All the links you need in one place - your start for growth and collaboration.
What is Malware Hunter?
Malware Hunter is a specialized scanner from Shodan that searches for botnet command and control (C2) servers on the Internet. As described in the article Deep Dive: Malware Hunter, it works by pretending to be an infected Windows XP computer that sends a C2 handshake to every IP address on the Internet. If the server responds, it is C2, and Shodan tags it with a "malware" tag. This allows it to find malicious servers even if they are not yet used in attacks.
How does it work?
Malware Hunter does not just scan ports, it imitates the behavior of an infected device. Here's how it works:
Imitation of an infected client: The scanner sends requests as if it were an infected computer ready to join the botnet.
Response analysis: If the IP address responds as a C2 server, it gets the "malware" tag in the Shodan database.
Protocols: Supports searching for servers for RATs (Remote Access Trojans), such as Gh0st RAT, DarkComet, njRAT, and others.
Uniqueness: Unlike passive methods (e.g. certificate analysis), Malware Hunter actively searches for C2 on home networks even before they are activated.
Example: in 2017, Malware Hunter found more than 5,700 C2 servers, including 72% in the US, 12% in Hong Kong, and 5.2% in China. Among them were servers for Gh0st RAT (93.5%) and DarkComet (3.7%).
How to use?
Malware Hunter is integrated into Shodan, and access to the results is free for anyone with an account. Here are the steps:
Search Shodan: Go to shodan.io and search for category:malware. This will show IP addresses that have been tagged as C2 servers.
Example: Enter category:malware country:US to search for servers in the US.
Using the API/CLI: For automation, use the command:
shodan stats --facets ip:1000 tag:malware | sed -e '1d' -e 's/ .*//' | sort
This will return a list of C2 IP addresses. A corporate account is required for the full list.
Analysis for OSINT: Use the data to map the attackers' infrastructure. For example, check an IP via internetdb.shodan.io to analyze its open ports.
For SOC analysts: Upload the C2 list to SIEM (e.g. Splunk) for monitoring or blocking.
Contribute to the project: If you know a new C2 protocol or malware, send data (PCAP, code, or articles) to support@shodan.io.
For beginners: C2 is a server that controls infected devices (botnets). RAT is a remote access trojan, like a spy that steals data.
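As an added example (not from the original post and not Shodan's own code), the following Python script does offline what the API/CLI and SOC steps above describe: it parses the output of the shodan stats --facets ip:1000 tag:malware command into a C2 watchlist, writes it as a CSV lookup that a SIEM such as Splunk can load, and matches the watchlist against firewall log lines. The stats output, the log lines and the log format are constructed for this example; the assumption that the stats output has exactly one header line before the "ip count" rows is the same one the post's sed -e '1d' makes.

```python
"""Turn `shodan stats --facets ip:1000 tag:malware` output into a SIEM-ready
C2 watchlist and match it against firewall log lines.

Added example, not Shodan's code. All sample data below is constructed.
Assumed stats format: one header line, then "<ip> <count>" per line
(the same assumption the page's `sed -e '1d'` pipeline makes).
"""
import csv
import io
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of the CLI output. It deliberately contains a private
# address, a malformed line and a duplicate IP to show the filtering.
SAMPLE_STATS = """Top 1000 Results for Facet: ip
203.0.113.45            12
198.51.100.7            3
192.168.1.10            1
not-an-ip               9
203.0.113.45            2
"""

# Addresses that can never be an Internet-facing C2; putting them on a block
# list would only break the local network (see the "check your IPs" tip).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_stats(text: str) -> Dict[str, int]:
    """Parse facet output into {ip: hit_count}; skip the header, malformed
    lines and internal addresses; merge duplicate IPs."""
    hits: Dict[str, int] = {}
    for line in text.splitlines()[1:]:      # line 0 is the facet header
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
            count = int(parts[1])
        except ValueError:                  # "not-an-ip" or bad count
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        hits[str(ip)] = hits.get(str(ip), 0) + count
    return hits


def to_splunk_lookup(hits: Dict[str, int]) -> str:
    """Render the watchlist as a CSV lookup table (ip,hits,source)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "hits", "source"])
    for ip, count in sorted(hits.items()):
        writer.writerow([ip, count, "shodan:tag:malware"])
    return buf.getvalue()


# Constructed firewall log lines in a syslog-like "src:port -> dst:port" form.
# Outbound connections from internal hosts to tagged addresses are the signal.
SAMPLE_LOGS = [
    "2025-07-08T10:01:02Z fw01 ALLOW TCP 192.168.1.10:51234 -> 203.0.113.45:443",
    "2025-07-08T10:01:05Z fw01 ALLOW TCP 192.168.1.22:51301 -> 203.0.113.9:80",
    "2025-07-08T10:02:11Z fw01 DENY  TCP 192.168.1.10:51240 -> 198.51.100.7:8080",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
CONN_RE = re.compile(rf"({IPV4}):\d+ -> ({IPV4}):(\d+)")


def match_logs(lines: List[str], watchlist: Dict[str, int]) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, src_ip, dst_ip, dst_port) for every log line whose
    destination address is on the watchlist."""
    alerts = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and m.group(2) in watchlist:
            alerts.append((line.split()[0], m.group(1), m.group(2), int(m.group(3))))
    return alerts


if __name__ == "__main__":
    watchlist = parse_stats(SAMPLE_STATS)
    print(to_splunk_lookup(watchlist))
    for ts, src, dst, port in match_logs(SAMPLE_LOGS, watchlist):
        print(f"{ts} C2 contact: {src} -> {dst}:{port}")
```

In practice the CSV would be written to a file and loaded as a lookup, and the matching would be done by the SIEM itself; the script shows the data shape and the internal-address filter, which matters because the raw facet output is not validated before it reaches a block list.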
Limitations and tips
Free access: The results are available to anyone with a Shodan account, but full data export requires a corporate subscription.
Ethical: Only use the data for legitimate purposes, such as network security or research. Scanning other people's systems without permission is illegal.
False positives: Some antiviruses may flag Malware Hunter traffic as a threat, but it is safe because it does not send malicious data.
Tip: Check your own IPs via Shodan to make sure your devices are not mistakenly listed as C2.
Limitation: Malware Hunter focuses on RATs, but may support other types of malware in the future (e.g. cryptominers).
Why is it needed?
Malware Hunter is like a detective who catches the bad guys before they make their first move. It helps:
OSINT analysts: Track the infrastructure of cybercriminals.
Cybersecurity: Block C2 servers before attacks begin.
Researchers: Study new threats such as Gh0st RAT or DarkComet.
Have you checked your networks for vulnerabilities using Shodan? Share your experience in the comments!
Cold calls? We warm them up to the result!
Open sources, closed questions - we will find everything in seconds!
Contact on telegram @Grrds1