C2 Feed

The C2 Feed (Command and Control) provides high confidence malicious infrastructure as a new line JSON feed..

How This Feed is Created

Hunt frequently scans the internet for malware protocols, SSL certificates, and JARM/JA4 hashes.
Hosting providers that favor malicious activity (Like bulletproof hosting) are subject to additional scanning.
Custom validation logic is performed on C2 candidates to ensure accuracy and reduce false positives.
The Hunt Research team frequently updates signatures and validators to enhance accuracy and discovery.
The C2 feed includes more than just C2s. Recon tools, Phishing, and other malicious infrastructure is included.
The C2 feed generates the last 7 days of data from the time the feed is requested.

Note

The hostname should be considered malicious, and scan URL represents the endpoint that is used to check for malware.

How to Access This Feed

Open Your Terminal or Command Prompt: This is where you'll type the curl command. On Windows, you can search for "cmd" to open the Command Prompt. On macOS or Linux, you can open the Terminal.
Prepare Your API Key: Before running the command, ensure you have your API key ready. This should be a string of characters you obtained when you created your API key in the previous step. Be sure that API > Access Instructions is set to Allow All. (This is set to Allow All by default)
Construct the Curl Command: Type the following command, but replace <API_TOKEN_GOES_HERE> with your actual API key.
1. ```
curl -o c2.json.gz 'https://api.hunt.io/v1/feeds/c2' -H 'token: <API_TOKEN_GOES_HERE>'
```
2. Ensure you remove <API_TOKEN_GOES_HERE> and replace it with your API key without the angle brackets.
Execute the Command: After typing the command with your API key, press Enter to execute it. This sends a request to the specified URL with your API token for authentication.
Review the Response: The server's response to your request will be in a file named c2.json.gz. This contains the data you're requesting from the API—in this case, the C2 Feed.
1. Note: Please be aware that the dataset is provided in a compressed format c2.json.gz. For decompression, utilize a native system utility or opt for a verified external tool designed for this purpose.

Returned Data

The C2 feed API returns the following fields when queried. Details on accessing the C2 feed API can be found here.

Field	Type	Desc	Optional
ip	IPv4Address	Ipv4 address of the server. Can be null when a server does not have a DNS A record	True
hostname	string	Hostname and domain name. Can be null if a server is accessible by IP only.	True
scan_uri	string	URI or URL of the scan.	True
timestamp	float (Timestamp)	UNIX timestamp of the scan.	False
port	int	Port of the malware server	False
malware_name	string	Name of the Malware	False
malware_subsystem	string	Detected subsystem. More information in the Malware Subsystems table.	False
extra	string	Additional data on the detected C2. Stored in JSON format	False
confidence	float	Confidence score for detected C2.	False

Malware Subsystems

Name	Description
C2	Manages communication between the infected host and attacker server. Communication can include exfiltration, command and control, or download of modules and updates.
Exploit Server	Attack Infrastructure used for delivering exploits to vulnerable systems.
Infrastructure	Ecosystem of known Advanced Persistent Threats (APTs) and Threat Actors running unknown services and malware.
Management	Centralized server or web panel where Threat Actors orchestrate and control malware. Often dual purpose as both C2 hub and command center.
Phishing	Deceptive tools and techniques designed to trick users into disclosing sensitive information. Usually an initial attack vector in malware campaigns.
Red Team Tools.	Tools and applications used by legitimate actors to conduct security assessments and threat emulation.
Redirect	A site that redirects users to a malicious URL without the users knowledge.
Team Server	Command and control server used in Cobalt Strike operations. Enables actors to co-ordinate attacks and manage compromised systems.
Victim	Device compromised by Malware. Serves as an endpoint for malicious operations and data exfiltration

{
  "ip": "172.64.80.1",
  "port": 80,
  "hostname": "api.inmediavault.com",
  "timestamp": "2025-03-07T12:11:06",
  "scan_uri": "http://api.inmediavault.com/PEoX",
  "confidence": 100,
  "extra": {
    "status_code": 200,
    "geoip_city": null,
    "geoip_country": null,
    "geoip_asn": "CLOUDFLARENET",
    "geoip_asn_num": 13335,
    "geoip_subnetwork": "172.64.0.0/15",
    "domain_private_name": "inmediavault.com",
    "domain_type": "REGULAR"
  },
  "malware_name": "Cobalt Strike",
  "malware_subsystem": "C2"
}

Malware List

85 Families/Tools (as of 1/2024).
You can see the fully up to date active list on the Hunt.io web platform.

ARL	Gophish	Cobalt Strike
Hajime	Ramnit	Burp Collaborator
ReNgine	Metasploit	Acunetix
AsyncRAT	Viper	Interactsh
Hak5 Cloud C2	Sliver	Supershell
PlugX C2 profile	Quasar	VenomRAT
BeEF	Qakbot	Havoc
Redline Stealer	RedWarden	Nessus VA
Pikabot	HOOKBOT	MITRE Caldera
L3MON	Responder	DcRat
Raccoon Stealer	DarkComet	HOOKBOT Fork
ShadowPad	Ermac	Metasploit Meterpreter
Araneida	Covenant	Pupy C2
Mozi	Mirai	Mythic
Vshell	Evilgophish	AZORult
Orcus RAT	Amadey	Gh0st RAT
Ursnif	Unknown Android Malware	AlienBot
ReconFTW	Octopus	RedGuard
SolarMarker	Posh C2	BYOB
MuddyWater APT	OWASP ZAP API	Kaiji
Neptune Loader	SystemBC	IcedID
Bandit Stealer	Chaos RAT	Pantegana RAT
Mystic Stealer	Bumblebee	Noterce
Just-kill	Ares	Vidar
Scarab	BitRAT	Gafgyt
Airstrike	SpyAgent	Epsilon Stealer
Godzilla Loader	Lokibot	Bianlian
Meduza	JinxLoader	Deimos C2
Rhadamanthys