Free-to-use IOC feed for various C2 frameworks, malware families and botnets. It started out tracking only C2 frameworks but has since grown to cover infostealers and botnets as well. IPs are collected with [Shodan](https://shodan.io/) searches. The most recent collection is always stored in `data`; the IPs are broken down by tool, and `all.txt` holds the combined list. The feed should update daily. Work is ongoing to make the backend more reliable.

## Honorable Mentions

Many of the Shodan queries have been sourced from other CTI researchers:

- BushidoToken
- Michael Koczwara
- ViriBack
- Gi7W0rm
- @Glacius_

Huge shoutout to them!

Thanks to BertJanCyber for creating the KQL query for ingesting this feed, and to Y_nexro for creating C2Live to visualize the data.

## What do I track?

### C2s

- Cobalt Strike
- Metasploit Framework
- Covenant
- Mythic
- Brute Ratel C4
- Posh
- Sliver
- Deimos
- PANDA
- NimPlant C2
- Havoc C2
- Caldera
- Empire
- Ares

### Malware

- AcidRain Stealer
- Misha Stealer (AKA Grand Misha)
- Patriot Stealer
- RAXNET Bitcoin Stealer
- Titan Stealer
- Collector Stealer
- Mystic Stealer
- Gotham Stealer
- Meduza Stealer
- Quasar RAT
- ShadowPad
- AsyncRAT
- DcRat
- BitRAT
- DarkComet Trojan
- XtremeRAT Trojan
- NanoCore RAT Trojan
- Gh0st RAT Trojan
- DarkTrack RAT Trojan
- njRAT Trojan
- Remcos Pro RAT Trojan
- Poison Ivy Trojan
- Orcus RAT Trojan
- ZeroAccess Trojan
- HOOKBOT Trojan

### Tools

- XMRig Monero Cryptominer
- GoPhish

### Botnets

- 7777 Botnet

## Running Locally

If you want to host a private version, put your Shodan API key in an environment variable called `SHODAN_API_KEY`: `echo…`
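The feed is plain text, one IP per line, split into per-tool files plus a combined `all.txt`, which makes it easy to consume from your own tooling. The following script is an added example and not part of this repository: it loads the per-tool lists into an IP-to-tool index, drops malformed and non-routable entries so a stray line can never become a block rule for internal address space, and tags matching destination IPs in firewall-style log lines. The `data/<tool>.txt` file names, the feed contents and the log lines are all constructed for the example (TEST-NET ranges are used as stand-ins for real C2 addresses), so it runs offline.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for the feed layout described in the README: one file
# per tracked tool plus all.txt, one IP per line. The file names and the IPs
# (IETF documentation ranges) are assumptions for this example, not real
# feed content. The bad and private entries are deliberate to exercise the
# filtering below.
SAMPLE_FEED = {
    "data/cobaltstrike.txt": "203.0.113.10\n203.0.113.11\n",
    "data/sliver.txt": "198.51.100.7\n",
    "data/xmrig.txt": "192.0.2.44\n10.0.0.5\nnot-an-ip\n",
    "data/all.txt": "203.0.113.10\n203.0.113.11\n198.51.100.7\n192.0.2.44\n10.0.0.5\n",
}

# Constructed firewall-style log lines to match against the feed.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z ALLOW src=10.1.2.3 dst=203.0.113.10 dport=443",
    "2024-05-01T10:00:02Z ALLOW src=10.1.2.3 dst=198.51.100.200 dport=80",
    "2024-05-01T10:00:03Z ALLOW src=10.1.2.9 dst=198.51.100.7 dport=8888",
    "2024-05-01T10:00:04Z ALLOW src=10.1.2.9 dst=10.0.0.5 dport=3333",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Address space that should never appear in an external C2 indicator list.
# TEST-NET ranges are intentionally not excluded here because the sample
# data above uses them in place of real addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_routable(addr):
    """True unless addr falls into one of the NON_ROUTABLE networks."""
    return not any(addr in net for net in NON_ROUTABLE)


def load_feed(files):
    """Build an ip -> set(tool) index from the per-tool files.

    all.txt is skipped because it only duplicates the per-tool lists and
    carries no tool attribution. Malformed lines and non-routable addresses
    are dropped rather than trusted.
    """
    index = defaultdict(set)
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == "all.txt":
            continue
        tool = name.removesuffix(".txt")
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            try:
                addr = ipaddress.ip_address(line)
            except ValueError:
                continue  # malformed entry, ignore it
            if not is_routable(addr):
                continue  # RFC1918 / loopback / multicast etc., never a C2 IOC
            index[str(addr)].add(tool)
    return dict(index)


def match_logs(lines, index):
    """Return (line, ip, sorted tools) for each log line whose IPs hit the feed."""
    hits = []
    for line in lines:
        for ip in IP_RE.findall(line):
            if ip in index:
                hits.append((line, ip, sorted(index[ip])))
    return hits


if __name__ == "__main__":
    feed_index = load_feed(SAMPLE_FEED)
    for line, ip, tools in match_logs(SAMPLE_LOGS, feed_index):
        print(f"{ip} tagged {','.join(tools)} :: {line}")
```

In real use, `SAMPLE_FEED` is replaced by reading the files under `data` in the repository checkout. Treat a hit as a lead, not a verdict: the feed records hosts that answered a Shodan query matching a C2 framework at scan time, so shared hosting and re-assigned cloud IPs can produce matches that need investigation before anything is blocked.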