During an APT campaign, adversaries need to maintain active connections to the compromised infrastructure. While the initial malware plays an important role, the attackers must also establish a Command and Control (C&C) infrastructure in order to interact with the infected hosts. C&C provides the means to update the malware, launch further attacks and move data out during the exfiltration stage. Attackers therefore make sure that the C&C is stealthy, is not blocked by the target's network monitoring systems and is resilient to takedowns.
Depending on the adversary's tactics, the C&C might be as simple as a single server on an external network, or a very sophisticated infrastructure involving a chain of servers, in some cases even legitimate cloud-based services abused through techniques such as steganography and covert channels. C&C can also be established within the compromised network itself, typically with one internal host relaying traffic for the others. This lets the attackers leave minimal traces on the target's egress network, making the breach more difficult to detect.
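The defender's counterpart to the stealth described above is looking for the one thing an external C&C channel rarely hides well: regular check-in timing. The following is an added example, not code from the original article; it runs a simple beacon-interval detector over a constructed proxy log (the log format, the IP address and the hostnames are all made up for the example) and flags source/destination pairs whose inter-request gaps are too regular to be human browsing, even when the implant adds jitter.

```python
"""Beacon-interval detection over constructed proxy log lines.

Added illustration, not code from the original article. The log
format ("timestamp src_ip host method status"), the source address
and the hostnames below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 checks in with a (hypothetical) C&C host
# roughly every 60 s with a few seconds of jitter, interleaved with
# ordinary, irregular browsing to a legitimate site.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 cdn-updates.example.net GET 200
2024-01-01T10:00:03 10.0.0.5 www.example.org GET 200
2024-01-01T10:01:02 10.0.0.5 cdn-updates.example.net GET 200
2024-01-01T10:01:58 10.0.0.5 cdn-updates.example.net GET 200
2024-01-01T10:02:10 10.0.0.5 www.example.org GET 200
2024-01-01T10:03:01 10.0.0.5 cdn-updates.example.net GET 200
2024-01-01T10:03:59 10.0.0.5 cdn-updates.example.net GET 200
2024-01-01T10:05:00 10.0.0.5 cdn-updates.example.net GET 200
2024-01-01T10:05:45 10.0.0.5 www.example.org GET 200
2024-01-01T10:06:03 10.0.0.5 cdn-updates.example.net GET 200
2024-01-01T10:07:00 10.0.0.5 cdn-updates.example.net GET 200
2024-01-01T10:12:00 10.0.0.5 www.example.org GET 200
"""


def parse_log(text):
    """Yield (src_ip, host, timestamp) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, _method, _status = line.split()
        yield ip, host, datetime.fromisoformat(ts)


def find_beacons(text, min_hits=6, max_cv=0.25):
    """Return {(src_ip, host): (mean_gap_seconds, cv)} for pairs that beacon.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. A jittered beacon still has a low cv; human
    browsing produces widely varying gaps and a high cv. min_hits avoids
    flagging pairs with too few requests to judge.
    """
    times = defaultdict(list)
    for ip, host, ts in parse_log(text):
        times[(ip, host)].append(ts)

    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits[key] = (m, cv)
    return hits


if __name__ == "__main__":
    for (ip, host), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{ip} -> {host}: ~{gap:.0f}s interval, cv={cv:.3f}")
```

On the sample, only the pair talking to cdn-updates.example.net is reported (about a 60 s interval with a cv near 0.05); the four requests to www.example.org never reach min_hits and would fail the regularity test anyway. Thresholds such as max_cv are tuning choices, and an internal relay C&C of the kind described above will not appear in egress logs at all, which is exactly why attackers use it.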
The way the infrastructure is established depends on the resources the APT group possesses. In some cases, the infrastructure is kept simple because of a lack of financial resources or the low priority of the campaign; it may also be a sign of a less skilled threat actor. A very sophisticated C&C is usually used by skilled and well-funded APT groups who want to keep their campaign stealthy for a long time. In any case, C&C is a crucial part of the attacks carried out by these adversaries.