Advanced persistent threat (APT) attackers increasingly are camouflaging their activities. They use tools that exist in the targeted host, operating via commonly used network ports. At least three APT groups, including the ones behind the Operation Shady RAT campaign, use HTML comments to hide their C&C. “They’re hiding in plain sight,” says Shawn Bracken, chief scientist at HBGary, who studies these attacks firsthand in forensic investigations. The attackers use real systems admin tools resident in targeted operating systems.”]
Source: https://www.darkreading.com/attacks-breaches/apt-attackers-hiding-in-plain-sight