C2

C2 (command and control) is the communication channel an adversary uses to remotely send instructions to and pull data from a device they've compromised, often through malware like a RAT, so they can control the machine without physical access.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is C2?

C2 is short for command and control (sometimes written C&C). It's the link an attacker keeps open between their own system and a device they've broken into. Once malware lands on a target, the malware "phones home" to the attacker's server. From there the adversary can send commands and receive stolen data, all without ever touching the device physically.

Think of C2 like a remote control for a hijacked machine. The CED (EK 4.1.C.1) describes exactly this when it says an adversary can "take control of the device to issue their own commands including commands to steal or destroy information." That control has to travel over some channel, and C2 is that channel. A remote access trojan (RAT) is the classic tool that establishes one: it gives the attacker an ongoing connection so they can turn on a webcam, log keystrokes, or wipe the drive on demand.

Why C2 matters in AP Cybersecurity

C2 lives in Unit 4: Securing Devices, specifically topic 4.1 (Device Vulnerabilities and Attacks). It directly supports [AP Cybersecurity 4.1.C], which asks you to explain how adversaries exploit device vulnerabilities to cause loss, damage, disruption, or destruction. C2 is the mechanism behind "taking control of the device" in EK 4.1.C.1. It also feeds [AP Cybersecurity 4.1.D] on assessing risk, because a device with an active C2 channel means an attacker can impersonate users, remotely control the machine, or trigger ransomware (EK 4.1.D.1). If you can name how the attacker maintains control after the initial breach, you can reason about why the risk is high.

How C2 connects across the course

Remote Access Trojan / RAT (Unit 4)

A RAT is the malware that builds the C2 channel. The trojan gets in disguised as harmless software, then opens a backdoor so the attacker can issue commands remotely. C2 is the connection; the RAT is what creates and uses it.

Malware as a tool in an attack chain (Unit 4)

EK 4.1.B.2 says malware is usually one step toward a bigger goal, not the goal itself. C2 is the step that turns a one-time infection into ongoing access, which is why it's so dangerous compared to a virus that just damages a file.

Device risk assessment (Unit 4)

C2 raises the risk level under [AP Cybersecurity 4.1.D] because it lets an attacker do everything EK 4.1.D.1 lists: remote control, ransomware, or wiping memory. A compromised server with a C2 channel is far higher risk than an isolated personal laptop.

Is C2 on the AP Cybersecurity exam?

Expect C2 to show up in scenario-style MCQ stems describing an attacker who maintains remote access to a device after the initial infection. The right answer usually involves identifying that a backdoor or RAT has established command and control. On free-response, you'd use C2 to explain HOW an adversary causes damage after exploiting a vulnerability, tying it to [AP Cybersecurity 4.1.C], and to justify a high risk rating under [AP Cybersecurity 4.1.D]. The move to practice: don't just say "the device was hacked," explain that the attacker keeps a control channel open to issue ongoing commands.

C2 vs RAT (remote access trojan)

These travel together but aren't the same thing. A RAT is the malware that breaks in and opens the door. C2 (command and control) is the communication channel the attacker uses through that door to send commands and pull data. The RAT is the tool; C2 is what the tool enables.

Key things to remember about C2

  • C2 stands for command and control, the channel an attacker uses to remotely send instructions to and steal data from a compromised device.

  • C2 is what turns a one-time infection into ongoing remote control, which is why it makes a device's risk level high under [AP Cybersecurity 4.1.D].

  • A RAT establishes the C2 channel, so on the exam you'll often see the two concepts paired in the same scenario.

  • C2 is the mechanism behind EK 4.1.C.1's warning that an adversary can take control of a device to issue their own commands.

  • When explaining an attack on the FRQ, name C2 to show HOW the attacker keeps access, not just that the device got infected.

Frequently asked questions about C2

What is C2 in cybersecurity?

C2 means command and control. It's the communication channel an attacker uses to remotely control a device they've compromised, sending it commands and receiving stolen data, often through malware like a RAT.

Is C2 the same as a RAT?

No. A RAT (remote access trojan) is the malware that opens the backdoor, while C2 is the channel the attacker uses through that backdoor to issue commands. Think of the RAT as the tool and C2 as what it lets the attacker do.

Why does C2 make a device high risk?

Because an active C2 channel means the attacker can do everything EK 4.1.D.1 lists: remotely control the machine, run ransomware, impersonate a user, or wipe the drive. Ongoing control is far more dangerous than a single hit of damage.

How does C2 fit into a cyberattack?

Malware usually isn't the end goal (EK 4.1.B.2). C2 is the step after the initial infection that gives the attacker persistent remote access, letting them carry out the rest of their plan over time.

Will C2 be on the AP Cybersecurity exam?

It can appear in Unit 4 scenarios about device attacks. You'd use it to explain how an adversary maintains control of a device under [AP Cybersecurity 4.1.C] and to justify a risk rating under [AP Cybersecurity 4.1.D].
