The Tracker Show: A Methodological Approach to Malware C2 Interaction and Campaign Intelligence — The LummaStealer Case Study

FANTINI, FEDERICO
2024/2025

Abstract

This thesis presents a comprehensive methodology to analyze, replicate, and trace malware command and control (C2) communications, focusing on the LummaStealer family as a case study. Starting with reverse engineering, network traffic inspection, and dynamic debugger-assisted analysis, several malware samples are dissected to analyze and model the structure and behavior of their C2 communication protocol. Once the communication phases are understood, each interaction phase is extracted and classified from the pcap traces generated by the sandbox. These interactions are modeled and stored in a structured format within a MongoDB database. Each C2 server is represented as a document that includes general metadata and two distinct types of embedded documents: sandbox interactions and real interactions. Each of these documents, in turn, contains its own metadata and a collection of sub-documents representing the individual commands observed during communication. This hierarchical structure allows for detailed tracking and comparison of C2 behavior across different execution contexts. A dedicated component, called Interactor, automatically replays the communication sequences to live C2 servers, simulating legitimate infected clients. The system dynamically replaces the exfiltrated data with fake but realistic content to preserve the integrity of the interaction and avoid detection. The results of these live interactions are stored in the corresponding real interaction document of each C2 entry in the database, alongside the previously collected sandbox interactions. This structured archive is then used by a Django-based dashboard that visualizes the evolution of the C2 infrastructure and Malware-as-a-Service (MaaS) campaigns. Through heatmaps, network graphs, and payload distribution diagrams, the system allows analysts to monitor active servers, identify dominant clients, and observe behavioral changes in campaigns over time.
This approach enables long-term monitoring of malware ecosystems and provides a scalable and reusable framework applicable to other malware families. By interacting directly with the adversary infrastructure, it enriches threat intelligence with dynamic and behavioral insights, reduces the reliance on static indicators, and remains adaptive to changes in the content delivered by C2 servers. This allows for the timely discovery of second-stage payloads and continuous adjustment to evolving threats.
2024
Malware Analysis
C2 Communication
Campaign Monitoring
Active Interaction
Malware-as-a-Service
Files in this item:
File: Fantini.Federico.pdf (embargoed until 17/07/2026)
Size: 4.43 MB
Format: Adobe PDF

Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14251/3541