Beaconing: What it is, how to spot it, and how to stop it

Beaconing

What it is

Beaconing is the quiet “check-in” a hidden infection makes to its boss (a command-and-control server). The malware pings out on a schedule to say “I’m here,” ask for instructions, or send stolen data like logins or card details. It can stay sleepy for days and wake only when told.

How it works

  • The malware picks a destination (domain/IP) and a rhythm (every few minutes, hours, or at random).

  • It hides in normal-looking web requests (HTTPS, DNS, cloud apps) to blend in.

  • When the server replies, the device may exfiltrate data or run commands (download more malware, move laterally, encrypt files).

What you might notice

  • Brief, repeating network spikes to the same unknown host

  • Activity at odd hours when the device seems idle

  • Security tools turning off or update checks failing

If you suspect beaconing (quick response)

  1. Isolate the device from the network (Wi-Fi off, unplug Ethernet).

  2. Run a full anti-malware scan; check startup items and scheduled tasks.

  3. From a clean device, change passwords and enable MFA.

  4. Ask IT/Sec to review firewall/proxy/DNS logs for recurring destinations and block them.

How to prevent it

  • Keep OS, apps, and browsers updated; patch fast.

  • Use EDR/AV with network-based detections; enable DNS filtering.

  • Limit admin rights; turn on MFA everywhere.

  • Be cautious with attachments, macros, and “free” installers.
