Telesoft | Detecting threats in encrypted traffic
Identifying and tracking malware C2 communication across encrypted traffic

Detecting malware C2 communication in encrypted traffic

A security analyst was investigating suspicious behaviour on the network. The initial indicator was minor — anomalous connection patterns on a single endpoint. Nothing that would have triggered an automated alert.

They pulled the flow data. The endpoint had been making encrypted outbound connections to an external server at regular intervals. The payload was sealed — TLS 1.3, nothing to inspect. Under conventional analysis the connections looked like background application traffic. Unremarkable.

JA4 fingerprinting identifies the threat without decryption

The FlowProbe had captured the JA4 fingerprint from the TLS handshake of every one of those connections. The analyst queried it against JA4DB. It matched a known malware family — a specific C2 communication pattern associated with a remote access tool that had been observed in prior campaigns against telecommunications infrastructure.

The payload was never touched. The fingerprint was enough.

They ran the same fingerprint query across the full network. Six other endpoints had made connections carrying the same fingerprint in the previous nineteen days. Four of them had shown no other suspicious indicators. They would not have been found any other way.

The malware was rotating the IP address of its C2 server every 48 hours. The fingerprint didn’t rotate with it. Every connection — regardless of destination IP, regardless of TLS configuration change — carried the same behavioural signature. The analyst could see the full timeline of C2 activity across all seven endpoints, from first contact to the point of discovery.

Complete containment across all affected endpoints

Containment was complete. The board wanted to know how many systems were affected. The answer was exact. Not estimated. Not probable. Exact — because the fingerprint data was there for every connection, at full fidelity, from day one.

Advanced persistent threat tracking

Detecting Persistent C2 Activity Despite IP Rotation and TLS Evasion

A threat actor had been operating inside a carrier network for several weeks. They were careful. Every 48 hours they rotated their C2 infrastructure — new IP addresses, modified TLS configurations, different cipher selections. Each rotation broke the existing detection signatures. The security team kept losing them.

JA4+ Fingerprinting Detects Malware C2 Infrastructure Despite IP and TLS Rotation

The FlowProbe had been capturing JA4+ fingerprints across the full traffic stream throughout. While the IP addresses changed and the TLS configurations changed, the behavioural signature of the client — the way the malicious tool constructed its handshakes, the specific combination of extensions and cipher preferences — did not change. JA4 sorts cipher suites and extensions before fingerprinting, which means randomisation and GREASE values don’t affect it. The fingerprint persisted across every rotation.

Complete Malware Containment Through Persistent JA4+ C2 Tracking

The analyst pulled the fingerprint from the first detected connection and ran it against the full historical dataset in TDAC. Every connection that threat actor had made — across all their rotations, from the earliest recorded contact — was visible. The timeline was complete.

They weren’t tracking an IP address anymore. They were tracking a tool. And the tool hadn’t changed.

The attacker’s full infrastructure was mapped. Every endpoint they had touched. Every rotation they had made. The scope of the compromise was understood completely before containment began — which meant containment was complete the first time.

HOW THE FLOWPROBE MAKES THIS POSSIBLE

Every TLS handshake, TCP connection and QUIC flow leaves a fingerprint before a single byte of payload is exchanged. The FlowProbe captures and analyses these at wire speed across the full 400G stream using JA4+ — a suite of network fingerprinting methods developed by FoxIO.

JA4 identifies the application or library making the connection from the TLS client handshake — across both TCP and QUIC traffic. JA4S captures the server response. JA4T reads the TCP SYN packet — identifying operating system, device type, and whether traffic is passing through a proxy, VPN or tunnel. JA4TS completes the server side. All four. Every flow. Nothing sampled.

Every fingerprint is cross-referenced against JA4DB — FoxIO's community-maintained database of known fingerprints. A match tells you the specific application, library, device or known threat actor. Not a hash. An answer.

Fingerprints feed into TDAC for investigation and timeline reconstruction. Into IntSOC for autonomous threat hunting. The analyst investigating an incident has the complete historical picture. The system hunting for active threats doesn't wait for an analyst to start.
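An added example of the JA4 client fingerprint itself, covering both the "JA4 sorts cipher suites and extensions before fingerprinting" point in the second case study and the JA4 description above. This is code written for this page, not FoxIO's reference implementation or Telesoft's FlowProbe; it follows the published JA4 rules as I understand them (transport, version, SNI flag, counts and ALPN marker in part a; sorted ciphers in part b; sorted extensions minus SNI/ALPN plus signature algorithms in wire order in part c), takes the ClientHello fields already parsed rather than raw bytes, and assumes printable ALPN strings. The two hello field sets are constructed: the same hypothetical tool on two connections, the second with different GREASE values and a shuffled cipher and extension order.

```python
import hashlib

# TLS version codes used in JA4 part a (highest non-GREASE supported_versions entry).
TLS_VERSION_CODES = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa: both bytes equal, low nibble 0xa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _hash12(text: str) -> str:
    """JA4 keeps the first 12 hex chars of SHA-256; an empty list hashes to twelve zeros."""
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "000000000000"


def ja4(ciphers, extensions, sig_algs, supported_versions, alpn, sni_present, transport="t"):
    """Compute a JA4 fingerprint (a_b_c) from ClientHello fields given in wire order.

    ciphers, extensions, sig_algs, supported_versions: lists of 16-bit ints.
    alpn: list of ALPN protocol strings. transport: 't' (TCP) or 'q' (QUIC).
    """
    ciphers = [c for c in ciphers if not is_grease(c)]
    exts = [e for e in extensions if not is_grease(e)]
    versions = [v for v in supported_versions if not is_grease(v)]

    # Part a: transport, version, SNI present (d) or not (i), counts, ALPN first/last char.
    version = TLS_VERSION_CODES.get(max(versions), "00") if versions else "00"
    alpn_code = (alpn[0][0] + alpn[0][-1]) if alpn else "00"
    part_a = (f"{transport}{version}{'d' if sni_present else 'i'}"
              f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_code}")

    # Part b: ciphers sorted, so a client that shuffles its cipher list still matches.
    part_b = _hash12(",".join(f"{c:04x}" for c in sorted(ciphers)))

    # Part c: extensions sorted with SNI (0x0000) and ALPN (0x0010) left out of the hash
    # (they are still counted above), then signature algorithms in their original order.
    hashed_exts = sorted(e for e in exts if e not in (0x0000, 0x0010))
    ext_text = ",".join(f"{e:04x}" for e in hashed_exts)
    if sig_algs:
        ext_text += "_" + ",".join(f"{s:04x}" for s in sig_algs)
    return f"{part_a}_{part_b}_{_hash12(ext_text)}"


# Constructed ClientHello field sets for one hypothetical tool on two connections.
HELLO_A = dict(
    ciphers=[0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
    extensions=[0x1A1A, 0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023, 0x0010,
                0x0005, 0x000D, 0x0012, 0x0033, 0x002D, 0x002B, 0x001B, 0x2A2A],
    sig_algs=[0x0403, 0x0804, 0x0401],
    supported_versions=[0x0A0A, 0x0304, 0x0303],
    alpn=["h2", "http/1.1"],
    sni_present=True,
)
HELLO_B = dict(  # new GREASE values, ciphers and extensions reordered
    ciphers=[0x3A3A, 0xC02F, 0x1303, 0x1301, 0xC02B, 0x1302],
    extensions=[0x4A4A, 0x002B, 0x0000, 0x0010, 0x000D, 0x0017, 0x0005, 0xFF01,
                0x0033, 0x000A, 0x0012, 0x001B, 0x000B, 0x002D, 0x0023, 0x5A5A],
    sig_algs=[0x0403, 0x0804, 0x0401],
    supported_versions=[0x5A5A, 0x0304, 0x0303],
    alpn=["h2", "http/1.1"],
    sni_present=True,
)


def same_client(hello_x, hello_y) -> bool:
    """True when two hellos yield the same JA4: same tool despite surface changes."""
    return ja4(**hello_x) == ja4(**hello_y)


if __name__ == "__main__":
    print(ja4(**HELLO_A))
    print(ja4(**HELLO_B))
    print("same tool:", same_client(HELLO_A, HELLO_B))
```

Both hellos produce a fingerprint beginning `t13d0514h2_` (TCP, TLS 1.3, SNI present, 5 ciphers, 14 extensions, ALPN h2) with identical hashes, which is the property the case studies rely on. The one field JA4 keeps in wire order is the signature-algorithm list, so a tool that changed that, or added or dropped a cipher or extension, would produce a different fingerprint; this is why a fingerprint tracks a specific build of a tool rather than its destination.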