Koadic C&C Stager Connection

Koadic is a post-exploitation framework that is often associated with malicious activity. Koadic implementation occurs in three phases: initial staging, the creation of a persistent connection to the Koadic command-and-control (C&C) server, and implant execution, where the victim performs tasks provided by the C&C server.

In the initial staging phase, a Koadic payload, referred to as a stager, is run on the victim device. The stager connects the victim to the Koadic command-and-control (C&C) server through a series of GET and POST requests.

In the second phase, the victim is now considered a Koadic zombie and sends an HTTP POST request to establish an HTTP connection that remains open to receive instructions from the Koadic C&C server. Unlike other C&C frameworks that maintain persistence with periodic beacon messages, a Koadic C&C server reduces the amount of identifiable network traffic by relying on this single open HTTP connection to communicate with the victim.

In the third phase, the Koadic server provides instructions to the victim. The server sends a response over the open HTTP connection that prompts the victim to open a new HTTP connection with a GET request. The Koadic server responds with an executable payload of JavaScript or VBScript code called an implant. The victim runs the implant to perform a task such as user enumeration, phishing, privilege escalation, or remote command execution. Then the victim sends the output of the task back to the server in a POST request.