# The C2 Hunting Arsenal: Practical Resources & Playbooks

### Introduction

In the world of **Threat Intelligence**, one of the biggest challenges analysts face is **detecting malicious infrastructure** used by attackers to control targeted systems. This infrastructure includes servers, domains, IP addresses, and control panels used to manage malware such as **RATs** and stealers.

The main goal of Malicious Infrastructure Hunting and C2 Hunting isn’t just detecting attacks after they happen.\
It’s about understanding how attackers operate, tracking their activity, and stopping them before they reach their real objectives.

This type of analysis enables security teams to take rapid action within a **SOC** or during **Incident Response** operations, and it helps build a strong **Threat Intelligence database** for long-term organizational defense.

This blog will guide the reader step by step:

* First, we’ll understand what **C2 (Command & Control)** is and its role in attacks,
* Then, we’ll define **RATs (Remote Access Trojans)** and why they are critical in system control scenarios,
* Next, we’ll explore what constitutes **Malicious Infrastructure** and its various forms,
* Finally, we’ll explain **how to discover exposed C2 servers** using **malware analysis, sandboxes, IOC extraction, and search engines**.

At each stage, readers will not only learn **how to locate C2 servers**, but also **how to understand the full threat landscape**, from malware and stealers to hashes, URLs, IPs, and domains that may be part of an attacker’s command-and-control network.

The ultimate goal of this blog is to provide a **comprehensive and structured guide for Threat Intelligence analysts or anyone interested in C2 hunting**, allowing them to follow a step-by-step process, fully understand the workflow, and learn how to leverage modern tools and intelligence sources effectively, without missing any critical components of the attack chain.

***

### To hunt malicious infrastructure, you first need to understand the backbone that keeps most attacks alive: Command & Control.

### What is C2 (Command & Control)?

Alright, let’s break it down. **C2**, or **Command and Control**, is basically the setup attackers use to **control the machines they’ve compromised**. Think of it as the **“control room”** for an attack: the place where the attacker sends commands, gets info back, and basically runs their operation from afar.

#### The Pieces of a C2:

1. **C2 Server**
   * This is the backend system controlled by the attacker.
   * Malware on infected computers “checks in” to the server.
   * The attacker can tell it stuff like “grab this file”, “send me credentials”, or “encrypt the system”.
2. **C2 Panel / Interface**
   * A dashboard (web-based usually) where the attacker sees all the infected machines.
   * Shows stats like how many machines are live, where they are, and what they’re doing.
   * Sometimes these panels are badly secured, and that’s how hunters find them exposed online.
3. **Listeners**
   * These are the components waiting for the malware to connect back.
   * They can work over HTTP(S), DNS, IRC, TCP, or even custom protocols.

#### Why C2 is the Big Deal:

* It’s the **nerve center** of most malware operations.
* Attackers use it to **control malware in real time**, update it, or push new payloads.
* It’s also the main **data exfiltration point**, sending stolen info back to the attacker.
* If you can find an exposed C2 server, you can **block it, study it, and learn a lot about how the attacker works**.

Basically, **if malware is the weapon, C2 is the control room**. Without it, a lot of attacks fall apart. That’s why understanding and hunting for C2 infrastructure is **one of the most important skills** for anyone doing Threat Intelligence.

***

### What is a RAT (Remote Access Trojan)?

A **RAT**, or **Remote Access Trojan**, is basically a piece of malware that lets an attacker **control your computer from anywhere**, without you even noticing. Imagine someone sitting miles away, able to move your mouse, read your files, see your screen, or even turn on your webcam. That’s what a RAT can do.

#### How RATs Work:

* **Communication with C2:** A RAT usually talks to a **C2 server**, which is like its command center. The attacker sends instructions, and the RAT carries them out on the infected machine.
* **Stealth:** RATs are designed to be hidden. They often run quietly in the background so the user doesn’t notice.
* **Capabilities:** Depending on the RAT, this can include:
  * Keylogging (recording what you type)
  * Screen capture
  * File access, upload, or download
  * Webcam/microphone access
  * Executing commands remotely
  * Installing additional malware

#### Popular RAT Families & Hunting Clues:

Some well-known RATs include **NjRAT, Quasar, AsyncRAT**, and they often leave traces you can hunt for:

* **TLS certificates** that are unique and repeat across multiple infected hosts
* **HTTP headers or user-agents** used to communicate with C2
* Certain **file hashes** or naming patterns

Knowing these patterns is crucial for Threat Intel analysts because it gives you **a starting point to track malicious infrastructure**. Once you spot a RAT’s fingerprint, you can start mapping its C2 servers, the domains it uses, and even the spread of malware across the internet.

***

### What is Malicious Infrastructure?

**Malicious infrastructure** is basically all the online “stuff” attackers use to make their attacks work. It’s not just the malware itself – it’s the **servers, domains, and network assets** that sit behind the scenes and let attacks happen.

#### Examples of Malicious Infrastructure:

* **C2 Servers:** The control centers where RATs and other malware check in for commands.
* **Phishing Panels:** Fake websites or login pages attackers use to steal credentials.
* **Malware Distribution Hosts:** Servers hosting malicious files for victims to download.
* **Backends for Stealers:** Systems storing stolen data from compromised machines.
* **Exploit Kits:** Platforms that deliver malware automatically when a victim visits a vulnerable website.

#### Why It Matters:

* **Stopping attacks early:** If you can find and take down malicious infrastructure, you can disrupt entire campaigns before they spread widely.
* **Gathering IOCs:** These servers and domains are a goldmine for **Indicators of Compromise** like IPs, URLs, hashes, and patterns.
* **Mapping attacker activity:** Each piece of infrastructure tells you more about how the attacker operates, their tools, and even their targets.

In short, hunting for malicious infrastructure is **like following the bread crumbs** left by attackers. By tracking these assets, you can anticipate their next move, block communication channels, and build stronger defenses before damage happens.

***

### Starting Point: ThreatFox IOC Database

Before touching search engines, URLScan queries, or fancy pivots, one of the best places to start is **ThreatFox**.

ThreatFox is basically a **live IOC feed** maintained by abuse.ch, and it gives you fresh indicators tied directly to real malware campaigns. Think of it as your daily threat intel radar.

You can browse the database here: <https://threatfox.abuse.ch/browse/>

Inside ThreatFox, you’ll find:

* URLs
* Domains
* IPs
* File hashes
* Tagged malware families
* C2 / botnet infrastructure
* Confidence levels and reporters

Everything is timestamped and constantly updated.

***

### Step 1: Browsing the IOC Feed

When you browse the database, you’ll see entries like:

* URLs pointing to `/api`, `/panel`, `/gate`, `/heartbeat`
* IPs with multiple exposed ports
* Domains reused across different campaigns
* Clear malware labels (Formbook, Lumma, AsyncRAT, etc.)

At this stage, you’re not hunting yet — you’re **spotting patterns**.

Things to look for:

* Repeated paths (`/api/agents/heartbeat`, `/gn29/`)
* Same IP hosting multiple protocols (80, 443, custom ports)
* Malware families known for C2 reuse (Formbook, Lumma, RATs)

***

### Step 2: Open an IOC Entry

Once you click any IOC, ThreatFox gives you a **full context page**, not just a raw indicator.

Typical fields you should care about:

* IOC Type (URL, IP, domain, hash)
* Threat Type (`botnet_cc`, `malware_cc`)
* Malware family + aliases
* Confidence level
* ASN and hosting provider
* Country
* First seen / Last seen
* Tags
* Reference links

This page already tells you:

* What malware you’re dealing with
* Whether this IOC is likely a real C2
* Who reported it and how reliable it is
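As an added example (not code from the original blog), the pattern-spotting of Steps 1 and 2 expressed as a few Python helpers over ThreatFox-style records: it normalises `url` and `ip:port` IOCs, finds paths repeated across different hosts, finds hosts exposing several ports, and keeps only the entries whose `threat_type` and `confidence_level` mark a likely C2. The records are constructed; only the field names follow the ThreatFox export.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records for this example. The field names follow the
# ThreatFox JSON export; every value is made up (RFC 5737 test addresses).
SAMPLE_IOCS = [
    {"ioc": "http://203.0.113.10/api/agents/heartbeat", "ioc_type": "url",
     "threat_type": "botnet_cc", "malware_printable": "AsyncRAT", "confidence_level": 100},
    {"ioc": "http://198.51.100.7/api/agents/heartbeat", "ioc_type": "url",
     "threat_type": "botnet_cc", "malware_printable": "AsyncRAT", "confidence_level": 75},
    {"ioc": "203.0.113.10:443", "ioc_type": "ip:port",
     "threat_type": "botnet_cc", "malware_printable": "AsyncRAT", "confidence_level": 100},
    {"ioc": "203.0.113.10:8080", "ioc_type": "ip:port",
     "threat_type": "botnet_cc", "malware_printable": "Formbook", "confidence_level": 50},
    {"ioc": "http://example.invalid/gn29/", "ioc_type": "url",
     "threat_type": "payload_delivery", "malware_printable": "Formbook", "confidence_level": 25},
]


def host_port_path(rec):
    """Normalise an IOC to (host, port, path); port/path are None when the type lacks them."""
    if rec["ioc_type"] == "url":
        u = urlsplit(rec["ioc"])
        return u.hostname, u.port or (443 if u.scheme == "https" else 80), u.path
    if rec["ioc_type"] == "ip:port":
        host, _, port = rec["ioc"].rpartition(":")
        return host, int(port), None
    return rec["ioc"], None, None          # domain or hash IOC: nothing to split


def repeated_paths(iocs, min_hosts=2):
    """Paths such as /api/agents/heartbeat seen on at least min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for rec in iocs:
        host, _, path = host_port_path(rec)
        if path and path != "/":
            hosts[path].add(host)
    return {p: sorted(h) for p, h in hosts.items() if len(h) >= min_hosts}


def multi_port_hosts(iocs, min_ports=2):
    """Hosts exposing several ports across the feed (80, 443, custom ports)."""
    ports = defaultdict(set)
    for rec in iocs:
        host, port, _ = host_port_path(rec)
        if port is not None:
            ports[host].add(port)
    return {h: sorted(p) for h, p in ports.items() if len(p) >= min_ports}


def likely_c2(iocs, min_confidence=75):
    """IOCs whose threat_type marks a C2 (*_cc) and whose confidence meets the threshold."""
    return [r["ioc"] for r in iocs
            if r["threat_type"].endswith("_cc") and r["confidence_level"] >= min_confidence]
```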

***

### Step 3: Pivot to MalwareBazaar (The Reference Link)

One of the most powerful things in ThreatFox is the **Reference** field.

Most of the time, it points to **MalwareBazaar**, which gives you the actual malware sample behind the IOC.

Once you open the reference:

* You get the full malware hash set (SHA256, SHA1, MD5)
* File type and size
* First seen timestamp
* Digital signature (if any)
* YARA hits
* Sandbox links (Triage, CAPE, etc.)

At this point, you’ve moved from **IOC-level intel** to **sample-level intel**.

***

### Step 4: Use Sandbox Reports to Extract C2s

From MalwareBazaar, you can jump directly into sandbox reports like:

* Triage
* CAPE Sandbox

Inside sandbox analysis, you usually extract:

* C2 domains
* IP addresses
* API endpoints
* POST/GET patterns
* TLS fingerprints
* Hardcoded fallback servers

This gives you **confirmed, behavior-based C2 infrastructure**, not just guesses.

***

### Step 5: Hash Pivoting Using URLScan

If you have the hash, you can search for it directly.

Here’s where hunting really starts.

Once you have the **SHA256 hash** of the malware:

* Go to URLScan
* Search using: `hash:<SHA256>`

What this does:

* Finds all URLScan submissions where the same malware hash appeared
* Exposes **other C2 servers** used by the same malware
* Reveals reused infrastructure across different campaigns

This is extremely useful for:

* Discovering secondary or backup C2s
* Mapping infrastructure reuse
* Finding related but unreported servers

Same malware, different C2s — classic attacker behavior.

***

### Step 6: Expanding the Infrastructure Map

From here, the workflow naturally expands:

* Take new domains → pivot into URLScan, VT, search engines
* Take IPs → check ports, ASN patterns, hosting reuse
* Take paths → search for the same endpoints elsewhere

You now have:

* Initial IOC
* Malware sample
* Behavior-confirmed C2
* Infrastructure reuse signals

This is the foundation you’ll later build on using:

* URLScan advanced queries
* Internet-wide search engines
* Favicon hashes
* TLS and HTTP fingerprints
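As an added example (not from the original blog), a small Python helper for the Step 5 and Step 6 pivots: it builds the URLScan `hash:<SHA256>` search request, then, over a constructed result set that uses the `page.domain`, `page.ip`, `page.asn` and `task.url` fields of the URLScan search API, extracts hosts not yet in your IOC set, groups them by ASN to show hosting reuse, and lists the paths worth searching for elsewhere. The hostnames, addresses and ASNs are made up.

```python
from collections import defaultdict
from urllib.parse import urlencode, urlsplit

URLSCAN_SEARCH = "https://urlscan.io/api/v1/search/"

# Indicators already known from the ThreatFox / sandbox stage (constructed values).
KNOWN_INFRA = {"203.0.113.10", "c2-one.example.invalid"}

# Constructed search results. The nested keys (task.url, page.domain, page.ip,
# page.asn, page.asnname) are ones the URLScan search API returns; values are made up.
SAMPLE_RESULTS = {"results": [
    {"task": {"url": "http://c2-one.example.invalid/api/agents/heartbeat"},
     "page": {"domain": "c2-one.example.invalid", "ip": "203.0.113.10",
              "asn": "AS64496", "asnname": "EXAMPLE-HOSTING"}},
    {"task": {"url": "http://c2-two.example.invalid/api/agents/heartbeat"},
     "page": {"domain": "c2-two.example.invalid", "ip": "203.0.113.55",
              "asn": "AS64496", "asnname": "EXAMPLE-HOSTING"}},
    {"task": {"url": "http://198.51.100.7/gn29/"},
     "page": {"domain": "198.51.100.7", "ip": "198.51.100.7",
              "asn": "AS64497", "asnname": "OTHER-HOSTING"}},
]}


def hash_query(sha256):
    """Build the Step 5 search request (hash:<SHA256>) after validating the hash."""
    sha256 = sha256.strip().lower()
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
        raise ValueError("expected a 64-character hex SHA256")
    return URLSCAN_SEARCH + "?" + urlencode({"q": f"hash:{sha256}"})


def new_infrastructure(results, known):
    """Domains and IPs where the sample was seen that are not in the known set."""
    seen = set()
    for r in results["results"]:
        seen.add(r["page"]["domain"])
        seen.add(r["page"]["ip"])
    return sorted(seen - known)


def hosts_by_asn(results):
    """Group the observed IPs by ASN to expose hosting reuse (Step 6: IP pivot)."""
    groups = defaultdict(set)
    for r in results["results"]:
        groups[r["page"]["asn"]].add(r["page"]["ip"])
    return {asn: sorted(ips) for asn, ips in groups.items()}


def pivot_paths(results):
    """Distinct URL paths, each a candidate for searching the same endpoint elsewhere."""
    return sorted({urlsplit(r["task"]["url"]).path for r in results["results"]})
```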

***

Instead of dumping raw queries inside the blog, all practical hunting material is organized into reusable GitHub playbooks.\
Each resource below serves a specific purpose in the C2 and malicious infrastructure hunting lifecycle.

### Practical Hunting Resources & Playbooks

To make this guide practical and usable in real-world threat hunting, all queries, hashes, and references mentioned throughout this blog are collected in dedicated GitHub files.

Instead of listing raw data inside the blog, these resources are organized as **ready-to-use hunting playbooks**. Each file focuses on a specific platform or technique and can be directly reused during investigations.

Below is a structured breakdown of these resources and how each one fits into the malicious infrastructure and C2 hunting workflow.

***

### Internet-Wide Search Engine Queries

#### Shodan Hunting Queries

🔗 <https://raw.githubusercontent.com/frknaykc/Awesome-Malicious-Infra-Hunting-Queries/refs/heads/main/SHODAN_QUERIES.md>

This file contains a complete collection of **Shodan queries tailored for C2 and malware infrastructure hunting**.

You can use these queries to:

* Discover exposed C2 servers
* Identify open panels and misconfigured services
* Hunt based on ports, services, banners, and protocols
* Detect reused infrastructure across different malware campaigns

This resource is especially useful when you already have:

* An IP
* A service name
* A known C2 framework pattern

***

#### Censys Hunting Queries

🔗 <https://raw.githubusercontent.com/frknaykc/Awesome-Malicious-Infra-Hunting-Queries/refs/heads/main/CENSYS_QUERIES.md>

This file focuses on **Censys-based hunting**, with an emphasis on:

* TLS certificates
* HTTP services
* Infrastructure fingerprints
* Certificate reuse across C2 servers

Censys is particularly powerful when attackers reuse:

* Self-signed certificates
* Common TLS fields
* Similar server configurations

Use this when you want to pivot from one known C2 to others using cryptographic and service-level indicators.

***

#### Netlas Hunting Queries

🔗 <https://raw.githubusercontent.com/frknaykc/Awesome-Malicious-Infra-Hunting-Queries/refs/heads/main/NETLAS_QUERIES.md>

This file contains **Netlas queries** designed for:

* HTTP-based C2 hunting
* Panel discovery
* Service exposure analysis
* Infrastructure pattern matching

Netlas is very effective when dealing with:

* Web panels
* Lightweight C2 frameworks
* Poorly secured admin interfaces

It’s a great complement to Shodan and Censys when your hunt is web-focused.

***

### Tools, RATs & Malware References

#### Tool & RAT References

🔗 <https://github.com/frknaykc/Awesome-Malicious-Infra-Hunting-Queries/blob/main/TOOLS_REFERENCES.md>

This file is a curated list of:

* C2 frameworks
* RATs
* Malware projects
* Offensive and malicious tooling repositories

It helps you:

* Understand what frameworks attackers are using
* Recognize panel layouts and behavior
* Map infrastructure patterns back to specific tools

This is especially useful during **attribution and pattern recognition** phases of threat intelligence.

***

### URLScan.io Hunting Resources

#### URLScan C2 Queries

🔗 <https://github.com/0x4bdo/C2-Hunting/blob/main/C2-Hunting/URLScan/URLScan_C2_Queries.md>

This file contains **advanced URLScan.io queries** focused on:

* C2 discovery
* Malware hosting
* Open directories
* Suspicious PHP panels
* Sandbox-tagged scans

These queries are ideal when:

* You want to find exposed panels
* You’re pivoting from known malware behavior
* You’re hunting infrastructure already scanned by sandboxes

***

#### C2-Hunting SHA256 Hashes for URLScan

🔗 <https://github.com/0x4bdo/C2-Hunting/blob/main/C2-Hunting/URLScan/C2-Hunting-SHA256-URLSCAN.md>

This file contains **SHA-256 hashes associated with known malware and C2 families**.

You can use these hashes in URLScan to:

* Discover new C2 servers used by the same malware
* Identify infrastructure reuse
* Track campaign evolution over time

This technique is extremely effective for uncovering **hidden or secondary C2 servers**.

***

### C2 Panel Identification

#### C2 Panel Favicon Hashes

🔗 <https://github.com/0x4bdo/C2-Hunting/blob/main/C2-Hunting/Favicon-Hashes/C2%20Name%20Favicon%20Hash.md>

This file contains **favicon hashes mapped to known C2 frameworks and panels**.

Use these hashes to:

* Identify exposed C2 panels
* Detect framework reuse
* Hunt panels even when URLs or domains change

Favicon hunting is a powerful technique because attackers often forget to customize panel assets.
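Added example, not part of the original post or the linked repository: a dependency-free Python implementation of the Shodan-style favicon hash (MurmurHash3 x86_32 over the line-wrapped base64 of the icon, the same value the `mmh3` library produces for `http.favicon.hash`), plus a lookup against a hash-to-panel table. The favicon bytes and the panel name in the table are placeholders; real mappings come from the linked file.

```python
import base64

MASK32 = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (unsigned result), the algorithm behind mmh3.hash()."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    n = len(data)
    for i in range(0, n - n % 4, 4):               # full 4-byte blocks, little-endian
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[n - n % 4:]
    if tail:                                       # 1-3 leftover bytes, zero-padded
        k = int.from_bytes(tail, "little")
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= n                                         # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def favicon_hash(favicon: bytes) -> int:
    """Shodan-style favicon hash: mmh3 over the line-wrapped base64, as a signed 32-bit int."""
    h = murmur3_32(base64.encodebytes(favicon))
    return h - (1 << 32) if h & 0x80000000 else h


# Constructed lookup table: placeholder icon bytes and a placeholder panel name.
SAMPLE_FAVICON = b"constructed-favicon-bytes-not-a-real-icon"
KNOWN_PANELS = {favicon_hash(SAMPLE_FAVICON): "example-panel (placeholder)"}


def identify_panel(favicon: bytes, table=KNOWN_PANELS):
    """Return the panel name whose favicon hash matches, or None when unknown."""
    return table.get(favicon_hash(favicon))
```

Feed the resulting integer to Shodan as `http.favicon.hash:<value>` to find other hosts serving the same icon.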

***

### How to Use These Resources Together

These resources are designed to work together as a single hunting workflow:

* Start with malware or an IOC
* Pivot into URLScan using hashes and queries
* Expand into Shodan, Censys, and Netlas
* Identify panels using favicon hashes
* Correlate infrastructure with known tools and frameworks

Each file can be used independently, but combining them gives you **maximum visibility into malicious infrastructure and C2 networks**.

***

You can find more threat hunting content, tools, and research here:

* X: <https://x.com/4bd0_m4g3d>
* LinkedIn: <https://www.linkedin.com/in/0x4bdo/>
* GitHub: <https://github.com/0x4bdo>

***
