惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
Y
Y Combinator Blog
美团技术团队
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
S
SegmentFault 最新的问题
IT之家
IT之家
Recent Announcements
Recent Announcements
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
T
The Blog of Author Tim Ferriss
Martin Fowler
Martin Fowler
Microsoft Azure Blog
Microsoft Azure Blog
V
Visual Studio Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
U
Unit 42
WordPress大学
WordPress大学
博客园 - Franky
L
LangChain Blog
人人都是产品经理
人人都是产品经理
小众软件
小众软件
博客园 - 叶小钗
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
云风的 BLOG
云风的 BLOG
Vercel News
Vercel News
雷峰网
雷峰网
腾讯CDC
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Help Net Security
Help Net Security
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
N
News and Events Feed by Topic
V2EX - 技术
V2EX - 技术
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Schneier on Security
Schneier on Security
博客园 - 聂微东
A
Arctic Wolf
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Exploit Database - CXSecurity.com
C
Cyber Attacks, Cyber Crime and Cyber Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Google DeepMind News
Google DeepMind News

Mapping the <mark>Internet</mark> on Netlas: Comprehensive Internet-Wide Scanning & OSINT Platform

Weaponized RMM: Hunting the Adversary Abuse of Remote Monitoring Tools Device Code Phishing: Technical Analysis and Proactive Hunting via Netlas Discovering Data Exposure with Netlas Telegram Bot API Abuse - Netlas Blog Using OWASP Amass with Netlas Module - Netlas Blog How we hunt C2 infrastructure at RST Cloud using Netlas - Netlas Blog Using Uncover with Netlas.io module - Netlas Blog Netlas Updates Terms and API & Data License Agreement - Netlas Blog Top 10 Hacking Devices for Ethical Hackers in 2026 - Netlas Blog Inside ClickFix: How Fake Prompts Took Over the Web Top 10 Critical Threat Actors to Watch in 2026: Ransomware, APTs & Defensive Strategies - Netlas Blog Bug Bounty 101 - A Complete Bug Bounty Roadmap for Beginners (2026) - Netlas Blog Supply Chain Attack - How Attackers Weaponize Software Supply Chains - Netlas Blog The Evolution of C2: Centralized to On-Chain - Netlas Blog From Starlink to Star Wars - The Real Cyber Threats in Space - Netlas Blog LLM Vulnerabilities: Why AI Models Are the Next Big Attack Surface - Netlas Blog When AI Turns Criminal: Deepfakes, Voice-Cloning & LLM Malware - Netlas Blog Zero-Click Exploits - Netlas Blog When Patches Fail: An Analysis of Patch Bypass and Incomplete Security - Netlas Blog I Analysed Over 3 Million Exposed Databases Using Netlas - Netlas Blog Post-Quantum Now: From AES & RSA to ML-KEM Hybrids - Netlas Blog Bug Bounty 101: Top 10 Reconnaissance Tools - Netlas Blog Mapping Dark Web Infrastructure - Netlas Blog Top Vibe-Coding Security Risks - Netlas Blog From Chaos to Control: Kanvas Incident Management Tool - Netlas Blog Bug Bounty 101: The Best Courses to Get Started in 2025 - Netlas Blog I, Robot + NIST AI RMF = Complete Guide on Preventing Robot Rebellion - Netlas Blog The $1.5B Bybit Hack & How OSINT Led to Its Attribution - Netlas Blog Hannibal Stealer: A Deep Technical Analysis - Netlas Blog The Pyramid of Pain: Beyond the Basics - Netlas Blog SOCMINT: Intelligence in the Social Media Era - Netlas Blog Hannibal Stealer vs. Browser Security - Netlas Blog The Largest Data Breach Ever? How Hackers Stole 16 Billion Credentials - Netlas Blog DNS Cache Poisoning – Is It Still Relevant? - Netlas Blog Modern Cybercrime: Who’s Behind It and Who’s Stopping It - Netlas Blog AI-Driven Attack Surface Discovery - Netlas Blog Netlas vs Urlscan: Tools Comparison - Netlas Blog Track Adversary Infrastructure Challenge 2025 Recap - Netlas Blog What is Threat Intelligence - Netlas Blog Netlas vs IPinfo: Tools Comparison - Netlas Blog Best Nmap Alternatives - Netlas Blog Whois History: How to Check the Domain Owner History - Netlas Blog Top WHOIS & RDAP Tools for Fast IP Address Lookup - Netlas Blog ASN Lookup Explained: Tools, Methods & Insights - Netlas Blog How to Detect CVEs Using Nmap Vulnerability Scan Scripts - Netlas Blog Nmap Cheat Sheet: Top 10 Scan Techiques - Netlas Blog Netlas vs ZoomEye: Platforms Comparison - Netlas Blog Top 6 Most Widely Used Port Scanners in Cybersecurity - Netlas Blog FAQ: Understanding Root DNS Servers and the Root Zone - Netlas Blog Domain Recon: Must-Know Tools for Security Professionals - Netlas Blog DNS History: Exploring Domains Past by Inspecting DNS Trails - Netlas Blog DNSSEC: Should You Use It? An Expert’s View on the Pros, Cons, and When to Implement - Netlas Blog Which DNS Servers Offer the Best Balance of Speed, Security, and Privacy? - Netlas Blog theHarvester: a Classic Open Source Intelligence Tool - Netlas Blog - Netlas Blog Top 15 OSINT Tools for Expert Intelligence Gathering - Netlas Blog A Deep Dive into the Open Web Application Security Project Top 10 Vulnerabilities - Netlas Blog Using Subfinder with Netlas Module - Netlas Blog Netlas Chrome and Firefox Extensions - Netlas Blog Netlas vs Censys: Platforms Comparison - Netlas Blog OSINT in Cybersecurity: Exploring Its Spectrum and Tech - Netlas Blog Best Honeypots for Detecting Network Threats - Netlas Blog Using Maltego with Netlas Module - Netlas Blog Using theHarvester with Netlas - Netlas Blog Using TLDFinder with Netlas - Netlas Blog Netlas vs Fofa: Platforms Comparison - Netlas Blog Netlas vs Shodan: Platforms Comparison - Netlas Blog Google Dorking in Cybersecurity - Netlas Blog 7 Tools for Web Penetration Testing - Netlas Blog Using DNS History in Cybersecurity - Netlas Blog Mastering Online Camera Searches - Netlas Blog Best Attack Surface Visualization Tools - Netlas Blog Complete Guide on Attack Surface Discovery - Netlas Blog How to find unprotected databases with Netlas.io: Chapter 2 - Netlas Blog
Proactive Threat Hunting: Techniques to Identify Malicious Infrastructure - Netlas Blog
Sukant Kumar · 2025-07-30 · via Mapping the <mark>Internet</mark> on Netlas: Comprehensive Internet-Wide Scanning & OSINT Platform

Malicious actors rely on a range of technical assets, known as adversary infrastructure, to carry out their operations. In this article, I will demonstrate how to hunt for the key components of such infrastructure – command-and-control (C2) servers, which are used for malware distribution, communication, and data exfiltration.

Our primary goal is to learn how to find distinct fingerprints that remain consistent across deployments. These may include favicon hashes, HTTP headers, TLS certificate fields, web page titles, and hash values of the HTTP response body. While not infrastructure in themselves, these artifacts are tightly linked to how infrastructure is configured and are essential for detection and correlation.

Malicious infrastructure hunting involves identifying, analyzing, and pivoting across these technical indicators to uncover related systems controlled by threat actors. By doing so, defenders can map attacker ecosystems, block future attacks proactively, and strengthen threat detection far earlier in the attack lifecycle.

A C2 server (short for Command-and-Control server) is a network service used by cyberattackers to remotely control compromised devices (such as infected computers, servers, or IoT devices) within a botnet or malware campaign.

From Reactive to Proactive: The Shift in Threat Detection

Traditional threat detection tends to be reactive – alerts are triggered once an attack has begun or after a compromise has occurred. Indicators like file hashes, malicious URLs, or command-and-control traffic are flagged only after they’ve been observed in an active attack.

Malicious infrastructure hunting changes this approach. By proactively monitoring the attacker’s supporting infrastructure, defenders can detect threats earlier, often before any payload is delivered or a connection to a victim is made.

AI generated abstract image

This shift offers several key benefits:

  • Early Detection: Infrastructure elements are often set up and tested before launch. Identifying them enables defenders to take action in the pre-attack phase.
  • Wider Visibility: Infrastructure reuse across campaigns reveals attacker patterns, helping to uncover related threats.
  • Faster Response: Blocking or monitoring suspicious infrastructure limits its reach and shortens the attacker’s window of effectiveness.
  • Improved Attribution: Clustering infrastructure, based on the threat hunting methods described below, facilitates the linking of activity to known threat actors or malware families.

Moving from reactive detection to proactive hunting equips organizations with the context and foresight needed to stay ahead of evolving threats, rather than just responding to them.

Recommended Reading

The Pyramid of Pain: Beyond the Basics

Techniques for Hunting Malicious Infrastructure

Malicious infrastructure hunting often begins with a known indicator of compromise (IoC) – such as an IP address, domain name, or hash – collected from threat intelligence reports, threat feeds, or community platforms like X (formerly Twitter). In some of the case studies discussed in this post, IoCs were gathered from platforms like X and SSL Blacklist (a project of Abuse.ch), which then served as pivot points to uncover related infrastructure.

This article demonstrates how to expand a single C2 IoC into broader threat hunting by fingerprinting it and leveraging IoT search engines such as Shodan and Netlas to uncover related C2 infrastructure. We will learn to analyze TLS certificates, HTTP headers and titles, favicon or body hashes, JARM fingerprints, and artifacts found in the source code of offensive tooling to search for C2 instances.

In the following subsections, we’ll break down these techniques with practical examples to illustrate how they can be applied effectively in real-world hunting scenarios.

Why use different IoT search engines?

Using multiple search engines like Netlas, Shodan, and Censys provides broader visibility because each platform uses different scanning techniques, infrastructure placements, and indexing schedules. This diversity helps reduce blind spots, catch assets missed by a single engine, and increase the chances of uncovering hidden or overlapping C2 infrastructure.

Although this article was originally posted on the Netlas blog, the Netlas team specifically asked me to demonstrate how combining different search engines can enhance threat hunting outcomes.

Leveraging HTTP Headers, Titles, and Body Hashes for Infrastructure Hunting

Adversary infrastructure often exposes unique, recurring HTTP characteristics, ranging from response headers and page titles to the full content of the HTTP body. These artifacts may include uncommon header combinations, such as:

  • WWW-Authenticate and Access-Control-Allow-Methods
  • custom 404 pages
  • open directory listings
  • static HTML used by control panels and malware stagers.

Since many threat actors reuse configurations or payload templates across multiple servers, defenders can use these traits to build powerful fingerprinting queries, effectively expanding known infrastructure into broader clusters.

Case Study 1: Discovering SectopRAT C2 Servers

Step 1: An IP address 91.199.163.74 is identified as being linked to SectopRAT malware activity. Upon validation using VirusTotal, the IP is flagged as malicious.

SectopRAT

Step 2: Netlas.io reveals notable HTTP response headers and status code patterns on port 9000:

  • port: 9000 - SectopRAT C2 servers commonly expose their interface on port 9000.
  • Server: Microsoft-HTTPAPI/2.0 - This specific server header is reused in multiple deployments.
  • Status Code: 404 - The C2 often returns a 404 error for unauthorized or default HTTP requests.
  • The full list of allowed HTTP methods (OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH) indicates the same backend stack or framework.

Sectop RAT Netlas Search

Step 3: By combining these headers, we constructed a Netlas query to hunt down the potentially related cluster.

Constructed Netlas Query:

port:9000 AND http.headers.server:"Microsoft-HTTPAPI/2.0" AND http.status_code:404 AND http.headers.access_control_allow_methods:"OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH"

Sectop RAT Netlas Group by IP address Cluster

Result: Servers configured similarly, likely operated by the same actor or malware variant, pointing to a broader malicious infrastructure footprint.

A RAT (Remote Access Trojan) is a type of malware that gives an attacker covert, remote control over an infected system. It relies on a C2 server as a communication hub, enabling the attacker to manage the compromised machine remotely. Through this C2 connection, the attacker can perform remote command execution, exfiltrate data, and coordinate control of multiple infected devices.

Case Study 2: Finding Open Directories Hosting Sliver Client and Other Malicious Tools

Unsecured web directories serve as drop zones for threat actors, often exposing file structures due to default server configurations.

  • http.title – Detects open directories or misconfigured file listings.
  • http.body – Matches Sliver payload names (executables or client identifiers)

Constructed Netlas Query:

http.title:("Index of" OR "Directory Listing for") AND http.body:("sliver.exe" OR "sliver64.exe" OR "sliver" OR "sliver-c2" OR "sliver-client")

Search with keyword variations

Include multiple permutations like sliver, sliver-c2, or sliver-client in the HTTP body. Adversaries or careless actors may name files or folders differently, using lowercase, hyphens, underscores, or abbreviated names, so using keyword variations helps capture a broader but still relevant set of results.

Sliver Netlas Search Group by IP

Sliver IP Virus Total Scan

Sliver - Open Directory

While initial discovery of Sliver C2 payloads was performed using Netlas, by identifying open directories with filenames like sliver-server and sliver-client, we extended this hunting methodology to Censys to uncover similar infrastructure tied to other red teaming and stealer tools.

Censys Query to Discover Malicious Tool Listings:

labels=suspicious-open-dir AND (services.http.response.body: "sliver" OR services.http.response.body: "MimiKatz" OR services.http.response.body: "xworm" OR services.http.response.body: "metasploit")

OpenDir Censys Search

A closer inspection of an open directory hosted at 164.92.224.52 revealed a stash of well-known red teaming and post-exploitation tools.

  • The open directory contained notorious offensive security tools, including credential dumpers (Mimikatz, BetterSafetyKatz, nanodump), Kerberos exploit tools (Kekeo, Kerberoast), and stealth execution methods (Mockingjay, Invoke-SDPropagator). AMSI bypasses, AD enumerators, and password crackers (John the Ripper) confirm the server supports post-compromise attack phases.

OpenDir Censys Search

  • Threat actors commonly leverage such infrastructure for payload staging, tool hosting, lateral movement, and privilege escalation. The use of obfuscated/EDR-evasive variants underscores malicious intent.

OpenDir Censys Search

How to Replicate:

  • Use labeled datasets: Start with labels=suspicious-open-dir to filter out endpoints already flagged by Censys for exposing directory listings.
  • Search for tool-specific keywords: Add terms like sliver, metasploit, MimiKatz, or xworm in the HTTP response body. These help locate open directories hosting known red teaming or stealer tools.
  • Look for indexing patterns: Open directories often contain HTML elements like Index of / or Parent Directory which are indicative of directory listings.
  • Detect common file types: You can also include popular payload file extensions such as .exe, .zip, .ps1, and .bat to focus on directories serving binaries or scripts.

Recommended Reading

Netlas vs Censys: Platforms Comparison

Case Study 3: Detecting Hookbot Control Panels

Some C2 panels expose hardcoded HTML page titles that can be searched directly.

http.title – Identifiable title string left unchanged in attacker deployments.

Constructed Netlas Query:

http.title:"HOOKBOT PANEL"

Hookbot Netlas Search Group By

Result: Detects Hookbot C2 admin panels, often tied to active or dormant infrastructure.

Recommended Reading

Hannibal Stealer vs. Browser Security

Case Study 4: Finding Oyster C2 Using HTTP Body Hash

Step 1: An IP address 85.239.52.99 is identified as being linked to Oyster C2.

Oyster C2 IP

Step 2: Netlas.io shows a distinctive HTTP body SHA-256 hash:

  • http.body_sha256 – This value represents the SHA-256 hash of the HTTP response body for an Oyster C2 landing page.
  • Reused payloads or panel pages tend to produce identical body hashes, making this a powerful way to cluster infrastructure.

OysterC2 Netlas Search

Constructed Netlas Query:

http.body_sha256:"f84b78e96fc74a902481247dc87434c5ce7b6130f0fa53ab5ba1f6fe1d50d377"

Oyster C2 Netlas Search Group By

Result: Reveals a cluster of servers using the same static web content, pointing to other C2 nodes or staging infrastructure.

Analyzing SSL/TLS Certificates

Before TLS encryption is established, the server provides its certificate, which contains its public key and is used to establish an encrypted connection. SSL/TLS certificates contain several attributes, such as the Subject Distinguished Name (DN), Issuer DN, Serial Number, Validity Period, Signature Algorithm, and various extensions, which are commonly used for fingerprinting, especially when self-signed certificates are used.

Unlike certificates issued by trusted Certificate Authorities (CAs), self-signed certificates are manually generated and often contain unique or uncommon metadata. This uniqueness becomes a fingerprint for hunting.

Case Study 1: OrcusRAT

Step 1: To hunt for infrastructure related to OrcusRAT, a known remote access trojan (RAT), we began by searching SSL Blacklist by Abuse.ch, which tracks suspicious and malicious certificates. We observed that many OrcusRAT variants use self-signed certificates where the Issuer DN is set to: "OrcusServerCertificate"

OrcusRAT Search on SSLBlacklist

Step 2: This consistent trait enabled us to craft a Censys query to uncover related infrastructure:

services.tls.certificates.leaf_data.issuer_dn="CN=OrcusServerCertificate"

Result: Running this query surfaced several potentially related servers exhibiting the same certificate configuration, which is valuable for tracking C2 infrastructure or identifying live command channels.

Orcus RAT Censys Search

Case Study 2: BitRAT

Step 1: Similarly, BitRAT infrastructure commonly uses "BitRAT" as the Certificate Issuer CN, allowing defenders to build detection logic based on this trait.

BitRAT Search on SSLBlacklist

Step 2: This consistent pattern again became a pivot point. We queried Censys using:

services.tls.certificates.leaf_data.issuer_dn="CN=BitRAT”

BitRAT Censys Search

Below is a table summarizing similar patterns observed across different C2 and RAT infrastructures:

Well-known C2 Self-Signed Certificate Attributes
NameCertificate Pattern FieldCertificate Pattern Value
Mythic C2subject_dnO=Mythic
VenomRATsubject_dnCN=VenomRAT
AsyncRATissuer_dnCN=AsyncRAT Server
Sliver C2issuer.common_nameoperators
Cobalt Strikeissuer.common_nameMajor Cobalt Strike

These easily identifiable fields allow analysts to pivot across different servers or domains that reuse the same certificate metadata, making it possible to uncover broader infrastructure clusters linked to a single tool or threat actor.

Mining Offensive Framework Source Code for Hardcoded Indicators

Many modern C2 frameworks used by red teams and threat actors alike are published as open-source projects. By reviewing these projects, defenders can extract unique headers or behaviors that help identify exposed or misused infrastructure.

To get started:

  • Explore the official repositories (e.g., GitHub) of popular frameworks like Havoc or Pyramid C2.
  • Useful files often include: readme.md, wiki.md, *.css, settings.py, config.json, custom HTML error pages, etc.

Below, we demonstrate this approach using two widely known frameworks: Havoc and Pyramid C2.

Case Study 1: Havoc C2

Havoc is a modern, open-source C2 framework used for post-exploitation, red teaming, and adversary simulation. Its GitHub repository provides clear documentation of the listener behavior.

How to Analyze:

  • Visit: github.com/HavocFramework/Havoc
  • Open the WIKI.MD file.
  • Under the Listener Configuration section, you’ll find default header values used in C2 communication:

Havoc Github Code Repo

Netlas Search Query to Detect Havoc Servers:

This query searches for HTTP servers responding with the X_Havoc header – potentially identifying exposed or misconfigured Havoc infrastructure.

http.unknown_headers.key:"X_Havoc"

Havoc Netlas Search

By grouping the results by IP, we were able to see the related IP cluster:

Havoc Netlas Search Group By

VirusTotal analysis for one of the IP addresses from the cluster:

Havoc IP VirusTotal Scan

Pyramid C2 is a Python-based post-exploitation framework. Its server-side logic includes custom authentication behavior that can be fingerprinted in threat hunting.

How to Analyze:

Pyramid C2 Github Code Repo

This default authentication challenge string is a unique and easily searchable indicator.

Netlas Search Query to Detect Pyramid Servers: The Netlas query below helps locate any servers exposing Pyramid’s default authentication header.

http.headers.www_authenticate:"Basic realm=\"Demo Realm\""

PyramidC2 Netlas Search

PyramidC2 Netlas Search Group By

VirusTotal analysis of one of the IP addresses from the cluster:

Pyramid C2 VT Scan

Pyramid C2 VT Scan Community Comments

Clustering Adversary Servers with Favicon Hashes

Favicons, the small icons shown in browser tabs, can act as subtle but powerful indicators when tracking attacker-controlled infrastructure. Since many threat actors reuse favicon.ico files across multiple systems, such as phishing pages or C2 servers, these icons often generate consistent hash values.

This behavior can create a unique fingerprint that can be used to detect other systems controlled by the same actor. Unlike broad heuristics, hash-based detection offers high precision, helping analysts minimize false positives. With just one hash, it is possible to uncover a larger network of related domains and IP addresses, making favicon hashes a fast and efficient pivot point in threat hunting workflows.

To illustrate, begin with a suspicious IP address that has been confirmed as malicious using a threat intelligence platform such as VirusTotal.

Step 1: Starting point: from:drb_ra reverse_SSH

Supershell X post

VirusTotal analysis of the IP address from X:

Supershell IP VT Scan

Step 2: Next, inspect the IP on urlscan.io and navigate to the HTTP transactions section.

Supershell URLScan

If a request for favicon.ico is observed, extract the associated SHA-256 hash of the favicon file.

Supershell URLScan

Step 3: This resource (favicon) hash can then be used as a pivot point. Search the hash on Netlas.io using a dork like:

http.favicon.hash_sha256:8a0bfe63bcd9859d68e4e60ac703c20e6242c2a9c690638c4887e32eadf59ceb

Supershell Netlas Search

Supershell Login Panel:

Supershell Login Panel

Step 4: By grouping the search results by IP and path, we can observe a cluster of malicious IP addresses pointing to Supershell login paths.

Supershell Netlas Group By

This type of search often reveals clusters of infrastructure, indicating potential connections between malicious servers.

Identifying Infrastructure Using JARM Fingerprints

JARM is a TLS fingerprinting technique developed by Salesforce that helps identify servers based on their TLS configuration and behavior. Each server responds to a series of custom TLS Client Hello messages, and the response pattern is hashed to generate a unique JARM fingerprint.

This technique is particularly useful in hunting and clustering C2 infrastructure built with a unique or rare SSL/TLS stack. JARM fingerprints can reveal infrastructure operated by the same malware family or threat group even when the network indicators differ.

Case Study: Hunting Cobalt Strike Infrastructure

Step 1: An IP address 82.156.102.187 is suspected to be associated with Cobalt Strike.

CobaltStrikeX

Step 2: When checked on VirusTotal, a JARM fingerprint was identified:

2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da

CobaltStrike VT Scan

CobaltStrike VT Scan

Step 3: Searching for this JARM fingerprint on Shodan returned over 7,000 results. Constructed Shodan query:

ssl.jarm:"2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da”

Cobalt Strike Shodan Search

Not all servers with the same JARM hash are malicious

Many servers may share similar TLS configurations because they use default or common libraries without any malicious intent. Thus, JARM alone is often insufficient and must be combined with other attributes.

Step 4: Upon searching the malicious IP address on Shodan, a detailed review of the HTTP HTML hash, HTTP response, and SSL information from the same IP revealed:

  • http.html_hash:0

  • HTTP/1.1 404 Not Found

  • Content-Type: text/plain

  • Content-Length: 0

  • SSL public key size: 2048-bit

Cobalt Strike Shodan Search

Step 5: These details were combined into a refined Shodan query:

Constructed Shodan query:

ssl.jarm:"2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da" http.html_hash:0 HTTP/1.1 404 Not Found Content-Type: text/plain Content-Length: 0 ssl:2048

Cobalt Strike Shodan Search

This reduced the result set to 274 hosts.

To further reduce noise, facet analysis in Shodan was leveraged:

  • Certificate Issuer CNs (Common Names) were reviewed.
  • Uncommon issuers such as "query.com", “www.bing.com”, “Google”, and "Microsoft Windows" stood out. These could be deliberate attempts to mimic legitimate metadata to evade detection or appear trustworthy.

Cobalt Strike Shodan Search

  • jquery.com is not a legitimate Certificate Authority. It is often observed in self-signed certificates used by malware C2 servers. Its presence indicates likely misuse and should be treated as suspicious when seen in unknown infrastructure.

Constructed Shodan query:

ssl.jarm:"2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da" http.html_hash:0 HTTP/1.1 404 Not Found Content-Type: text/plain Content-Length: 0 ssl:2048 ssl.cert.issuer.cn:"jquery.com"

Cobalt Strike Shodan jquery

  • Attackers use Google as the issuer CN to mimic legitimate traffic and blend into expected telemetry. This tactic is frequently observed in commodity RAT infrastructure.

Constructed Shodan query:

ssl.jarm:"2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da" http.html_hash:0 HTTP/1.1 404 Not Found Content-Type: text/plain Content-Length: 0 ssl:2048 ssl.cert.issuer.cn:"Google"

Cobalt Strike Shodan Google

  • Though it looks like a trusted name, Microsoft Windows as an issuer CN in a certificate is non-standard. It is often used by attackers to appear trustworthy, especially in campaigns abusing SSL/TLS configurations.

Constructed Shodan query:

ssl.jarm:"2ad2ad16d2ad2ad00042d42d00042ddb04deffa1705e2edc44cae1ed24a4da" http.html_hash:0 HTTP/1.1 404 Not Found Content-Type: text/plain Content-Length: 0 ssl:2048 ssl.cert.issuer.cn:"Microsoft Windows"

Cobalt Strike Shodan Microsoft

Takeaway: By combining JARM, HTTP response details, SSL key attributes, and certificate metadata, researchers can pivot from a single IOC to a broader infrastructure cluster. While JARM helps group similar setups, it’s critical to refine results using layered indicators and metadata analysis to filter out benign servers.

Recommended Reading

Netlas vs Shodan: Platforms Comparison

Final Thoughts on Hunting Malicious Infrastructure

Threat actors fundamentally depend on infrastructure components to maintain their malicious activities. The good news is that we can track this infrastructure using attributes such as unique certificate values, JARM hashes, HTTP body hashes, and favicons.

We demonstrated practical, actionable techniques for pivoting across these digital artifacts, supported by real-world case studies. A critical defensive insight is reinforced here: no single indicator is definitive. However, strategically combining multiple signals and applying contextual filtering significantly reduces false positives and sharply improves detection accuracy.

The use of modern IoT search platforms helps track malicious infrastructure across the entire Internet.

The key takeaway for defenders is the power of a proactive hunting mindset: by leveraging the right queries and techniques, even small clues sourced publicly (e.g., from X or abuse.ch) can unravel entire malicious ecosystems. This proactive discovery empowers defenders to disrupt attacks earlier, dismantle attacker operations at scale, and stay ahead of the threat.

Please let me know in the comments if any parts of this post need further clarification or detail. Thank you for reading!

Calendar

Book Your Netlas Demo

Chat with our team to explore how the Netlas platform can support your security research and threat analysis.