C2 Tracker - Community-Driven Malware and C2 Monitoring Tool

C2 Tracker is a free, community-driven Indicator of Compromise (IOC) feed designed to track IP addresses associated with known malware, botnets, and Command-and-Control (C2) infrastructure.

Leveraging powerful tools like Shodan and Censys, it provides a centralized repository for cybersecurity professionals to identify and monitor adversary infrastructure. This guide will cover everything you need to know about C2 Tracker, including its usage, supported tools, and how to contribute.

What is C2 Tracker?

C2 Tracker aggregates IP addresses linked to malicious activities by conducting searches on platforms like Shodan and Censys. It is updated weekly and serves as a valuable resource for threat intelligence analysts, security operations teams, and researchers.

Key Features

  • Community-Driven: Contributions from various cybersecurity researchers enhance the accuracy and scope of the feed.

  • Version Control: The repository allows historical analysis, enabling users to track when an IP address was first flagged.

  • Wide Coverage: Tracks a variety of C2 frameworks, malware families, botnets, and tools.

Acknowledgments

C2 Tracker is built on the collective efforts of the cybersecurity community. Special thanks go to the following contributors:

  • Researchers: BushidoToken, Michael Koczwara, ViriBack, Gi7W0rm, Glacius_, corumir, salmanvsf, SecurityJosh.

  • Visualization Tools: Y_nexro for creating C2Live and the website version at c2tracker.com.

  • KQL Query Support: BertJanCyber for crafting the KQL query that enables ingestion into SIEM systems.

How to Use C2 Tracker

Data Access

  • The latest collection is stored in the data/ directory of the repository.

  • IP addresses are categorized by tool names and consolidated into an all.txt file for comprehensive analysis.

  • The feed updates weekly on Mondays.

Ingestion and Alerting

If your security tools (SIEM/EDR/TIP) support ingesting data from remote sources:

  1. Use the raw text files provided in the repository.

  2. Refer to BertJanCyber's KQL query as an example for integration.

  3. Fortinet SIEM 7.2.0 includes built-in support for this feed.
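As an added example (not code from the C2 Tracker project), the following Python loads per-tool feed files in the one-IP-per-line layout of the repository's raw text files and checks constructed firewall log lines against them; the file names, the log format and the one-IP-per-line layout are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed stand-in for per-tool feed files read from the data/ directory.
# File names are placeholders, the layout (one IP per line) is an assumption,
# and the addresses are documentation ranges, not real indicators.
FEED_FILES = {
    "Cobalt Strike C2 IPs.txt": "203.0.113.10\n203.0.113.11\n\n",
    "Sliver C2 IPs.txt": "198.51.100.7\n203.0.113.11\n",
    "Mythic C2 IPs.txt": "192.0.2.44\n",
}

# Constructed firewall log lines in a syslog-like format (also an assumption).
SAMPLE_LOGS = [
    "2024-05-06T10:01:02Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.11 dport=443",
    "2024-05-06T10:01:05Z fw01 ALLOW src=10.0.0.9 dst=93.184.216.34 dport=80",
    "2024-05-06T10:02:11Z fw01 ALLOW src=10.0.0.5 dst=192.0.2.44 dport=8443",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_feed(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each feed IP to the tool names whose file lists it.

    Blank and malformed lines are skipped so a bad line in one file can never
    turn into a false alert.
    """
    index: Dict[str, List[str]] = {}
    for name, body in files.items():
        tool = name.rsplit(".", 1)[0]
        for raw in body.splitlines():
            line = raw.strip()
            if not line:
                continue
            try:
                ip = str(ipaddress.ip_address(line))
            except ValueError:
                continue
            index.setdefault(ip, []).append(tool)
    return index


def match_logs(logs: List[str], index: Dict[str, List[str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (log line, matched IP, tools) for each log line touching a feed IP."""
    hits = []
    for line in logs:
        for ip in IP_RE.findall(line):
            if ip in index:
                hits.append((line, ip, index[ip]))
    return hits
```

An IP that appears in several per-tool files is reported with every tool name, which is the same overlap a reader would see between the per-tool files and all.txt.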

Investigations and Historical Analysis

The repository's version control allows users to:

  • Search for specific IP addresses in historical data.

  • Identify when an IP was first flagged as malicious.
    For this purpose, you can use tools like the GitHub Repo OSINT Tool.

What Does C2 Tracker Monitor?

C2 Tracker monitors a wide range of malicious activities across multiple categories:

Command-and-Control Frameworks

Includes popular offensive security tools often abused by attackers:

  • Cobalt Strike

  • Metasploit Framework

  • Covenant

  • Mythic

  • Brute Ratel C4

  • Sliver

  • Deimos
    …and many more.

Malware Families

Tracks various malware types such as:

  • Stealers: AcidRain Stealer, Mystic Stealer, Vidar Stealer, etc.

  • RATs: Quasar RAT, AsyncRAT, DarkComet Trojan, njRAT Trojan.

  • Trojans: NanoCore RAT Trojan, Poison Ivy Trojan.

  • Loaders: Bumblebee Loader, Godzilla Loader.

Botnets

Monitors botnets like:

  • 7777

  • BlackNET

  • Kaiji

  • Mozi

Tools

Tracks penetration testing tools that may be misused:

  • XMRig Monero Cryptominer

  • GoPhish

  • BurpSuite
    …and more.

Running C2 Tracker Locally

To host your private version of C2 Tracker:

  1. Set up your Shodan API key as an environment variable (SHODAN_API_KEY).

  2. Configure your Censys credentials (CENSYS_API_ID and CENSYS_API_SECRET).

  3. Install dependencies:

     python3 -m pip install -r requirements.txt

  4. Run the tracker:

     python3 tracker.py

Contributing to C2 Tracker

Contributions are encouraged! If you know additional Shodan or Censys search queries that can improve the fidelity of identifying adversary infrastructure:

  1. Open an issue or submit a pull request (PR) in the repository.

  2. Focus on maintaining a high true/false positive ratio.

References

The following resources have been instrumental in shaping C2 Tracker:

  1. Hunting Cobalt Strike C2 with Shodan by Michael Koczwara.

  2. BushidoToken's OSINT Search Operators.

  3. Various Twitter threads by prominent researchers such as ViriBack and Glacius_.

For further insights into botnet tracking or specific techniques used in identifying malicious infrastructure, consult these references or follow related discussions in the cybersecurity community.

By leveraging C2 Tracker effectively, organizations can stay ahead of evolving threats and enhance their threat detection capabilities through actionable intelligence. You can learn more and download C2 Tracker on GitHub.