense Matters was originally published in DeepTempo on Medium, where people are continuing the conversation by highlighting and responding to this story.


The post Dead-Drop Resolvers: Malware’s Quiet Rendezvous and Why Adaptive Defense Matters appeared first on Security Boulevard.



Evan Powell

Source: Security Boulevard
Source Link: https://securityboulevard.com/2025/10/dead-drop-resolvers-malwares-quiet-rendezvous-and-why-adaptive-defense-matters/





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.