API C2 Feed Documentation

The C2 (Command and Control) Feed provides high-confidence malicious infrastructure as a newline-delimited JSON feed.

How This Feed is Created

  • Hunt.io scans the entire Internet very frequently, looking for protocols, SSL certificates and other indicators of malware, such as JARM/JA4 hashes.
  • Hot spots on the Internet that have hosted malware before, or that are bulletproof hosting, are checked more frequently and more completely.
  • Deep validation is run to confirm that a result is indeed malicious, which keeps false positives low.
  • An in-house research team adds malware and updates signatures all the time. It's rare that we go a week without modifications.
  • The feed includes C2s, recon tools and more.
  • The feed is generated in real time, covering the past 7 days of data from the second it is requested.


  • The hostname should be considered malicious, and the scan URL represents the endpoint that is used to check for malware.

How to Access This Feed

  1. Open Your Terminal or Command Prompt: This is where you'll type the curl command. On Windows, you can search for "cmd" to open the Command Prompt. On macOS or Linux, you can open the Terminal.

  2. Prepare Your API Key: Before running the command, ensure you have your API key ready. This should be a string of characters you obtained when you created your API key in the previous step. Be sure that API > Access Instructions is set to Allow All (this is the default).

  3. Construct the Curl Command: Type the following command, but replace <API_TOKEN_GOES_HERE> with your actual API key.

    1. curl -o c2.json.gz 'https://api.hunt.io/v1/feeds/c2' -H 'token: <API_TOKEN_GOES_HERE>'
    2. Ensure you remove <API_TOKEN_GOES_HERE> and replace it with your API key without the angle brackets.
  4. Execute the Command: After typing the command with your API key, press Enter to execute it. This sends a request to the specified URL with your API token for authentication.

  5. Review the Response: The server's response to your request will be in a file named c2.json.gz. This contains the data you're requesting from the API—in this case, the C2 Feed.

    1. Note: The dataset is provided in compressed form as c2.json.gz. To decompress it, use a native system utility or a verified external tool designed for this purpose.

Returned Data

  • ip: IPv4Address - Optional
    Can be null when a domain name does not have an A DNS record.
  • hostname: String - Optional
    Represents hostname and domain name. Can be null, because some servers only use IPs.
  • scan_uri: String - Optional
    The URI of the scan. Can be a URL.
  • timestamp: Float - Timestamp
    The UNIX timestamp of the scan.
  • port: Int = 443
    The port of the malware server.
  • malware_name: String
    The name of the malware.
  • malware_subsystem: String
    The detected subsystem. Subsystems include:
    • C2: Manages communication between the infected host and the attacker's server. This can include exfiltrating data, receiving commands, or downloading additional modules or updates.
    • Exploit Server: Part of an attack infrastructure used to deliver exploits to vulnerable systems.
    • Infrastructure: Ecosystem of known Advanced Persistent Threats (APTs) and threat actors that's running unknown services / malware.
    • Management: A centralized server or web panel through which threat actors orchestrate and control their malware, often serving dual roles as both command center and C2 hub.
    • Phishing: Deceptive tools and techniques designed to trick individuals into disclosing sensitive information, often utilized as an initial attack vector in malware campaigns.
    • Red Team Tools: Tools and applications utilized by ethical hackers to conduct thorough security assessments and emulate real-world threats for strengthening system defenses.
    • Redirect: Techniques used in phishing attacks or malicious websites that redirect users from a legitimate URL to a malicious one without the user's knowledge.
    • Team Server: A command and control server used in Cobalt Strike operations, enabling threat actors to coordinate attacks and manage compromised systems.
    • Victim: A device compromised by malware, serving as the endpoint for malicious operations and data exfiltration.
  • extra: String
    Extra data that does not fit in the current schema, for example a Cobalt Strike Beacon. Basically, a JSON field.
  • confidence: Float
    The confidence of the detected server. Currently based on manual estimations.
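
An added example (not Hunt.io's code) of consuming the downloaded c2.json.gz on the defensive side: it reads the newline-delimited records, indexes them by IP and hostname, and matches them against outbound connections. The function names, the confidence threshold and its scale, the choice to skip Victim entries, and all sample records are assumptions constructed for illustration.

```python
import gzip
import io
import json

def read_feed(fileobj):
    """Yield one dict per line of a gzip-compressed newline-delimited JSON feed."""
    with gzip.open(fileobj, "rt", encoding="utf-8") as fh:
        for line in fh:
            try:
                if line.strip():
                    yield json.loads(line)
            except json.JSONDecodeError:
                continue  # skip a truncated or malformed line, keep the rest

def build_index(records, min_confidence, skip_subsystems=("Victim",)):
    """Map each non-null ip/hostname to its (port, malware_name, subsystem) entries."""
    index = {}
    for rec in records:
        # Assumption: Victim entries are compromised devices and are triaged separately.
        if (rec.get("malware_subsystem") in skip_subsystems
                or (rec.get("confidence") or 0) < min_confidence):
            continue
        entry = (rec.get("port") or 443, rec.get("malware_name"), rec.get("malware_subsystem"))
        for key in (rec.get("ip"), rec.get("hostname")):  # either one may be null
            if key:
                index.setdefault(key.lower(), []).append(entry)
    return index

def match_connections(index, connections):
    """Return (dest, port, malware_name, subsystem) for connections found in the index."""
    return [(dest, port, name, sub)
            for dest, port in connections
            for feed_port, name, sub in index.get(dest.lower(), [])
            if feed_port == port]

# Constructed sample feed (not real data); confidence scale of 0-100 is assumed.
SAMPLE = [
    {"ip": "203.0.113.10", "hostname": None, "timestamp": 1706000000.0, "port": 50050,
     "malware_name": "Cobalt Strike", "malware_subsystem": "Team Server", "confidence": 100.0},
    {"ip": None, "hostname": "Login.Example.net", "timestamp": 1706000100.0,
     "malware_name": "Gophish", "malware_subsystem": "Phishing", "confidence": 90.0},
    {"ip": "198.51.100.7", "hostname": None, "timestamp": 1706000200.0, "port": 80,
     "malware_name": "Hajime", "malware_subsystem": "Victim", "confidence": 100.0},
    {"ip": "192.0.2.55", "hostname": None, "timestamp": 1706000300.0, "port": 8443,
     "malware_name": "Sliver", "malware_subsystem": "C2", "confidence": 40.0},
]
SAMPLE_GZ = gzip.compress(("\n".join(json.dumps(r) for r in SAMPLE) + "\n{broken").encode())

if __name__ == "__main__":
    idx = build_index(read_feed(io.BytesIO(SAMPLE_GZ)), min_confidence=80.0)
    print(match_connections(idx, [("203.0.113.10", 50050), ("login.example.net", 443)]))
```

For a real download, pass `open("c2.json.gz", "rb")` to `read_feed` instead of the in-memory sample.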

      "geoip_country":"United Kingdom",

Malware List

85 Families/Tools (as of 1/2024).
You can see the fully up-to-date active list at https://hunt.io/active-c2s (requires web login).

ARL                 Gophish                    Cobalt Strike
Hajime              Ramnit                     Burp Collaborator
Hak5 Cloud C2       Sliver                     Supershell
PlugX C2 profile    Quasar                     VenomRAT
Redline Stealer     RedWarden                  Nessus VA
Raccoon Stealer     DarkComet                  HOOKBOT Fork
ShadowPad           Ermac                      Metasploit Meterpreter
Araneida            Covenant                   Pupy C2
Orcus RAT           Amadey                     Gh0st RAT
Ursnif              Unknown Android Malware    AlienBot
SolarMarker         Posh C2                    BYOB
Neptune Loader      SystemBC                   IcedID
Bandit Stealer      Chaos RAT                  Pantegana RAT
Mystic Stealer      Bumblebee                  Noterce
Airstrike           SpyAgent                   Epsilon Stealer
Godzilla Loader     Lokibot                    Bianlian
Meduza              JinxLoader                 Deimos C2