{
	"id": "13e78de4-f103-4842-aaf2-30fea7b87f58",
	"created_at": "2026-04-06T00:22:19.34905Z",
	"updated_at": "2026-04-10T13:11:47.137773Z",
	"deleted_at": null,
	"sha1_hash": "49621b89941a6a61f1ad66562a00a1b24031aed2",
	"title": "Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1038837,
	"plain_text": "Tracking Pyramid C2: Identifying Post-Exploitation Servers in\r\nHunt\r\nPublished: 2025-02-12 · Archived: 2026-04-05 12:58:14 UTC\r\nTABLE OF CONTENTS\r\nWhat is Pyramid?Detection OpportunitiesConclusionNetwork Observables and Indicators of Compromise (IOCs)\r\nPublic code repositories like GitHub have made offensive security tools widely accessible, benefiting defenders\r\nand adversaries. Red team frameworks designed for post-exploitation and stealthy execution are frequently\r\nshared, making it easier for threat actors to repurpose them for malicious use. Pyramid, an open-source post-exploitation framework written in Python, is one such tool. Among its features is a lightweight HTTP/S server\r\nthat delivers encrypted payloads, allowing attackers to execute tasks while blending into legitimate Python\r\nactivity.\r\nIdentifying detection indicators within publicly available offensive security tools before they appear in real-world\r\nattacks is critical for defenders. While Pyramid is valuable for penetration testers, its features can also enable\r\nadversaries to establish command-and-control (C2) infrastructure with minimal detection. By analyzing its\r\nopen-source code, defenders can create robust network detections to prevent its use in malicious campaigns.\r\nThis post examines Pyramid's HTTP/S server, outlines network signatures for detection, and highlights\r\nrecently identified servers using the tool. As adversaries increasingly rely on open-source tooling, defenders\r\nmust stay ahead by proactively developing detection strategies that adapt to evolving TTPs.\r\nWhat is Pyramid?\r\nFirst released on GitHub in 2023, Pyramid is an open-source post-exploitation server designed to evade endpoint\r\ndetection and response (EDR) tools using Python's legitimate presence in many environments. 
The tool uses a Python-based HTTP/S server capable of delivering files, which acts as the command-and-control server for offensive or malicious operations.\r\nhttps://hunt.io/blog/tracking-pyramid-c2-identifying-post-exploitation-servers\r\nPage 1 of 7\r\nFigure 1: Screenshot of the Pyramid README.\r\nThe project ships with several modules that load well-known programs such as BloodHound, secretsdump, and LaZagne directly into memory. This in-memory execution lets operators act within the context of a signed Python interpreter, a legitimate process that may slip past traditional endpoint security measures.\r\nIn December 2024, The DFIR Report published a blog post on TA4557 (also referred to as FIN6) activity leveraging Cobalt Strike and Pyramid to target job seekers with the more_eggs malware.\r\nThis past January, GuidePoint Security identified a campaign in which a RansomHub affiliate employed a Python-based backdoor to compromise endpoints. As discussed later, a number of the IP addresses in their IoC section overlap with the infrastructure we detect as Pyramid.\r\nDetection Opportunities\r\nAnalyzing the project's README reveals that the Pyramid agent communicates with its server over HTTP or HTTPS, using HTTP Basic authentication for access control. Given this, we can examine distinctive request-response patterns to develop detection signatures.\r\nWithout valid credentials, we anticipate that, in addition to 200 OK responses, 401 Unauthorized responses will also appear in the relevant code. 
A simple search on GitHub confirms this expectation, revealing the full HTTP headers that can help identify additional infrastructure.\r\nFigure 2: Pyramid C2 HTTP 401 response.\r\nWhen interacting with a suspected Pyramid server, the response headers exhibit the following characteristics:\r\nServer: BaseHTTP/0.6 Python/3.10.4\r\nDate:\r\nWWW-Authenticate: Basic realm=\"Demo Realm\"\r\nContent-Type: application/json\r\nAdditionally, the server returns a JSON response body:\r\n{ \"success\": false, \"error\": \"No auth header received\" }\r\nFigure 3 displays what the operator sees when navigating to the login page of a Pyramid server.\r\nFigure 3: Screenshot of Pyramid authentication prompt.\r\nWith this information, we can immediately begin constructing a query to identify similar servers in the wild. To do this, we will leverage the following characteristics:\r\nHTTP Status Code: 401 Unauthorized\r\nResponse Body Hash (SHA-256): 54477efe7ddfa471efdcc83f2e1ffb5687ac9dca2bc8a2b86b253cdbb5cb9c84\r\nServer Header: The project is based on Python 3.10 and uses BaseHTTP version 0.6. Since these values may vary across deployments (the Python version in the Server header is that of the interpreter on the host running the server), we generalize them as wildcards (BaseHTTP/0.* Python/3.*).\r\nAuthentication and Content Headers: The presence of WWW-Authenticate: Basic realm=\"Demo Realm\" and Content-Type: application/json.\r\nBy combining these elements, we can craft a structured query to identify Pyramid-related infrastructure:\r\nhttp.status_code = \"401\" AND http.body.hash = \"54477efe7ddfa471efdcc83f2e1ffb5687ac9dca2bc8a2b86b253cdbb5cb9c84\" AND http.\r\nThis approach allows us to filter out unrelated infrastructure while maintaining flexibility for potential variations in server configurations. 
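To show how the characteristics above combine into one fingerprint, here is an added Python example (not code from the original post or from the Pyramid project) that parses a raw HTTP response and applies the same checks the query encodes: a 401 status, a Server header matching the wildcard pattern BaseHTTP/0.* Python/3.*, a Basic challenge whose realm is Demo Realm, a JSON Content-Type, and a body that decodes to the expected error object, plus the SHA-256 of the body for comparison with an http.body.hash value. The three sample responses are constructed for the example, not captured from real servers; the hash of the constructed body is computed rather than assumed to equal the value in the query, because that value depends on the exact bytes, whitespace included, that the real server emits.

```python
import fnmatch
import hashlib
import json

# Fingerprint values taken from the 401 response described above.
SERVER_PATTERN = 'BaseHTTP/0.* Python/3.*'      # fnmatch wildcard, same notation as the query
EXPECTED_REALM = 'Demo Realm'
EXPECTED_CONTENT_TYPE = 'application/json'
EXPECTED_BODY = {'success': False, 'error': 'No auth header received'}
CHECKS = ('status_401', 'server_basehttp', 'demo_realm', 'json_content_type', 'error_body')

CRLF = chr(13) + chr(10)   # HTTP line terminator
DQUOTE = chr(34)           # the double-quote character that wraps the realm value


def parse_response(raw):
    # Split a raw HTTP/1.x response string into (status_code, headers, body).
    # Header names are lower-cased so lookups are case-insensitive.
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    parts = lines[0].split(' ', 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(':')
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def realm_of(www_authenticate):
    # Return the realm from a Basic challenge (Basic realm=<quoted name>), or None.
    scheme, _, params = www_authenticate.partition(' ')
    if scheme.lower() != 'basic':
        return None
    for param in params.split(','):
        key, eq, value = param.strip().partition('=')
        if eq and key.strip().lower() == 'realm':
            return value.strip().strip(DQUOTE)
    return None


def body_sha256(body):
    # SHA-256 of the body bytes exactly as received: the value http.body.hash compares.
    return hashlib.sha256(body.encode('utf-8')).hexdigest()


def pyramid_indicators(raw):
    # Return the subset of CHECKS that a response satisfies, in CHECKS order.
    status, headers, body = parse_response(raw)
    hits = []
    if status == 401:
        hits.append('status_401')
    if fnmatch.fnmatch(headers.get('server', ''), SERVER_PATTERN):
        hits.append('server_basehttp')
    if realm_of(headers.get('www-authenticate', '')) == EXPECTED_REALM:
        hits.append('demo_realm')
    if headers.get('content-type', '').split(';')[0].strip() == EXPECTED_CONTENT_TYPE:
        hits.append('json_content_type')
    try:
        if json.loads(body) == EXPECTED_BODY:
            hits.append('error_body')
    except ValueError:
        pass          # not JSON at all: the body check simply does not hit
    return hits


def is_pyramid_candidate(raw):
    # A server is a candidate only when every check passes; partial hits are the
    # look-alike cases that the header-plus-body validation step is meant to exclude.
    return len(pyramid_indicators(raw)) == len(CHECKS)


def build_response(status_line, header_lines, body):
    # Assemble a raw response for the constructed samples below.
    return CRLF.join([status_line] + header_lines) + CRLF + CRLF + body


# Constructed samples, not captures from real servers.
PYRAMID_BODY = json.dumps(EXPECTED_BODY)
SAMPLE_PYRAMID = build_response('HTTP/1.0 401 Unauthorized', [
    'Server: BaseHTTP/0.6 Python/3.11.2',
    'Date: Wed, 12 Feb 2025 10:00:00 GMT',
    'WWW-Authenticate: Basic realm=' + DQUOTE + EXPECTED_REALM + DQUOTE,
    'Content-Type: application/json',
], PYRAMID_BODY)

# Stock Python http.server with a different realm and an HTML body: two hits only.
SAMPLE_OTHER_PYTHON = build_response('HTTP/1.0 401 Unauthorized', [
    'Server: BaseHTTP/0.6 Python/3.12.1',
    'WWW-Authenticate: Basic realm=' + DQUOTE + 'Restricted' + DQUOTE,
    'Content-Type: text/html',
], '<html>401</html>')

# Same realm and body behind a non-Python server: the Server header rules it out.
SAMPLE_NGINX = build_response('HTTP/1.1 401 Unauthorized', [
    'Server: nginx',
    'WWW-Authenticate: Basic realm=' + DQUOTE + EXPECTED_REALM + DQUOTE,
    'Content-Type: application/json',
], PYRAMID_BODY)

if __name__ == '__main__':
    samples = [('pyramid', SAMPLE_PYRAMID), ('other_python', SAMPLE_OTHER_PYTHON), ('nginx', SAMPLE_NGINX)]
    for name, raw in samples:
        print(name, is_pyramid_candidate(raw), pyramid_indicators(raw), body_sha256(parse_response(raw)[2]))
```

Run stand-alone, the script prints for each sample whether all five checks pass, which checks hit, and the body hash. The two partial matches show why the headers and the body are treated as a validation step rather than relying on the 401 alone: a stock Python http.server challenge hits only the status and Server checks, and a non-Python server that happens to return the same realm and JSON body fails the Server check.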
Refining these parameters further can improve detection fidelity and uncover additional instances of Pyramid servers deployed in the wild.\r\nUsing the parameters outlined above, we ran a search in Hunt, and our scans identified just 9 IP addresses, across several different ports, matching our criteria. The small number of results reinforces the specificity of the approach, suggesting that we are on the right track in identifying Pyramid-related infrastructure.\r\nBeyond serving as an indicator of potential Pyramid servers, combining the JSON response body with the specific HTTP headers also serves as a validation mechanism. This is a critical step in crafting high-fidelity detection queries, as it helps reduce false positives: a Python http.server instance answering 401 with a Basic realm is not unusual on its own, but one whose realm, Content-Type and exact error body all match is far rarer. By ensuring that WWW-Authenticate: Basic realm=\"Demo Realm\" and Content-Type: application/json align with the expected JSON response body, we can more confidently filter out unrelated infrastructure while maintaining a precise detection signature. Because the realm string and the error message are defaults in the project's source code, an operator who edits them will not match this signature; a hit should be read as an unmodified deployment, and the absence of a hit does not rule Pyramid out.\r\nBelow is a snippet of the servers we track in Hunt under the Active C2s feature.\r\nFigure 4: Snippet of the Pyramid C2 servers tracked in Hunt.\r\nRecent Findings\r\nThree of the IP addresses identified in our search, 104.238.61[.]144, 92.118.112[.]208, and 45.82.85[.]50, were previously listed as indicators of compromise (IoCs) in GuidePoint Security's analysis of RansomHub. According to their report, these IPs were associated with a Python-based backdoor, suggesting a possible connection between this infrastructure and previously observed malicious activity.\r\nOne of the servers, 54.38.94[.]225, resolves to multiple domains that bear a strong resemblance to DevaGroup, an internet marketing service based in Poland. 
While we have not yet identified any malicious samples associated with this server, the domains in question were recently registered in December 2024, indicating a possible attempt at phishing or drive-by downloads.\r\nConclusion\r\nThe infrastructure identified in this post exhibits distinctive HTTP response patterns, allowing structured detection queries to surface additional related servers. This method enables defenders to monitor or preemptively block suspect IPs before they are operationalized in attacks.\r\nWhile open-source offensive security tools remain a common choice for adversaries, their deployment often leaves behind detectable network artifacts. Defenders can improve detection fidelity while minimizing false positives by focusing on authentication challenges, response headers, and specific error messages. Tracking similar implementations of these tools over time can provide early warning of new infrastructure and help refine detection methodologies as adversaries adapt.\r\nNetwork Observables and Indicators of Compromise (IOCs)\r\nIP Address | ASN | Domains\r\n38.146.28[.]93 | Cogent Communications | N/A\r\n92.118.112[.]208 | GLOBAL CONNECTIVITY SOLUTIONS LLP | N/A\r\n162.252.172[.]12 | M247 Europe SRL | N/A\r\n104.238.61[.]144 | GWY IT PTY LTD | N/A\r\n45.82.85[.]50 | QuadraNet Enterprises LLC | N/A\r\n15.222.251[.]55 | Amazon.com, Inc. | 
N/A\r\n85.208.139[.]131 | GLOBAL CONNECTIVITY SOLUTIONS LLP | N/A\r\n54.38.94[.]225 | OVH SAS | devagroup[.]com[.]pl (subdomains: www.aw., pop.vps., test.*, smtp.panel.*, smtp.backup.*, serp.*, mail.crm.*, mail.git.*, awscraper.*, pop.ncrm.*, pop.git.*, ftp.*, www.panel.*, mail.aw.*, www.parkwodny.*, linki.*, rentplanet.*)\r\n38.180.195[.]187 | M247 Europe SRL | thiscode[.]info, emdr-traumatherapie[.]info\r\nSource: https://hunt.io/blog/tracking-pyramid-c2-identifying-post-exploitation-servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/tracking-pyramid-c2-identifying-post-exploitation-servers"
	],
	"report_names": [
		"tracking-pyramid-c2-identifying-post-exploitation-servers"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49621b89941a6a61f1ad66562a00a1b24031aed2.pdf",
		"text": "https://archive.orkl.eu/49621b89941a6a61f1ad66562a00a1b24031aed2.txt",
		"img": "https://archive.orkl.eu/49621b89941a6a61f1ad66562a00a1b24031aed2.jpg"
	}
}