{"id":13598517,"url":"https://github.com/montysecurity/C2-Tracker","last_synced_at":"2025-04-10T09:31:28.623Z","repository":{"id":63778227,"uuid":"570044007","full_name":"montysecurity/C2-Tracker","owner":"montysecurity","description":"Live Feed of C2 servers, tools, and botnets","archived":false,"fork":false,"pushed_at":"2024-04-13T13:31:52.000Z","size":28390,"stargazers_count":332,"open_issues_count":1,"forks_count":30,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-04-14T12:18:02.182Z","etag":null,"topics":["cybersecurity","infosec","osint","shodan","threat-hunting","threat-intelligence"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/montysecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-11-24T07:59:00.000Z","updated_at":"2024-04-15T15:11:59.383Z","dependencies_parsed_at":"2024-04-15T15:11:56.171Z","dependency_job_id":"02645d05-36be-45eb-a2db-2ab8dcc6fec1","html_url":"https://github.com/montysecurity/C2-Tracker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/montysecurity%2FC2-Tracker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/montysecurity%2FC2-Tracker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/montysecurity%2FC2-Tracker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/montysecurity%2FC2-Tracker/manifests","owner_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/owners/montysecurity","download_url":"https://codeload.github.com/montysecurity/C2-Tracker/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248191709,"owners_count":21062556,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","infosec","osint","shodan","threat-hunting","threat-intelligence"],"created_at":"2024-08-01T17:00:53.258Z","updated_at":"2025-04-10T09:31:23.609Z","avatar_url":"https://github.com/montysecurity.png","language":"Python","funding_links":[],"categories":["Other Lists","C2 search tools"],"sub_categories":["🚫 IOC Feeds/Blacklists:"],"readme":"# C2 Tracker\n\nC2 Tracker is a free-to-use, community-driven IOC feed that uses [Shodan](https://www.shodan.io/) and [Censys](https://search.censys.io/) searches to collect IP addresses of known malware/botnet/C2 infrastructure.\n\n## Honorable Mentions\n\nMany of the queries have been sourced from other CTI researchers:\n\n- [BushidoToken](https://twitter.com/BushidoToken)\n- [Michael Koczwara](https://twitter.com/MichalKoczwara)\n- [ViriBack](https://twitter.com/ViriBack)\n- [Gi7W0rm](https://twitter.com/Gi7w0rm)\n- [Glacius_](https://twitter.com/Glacius_)\n- [corumir](https://github.com/corumir)\n- [salmanvsf](https://x.com/salmanvsf)\n\nHuge shoutout to them!\n\nThanks to [BertJanCyber](https://twitter.com/BertJanCyber) for creating the [KQL query](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Threat%20Hunting/TI%20Feed%20-%20MontySecurity%20C2%20Tracker%20All%20IPs.md) for ingesting this 
feed\n\nAnd finally, thanks to [Y_nexro](https://twitter.com/Y_NeXRo) for creating [C2Live](https://github.com/YoNixNeXRo/C2Live) in order to visualize the data\n\n## Usage\n\nThe most recent collection will be stored in `data/`. The IPs are separated by the name of the tool and there is an `all.txt` that contains all of the IPs. As it currently stands, this feed updates `weekly` on Monday.\n\n### Ingestion/Alerting\n\n- If your SIEM/EDR/TIP has the ability to ingest data from a remote source, then you can use the files in their raw text format. See BertJanCyber's KQL query above as an example\n- FortiSIEM 7.2.0 added support for this intel feed - `https://docs.fortinet.com/document/fortisiem/7.2.0/release-notes/553241/whats-new-in-7-2-0`\n\n### Investigations/Historical Analysis\n\n- The repo, by its nature, has version control. This means you can search the history of the repo for when an IP was present in the results. I have used one of my other public tools, [GitHub Repo OSINT Tool](https://github.com/montysecurity/GROT), for this purpose.\n\n## What do I track?\n\n- C2's\n    - [Cobalt Strike](https://www.cobaltstrike.com/)\n    - [Metasploit Framework](https://www.metasploit.com/)\n    - [Covenant](https://github.com/cobbr/Covenant)\n    - [Mythic](https://github.com/its-a-feature/Mythic)\n    - [Brute Ratel C4](https://bruteratel.com/)\n    - [Posh](https://github.com/nettitude/PoshC2)\n    - [Sliver](https://github.com/BishopFox/sliver)\n    - [Deimos](https://github.com/DeimosC2/DeimosC2)\n    - PANDA\n    - [NimPlant C2](https://github.com/chvancooten/NimPlant)\n    - [Havoc C2](https://github.com/HavocFramework/Havoc)\n    - [Caldera](https://caldera.mitre.org/)\n    - [Empire](https://github.com/EmpireProject/Empire)\n    - [Ares](https://github.com/sweetsoftware/Ares)\n    - [Hak5 Cloud C2](https://shop.hak5.org/products/c2)\n    - [Pantegana](https://github.com/cassanof/pantegana)\n    - 
[Supershell](https://github.com/tdragon6/Supershell/tree/main)\n    - Poseidon C2\n    - Viper C2\n    - [UnamWebPanel](https://github.com/UnamSanctam/UnamWebPanel)\n    - [Vshell](https://github.com/veo/vshell)\n    - [Villain](https://github.com/t3l3machus/Villain)\n    - [Nimplant C2](https://github.com/chvancooten/NimPlant)\n    - [RedGuard C2](https://github.com/wikiZ/RedGuard/tree/main)\n    - Oyster C2\n- Malware\n    - AcidRain Stealer\n    - Misha Stealer (AKA Grand Misha)\n    - Patriot Stealer\n    - RAXNET Bitcoin Stealer\n    - Titan Stealer\n    - Collector Stealer\n    - [Mystic Stealer](https://twitter.com/_montysecurity/status/1643164749599834112)\n    - [Gotham Stealer](https://twitter.com/FalconFeedsio/status/1705765083429863720)\n    - [Meduza Stealer](https://twitter.com/g0njxa/status/1717563999984717991?t=rcVyVA2zwgJtHN5jz4wy7A\u0026s=19)\n    - Quasar RAT\n    - ShadowPad\n    - AsyncRAT\n    - DcRat\n    - BitRAT\n    - DarkComet Trojan\n    - XtremeRAT Trojan\n    - NanoCore RAT Trojan\n    - Gh0st RAT Trojan\n    - DarkTrack RAT Trojan\n    - njRAT Trojan\n    - Remcos Pro RAT Trojan\n    - Poison Ivy Trojan\n    - Orcus RAT Trojan\n    - ZeroAccess Trojan\n    - HOOKBOT Trojan\n    - [RisePro Stealer](https://github.com/noke6262/RisePro-Stealer)\n    - NetBus Trojan\n    - Bandit Stealer\n    - Mint Stealer\n    - Mekotio Trojan\n    - Gozi Trojan\n    - Atlandida Stealer\n    - VenomRAT\n    - Orcus RAT\n    - DcRAT\n    - BitRAT\n    - BlackDolphin\n    - Artemis RAT\n    - Godzilla Loader\n    - Jinx Loader\n    - Netpune Loader\n    - [SpyAgent](https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk)\n    - [SpiceRAT](https://hunt.io/blog/the-secret-ingredient-unearthing-suspected-spicerat-infrastructure-via-html-response)\n    - Dust RAT\n    - Pupy RAT\n- Tools\n    - [XMRig Monero Cryptominer](https://xmrig.com/)\n    - [GoPhish](https://getgophish.com/)\n    - [Browser Exploitation 
Framework (BeEF)](https://github.com/beefproject/beef)\n    - [BurpSuite](https://portswigger.net/burp)\n    - [Hashcat](https://hashcat.net/hashcat/)\n    - [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)\n- Botnets\n    - [7777](https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd)\n    - [BlackNET](https://github.com/suriya73/BlackNET)\n    - Doxerina\n    - Scarab\n\n## Running Locally\n\nIf you want to host a private version, put your Shodan API key in an environment variable called `SHODAN_API_KEY`, and set up your Censys credentials in `CENSYS_API_ID` \u0026 `CENSYS_API_SECRET`\n\n```bash\npython3 -m pip install -r requirements.txt\npython3 tracker.py\n```\n\n## Contributing\n\nI encourage opening an issue/PR if you know of any additional Shodan/Censys searches for identifying adversary infrastructure. I will not set any hard guidelines around what can be submitted, just know, **fidelity is paramount** (high true/false positive ratio is the focus).\n\n## References\n\n- [Hunting C2 with Shodan by Michael Koczwara](https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f)\n- [Hunting Cobalt Strike C2 with Shodan by Michael Koczwara](https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2)\n- [https://twitter.com/MichalKoczwara/status/1591750513238118401?cxt=HHwWgsDUiZGqhJcsAAAA](https://twitter.com/MichalKoczwara/status/1591750513238118401?cxt=HHwWgsDUiZGqhJcsAAAA)\n- BushidoToken's [OSINT-SearchOperators](https://github.com/BushidoUK/OSINT-SearchOperators/blob/main/ShodanAdversaryInfa.md)\n- [https://twitter.com/MichalKoczwara/status/1641119242618650653](https://twitter.com/MichalKoczwara/status/1641119242618650653)\n- [https://twitter.com/MichalKoczwara/status/1641676761283850241](https://twitter.com/MichalKoczwara/status/1641676761283850241)\n- [https://twitter.com/_montysecurity/status/1643164749599834112](https://twitter.com/_montysecurity/status/1643164749599834112)\n- 
[https://twitter.com/ViriBack/status/1713714868564394336](https://twitter.com/ViriBack/status/1713714868564394336)\n- [https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd](https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd)\n- [https://twitter.com/Glacius_/status/1731699013873799209](https://twitter.com/Glacius_/status/1731699013873799209)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmontysecurity%2FC2-Tracker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmontysecurity%2FC2-Tracker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmontysecurity%2FC2-Tracker/lists"}