C2 Feed Documentation
Access our C2 feeds through our API endpoint.
The C2 Feed (Command and Control) provides high confidence malicious infrastructure as a new line JSON feed..
How This Feed is Created
- Hunt frequently scans the internet for malware protocols, SSL certificates, and JARM/JA4 hashes.
- Hosting providers that favor malicious activity (Like bulletproof hosting) are subject to additional scanning.
- Custom validation logic is performed on C2 candidates to ensure accuracy and reduce false positives.
- The Hunt Research team frequently updates signatures and validators to enhance accuracy and discovery.
- The C2 feed includes more than just C2s. Recon tools, Phishing, and other malicious infrastructure is included.
- The C2 feed generates the last 7 days of data from the time the feed is requested.
Note
- The hostname should be considered malicious, and scan URL represents the endpoint that is used to check for malware.
How to Access This Feed
-
Open Your Terminal or Command Prompt: This is where you'll type the curl command. On Windows, you can search for "cmd" to open the Command Prompt. On macOS or Linux, you can open the Terminal.
-
Prepare Your API Key: Before running the command, ensure you have your API key ready. This should be a string of characters you obtained when you created your API key in the previous step. Be sure that API > Access Instructions is set to Allow All. (This is set to Allow All by default)
-
-
Construct the Curl Command: Type the following command, but replace <API_TOKEN_GOES_HERE> with your actual API key.
-
curl -o c2.json.gz 'https://api.hunt.io/v1/feeds/c2' -H 'token: <API_TOKEN_GOES_HERE>' - Ensure you remove
<API_TOKEN_GOES_HERE>and replace it with your API key without the angle brackets.
-
-
Execute the Command: After typing the command with your API key, press Enter to execute it. This sends a request to the specified URL with your API token for authentication.
-
Review the Response: The server's response to your request will be in a file named
c2.json.gz. This contains the data you're requesting from the API—in this case, the C2 Feed.- Note: Please be aware that the dataset is provided in a compressed format
c2.json.gz. For decompression, utilize a native system utility or opt for a verified external tool designed for this purpose.
- Note: Please be aware that the dataset is provided in a compressed format
Returned Data
The C2 feed API returns the following fields when queried. Details on accessing the C2 feed API can be found here.
| Field | Type | Desc | Optional |
|---|---|---|---|
| ip | IPv4Address | Ipv4 address of the server. Can be null when a server does not have a DNS A record | True |
| hostname | string | Hostname and domain name. Can be null if a server is accessible by IP only. | True |
| scan_uri | string | URI or URL of the scan. | True |
| timestamp | float (Timestamp) | UNIX timestamp of the scan. | False |
| port | int | Port of the malware server | False |
| malware_name | string | Name of the Malware | False |
| malware_subsystem | string | Detected subsystem. More information in the Malware Subsystems table. | False |
| extra | string | Additional data on the detected C2. Stored in JSON format | False |
| confidence | float | Confidence score for detected C2. | False |
| ioc_hunter_metadata | array | An array containing one or more entries of enriched IOC data. | True |
| publication_title | string | The title of the publication or article from which the IOC data is derived. | True |
| publication_name | string | The apex domain of the website or source that published the article. | True |
| publication_url | string | The full URL where the publication can be accessed. | True |
| published_at | float (Timestamp) | The timestamp marking when the publication was released or captured. | True |
| threat_actor | object | An object containing detailed threat actor information associated with the publication. | True |
| id | int | A numeric identifier for the threat actor. | True |
| uuid | string | A unique identifier for the threat actor (UUID format), as available. | True |
| origin | string | The attribution to identify the threat actor. | True |
| synonyms | array | A detailed narrative of the threat actor’s activities, targets and motivations. | True |
| description | string | A detailed narrative of the threat actor’s activities, targets and motivations. | True |
| meta | object | Contains additional contextual data such as sponsor, victims, and incidents. | True |
| sponsor | string | Nation state sponsoring threat actor, where available. | True |
| victims | array | Countries targeted by the threat actor. | True |
| category | array | The sectors or industries that are typically targeted by threat actors. | True |
| incident | array | Key motivations for threat actor’s attack. | True |
| ransomware_group | boolean | Indicates whether the threat actor is associated with ransomware activities. | True |
| country_code | string | The country code representing the threat actor's geographical association. | True |
| country | string | The name of the country linked to the threat actor. | True |
Malware Subsystems
| Name | Description |
|---|---|
| C2 | Manages communication between the infected host and attacker server. Communication can include exfiltration, command and control, or download of modules and updates. |
| Exploit Server | Attack Infrastructure used for delivering exploits to vulnerable systems. |
| Infrastructure | Ecosystem of known Advanced Persistent Threats (APTs) and Threat Actors running unknown services and malware. |
| Management | Centralized server or web panel where Threat Actors orchestrate and control malware. Often dual purpose as both C2 hub and command center. |
| Phishing | Deceptive tools and techniques designed to trick users into disclosing sensitive information. Usually an initial attack vector in malware campaigns. |
| Red Team Tools. | Tools and applications used by legitimate actors to conduct security assessments and threat emulation. |
| Redirect | A site that redirects users to a malicious URL without the users knowledge. |
| Team Server | Command and control server used in Cobalt Strike operations. Enables actors to co-ordinate attacks and manage compromised systems. |
| Victim | Device compromised by Malware. Serves as an endpoint for malicious operations and data exfiltration |
{
"ip": "172.64.80.1",
"port": 80,
"hostname": "api.inmediavault.com",
"timestamp": "2025-03-07T12:11:06",
"scan_uri": "http://api.inmediavault.com/PEoX",
"confidence": 100,
"extra": {
"status_code": 200,
"geoip_city": null,
"geoip_country": null,
"geoip_asn": "CLOUDFLARENET",
"geoip_asn_num": 13335,
"geoip_subnetwork": "172.64.0.0/15",
"domain_private_name": "inmediavault.com",
"domain_type": "REGULAR"
},
"malware_name": "Cobalt Strike",
"malware_subsystem": "C2",
"ioc_hunter_metadata": [
{
"value": "d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a",
"ioc_type": "ioc_sha256",
"publication_name": "medium.com",
"publication_title": "Shamoon Malware. Shamoon Malware is a wiper that spread...",
"publication_url": "https://medium.com/@cyberecht/shamoon-malware-e24823501b10",
"published_at": "2025-02-28T18:33:00",
"threat_actor": {
"id": 46,
"uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
"name": "APT33",
"origin": "APT33",
"synonyms": "APT 33, Elfin, MAGNALLIUM, Refined Kitten, HOLMIUM, COBALT TRINITY, G0064, ATK35, Peach Sandstorm, TA451",
"description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
"meta": {
"sponsor": "Iran (Islamic Republic of)",
"victims": [
"United States",
"Saudi Arabia",
"South Korea"
],
"category": [
"Private sector"
],
"incident": [
"Espionage"
]
},
"ransomware_group": false,
"country_code": "IR",
"country": "Iran",
}
}
]
}
Malware List
85 Families/Tools (as of 1/2024).
You can see the fully up to date active list at https://hunt.io/active-c2s (requires web login).
| ARL | Gophish | Cobalt Strike |
| Hajime | Ramnit | Burp Collaborator |
| ReNgine | Metasploit | Acunetix |
| AsyncRAT | Viper | Interactsh |
| Hak5 Cloud C2 | Sliver | Supershell |
| PlugX C2 profile | Quasar | VenomRAT |
| BeEF | Qakbot | Havoc |
| Redline Stealer | RedWarden | Nessus VA |
| Pikabot | HOOKBOT | MITRE Caldera |
| L3MON | Responder | DcRat |
| Raccoon Stealer | DarkComet | HOOKBOT Fork |
| ShadowPad | Ermac | Metasploit Meterpreter |
| Araneida | Covenant | Pupy C2 |
| Mozi | Mirai | Mythic |
| Vshell | Evilgophish | AZORult |
| Orcus RAT | Amadey | Gh0st RAT |
| Ursnif | Unknown Android Malware | AlienBot |
| ReconFTW | Octopus | RedGuard |
| SolarMarker | Posh C2 | BYOB |
| MuddyWater APT | OWASP ZAP API | Kaiji |
| Neptune Loader | SystemBC | IcedID |
| Bandit Stealer | Chaos RAT | Pantegana RAT |
| Mystic Stealer | Bumblebee | Noterce |
| Just-kill | Ares | Vidar |
| Scarab | BitRAT | Gafgyt |
| Airstrike | SpyAgent | Epsilon Stealer |
| Godzilla Loader | Lokibot | Bianlian |
| Meduza | JinxLoader | Deimos C2 |
| Rhadamanthys |
Updated about 1 month ago