API C2 Feed Documentation
The C2 Feed (Command and Control) provides high-confidence malicious infrastructure as a newline-delimited JSON feed.
How This Feed is Created
- Hunt.io scans the complete Internet very frequently, looking for protocols, SSL certificates and other hints of malware such as JARM/JA4 hashes.
- Hot spots on the Internet that have hosted malware before, or that are bulletproof hosting, are checked more frequently and more completely.
- Deep validation is run to confirm that the infrastructure is indeed malicious, keeping false positives low.
- An in-house research team adds malware and updates signatures all the time; it is rare for a week to pass without modifications.
- The feed includes C2s, recon tools and more.
- The feed is generated in real time, covering the past 7 days of data from the second it is requested.
Note
- The hostname should be considered malicious; the scan URL represents the endpoint that was used to check for malware.
How to Access This Feed
- Open Your Terminal or Command Prompt: This is where you will type the curl command. On Windows, you can search for "cmd" to open the Command Prompt. On macOS or Linux, you can open the Terminal.
- Prepare Your API Key: Before running the command, ensure you have your API key ready. This is the string of characters you obtained when you created your API key in the previous step. Be sure that API > Access Instructions is set to Allow All (this is the default).
- Construct the Curl Command: Type the following command, but replace <API_TOKEN_GOES_HERE> with your actual API key, without the angle brackets:
curl -o c2.json.gz 'https://api.hunt.io/v1/feeds/c2' -H 'token: <API_TOKEN_GOES_HERE>'
- Execute the Command: After typing the command with your API key, press Enter to execute it. This sends a request to the specified URL with your API token for authentication.
- Review the Response: The server's response to your request is saved in a file named c2.json.gz. This contains the data you requested from the API, in this case the C2 Feed.
- Note: The dataset is provided in a compressed format (c2.json.gz). For decompression, use a native system utility or a verified external tool designed for this purpose.
Returned Data
- ip: IPv4Address - Optional. Can be null when a domain name does not have an A DNS record.
- hostname: String - Optional. Represents the hostname or domain name. Can be null, because some servers only use IPs.
- scan_uri: String - Optional. The URI of the scan. Can be a URL.
- timestamp: Float - Timestamp. The UNIX timestamp of the scan.
- port: Int = 443. The port of the malware server.
- malware_name: String. The name of the malware.
- malware_subsystem: String. The detected subsystem. Subsystems include:
- C2: Manages communication between the infected host and the attacker's server. This can include exfiltrating data, receiving commands, or downloading additional modules or updates.
- Exploit Server: Part of an attack infrastructure used to deliver exploits to vulnerable systems.
- Infrastructure: Ecosystem of known Advanced Persistent Threats (APTs) and threat actors that's running unknown services / malware.
- Management: A centralized server or web panel through which threat actors orchestrate and control their malware, often serving dual roles as both command center and C2 hub.
- Phishing: Deceptive tools and techniques designed to trick individuals into disclosing sensitive information, often utilized as an initial attack vector in malware campaigns.
- Red Team Tools: Tools and applications utilized by ethical hackers to conduct thorough security assessments and emulate real-world threats for strengthening system defenses.
- Redirect: Techniques used in phishing attacks or malicious websites that redirect users from a legitimate URL to a malicious one without the user's knowledge.
- Team Server: A command and control server used in Cobalt Strike operations, enabling threat actors to coordinate attacks and manage compromised systems.
- Victim: A device compromised by malware, serving as the endpoint for malicious operations and data exfiltration.
- extra: String. Extra data that does not fit in the current schema, for example a Cobalt Strike Beacon. Basically, a JSON field.
- confidence: Float. The confidence of the detected server. Currently based on manual estimations.
Example record:
{
  "ip": "18.135.30.45",
  "port": 4086,
  "hostname": "ipso.alert-manager.co.uk",
  "timestamp": "2023-11-27T10:59:02",
  "scan_uri": "https://ipso.alert-manager.co.uk:4086/login",
  "confidence": 100.0,
  "extra": {
    "geoip_city": "London",
    "geoip_country": "United Kingdom",
    "geoip_asn": "AMAZON-02",
    "geoip_asn_num": 16509,
    "geoip_subnetwork": "18.132.0.0/14",
    "domain_private_name": "alert-manager.co.uk",
    "domain_type": "REGULAR"
  },
  "malware_name": "Gophish"
}
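The following added example (not Hunt.io code) shows what to do with c2.json.gz once the curl step above has fetched it: decompress the newline-delimited JSON, apply the schema described under Returned Data (null ip/hostname, confidence), build a blocklist and check it against proxy log lines. The feed bytes and the log lines are constructed inline so it runs offline; the log format (timestamp, source, destination host:port, request) is an assumption.

```python
import gzip
import json
from typing import Dict, Iterator, List, Set

# Constructed records in the feed's newline-delimited JSON shape. The first mirrors the
# documented example; the other two are invented to exercise null fields and low confidence.
_RECORDS = [
    {"ip": "18.135.30.45", "port": 4086, "hostname": "ipso.alert-manager.co.uk",
     "timestamp": "2023-11-27T10:59:02", "scan_uri": "https://ipso.alert-manager.co.uk:4086/login",
     "confidence": 100.0, "extra": {"geoip_asn_num": 16509}, "malware_name": "Gophish",
     "malware_subsystem": "Phishing"},
    {"ip": "192.0.2.10", "port": 50050, "hostname": None, "timestamp": "2023-11-27T11:00:00",
     "scan_uri": None, "confidence": 90.0, "extra": {}, "malware_name": "Cobalt Strike",
     "malware_subsystem": "Team Server"},
    {"ip": None, "port": 443, "hostname": "example.test", "timestamp": "2023-11-27T11:01:00",
     "scan_uri": "https://example.test/", "confidence": 40.0, "extra": {},
     "malware_name": "Unknown", "malware_subsystem": "Infrastructure"},
]
SAMPLE_FEED_GZ = gzip.compress("\n".join(json.dumps(r) for r in _RECORDS).encode())

# Constructed proxy log lines (assumed layout: time, client, destination host:port, request).
SAMPLE_LOG = [
    "2023-11-27T12:00:01 10.0.0.5 ipso.alert-manager.co.uk:4086 GET /login",
    "2023-11-27T12:00:02 10.0.0.7 example.test:443 GET /",
    "2023-11-27T12:00:03 10.0.0.9 192.0.2.10:50050 CONNECT",
]


def iter_records(raw_gz: bytes) -> Iterator[dict]:
    """Decompress c2.json.gz and yield one dict per non-empty line."""
    for line in gzip.decompress(raw_gz).decode("utf-8").splitlines():
        if line.strip():
            yield json.loads(line)


def build_blocklist(raw_gz: bytes, min_confidence: float = 80.0) -> Dict[str, Set[str]]:
    """Collect IPs and hostnames at or above min_confidence; null fields are skipped."""
    out: Dict[str, Set[str]] = {"ips": set(), "hostnames": set()}
    for rec in iter_records(raw_gz):
        if float(rec.get("confidence") or 0) < min_confidence:
            continue
        if rec.get("ip"):
            out["ips"].add(rec["ip"])
        if rec.get("hostname"):
            out["hostnames"].add(rec["hostname"].lower())
    return out


def match_proxy_log(blocklist: Dict[str, Set[str]], log_lines: List[str]) -> List[str]:
    """Return log lines whose destination (third field, port stripped) is on the blocklist."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        dest = parts[2].rsplit(":", 1)[0].lower()
        if dest in blocklist["ips"] or dest in blocklist["hostnames"]:
            hits.append(line)
    return hits
```

Raising min_confidence trades coverage for fewer false positives; the low-confidence record above is dropped at the default threshold and therefore does not match the second log line.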
Malware List
85 Families/Tools (as of 1/2024).
You can see the fully up to date active list at https://hunt.io/active-c2s (requires web login).
ARL | Gophish | Cobalt Strike |
Hajime | Ramnit | Burp Collaborator |
ReNgine | Metasploit | Acunetix |
AsyncRAT | Viper | Interactsh |
Hak5 Cloud C2 | Sliver | Supershell |
PlugX C2 profile | Quasar | VenomRAT |
BeEF | Qakbot | Havoc |
Redline Stealer | RedWarden | Nessus VA |
Pikabot | HOOKBOT | MITRE Caldera |
L3MON | Responder | DcRat |
Raccoon Stealer | DarkComet | HOOKBOT Fork |
ShadowPad | Ermac | Metasploit Meterpreter |
Araneida | Covenant | Pupy C2 |
Mozi | Mirai | Mythic |
Vshell | Evilgophish | AZORult |
Orcus RAT | Amadey | Gh0st RAT |
Ursnif | Unknown Android Malware | AlienBot |
ReconFTW | Octopus | RedGuard |
SolarMarker | Posh C2 | BYOB |
MuddyWater APT | OWASP ZAP API | Kaiji |
Neptune Loader | SystemBC | IcedID |
Bandit Stealer | Chaos RAT | Pantegana RAT |
Mystic Stealer | Bumblebee | Noterce |
Just-kill | Ares | Vidar |
Scarab | BitRAT | Gafgyt |
Airstrike | SpyAgent | Epsilon Stealer |
Godzilla Loader | Lokibot | Bianlian |
Meduza | JinxLoader | Deimos C2 |
Rhadamanthys |