C2 Feed
Access our C2 feeds through our API endpoint.
The C2 Feed (Command and Control) provides high confidence malicious infrastructure as a new line JSON feed..
How This Feed is Created
- Hunt frequently scans the internet for malware protocols, SSL certificates, and JARM/JA4 hashes.
- Hosting providers that favor malicious activity (Like bulletproof hosting) are subject to additional scanning.
- Custom validation logic is performed on C2 candidates to ensure accuracy and reduce false positives.
- The Hunt Research team frequently updates signatures and validators to enhance accuracy and discovery.
- The C2 feed includes more than just C2s. Recon tools, Phishing, and other malicious infrastructure is included.
- The C2 feed generates the last 7 days of data from the time the feed is requested.
Note
- The hostname should be considered malicious, and scan URL represents the endpoint that is used to check for malware.
How to Access This Feed
-
Open Your Terminal or Command Prompt: This is where you'll type the curl command. On Windows, you can search for "cmd" to open the Command Prompt. On macOS or Linux, you can open the Terminal.
-
Prepare Your API Key: Before running the command, ensure you have your API key ready. This should be a string of characters you obtained when you created your API key in the previous step. Be sure that API > Access Instructions is set to Allow All. (This is set to Allow All by default)
-
-
Construct the Curl Command: Type the following command, but replace <API_TOKEN_GOES_HERE> with your actual API key.
-
curl -o c2.json.gz 'https://api.hunt.io/v1/feeds/c2' -H 'token: <API_TOKEN_GOES_HERE>'
- Ensure you remove
<API_TOKEN_GOES_HERE>
and replace it with your API key without the angle brackets.
-
-
Execute the Command: After typing the command with your API key, press Enter to execute it. This sends a request to the specified URL with your API token for authentication.
-
Review the Response: The server's response to your request will be in a file named
c2.json.gz
. This contains the data you're requesting from the API—in this case, the C2 Feed.- Note: Please be aware that the dataset is provided in a compressed format
c2.json.gz
. For decompression, utilize a native system utility or opt for a verified external tool designed for this purpose.
- Note: Please be aware that the dataset is provided in a compressed format
Returned Data
The C2 feed API returns the following fields when queried. Details on accessing the C2 feed API can be found here.
Field | Type | Desc | Optional |
---|---|---|---|
ip | IPv4Address | Ipv4 address of the server. Can be null when a server does not have a DNS A record | True |
hostname | string | Hostname and domain name. Can be null if a server is accessible by IP only. | True |
scan_uri | string | URI or URL of the scan. | True |
timestamp | float (Timestamp) | UNIX timestamp of the scan. | False |
port | int | Port of the malware server | False |
malware_name | string | Name of the Malware | False |
malware_subsystem | string | Detected subsystem. More information in the Malware Subsystems table. | False |
extra | string | Additional data on the detected C2. Stored in JSON format | False |
confidence | float | Confidence score for detected C2. | False |
Malware Subsystems
Name | Description |
---|---|
C2 | Manages communication between the infected host and attacker server. Communication can include exfiltration, command and control, or download of modules and updates. |
Exploit Server | Attack Infrastructure used for delivering exploits to vulnerable systems. |
Infrastructure | Ecosystem of known Advanced Persistent Threats (APTs) and Threat Actors running unknown services and malware. |
Management | Centralized server or web panel where Threat Actors orchestrate and control malware. Often dual purpose as both C2 hub and command center. |
Phishing | Deceptive tools and techniques designed to trick users into disclosing sensitive information. Usually an initial attack vector in malware campaigns. |
Red Team Tools. | Tools and applications used by legitimate actors to conduct security assessments and threat emulation. |
Redirect | A site that redirects users to a malicious URL without the users knowledge. |
Team Server | Command and control server used in Cobalt Strike operations. Enables actors to co-ordinate attacks and manage compromised systems. |
Victim | Device compromised by Malware. Serves as an endpoint for malicious operations and data exfiltration |
{
"ip": "172.64.80.1",
"port": 80,
"hostname": "api.inmediavault.com",
"timestamp": "2025-03-07T12:11:06",
"scan_uri": "http://api.inmediavault.com/PEoX",
"confidence": 100,
"extra": {
"status_code": 200,
"geoip_city": null,
"geoip_country": null,
"geoip_asn": "CLOUDFLARENET",
"geoip_asn_num": 13335,
"geoip_subnetwork": "172.64.0.0/15",
"domain_private_name": "inmediavault.com",
"domain_type": "REGULAR"
},
"malware_name": "Cobalt Strike",
"malware_subsystem": "C2"
}
Malware List
85 Families/Tools (as of 1/2024).
You can see the fully up to date active list on the Hunt.io web platform.
ARL | Gophish | Cobalt Strike |
Hajime | Ramnit | Burp Collaborator |
ReNgine | Metasploit | Acunetix |
AsyncRAT | Viper | Interactsh |
Hak5 Cloud C2 | Sliver | Supershell |
PlugX C2 profile | Quasar | VenomRAT |
BeEF | Qakbot | Havoc |
Redline Stealer | RedWarden | Nessus VA |
Pikabot | HOOKBOT | MITRE Caldera |
L3MON | Responder | DcRat |
Raccoon Stealer | DarkComet | HOOKBOT Fork |
ShadowPad | Ermac | Metasploit Meterpreter |
Araneida | Covenant | Pupy C2 |
Mozi | Mirai | Mythic |
Vshell | Evilgophish | AZORult |
Orcus RAT | Amadey | Gh0st RAT |
Ursnif | Unknown Android Malware | AlienBot |
ReconFTW | Octopus | RedGuard |
SolarMarker | Posh C2 | BYOB |
MuddyWater APT | OWASP ZAP API | Kaiji |
Neptune Loader | SystemBC | IcedID |
Bandit Stealer | Chaos RAT | Pantegana RAT |
Mystic Stealer | Bumblebee | Noterce |
Just-kill | Ares | Vidar |
Scarab | BitRAT | Gafgyt |
Airstrike | SpyAgent | Epsilon Stealer |
Godzilla Loader | Lokibot | Bianlian |
Meduza | JinxLoader | Deimos C2 |
Rhadamanthys |
Updated 5 days ago