API C2 Feed Documentation
The C2 Feed (Command and Control) provides high confidence malicious infrastructure as a new line JSON feed.
How This Feed is Created
- Hunt.io scans the complete Internet very frequently looking for protocols, SSL certs and other hints as to malware like JARM/JA4 hashes.
- Hot spots on the Internet that have had malware before or are bullet proof hosting are checked more frequently and completely
- Validation is run for deep validation that this is indeed malicious to provide low false positives.
- An in house research team adds malware and update signatures all the time. It's rare we don't go a week with out modifications.
- The feed includes C2s, Recon tools and more.
- The feed is generated in real time for the past 7 days of data from the second it is requested.
Note
- The hostname should be considered malicious, and scan URL represents the endpoint that is used to check for malware.
How to Access This Feed
-
Open Your Terminal or Command Prompt: This is where you'll type the curl command. On Windows, you can search for "cmd" to open the Command Prompt. On macOS or Linux, you can open the Terminal.
-
Prepare Your API Key: Before running the command, ensure you have your API key ready. This should be a string of characters you obtained when you created your API key in the previous step. Be sure that API > Access Instructions are set to Allow All. (This is set to Allow All by default)
-
Construct the Curl Command: Type the following command, but replace <API_TOKEN_GOES_HERE> with your actual API key.
-
curl -o c2.json.gz 'https://api.hunt.io/v1/feeds/c2' -H 'token: <API_TOKEN_GOES_HERE>'
- Ensure you remove
<API_TOKEN_GOES_HERE>
and replace it with your API key without the angle brackets.
-
-
Execute the Command: After typing the command with your API key, press Enter to execute it. This sends a request to the specified URL with your API token for authentication.
-
Review the Response: The server's response to your request will be in a file named
c2.json.gz
. This contains the data you're requesting from the API—in this case, the C2 Feed.- Note: Please be aware that the dataset is provided in a compressed format
c2.json.gz
. For decompression, utilize a native system utility or opt for a verified external tool designed for this purpose.
- Note: Please be aware that the dataset is provided in a compressed format
Returned Data
The C2 feed API returns the following fields when queried. Details on accessing the C2 feed API can be found here.
Field | Type | Desc | Optional |
---|---|---|---|
ip | IPv4Address | Ipv4 address of the server. Can be null when a server does not have a DNS A record | True |
hostname | String | Hostname and domain name. Can be null if a server is accessible by IP only. | True |
scan_uri | string | URI or URL of the scan. | True |
timestamp | float (Timestamp) | UNIX timestamp of the scan. | False |
port | int | Port of the malware server | False |
malware_name | string | Name of the Malware | False |
malware_subsystem | string | Detected subsystem. More information in Malware Subsystems table. | False |
extra | string | Additional data on the detected C2. Stored in JSON format | False |
confidence | float | Confidence score for detected C2. | False |
Malware Subsystems
Name | Description |
---|---|
C2 | Manages communication between the infected host and attacker server. Communication can include exfiltration, command and control, or download of modules and updates. |
Exploit Server | Attack Infrastructure used for delivering exploits to vulnerable systems. |
Infrastructure | Ecosystem of known Advanced Persistent Threats (APTs) and Threat Actors running unknown services and malware. |
Management | Centralized server or web panel where Threat Actors orchestrate and control malware. Often dual purpose as both C2 hub and command center. |
Phishing | Deceptive tools and techniques designed to trick users into disclosing sensitive information. Usually an initial attack vector in malware campaigns. |
Red Team Tools. | Tools and applications used by legitimate actors to conduct security assessments and threat emulation. |
Redirect | A site that redirects users to a malicious URL without the users knowledge. |
Team Server | Command and control server used in Cobalt Strike operations. Enables actors to co-ordinate attacks and manage compromised systems. |
Victim | Device compromised by Malware. Serves as an endpoint for malicious operations and data exfiltration |
"ip":"18.135.30.45",
"port":4086,
"hostname":"ipso.alert-manager.co.uk",
"timestamp":"2023-11-27T10:59:02",
"scan_uri":"https://ipso.alert-manager.co.uk:4086/login",
"confidence":100.0,
"extra":{
"geoip_city":"London",
"geoip_country":"United Kingdom",
"geoip_asn":"AMAZON-02",
"geoip_asn_num":16509,
"geoip_subnetwork":"18.132.0.0/14",
"domain_private_name":"alert-manager.co.uk",
"domain_type":"REGULAR"
},
"malware_name":"Gophish"
Malware List
85 Families/Tools (as of 1/2024).
You can see the fully up to date active list at https://hunt.io/active-c2s (requires web login).
ARL | Gophish | Cobalt Strike |
Hajime | Ramnit | Burp Collaborator |
ReNgine | Metasploit | Acunetix |
AsyncRAT | Viper | Interactsh |
Hak5 Cloud C2 | Sliver | Supershell |
PlugX C2 profile | Quasar | VenomRAT |
BeEF | Qakbot | Havoc |
Redline Stealer | RedWarden | Nessus VA |
Pikabot | HOOKBOT | MITRE Caldera |
L3MON | Responder | DcRat |
Raccoon Stealer | DarkComet | HOOKBOT Fork |
ShadowPad | Ermac | Metasploit Meterpreter |
Araneida | Covenant | Pupy C2 |
Mozi | Mirai | Mythic |
Vshell | Evilgophish | AZORult |
Orcus RAT | Amadey | Gh0st RAT |
Ursnif | Unknown Android Malware | AlienBot |
ReconFTW | Octopus | RedGuard |
SolarMarker | Posh C2 | BYOB |
MuddyWater APT | OWASP ZAP API | Kaiji |
Neptune Loader | SystemBC | IcedID |
Bandit Stealer | Chaos RAT | Pantegana RAT |
Mystic Stealer | Bumblebee | Noterce |
Just-kill | Ares | Vidar |
Scarab | BitRAT | Gafgyt |
Airstrike | SpyAgent | Epsilon Stealer |
Godzilla Loader | Lokibot | Bianlian |
Meduza | JinxLoader | Deimos C2 |
Rhadamanthys |
Updated 10 days ago