
Using Hinge as a Command and Control Server

111 points | mattwiese | 1 month ago | mattwie.se

62 comments


hobofan|1 month ago

I'm not really into malware, so I was just wondering:

- Isn't this really non-viable in practice? The "few headers" that were shown include an Authorization header, which would presumably rotate every ~24 hours and would have to rotate for all the malware clients as well.

- Are centralized Command and Control Servers still a thing in the malware space? I would have assumed that this function mainly migrated onto one of the popular blockchains, with clients using one of thousands of available gateways for reading.

Imustaskforhelp|1 month ago

One could probably use matrix (perhaps might need account creation?) or session or simplex (their accounts are sort of like addresses, easy to make comparatively to matrix).

I have built dead simple bots on both session/simplex, trying both of them out, and session was the more ergonomic one to build on, but simplex is more decentralized, considering session's more crypto related and wants to ask you for money for a node whereas simplex doesn't.

Although on the other hand, simplex wants to do client side verification on their official client and their bot creation was really painful to start with, but I do feel like it's more decentralized, though not sure. Both have consequences, but honestly I just really end up shilling signal in the end for most people's usual use cases, which is communication, but it's super great to know that there are alternatives.

Matrix is really cool as well, especially cinny's UI (https://cinny.in).

jdsnape|1 month ago

Probably not so useful in practice, but still fun and interesting.

Yes, centralised C2 is definitely still a thing in the malware space; for commodity malware it works well enough that there's little real incentive to move to anything more complex.

monerozcash|1 month ago

> I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.

Why would you want to use blockchains for this? DHT has been used for distributed c&c for ages and is generally a much lighter option.

But no, P2P C&C is still not really typical. In practice, there's mostly not that much need for it. Also, FWIW, for practically all use-cases P2P C&C discovery is a vastly better option.

mattwiese|1 month ago

Regarding your first point, extraction of the headers could be trivially automated. Also, using Hinge's CDN (which I think is CloudFlare and/or AWS) is more viable imo, as you don't need to provide headers to GET the files. If that also applies to user-uploaded videos, then I do think there's some meat on this bone. But as the other user who replied to you pointed out, this was mostly for nerdy delight.

Also thanks for bringing up the blockchain C2 use, that's cool and news to me.

easterncalculus|1 month ago

In most red team contexts, the implants don't talk directly to the actual C2 - the implants talk to listening posts (often behind redirectors/transient reverse proxies) and then the listening posts request commands from the C2 server.
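Whatever sits between the implant and the real C2 (a dating app's CDN as in the post, or the listening posts and redirectors described above), the traffic a defender sees is the implant's periodic check-in to some ordinary-looking host. The following is an added example, not code from the post or from any commenter, showing the classic beaconing heuristic a detection engineer would run over proxy logs: group connections by (source, destination), compute the inter-arrival times, and flag pairs whose intervals are suspiciously regular. The log format, host names and timestamps are constructed for the example.

```python
"""Beacon detection over constructed proxy log lines (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log lines: "<iso timestamp> <src ip> <dst host> <path>".
# 10.0.0.5 checks in roughly every 60 s (small jitter), like an implant polling a CDN.
# 10.0.0.7 browses the same CDN at irregular, human-looking intervals.
# 10.0.0.9 connects only twice, too few hits to judge either way.
SAMPLE_LOGS = """\
2025-01-10T10:00:00 10.0.0.5 cdn.example-dating.invalid /media/abc.png
2025-01-10T10:00:05 10.0.0.7 cdn.example-dating.invalid /media/profile1.jpg
2025-01-10T10:00:07 10.0.0.7 cdn.example-dating.invalid /media/profile2.jpg
2025-01-10T10:00:40 10.0.0.7 cdn.example-dating.invalid /media/profile3.jpg
2025-01-10T10:01:02 10.0.0.5 cdn.example-dating.invalid /media/abc.png
2025-01-10T10:02:00 10.0.0.5 cdn.example-dating.invalid /media/abc.png
2025-01-10T10:03:01 10.0.0.5 cdn.example-dating.invalid /media/abc.png
2025-01-10T10:03:10 10.0.0.7 cdn.example-dating.invalid /media/profile4.jpg
2025-01-10T10:03:12 10.0.0.7 cdn.example-dating.invalid /media/profile5.jpg
2025-01-10T10:03:59 10.0.0.5 cdn.example-dating.invalid /media/abc.png
2025-01-10T10:04:30 10.0.0.9 cdn.example-dating.invalid /media/xyz.png
2025-01-10T10:05:00 10.0.0.5 cdn.example-dating.invalid /media/abc.png
2025-01-10T10:05:30 10.0.0.9 cdn.example-dating.invalid /media/xyz.png
2025-01-10T10:06:02 10.0.0.5 cdn.example-dating.invalid /media/abc.png
2025-01-10T10:07:00 10.0.0.5 cdn.example-dating.invalid /media/abc.png
2025-01-10T10:09:00 10.0.0.7 cdn.example-dating.invalid /media/profile6.jpg
"""


def parse_log_line(line):
    """Split one constructed log line into (timestamp, src, dst, path)."""
    ts, src, dst, path = line.split()
    return datetime.fromisoformat(ts), src, dst, path


def beacon_scores(lines):
    """Return {(src, dst): {"count", "mean_interval", "cv"}} for every pair seen at least twice.

    cv is the coefficient of variation (stdev / mean) of the inter-arrival times in
    seconds; values near 0 mean near-constant spacing, which is what a polling
    implant produces and a human browser does not.
    """
    seen = defaultdict(list)
    for raw in lines:
        if not raw.strip():
            continue
        ts, src, dst, _path = parse_log_line(raw)
        seen[(src, dst)].append(ts)

    scores = {}
    for key, stamps in seen.items():
        stamps.sort()  # logs are not guaranteed to arrive in order
        if len(stamps) < 2:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        # Identical timestamps give mean 0; treat that as "not periodic" rather than divide by zero.
        cv = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
        scores[key] = {"count": len(stamps), "mean_interval": mean, "cv": cv}
    return scores


def flag_beacons(lines, min_hits=5, max_cv=0.15):
    """Return sorted (src, dst) pairs whose timing looks like a beacon.

    min_hits matters: a pair with only two connections has a single interval, so its
    cv is exactly 0 and would otherwise be flagged on no evidence at all.
    """
    return sorted(
        key for key, s in beacon_scores(lines).items()
        if s["count"] >= min_hits and s["cv"] <= max_cv
    )


if __name__ == "__main__":
    for key, s in sorted(beacon_scores(SAMPLE_LOGS.splitlines()).items()):
        print(f"{key[0]} -> {key[1]}: n={s['count']} mean={s['mean_interval']:.1f}s cv={s['cv']:.3f}")
    print("flagged:", flag_beacons(SAMPLE_LOGS.splitlines()))
```

On the constructed data the implant-like host scores a cv of about 0.03 against a mean interval of exactly 60 s and is the only pair flagged; the browsing host scores a cv above 1, and the two-hit host is excluded by `min_hits`. Real implants add jitter precisely to blunt this check, so in practice the thresholds are tuned per environment and combined with volume and destination-reputation signals rather than used alone.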

stackghost|1 month ago

I think the Hinge being referred to is a dating app? I have no idea.

https://hinge.co/

michaelbuckbee|1 month ago

I think this is one of those things where if you're married (like me) you only have the most peripheral sense of the popularity of these things and if you're single they potentially occupy way too much of your thoughtspace.

fuzzer371|1 month ago

[deleted]

kachapopopow|1 month ago

Speaking of command and control servers, the best one you can get at the moment is just to use crypto currencies: plenty of available nodes to auto discover, or just rely on explorers to query your own wallet. A deposit address can encode quite a bit of information, since it's a pretty long address and definitely has enough bytes to encode commands.

mattwiese|1 month ago

I want to thank you and the other user (hobofan) for pointing out the use of crypto currencies as C2s. I do bioinformatics for a living, not infosec, so that's another fun little rabbit hole for me to go on...

sneak|1 month ago

Many networks block non-http/s traffic.

monerozcash|1 month ago

There are much lighter alternatives though; why would you want to bother with cryptocurrencies when you could just use DHT?

I mean, even just shipping a Tor client embedded in your malware seems like a much better idea.

>just rely on explorers to query your own wallet

This kind of defeats the point; you get exactly 0 censorship resistance like this.

octoberfranklin|1 month ago

Um, use an app that requires you submit to video facial recognition to make an account?

So that you can then use that account, which is tied to your biometrics, for lawbreaking?

Wut?

mattwiese|1 month ago

You don't have to do that? I touched upon it in the first section of the post. All you need is a valid phone number, which you can use throwaway trial SIM cards for.

Aurornis|1 month ago

In 2025/2026 it’s not hard to generate fake videos that bypass these security gates.

levzettelin|1 month ago

Could someone ELI5 what this does?

litheon|1 month ago

Command and Control Server (C2) refers to the infrastructure required to command and control malware of various forms.

The author basically found a creative use of Hinge’s infrastructure and proved it could be used to control malware.

tanduv|1 month ago

> Congratulations! You're now using Hinge to distribute unassuming abstract expressionist pixel art.

kls0e|1 month ago

creative platform use