Researchers at Kaspersky Lab have published an in-depth study on how to detect Mythic inside corporate networks. Mythic is one of the command-and-control (C2) frameworks attackers most commonly use to control compromised systems.
Mythic belongs to the class of so-called post-exploitation frameworks. These platforms allow adversaries to retain control over breached machines and gradually expand their foothold inside an organization. Whereas attackers once favored proprietary commercial tools such as Cobalt Strike, recent years have seen a marked shift toward open-source alternatives—Mythic, Sliver, and Havoc among them. These frameworks are now actively used by APT groups, including those targeting Russian companies.
The researchers highlight a revealing pattern: while the developers of such tools devote considerable effort to evading antivirus software and endpoint protection systems, they pay far less attention to concealing network activity. Yet malicious agents inevitably need to communicate with command-and-control servers—and it is precisely this communication that can be observed and traced.
Mythic supports a wide array of communication channels, including HTTP, WebSocket, TCP, SMB, DNS, and even MQTT. Moreover, its agents can obscure their traffic by leveraging popular intermediary services such as Discord and GitHub. In these cases, commands and execution results are disguised as ordinary messages or comments, rendering the activity almost indistinguishable from legitimate use.
However diverse these channels are, they share one trait: the agent's messages are framed according to a fixed scheme in which every message begins with the agent's unique identifier, a UUID. This recurring structure became the foundation of the detection logic. The researchers developed a set of Suricata signatures that look for it in network packets, enabling the detection of Mythic communications over SMB, TCP, HTTP, WebSocket and, where the traffic is decrypted at an inspection point, HTTPS.
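The following Python is an added illustration of that detection idea, not code from Kaspersky's research or from the Mythic project. It assumes one reading of the Mythic agent protocol: each message is the agent's 36-character UUID followed by the payload (plain or encrypted), and the concatenation is base64-encoded before it travels over the C2 channel. The agent identifier and the request bodies below are constructed for the example. A useful side effect of that framing is also shown: 36 bytes is a multiple of 3, so the UUID alone always yields the first 48 base64 characters of a message, regardless of what follows.

```python
import base64
import binascii
import re

# Framing assumed here (the author's reading of the Mythic agent protocol, not
# code from Mythic or from the Kaspersky research): each agent message is the
# agent's 36-character UUID followed by the payload (plain or encrypted), and
# the concatenation is base64-encoded before it is put on the wire.
UUID_LEN = 36
UUID_RE = re.compile(
    rb"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)

# Constructed agent identifier used only for the sample traffic below.
AGENT_ID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"


def build_agent_message(agent_uuid: str, payload: bytes) -> bytes:
    """Build a message in the assumed framing (used only to construct samples)."""
    return base64.b64encode(agent_uuid.encode("ascii") + payload)


def base64_prefix_for(agent_uuid: str) -> bytes:
    """The first 48 base64 characters of every message from this agent.

    36 bytes is a multiple of 3, so the UUID alone produces exactly 48 base64
    characters and the encoding of the rest of the message cannot change them.
    Once an agent ID is known, that prefix is a stable byte pattern to match on.
    """
    return base64.b64encode(agent_uuid.encode("ascii"))


def looks_like_mythic(body: bytes) -> bool:
    """Generic check: does the body base64-decode to <UUID><non-empty payload>?"""
    body = body.strip()
    if len(body) < 52:  # 36-byte UUID plus at least one payload byte -> 52+ chars
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False  # not base64 at all, so not this framing
    if len(raw) <= UUID_LEN:
        return False  # a bare UUID with no payload is not a message
    return UUID_RE.fullmatch(raw[:UUID_LEN]) is not None


# Constructed HTTP request bodies (not captured traffic): two in the assumed
# Mythic framing, one unrelated base64 blob, one plain JSON API call.
SAMPLE_BODIES = [
    build_agent_message(AGENT_ID, b'{"action":"checkin","host":"WS-17"}'),
    build_agent_message(AGENT_ID, bytes(range(64))),  # stands in for IV+ciphertext+HMAC
    base64.b64encode(b"This is an ordinary base64-encoded attachment, nothing more."),
    b'{"action":"checkin","host":"WS-17"}',
]


def scan_bodies(bodies) -> list[int]:
    """Return the indexes of bodies that match the Mythic framing."""
    return [i for i, body in enumerate(bodies) if looks_like_mythic(body)]


if __name__ == "__main__":
    print("flagged bodies:", scan_bodies(SAMPLE_BODIES))
```

Note that the check never needs to read the payload: the encrypted sample (index 1) matches just as the plaintext check-in does, which is why the technique survives agent-side encryption as long as the transport itself is inspectable. A Suricata rule can perform the same decode-then-match step on packet content with its `base64_decode` and `base64_data` keywords followed by a `pcre` on the decoded bytes; the actual rules from the research are not reproduced here.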
Encrypted traffic presents a greater challenge. When agents communicate with Discord or GitHub over HTTPS and defenders lack the ability to decrypt the traffic, detection must rely on behavioral analysis—monitoring unusually frequent connections to these services or excessive DNS queries. This approach is inherently less precise and requires careful tuning to the specifics of a given environment to avoid false positives.
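As an added example of the behavioral approach (not code from the research), the script below works from a proxy log and looks at how each client talks to the intermediary services. It goes one step beyond the "unusually frequent" criterion named above: besides a connection-count threshold it measures how regular the gaps between connections are, since an agent sleeping a fixed interval with small jitter produces evenly spaced connections while a person using Discord produces bursts. The log excerpt, host names and thresholds are all constructed for the illustration; the same per-client analysis applies unchanged to DNS query logs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log excerpt (not real data): "<UTC time> <client> <destination>".
# ws-17 reaches discord.com every ~30 s with small jitter; ws-22 is a person
# using Discord in bursts; ws-04 touches github.com a few times.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:00Z ws-17 discord.com
2024-05-01T10:00:05Z ws-22 discord.com
2024-05-01T10:00:09Z ws-22 discord.com
2024-05-01T10:00:12Z ws-04 github.com
2024-05-01T10:00:31Z ws-17 discord.com
2024-05-01T10:01:00Z ws-17 discord.com
2024-05-01T10:01:29Z ws-17 discord.com
2024-05-01T10:01:40Z ws-22 discord.com
2024-05-01T10:01:41Z ws-22 discord.com
2024-05-01T10:02:02Z ws-17 discord.com
2024-05-01T10:02:30Z ws-17 discord.com
2024-05-01T10:03:01Z ws-17 discord.com
2024-05-01T10:03:28Z ws-17 discord.com
2024-05-01T10:04:50Z ws-04 github.com
2024-05-01T10:05:03Z ws-04 github.com
2024-05-01T10:05:30Z ws-22 discord.com
2024-05-01T10:07:55Z ws-22 discord.com
2024-05-01T10:08:00Z ws-22 discord.com
2024-05-01T10:11:40Z ws-04 github.com
"""

# Intermediary services named in the article; extend per environment.
WATCHED = {"discord.com", "github.com"}


def parse_log(text: str):
    """Yield (timestamp, client, destination) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, dest


def find_beacons(records, watched=WATCHED, min_count=6, max_cv=0.2):
    """Per (client, destination) pair to a watched service, return connection
    count, mean gap and coefficient of variation (cv) of the gaps.

    'beacon' is True when the pair is both frequent (>= min_count connections)
    and regular (cv <= max_cv). Both thresholds are environment-specific
    tuning knobs: too low and chatty users are flagged, too high and a slow
    agent slips through.
    """
    times = defaultdict(list)
    for ts, client, dest in records:
        if dest in watched:
            times[(client, dest)].append(ts)
    results = {}
    for key, stamps in times.items():
        if len(stamps) < max(min_count, 2):
            continue  # too few connections to say anything
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        results[key] = {"count": len(stamps), "mean_gap": avg, "cv": cv,
                        "beacon": cv <= max_cv}
    return results


if __name__ == "__main__":
    for (client, dest), stats in find_beacons(parse_log(SAMPLE_PROXY_LOG)).items():
        print(f"{client} -> {dest}: {stats}")
```

On this sample a count-only rule would flag both ws-17 and ws-22, because both exceed six connections to discord.com in a few minutes; the regularity check separates the evenly spaced agent from the bursty human. Real agents usually sleep for minutes rather than seconds, so the analysis window and `min_count` have to be chosen for the baseline of the environment in question, which is exactly the tuning the article warns about.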
A significant limitation applies to the SMB protocol: when SMB version 3 encryption is enabled, signature-based inspection becomes infeasible, while behavioral methods tend to generate excessive noise, as SMB is widely used for legitimate purposes in corporate networks.