Covert Command-and-Control: Leveraging Legitimate APIs for Evasive Malware Operations

In this hands-on workshop, participants will learn how attackers exploit legitimate cloud-based APIs to establish stealthy command-and-control (C2) channels. Through guided exercises, attendees will implement real-world techniques for abusing APIs such as GitHub Gists, Telegram Bots, Discord Webhooks, and Google Apps Script to bypass traditional security defenses. This session blends theory with practical application, demonstrating the challenges of detecting API-based malware communication while providing defenders with the tools needed to counter these threats.

Module 1: Understanding API-based C2 (30 min)
Overview of modern malware communication methods.
Case studies on API abuse by APT groups.
Limitations of traditional network-based detection systems.

Module 2: Setting Up API-based C2 Channels (45 min)
Hands-on exercise: Establishing a covert C2 using GitHub Gists.
Configuring Telegram Bot API as a remote shell.
Sending and receiving commands via Discord Webhooks.
Encrypting C2 communications to evade detection.

Module 3: Building a Dropper and Malware Loader (45 min)
Writing a simple C/C++ dropper to retrieve and execute payloads.
Obfuscation techniques to evade static analysis.
Bypassing signature-based detections with encryption and packing.

Module 4: Evasion Techniques & Detection Countermeasures (45 min)
Bypassing Endpoint Detection & Response (EDR) and Machine Learning (ML) defenses.
Implementing polymorphic techniques for API-based malware.
Hands-on: Detecting and mitigating API-based C2 in enterprise environments.

Final Q&A and Discussion (15 min)
Open discussion on emerging threats in cloud-based malware.
Recommendations for security practitioners to improve defenses.

Zhassulan Zhussupov

Malware Researcher, Threat Hunter, Butterfly Effect Team

Istanbul, Turkey
