Get Active C2s
The Get Active C2s endpoint allows users to query the Hunt database and determine which families of tooling are currently being tracked. The names and slugs it returns can then be used to query a specific tool and obtain its C2 list.
How To Make a Request
Active C2s can be obtained by performing a GET request to the following URL endpoint.
https://api.hunt.io/v1/c2s
Requests can be made via any tool that performs GET requests and can specify an authorization token.
Examples are provided below for both curl and python.
Curl
```bash
curl --request GET \
  --url https://api.hunt.io/v1/c2s \
  --header 'accept: application/json' \
  --header 'token: <your-token>'
```
Python
```python
import requests

url = "https://api.hunt.io/v1/c2s"
# The API key is sent in a custom "token" header, not as a Bearer token.
headers = {
    "accept": "application/json",
    "token": "<your-token>"
}

response = requests.get(url, headers=headers, timeout=30)
# Fail loudly on a 4xx/5xx (e.g. a rejected token) instead of printing an error body.
response.raise_for_status()
print(response.text)
```
Returned Fields
The following fields will be returned for each tracked family or tool.
| Field | Explanation |
|---|---|
| name | Name of the tool or malware family |
| slug | URL-safe slug of the tool or malware family name |
| count | Number of active C2s in the Hunt database (integer) |
| count_str | Number of active C2s in the Hunt database (string) |
| categories | Categories assigned to the tool or malware family |
| tags | Additional tags applied to the tool or malware family |
| short_description | Short description of the tool or family |
| long_description | Long description of the tool or family |
| confidence_score | Confidence score of the current detection methods |
| confidence_tags | Types of detection methods currently in use |
| icon_url | URL of the icon associated with the tool or family |
Returned Data Example
Calling the API endpoint returns an array containing one object for each family tracked by Hunt.
Below is an example of returned data for a specific family. Note that the endpoint will return an array of similar objects for all known families and tooling.
```json
{
  "name": "Redline Stealer",
  "slug": "redline-stealer",
  "count": 56,
  "count_str": "56",
  "categories": [
    "C2",
    "Loader"
  ],
  "tags": [
    "Banking",
    "Info Stealing",
    "Windows"
  ],
  "short_description": "RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. The stealer implements the following actions that extend its functionality: Download, RunPE, DownloadAndEx, OpenLink, and Cmd. The extracted information is converted to the XML format and exfiltrated to the C2 server via SOAP messages.",
  "long_description": "",
  "confidence_score": 90,
  "confidence_tags": "header match, path match, status match",
  "icon_url": "https://ui-avatars.com/api/?background=6c3acf&font-size=0.6&length=1&color=fff&name=Redline Stealer"
}
```
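The following is an added example, not code from the Hunt.io documentation, showing how a consumer might fetch the array described above and work with the returned fields: it validates each object against the documented field list (including the `count`/`count_str` consistency the two fields imply), ranks families by active C2 count with a minimum confidence score, and filters by tag. The sample payload is constructed: the first entry mirrors the page's Redline Stealer object, while the two "Example Family" entries and their counts are invented placeholders. Reading the API key from a `HUNT_API_TOKEN` environment variable is also an assumption of this example, not something the API requires.

```python
import json
import os
import urllib.request

C2S_URL = "https://api.hunt.io/v1/c2s"

# Constructed sample response: entry one follows the page's example; the other
# two are placeholders (invented names and counts) so ranking and filtering have
# something to work on. Entry three has a deliberately inconsistent count_str.
SAMPLE_RESPONSE = json.dumps([
    {"name": "Redline Stealer", "slug": "redline-stealer", "count": 56, "count_str": "56",
     "categories": ["C2", "Loader"], "tags": ["Banking", "Info Stealing", "Windows"],
     "short_description": "RedLine is a stealer ...", "long_description": "",
     "confidence_score": 90, "confidence_tags": "header match, path match, status match",
     "icon_url": "https://example.invalid/redline.png"},
    {"name": "Example Family A", "slug": "example-family-a", "count": 120, "count_str": "120",
     "categories": ["C2"], "tags": ["Linux"], "short_description": "placeholder",
     "long_description": "", "confidence_score": 40, "confidence_tags": "path match",
     "icon_url": "https://example.invalid/a.png"},
    {"name": "Example Family B", "slug": "example-family-b", "count": 7, "count_str": "8",
     "categories": ["Loader"], "tags": ["Windows"], "short_description": "placeholder",
     "long_description": "", "confidence_score": 75, "confidence_tags": "header match",
     "icon_url": "https://example.invalid/b.png"},
])

# Fields the page documents as always present; descriptions and icon_url are
# informational and not required for the checks below.
REQUIRED_FIELDS = ("name", "slug", "count", "count_str", "categories", "tags",
                   "confidence_score", "confidence_tags")


def fetch_active_c2s(token, url=C2S_URL):
    """GET the endpoint with the 'token' header the page documents; returns the parsed array."""
    request = urllib.request.Request(url, headers={"accept": "application/json", "token": token})
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.loads(response.read().decode("utf-8"))


def check_entry(entry):
    """Return a list of problems found in one family object; an empty list means it is usable."""
    problems = [f"missing field: {field}" for field in REQUIRED_FIELDS if field not in entry]
    if problems:
        return problems
    if not isinstance(entry["count"], int):
        problems.append("count is not an integer")
    elif str(entry["count"]) != entry["count_str"]:
        problems.append("count and count_str disagree")
    if not isinstance(entry["categories"], list) or not isinstance(entry["tags"], list):
        problems.append("categories/tags are not lists")
    return problems


def rank_families(families, min_confidence=0):
    """(slug, count) pairs for well-formed entries at or above min_confidence, busiest first."""
    usable = [f for f in families if not check_entry(f) and f["confidence_score"] >= min_confidence]
    return [(f["slug"], f["count"]) for f in sorted(usable, key=lambda f: (-f["count"], f["slug"]))]


def slugs_with_tag(families, tag):
    """Slugs of well-formed families carrying the tag (case-insensitive), in API order."""
    wanted = tag.casefold()
    return [f["slug"] for f in families
            if not check_entry(f) and any(t.casefold() == wanted for t in f["tags"])]


if __name__ == "__main__":
    token = os.environ.get("HUNT_API_TOKEN")  # assumption: key supplied via environment variable
    families = fetch_active_c2s(token) if token else json.loads(SAMPLE_RESPONSE)
    for slug, count in rank_families(families, min_confidence=50):
        print(f"{slug}: {count} active C2s")
    print("Windows-tagged:", slugs_with_tag(families, "windows"))
```

Without `HUNT_API_TOKEN` set, the script runs entirely against the constructed sample, which keeps the parsing logic testable offline; entries that fail `check_entry` are dropped from both the ranking and the tag filter so that a malformed object cannot silently skew a count-based report.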