Automatically created C2 Feeds | Also posted via @drb_ra
From May 1st, 2026 raw data is provided courtesy of Modat -- https://modat.io/
A special thank you to Censys for the support provided over the last few years.
C2IntelFeeds is a collection of automatically generated Command-and-Control (C2) threat intelligence feeds derived from large-scale internet scanning data (primarily Censys).
These feeds are intended for defenders and are suitable for:
- Threat hunting
- Network monitoring
- Detection engineering
- IOC enrichment
- Defensive blocking or alerting
The project focuses on identifying real C2 infrastructure, not malware samples.
This repository contains multiple plain-text, CSV, and JSON feeds listing suspected or confirmed C2 infrastructure, including:
- C2 IP addresses
- C2 domains and hostnames
- Domains with C2 URL paths
- IP + port combinations
- C2 configuration metadata (when available)
Feeds are updated automatically and primarily reflect recent activity.
Most feeds are available in several time ranges:
- 7-day feeds (default)
- 30-day feeds (historical context)
- 90-day feeds (long-term context)
The time window refers to last observed activity, not creation date.
These feeds have undergone additional validation and exclude known benign infrastructure.
| Feed | Description |
|---|---|
| C2 IPs | Validated C2 server IP addresses |
| C2 Domains | Domains extracted from known C2 implants |
| C2 Domains (Filtered) | Same as above, with high-false-positive domains removed |
| C2 Domains + URL | Domains with specific C2 URI paths |
| C2 Domains + URL + IP | Domains, paths, and resolved IPs |
These feeds are generated from fingerprint matches but may contain false positives.
Domain data is derived from scan artifacts and validated against associated IP data at publish time to improve accuracy.
| Feed | Description |
|---|---|
| Unverified C2 IPs | Potential C2 IP addresses based on scan artifacts |
| Unverified C2 Domains | Potential C2 domains based on scan artifacts |
| Unverified KVM IPs | KVM-related IP addresses based on scan artifacts |
| Unverified KVM Domains | KVM-related domains based on scan artifacts |
| Unverified RMM IPs | RMM-related IP addresses based on scan artifacts |
| Unverified RMM Domains | RMM-related domains based on scan artifacts |
| IP + Port Pairs | Destination IP and port combinations |
⚠️ Use unverified feeds cautiously. Local validation is strongly recommended.
Where possible, extracted C2 configuration metadata is included in CSV and JSON formats.
Typical fields may include:
- First seen timestamp
- True C2 IP (actual listener)
- Port, jitter, sleep time
- ASN and network information
- HTTP host headers
- TLS certificate data
- User-agent strings
- Optional public keys (JSON)
Both standard and 30-day variants may be available.
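The fields above are most useful once a record is turned into concrete indicators. The following is an added Python example, not code from the project, that does this for one constructed JSON record. The key names (`first_seen`, `ip`, `true_c2_ip`, `port`, `sleep`, `jitter`, `host_header`, `user_agent`) are assumptions for the example and must be checked against the real CSV/JSON columns. It also derives the callback interval window implied by sleep and jitter, assuming the common convention that jitter only shortens the configured sleep, which gives a cheap periodicity check to pair with IP and host-header matches in a hunt.

```python
import json
from dataclasses import dataclass

# Constructed sample record. The field names are assumptions for this
# example, not the published feed schema.
SAMPLE_RECORD = json.dumps({
    "first_seen": "2026-05-01T08:15:00Z",
    "ip": "192.0.2.10",
    "true_c2_ip": "198.51.100.7",
    "port": 443,
    "sleep": 60,
    "jitter": 25,
    "host_header": "cdn.example.net",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
})


@dataclass
class C2Indicators:
    ips: set
    ip_ports: set
    host_headers: set
    user_agents: set
    interval_min: float
    interval_max: float


def beacon_window(sleep_seconds, jitter_percent):
    """(min, max) seconds between callbacks.

    Assumes the common convention that jitter only shortens the configured
    sleep by up to jitter_percent. If a framework adds jitter on top of the
    sleep instead, raise the upper bound accordingly.
    """
    if sleep_seconds < 0 or not 0 <= jitter_percent <= 100:
        raise ValueError("sleep must be >= 0 and jitter must be 0..100")
    return sleep_seconds * (1 - jitter_percent / 100), float(sleep_seconds)


def parse_record(raw):
    rec = json.loads(raw)
    # The scanned IP is often a redirector; the true listener, when the
    # config exposes it, is a second indicator worth alerting on.
    ips = {rec["ip"]}
    if rec.get("true_c2_ip"):
        ips.add(rec["true_c2_ip"])
    port = int(rec["port"])
    lo, hi = beacon_window(int(rec["sleep"]), int(rec["jitter"]))
    return C2Indicators(
        ips=ips,
        ip_ports={(ip, port) for ip in ips},
        host_headers={rec["host_header"]} if rec.get("host_header") else set(),
        user_agents={rec["user_agent"]} if rec.get("user_agent") else set(),
        interval_min=lo,
        interval_max=hi,
    )


def looks_like_beacon(gaps, indicators, tolerance=0.1):
    """True if at least 80% of the observed gaps (seconds between successive
    connections from one host) fall inside the configured sleep/jitter window
    widened by the given tolerance."""
    if not gaps:
        return False
    lo = indicators.interval_min * (1 - tolerance)
    hi = indicators.interval_max * (1 + tolerance)
    inside = sum(1 for gap in gaps if lo <= gap <= hi)
    return inside >= 0.8 * len(gaps)


if __name__ == "__main__":
    ind = parse_record(SAMPLE_RECORD)
    print(sorted(ind.ip_ports), ind.interval_min, ind.interval_max)
    print(looks_like_beacon([47, 52, 59, 44, 58], ind))
```

The periodicity check is deliberately loose: sleep/jitter values are what the implant was configured with, and network delays, retries and sleep changes issued by the operator all move the observed gaps, so treat a hit as a reason to look closer, not as proof on its own.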
Feeds are built using Censys search queries designed to detect known C2 frameworks by fingerprinting:
- TLS certificate fields
- JARM fingerprints
- HTTP response headers and titles
- Body hashes
- Service banners
- Known implant artifacts
| Tool | Modat Search |
|---|---|
| Sliver | same_service(service="unknown" transport="tcp" cert.issuer.cn="operators" cert.subject.cn="multiplayer") and same_service(service="http" transport="tcp" banner.sha256=dba60000613d7556f0b129e77a9451d6ce5a83f52f2d4830314d2e6b52b7928c) |
| Covenant | same_service(cert.issuer.cn="Covenant" cert.subject.cn="Covenant" ) OR same_service(web.title="Covenant" service="http" transport="tcp" technology="Kestrel" technology="Bootstrap") |
| Brute Ratel C4 | product="Brute Ratel C4" |
| Mythic | same_service(service="http" transport="tcp" cert.issuer.org="Mythic" cert.subject.org="Mythic" ) or same_service(banner.sha256=bc7e468313dcdc814784a20b5676188d19c033a1a3d9e3ebe1ff92f006522216 product!="Mythic C2") or product="Mythic C2" |
| Deimos | same_service(service="http" transport="tcp" banner.sha256=613dfd23a3e10f890cee3032b088cfcdf1bf53ed0851e192c0c93ee59b53821a web.html.sha256=99eb12f2ab3c4866a353e098ffa3cb7a967e617c49b98480394ec5d8ea92b094 cert.issuer.org="Acme Co" cert.subject.org="Acme Co" ) |
| Nighthawk C2 | [TBC] |
| Bianlian Go Trojan | [TBC] |
| Havoc | [TBC] |
| Responder | same_service(service="smb" transport="tcp" banner~"server_guid: AAAAAAAAAAAAAAAAAAAAAO6Fq/fq9gxPkoGSR23rdqk") |
| Pupy RAT | same_service(service="unknown" transport="tcp" cert.subject.ou="CONTROL" cert.subject.org=~"^[a-zA-Z]{10}$" cert.issuer.org=~"^[a-zA-Z]{10}$") OR product="Pupy RAT" |
| Qakbot | [TBC] |
| DcRat | [TBC] |
| Viper | same_service(web.title="VIPER" web.html.sha256=771fb5f8203ca3b8c3a184ebc4347d5308fd75ad57895bc8fddebe7f355ef20a) OR same_service(service="http" transport="tcp" product="Viper RAT") |
| Supershell | same_service(service="http" transport="tcp" product="Supershell C2") |
| Pikabot | [TBC] |
| Meduza Stealer | [TBC] |
| Evilginx/EvilGoPhish | same_service(service="http" transport="tcp" (web.title~"Evilginx" or web.title~"evilgophish" or cert.issuer.org="Evilginx API")) or product="Evilginx" |
| Hookbot/Pegasus | [TBC] |
| AsyncRAT | [TBC] |
| Remcos | [TBC] |
| DanaBot | [REDACTED] |
| Rhysida Trojan | [REDACTED] |
| Oyster Backdoor | [REDACTED] |
| SocGholish | [REDACTED] |
| NetSupport Manager RAT | [TBC] |
| Geacon_Pro | [TBC] |
| Hak5 Cloud C2 | [TBC] |
| CHAOS | [TBC] |
| Interactsh | [TBC] |
| Reverse SSH | [REDACTED] |
| wstunnel | [REDACTED] |
| Ligolo-ng | [REDACTED] |
| Ransomhub Python C2 | [REDACTED] |
| Pyramid | [REDACTED] |
| VPN Themed Phishing | [REDACTED] |
| StealC v2 | [TBC] |
| AdaptixC2 | [REDACTED] |
| Matanbuchus | [REDACTED] |
| Pywssocks | [REDACTED] |
The repository includes an exclusion file: exclusions.rex
This file removes:
- Known CDN/domain-fronting services
- Common shared hosting providers
- Frequently benign infrastructure
Filtered feeds apply these exclusions automatically.
These feeds are suitable for:
- SIEM ingestion (Splunk, Sentinel, Elastic, etc.)
- EDR enrichment
- Threat hunting queries
- Network detections
- Firewall / proxy monitoring
- IOC correlation pipelines
They are intentionally provided in simple formats to ease automation.
The easiest files for most users to start with are C2 IPs, C2 Domains (Filtered) and Unverified C2 IPs, or their 30-day counterparts.
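As an added example of the exclusion step and of a simple consumer, not code from the project, the Python below loads a constructed C2 IP feed and C2 domain feed, applies a constructed exclusion list in the style of `exclusions.rex` (assumed here to hold one regular expression per line matched against the whole domain name), and runs the result over a few constructed proxy log lines. The feed layout (one indicator per line, `#` for comments) and the log format are assumptions for the example; the real files may differ.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feeds for this example (not the published files).
# Assumed layout: one indicator per line, '#' lines are comments.
C2_IPS_FEED = """\
# constructed sample
192.0.2.10
198.51.100.7
203.0.113.44
"""

C2_DOMAINS_FEED = """\
# constructed sample
beacon.example-c2.net
cdn.example.net
update.example-c2.org
"""

# exclusions.rex is assumed here to contain one regular expression per line;
# this list is constructed and treats *.example.net as a shared CDN.
EXCLUSIONS_REX = r"""
# constructed exclusion list
(^|\.)example\.net$
"""

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <url-or-host:port>"
SAMPLE_PROXY_LOG = [
    "2026-05-02T10:00:01Z 10.0.0.5 GET http://beacon.example-c2.net/api/v1/update",
    "2026-05-02T10:00:02Z 10.0.0.6 GET https://cdn.example.net/lib.js",
    "2026-05-02T10:00:03Z 10.0.0.7 CONNECT 198.51.100.7:443",
    "2026-05-02T10:00:04Z 10.0.0.8 GET https://sub.update.example-c2.org/",
    "2026-05-02T10:00:05Z 10.0.0.9 GET https://www.example.org/",
]


def load_lines(text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def load_exclusions(text):
    return [re.compile(pattern, re.IGNORECASE) for pattern in load_lines(text)]


def is_excluded(domain, patterns):
    return any(p.search(domain) for p in patterns)


def load_ip_feed(text):
    # Validate each entry so a malformed line cannot silently poison the set.
    return {str(ipaddress.ip_address(line)) for line in load_lines(text)}


def load_domain_feed(text, patterns):
    """Lower-cased domain set with exclusions applied, like the 'Filtered' feeds."""
    return {d.lower().rstrip(".") for d in load_lines(text) if not is_excluded(d, patterns)}


def matching_domain(host, domains):
    """Return the feed entry covering host: an exact match or any parent domain
    (a bare TLD is never tried)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def host_from_target(target):
    """Extract the host from a URL or a CONNECT-style host:port string."""
    if "://" not in target:
        target = "//" + target
    return urlsplit(target).hostname


def match_log(lines, ips, domains):
    """Return (src_ip, observed_host, matched_indicator, kind) for each hit."""
    hits = []
    for line in lines:
        _ts, src, _method, target = line.split(maxsplit=3)
        host = host_from_target(target)
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            matched = matching_domain(host, domains)
            if matched:
                hits.append((src, host, matched, "domain"))
        else:
            if host in ips:
                hits.append((src, host, host, "ip"))
    return hits


if __name__ == "__main__":
    excl = load_exclusions(EXCLUSIONS_REX)
    ip_set = load_ip_feed(C2_IPS_FEED)
    dom_set = load_domain_feed(C2_DOMAINS_FEED, excl)
    for hit in match_log(SAMPLE_PROXY_LOG, ip_set, dom_set):
        print(hit)
```

Parent-domain matching is what makes a feed entry such as `update.example-c2.org` also catch `sub.update.example-c2.org`; the exclusion regexes are applied to the feed before matching, which is why `cdn.example.net` produces no hit even though it appears in the raw domain feed. With the real files, swap the constructed strings for the downloaded feed contents and keep the exclusion step in place for any unverified feed.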
Separate feeds include known:
- VPN exit nodes
- Residential proxy networks
These can help:
- Reduce noise in detections
- Add context to outbound traffic
- Identify infrastructure abuse
This project is licensed under:
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
- Attribution required
- Non-commercial use only
- Share alike for derivatives
These feeds are provided as-is for defensive and research purposes.
- No guarantee of accuracy or completeness
- Infrastructure may be compromised, misattributed, or reused
- Always validate before taking action
If you find this project useful, attribution is appreciated.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.