AI Summary: C2 Tracker is a community-driven IOC feed that aggregates IP addresses related to known malware, botnets, and command-and-control (C2) infrastructures by leveraging searches from platforms like Shodan. Its primary use case is to facilitate threat intelligence by providing a regularly updated feed that can be ingested by various SIEM and EDR systems, enhancing detection and investigation capabilities. Notable features include version-controlled historical data, weekly updates, and compatibility with tools like OpenCTI and FortinetSIEM for streamlined integration and alerting.

README

C2 Tracker

C2 Tracker is a free-to-use-community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.

Honorable Mentions

Many of the queries have been sourced from other CTI researchers:

• BushidoToken
• Michael Koczwara
• ViriBack
• Gi7W0rm
• Glacius_
• corumir
• salmanvsf
• SecurityJosh

Huge shoutout to them!

Thanks to BertJanCyber for creating the KQL query for ingesting this feed

And finally, thanks to Y_nexro for creating C2Live in order to visualize the data and the website version at c2tracker.com

Usage

The most recent collection will be stored in data/. The IPs are seperated by the name of the tool and there is an all.txt that contains all of the IPs. As it currently stands this feed updates weekly on Monday.

Ingestion/Alerting

• If your SIEM/EDR/TIP has the ability to ingest data from a remote source than you can use the files in their raw text format. See BertJanCyber’s KQL query above as an example
• FortinetSIEM 7.2.0 added support for this intel feed - https://docs.fortinet.com/document/fortisiem/7.2.0/release-notes/553241/whats-new-in-7-2-0

Investigations/Historical Analysis

• The repo, by its nature, has version control. This means you can search the history of the repo for when an IP was present in the results. I have used one of my other public tools, GitHub Repo OSINT Tool, for this purpose.
• There is an OpenCTI connector for this project which can be found here - not recommended for production environments

What do I track?

• C2’s
  • Cobalt Strike
  • Metasploit Framework
  • Covenant
  • Mythic
  • Brute Ratel C4
  • Posh
  • Sliver
  • Deimos
  • PANDA
  • NimPlant C2
  • Havoc C2
  • Caldera
  • Empire
  • Ares
  • Hak5 Cloud C2
  • Pantegana
  • Supershell
  • Vshell
  • Villain
  • Nimplant C2
  • RedGuard C2
  • Oyster C2
  • byob C2
• Malware
  • AcidRain Stealer
  • Misha Stealer (AKA Grand Misha)
  • Patriot Stealer
  • RAXNET Bitcoin Stealer
  • Titan Stealer
  • Collector Stealer
  • Mystic Stealer
  • Gotham Stealer
  • Meduza Stealer
  • Quasar RAT
  • ShadowPad
  • AsyncRAT
  • DcRat
  • BitRAT
  • DarkComet Trojan
  • XtremeRAT Trojan
  • NanoCore RAT Trojan
  • Gh0st RAT Trojan
  • DarkTrack RAT Trojan
  • njRAT Trojan
  • Remcos Pro RAT Trojan
  • Poison Ivy Trojan
  • Orcus RAT Trojan
  • ZeroAccess Trojan
  • HOOKBOT Trojan
  • RisePro Stealer
  • NetBus Trojan
  • Bandit Stealer
  • Mint Stealer
  • Mekotio Trojan
  • Gozi Trojan
  • Atlandida Stealer
  • VenomRAT
  • Orcus RAT
  • BlackDolphin
  • Artemis RAT
  • Godzilla Loader
  • Jinx Loader
  • Netpune Loader
  • SpyAgent
  • SpiceRAT
  • Dust RAT
  • Pupy RAT
  • Atomic Stealer
  • Lumma Stealer
  • Serpent Stealer
  • Axile Stealer
  • Vector Stealer
  • Mint Stealer
  • Z3us Stealer
  • Rastro Stealer
  • Darkeye Stealer
  • Agniane Stealer
  • Epsilon Stealer
  • Bahamut Stealer
  • Unam Web Panel / SilentCryptoMiner
  • Vidar Stealer
  • Kraken RAT
  • Bumblebee Loader
  • Viper RAT
  • Spectre Stealer
  • Sectop RAT
• Tools
  • XMRig Monero Cryptominer
  • GoPhish
  • Browser Exploitation Framework (BeEF)
  • BurpSuite
  • Hashcat
  • MobSF
  • EvilGoPhish
  • EvilGinx
• Botnets
  • 7777
  • BlackNET
  • Doxerina
  • Scarab
  • 63256
  • Kaiji
  • MooBot
  • Mozi

Running Locally

If you want to host a private version, put your Shodan API key in an environment variable called SHODAN_API_KEY, and setup your Censys credentials in CENSYS_API_ID & CENSYS_API_SECRET

python3 -m pip install -r requirements.txt
python3 tracker.py

Contributing

I encourage opening an issue/PR if you know of any additional Shodan/Censys searches for identifying adversary infrastructure. I will not set any hard guidelines around what can be submitted, just know, fidelity is paramount (high true/false positive ratio is the focus).

References

• Hunting C2 with Shodan by Michael Koczwara
• Hunting Cobalt Strike C2 with Shodan by Michael Koczwara
• https://twitter.com/MichalKoczwara/status/1591750513238118401?cxt=HHwWgsDUiZGqhJcsAAAA
• BushidoToken’s OSINT-SearchOperators
• https://twitter.com/MichalKoczwara/status/1641119242618650653
• https://twitter.com/MichalKoczwara/status/1641676761283850241
• https://twitter.com/_montysecurity/status/1643164749599834112
• https://twitter.com/ViriBack/status/1713714868564394336
• https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd
• https://twitter.com/Glacius_/status/1731699013873799209
• https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router