A C&C server is identified by malware researchers, clients, or partners as linked to a phishing campaign or to malware targeting civil society groups. Victims may be receiving malicious files through social media and/or chat tools, and the control servers may hop from DNS domain to DNS domain.

Report and Disable Malicious C&C Server

What to do when a C&C server is used to spread malware or for a phishing campaign

Problem

  • When a website is being used for a phishing campaign or for spreading malware, it is important to take it down to stop it from harming more people.
  • If the C&C server is not disabled, the malware will continue to infect more devices and put more people from the targeted civil society community in danger.
  • If partner organizations have covert access to the C&C server, they may be able to find out who gets compromised in the community and notify them.

Solution

  1. Make sure you have the minimum information necessary for this case, that is, at least one of the following:
    • IP of C&C server (ideally with the port that is used by the C&C server)
    • Sample of the malware
    • URL pointing to the C&C server

    This information can come from the partner or beneficiary sharing information about the C&C server or malicious website.

  2. Paste the URL in this page to receive all the contact points from the whois entries.

  3. Send an email to all contacts listed in step 2 notifying them of the malicious content found on one of their domains. An example of what this email could look like may be found in Article #209: Template - Phishing Link.

  4. Ask the client/partner for permission to share the indicators of compromise with the digital security community.

    You may use the template included in Article #261: Disable C&C server - email to client.

  5. Once the client's permission to share the indicators has been obtained, add them to MISP following the instructions in Article #355: How to Add an Event to CiviCERT’s MISP Instance.
  6. To disable the domain, contact immediately:
    • The registrar of the malicious domain to disable it
    • The hosting provider to disable the IP and malicious content

    You may use the following templates when contacting them:

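The following is an added example, not part of the original article or of any tool it refers to: it turns a reported C&C URL into the host and port to look up (step 1) and pulls the abuse and contact addresses out of WHOIS text so that the registrar and hosting provider can be notified (steps 2, 3 and 6). The WHOIS records below are constructed samples, not real lookups, so the code runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed sample WHOIS output (not real records): an RIR-style record
# for the server IP and a registrar-style record for the domain.
SAMPLE_IP_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example Hosting LLC
OrgAbuseEmail:  abuse@hosting.example
OrgTechEmail:   noc@hosting.example
"""
SAMPLE_DOMAIN_WHOIS = """\
Domain Name: update-cdn.example
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Email: REDACTED FOR PRIVACY
Admin Email: admin@update-cdn.example
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)

def indicator_from_url(url: str) -> dict:
    """Reduce a reported C&C URL (or bare IP) to the host and port to look up."""
    if "://" not in url:
        url = "http://" + url          # bare host/IP as reported by a partner
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"host": parts.hostname, "port": port}

def abuse_contacts(whois_text: str) -> list[str]:
    """Return de-duplicated e-mail addresses from WHOIS text, abuse mailboxes first."""
    abuse, other = [], []
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")   # "Field: value" layout
        for mail in EMAIL_RE.findall(value):
            mail = mail.lower()
            bucket = abuse if "abuse" in key.lower() else other
            if mail not in abuse and mail not in other:
                bucket.append(mail)
    return abuse + other

def notification_list(url: str, whois_records: list[str]) -> dict:
    """Indicator plus everyone to e-mail, across the domain and IP WHOIS records."""
    result = indicator_from_url(url)
    contacts = []
    for record in whois_records:
        contacts += [m for m in abuse_contacts(record) if m not in contacts]
    return {**result, "contacts": contacts}
```

Privacy-redacted registrant fields yield no address, so the registrar's abuse mailbox is often the only domain-side contact; the hosting provider's abuse mailbox comes from the IP record.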

Comments

Also see Article #258: Advanced Threats Triage Workflow.