{
	"id": "3957c572-a5ce-486f-8582-67e7a844b8f9",
	"created_at": "2026-04-06T00:13:37.105341Z",
	"updated_at": "2026-04-10T03:24:23.477479Z",
	"deleted_at": null,
	"sha1_hash": "49fefaa827a3ef2a3bbbd81e51620330c80f8c39",
	"title": "DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C\u0026C Framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4353614,
	"plain_text": "DeimosC2: What SOC Analysts and Incident Responders Need to\r\nKnow About This C\u0026C Framework\r\nBy Feike Hacquebord, Stephen Hilt, Fernando Merces ( words)\r\nPublished: 2022-11-08 · Archived: 2026-04-05 23:00:03 UTC\r\nIntroduction\r\nWith the rise in attention to Cobalt Strike from network defenders, attackers have been looking to\r\nalternative command-and-control (C\u0026C) frameworks\r\nAmong these, Brute Ratel and Sliver are growing in popularity, having recently been featured in a number\r\nof publications.\r\nThis report provides defenders and security operations center (SOC) teams with the technical details they\r\nneed to know should they encounter an alternative tool, DeimosC2.\r\nC\u0026C systems are useful collaboration tools for penetration testers and red teamers. They provide a common place\r\nfor all victim machines to reach out to, be controlled from, and allow multiple users to interact with the same\r\nvictims. When performing authorized testing, this is very important as logs are kept in a single place to aid\r\nreporting. However, more and more of these tools are being utilized by criminals, including open-source and\r\ncommercial tools. Their ease of use and stability allows them to run for long periods without issues, which is one\r\nof the reasons that even criminals are moving to these C\u0026C platforms instead of building their own.\r\nWith most of the attention being paid on established commercial tools such as Cobalt Strike, criminals have been\r\nlooking for other alternatives that provide many of the same functions. 
For defenders, this means that as criminals\r\nturn to open-source C\u0026C software (which gives them many different options to choose from, in some cases with\r\nmultiple platforms running on one host), the threat landscape is evolving, incorporating a larger number of tools that will\r\nmake attacks more difficult for both individuals and organizations to defend themselves against.\r\nSome of the popular alternative frameworks that attackers have turned to include Brute Ratel and Sliver. In this\r\npublication, we will focus on providing information on another similar framework defenders might encounter —\r\nDeimosC2, another open-source alternative. We will explain how DeimosC2 works and how you can identify\r\nrelated traffic and binaries to help defend your networks.\r\nOpen-Source C\u0026C software\r\nMuch like some of the other open-source C\u0026C frameworks such as Ares C2, PoshC2 and TrevorC2, DeimosC2\r\nprovides classic C\u0026C framework features but also provides a user interface that feels and behaves much like a\r\ncommercial tool such as Cobalt Strike or Metasploit Pro. As such, red teamers have been discussing DeimosC2\r\nmore frequently.\r\nThe C2 Matrix website is designed to help red teamers find the right framework for their engagements and includes a\r\nmatrix comparing open-source and commercial products. While some are popular and recognizable frameworks,\r\nhttps://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html\r\nPage 1 of 17\n\nothers are new and upcoming frameworks with specific purposes. 
While these sites can help red teams and\r\npenetration-testing teams find the right product for their needs, they could also help criminals find the next\r\nframework to use: preferably one that is growing in support and not detected well by the security industry.\r\nTo date, in the criminal underground, there is not as much discussion around DeimosC2 as an alternative, but\r\nattackers might be using DeimosC2 in the near future as a tool of choice and as part of their migration away from\r\nCobalt Strike. The other tools that we’ve observed being discussed and used are PoshC2, PHPSploit, and Merlin.\r\nSimilar to red teamers, cybercriminals like to use a mix of command line- and GUI-based C\u0026C frameworks,\r\ndepending on which they find easier to build, maintain, and operate.\r\nFigure 2. DeimosC2 appearing in a list of recommended alternatives to Cobalt Strike on one\r\nRussian-speaking forum\r\nIn July 2022, Censys published a blog entry on the open-source C\u0026C frameworks being used by ransomware\r\ngroups. This included PoshC2 and DeimosC2 being employed in partnership with Metasploit and Acunetix, which\r\nare used for vulnerability scanning and system exploitation. Either PoshC2 or DeimosC2 was then used for the\r\npost-exploitation C\u0026C communications.\r\nWhile DeimosC2 is not the most popular choice for attackers currently looking for other C\u0026C platforms to use,\r\nthis is exactly one of the reasons that it is important to study it in advance. Attackers will continue to evaluate\r\ntools that are lower in popularity, hoping that these systems go undetected for longer. 
Because of this, we have\r\ndecided to look at DeimosC2 to get a better idea of what might make a criminal want to use this platform as their\r\nC\u0026C framework of choice.\r\nWhat is DeimosC2?\r\nDeimosC2 is an open-source C\u0026C framework that was released in June 2020. It is a fully functional framework\r\nthat allows for multiple attackers to access, create payloads for, and interact with victim computers. As a post-exploitation C\u0026C framework, DeimosC2 will generate the payloads that need to be manually executed on\r\ncomputer servers that have been compromised through other means such as social engineering, exploitation, or\r\nbrute-force attacks. Once it is deployed, the threat actors will gain the same access to the systems as the user\r\naccount that the payload was executed as, either as an administrator or a regular user. Note that DeimosC2 does\r\nnot perform active exploitation or privilege escalation of any kind.\r\nPost-exploitation C\u0026C servers are popular with red teams since they provide a convenient method of interacting\r\nwith multiple victim machines, collecting notes, and storing evidence of what was done to each machine so that\r\nwhen incident responders are involved in any cleanup efforts, they can be provided information on everything that\r\nwas done while the red team was in the systems.\r\nThe features of DeimosC2\r\nDeimosC2 has two options for installation on a system: a pre-built binary that does not depend on Go being\r\ninstalled, and the source code that can be compiled and run on any system with Go installed. 
For this research, the\r\npre-built binaries inside of a Debian virtual machine (VM) were used, so some behaviors might be different\r\ncompared to using the source code downloaded directly from the GitHub project.\r\nDeimosC2 combines a lot of the same features as other C\u0026C software platforms. One of the main purposes for a\r\nC\u0026C system like DeimosC2 is to help red teams and penetration testers consolidate their infrastructure,\r\ncollaborate with others by sharing compromised hosts during the engagement, and aid with reporting when\r\nengagements are finished. With that in mind, DeimosC2 has multi-user support with two roles for the users:\r\nAdministrator and User. Figure 4 shows the two user setups in our tests of DeimosC2. \r\nSince DeimosC2 is also aimed at red teams, it has support for multifactor authentication (MFA), an API, backup,\r\nand restore features, as well as an ability to mark systems as either a development or a production system.\r\nOnce the users are set up, the next step is to set up the listeners, which are the sockets and protocols that the victim\r\nmachines will reach out to. DeimosC2 has five types of listeners that users can configure for their payloads, with\r\nthe most common that we’ve seen so far being HTTPS and TCP. We expect that as the popularity of tools like\r\nthese grows, it is likely that we will see malicious actors use the DNS over HTTPS (DoH) option\r\nas well. \r\nOnce a selection is made, in this case HTTPS, the listener is configured by entering the data required for\r\nmandatory and certain optional settings. Settings such as domain names and IP addresses must be supplied by the user,\r\nwhile the key and most of the advanced settings are optional. \r\nInside the advanced settings, there are some configurable options for how the C\u0026C server works. 
This is where\r\nyou will find the settings for changing the default paths that the victim will use over HTTP POST to the C\u0026C\r\nserver. By default, these paths are /login, /index, /settings, and /profile, but these can be changed during the\r\ncreation of the listener. They can also be changed at a later time; however, new binaries will need to be created.\r\nOnce all the settings are configured, the binaries will be created based on the options in the “compile options”\r\nportion of the settings. These settings determine which binaries are to be created and if they should be obfuscated.\r\nOnce the binaries are created, they are downloaded via the interface by selecting “interact” from the listener\r\noptions. \r\nFigure 7. Screenshot of the listeners created for the HTTPS listener\r\nOnce downloaded, these are ready to deploy on a machine that has been compromised via another means such as\r\nthrough phishing or an exploit. The ease of creating post-exploitation binaries for C\u0026C communications\r\nmakes this an attractive framework for red teamers and penetration testers to include in their arsenal of tools.\r\nDeimosC2 agent analysis\r\nWhile many of the DeimosC2 samples are obfuscated with gobfuscate, an open-source tool for obfuscating\r\nprograms written in the Go language, we also found non-obfuscated samples. These allowed us to spot DeimosC2\r\npackage names, from which we determined that this was an open-source post-exploitation C2 framework. It is also\r\npossible to manually de-obfuscate the changes made by a tool like gobfuscate, but this will take more time\r\nfor the investigator.\r\nIn DeimosC2 terminology, a client binary intended to infect victims is called an agent. 
DeimosC2 leverages the\r\nmulti-platform nature of the Go language to compile agents for different platforms such as Windows, Linux,\r\nmacOS, and Android.\r\nThe agent is straightforward: When executed, it immediately tries to contact the listener at the hard-coded C\u0026C\r\ndomain or IP address, except when an execution time range is set.\r\nDeimosC2 agents use three different keys to exchange messages with the listener.\r\nThis is a unique key that identifies the agent. The key is initially set to\r\n\"000000000000000000000000000000000000\", but the first response from the listener updates it to a new version\r\n4 UUID.\r\nThis 256-bit AES key is randomly generated every time an agent talks to a C\u0026C listener. This is used to encrypt\r\nmessages exchanged with the C\u0026C listener.\r\nAside from AES encryption, DeimosC2 uses RSA-2048 to encrypt both the agent and the AES keys previously\r\nexplained. The agent uses a hard-coded public key to encrypt the other keys, while the C\u0026C listener decrypts the\r\ndata with its private key.\r\nFigure 8 illustrates the encryption process from the agent's perspective.\r\nThe first message sent to the C\u0026C listener includes information about the infected machine in JSON format, as\r\nshown in Figure 9.\r\nFigure 9. Sample JSON data sent to the C\u0026C listener for the first time\r\nThe data sent includes information about the operating system, installed antivirus products, the host name, the\r\nlogged-in username, the internal IP address, the agent path on the file system, available shell programs, the Process\r\nID (PID), and user privileges.\r\nThe C2 listener response can include one or more commands (called \"jobs\" in DeimosC2 terminology). 
Table 1\r\nprovides a description of these commands.\r\nCommand Description\r\nshell Executes shell commands\r\ndownload Downloads a file to the C\u0026C server\r\nupload Uploads a file to the infected machine\r\noptions The jitter and delay options set the sleep time for C\u0026C communications. The eol (which we\r\nassume means end-of-life) option sets a date for the agent to exit, while the hours option\r\nconfigures the time range for communication.\r\nfileBrowser Asks the agent to list all files and directories on a given path\r\nshellInject Injects and runs custom shellcode in the agent process\r\nmodule Executes a module\r\nreinit Reconnects the agent, which causes the agent to get a new Agent Key\r\npivotTCP Starts a TCP server in the infected machine so it can be used as a listener by other agents;\r\nuseful for infecting machines that do not have internet access\r\npivotJob Handles pivot jobs\r\npivotKill Resets the list of pivot listeners\r\nkill Uninstalls the agent\r\nTable 1. DeimosC2 commands and their descriptions\r\nDeimosC2 extends its functionality through modules that can be executed on the victim's machine. In our lab, the\r\nfollowing modules were available:\r\nModule Description\r\nscreengrab Takes a screenshot on an infected machine\r\nminidump Generates a user-mode minidump of a given process\r\nlsadump Downloads SECURITY and SYSTEM registry hives for credential stealing\r\nntdsdump Downloads Ntds.dit and SYSTEM files for credential stealing\r\nsamdump Downloads SECURITY, SYSTEM, and SAM registry hives for credential stealing\r\nshadowdump Downloads /etc/shadow files from Linux machines\r\nTable 2. 
The available DeimosC2 modules, as seen in our lab\r\nThe module interface of DeimosC2 allows the C\u0026C listener to push new modules and execute them from either\r\ndisk or memory (using code injection).\r\nNetwork analysis\r\nAs we previously mentioned, there are a few listener types that users can choose while using DeimosC2, including\r\nHTTPS, TCP, and DoH. These are likely to be the most common options as they are popular with other C\u0026C\r\nplatforms. We were able to investigate how these listeners worked in detail because of DeimosC2’s open-source\r\nnature.\r\nOnce the HTTPS listener is running, we observed that a default webpage was served. By\r\nreviewing the GitHub page, we confirmed that it was the default Ubuntu webpage for Apache. \r\nFigure 10. Nmap results showing the default Apache Ubuntu page for the title\r\nBased on the configuration of the listener during setup, we know that the tool uses a few paths. Looking into the\r\n.go version of the agent source code, we can see the paths that have been set up and are being used. \r\nThe variable “firsttime” is used for the initial communication to the server. From then on, the variable “checkin”\r\nwill be used as a heartbeat.\r\nBased on this, we can fingerprint the C\u0026C server if it is in the default configuration and HTTPS inspection is\r\nenabled. The agents will send HTTP POST requests to /login, and then to /index afterward at periodic intervals. The\r\ndefault port used for the HTTPS listener is 4443. However, this can easily be changed to any other port when creating the\r\nlistener. 
The variable “moduleloc” at /profile is used to send data from the agent back to the server.\r\nFinally, the “piviotloc” variable is used to pass data through the current victim as part of the previously described\r\npivotTCP functionality of the agents. \r\nFigure 12. The sendMsg function in the HTTPS_agent.go showing http.Post call\r\nFigure 13 shows an encrypted POST request sent by an agent configured to use an HTTPS listener. By default, it\r\nuses /login to send the first message, after which the agent sends requests to /checkin by default.\r\nFigure 13. An encrypted POST request sent by an agent configured to use an HTTPS listener\r\nThe TCP listener type uses Go's networking functions to build a packet and send it over a socket. The flow for\r\nencryption works the same as it does with the HTTPS encryption. The only difference is that the overall message\r\ncarries a length field that aids in decrypting the data. To accomplish this, the agent prepends the\r\nencrypted data with the length of the data that was encrypted and is to be sent. This is sent to the socket, and then\r\nto the C\u0026C server. \r\nBased on our analysis of the packets that were being sent from the TCP agent to the listener, this part has a\r\npredictable behavior. Because of the uint64 conversion, the length is stored as an unsigned 64-bit integer, which is\r\n8 bytes long. The start of the data portion of the packet will have 8 bytes for the length of the packet to follow.\r\nThis was the case with most of the information we observed on the heartbeat communications to the C\u0026C server.\r\nEach packet was 350 bytes in total with 296 bytes of data. 
\r\nFigure 15. Data portion of the packet (highlighted) of the TCP agent communicating to the C\u0026C\r\nserver\r\nSince we know that the packet size is prepended to the data portion of the packet, and that it is an unsigned integer\r\nof 8 bytes, we can conclude that the first 8 bytes of the data portion hold the size of the payload that follows.\r\nIn this case, where there is a data field of 296 bytes, if we take away the 8 bytes for the length field, this will leave\r\n288 bytes for the commands from the C\u0026C server. This is easily calculated if we take 288 bytes and convert it to\r\nhexadecimal, resulting in 0x120 or 01 20, which is what we find after the first 6 bytes of 0s in the\r\nexamples we have seen. \r\nOne possible way to detect this behavior is with a Snort rule that looks for the heartbeat traffic. Here is an example\r\nof a Snort rule that would detect our sample packets:\r\nalert tcp any any -\u003e any any (content: \"|00 00 00 00 00 00 01 20|\"; offset: 0; depth: 8; msg:\"Possible DeimosC2 TCP Agent Heartbeat Communications\"; sid:123400; priority:3; rev:1;)\r\nBased on testing in Snort with only this rule enabled, we confirmed that it will detect the heartbeat\r\ncommunications from the TCP agent. Note that this rule might need tuning based on specific setups to remove\r\nfalse positives and enhance sensor performance. \r\nThe DoH or DNS over HTTPS listener uses DNS queries to communicate with the C\u0026C server. One of the\r\nadvantages of using DoH is that there are no direct communications with the C\u0026C server. However, there is a\r\ndelay in the communications; therefore, DoH is often used if stealth is a requirement for the red-team engagement.\r\nDeimosC2 utilizes the HTTPS JSON API for DNS from Google. 
This is different from the RFC 8484-compliant\r\nDoH requests that Google also supports. It is an easier solution programmatically and is common for attackers to\r\nuse. \r\nFigure 18. Screenshot of the Go code showing the use of dns.google.com/resolve\r\nWithin the listener configuration, there are two names you can change: the firsttime and checkin variables. When\r\nsetting up the listener, the default names for these are getname and checkin, respectively. When the agent first\r\nreaches out to the listener, it will first use the firsttime variable, after which the checkin variable will be used for\r\nthe heartbeat communications. Unlike HTTPS and TCP, the agent will not communicate directly with the listener,\r\nbut it will communicate with the Google DNS service previously mentioned. \r\nFigure 19. Variables used for the initial communications to the DoH listener\r\nOn initial setup, one query that can be observed looks like the following:\r\nhttps://dns.google.com/resolve?name=0000000000.6765746e616d65.ftr.trendmicro.com\r\nWhen you look at this query, there are a few things that stand out, one of which is the 6765746e616d65\r\nsubdomain that is generated from the code during the check-in process. In this case, the value takes the variable\r\nfirsttime and converts its content to hexadecimal based on its ASCII values (getname in our case). This is\r\nthen used as the first subdomain sent to dns.google.com. To decode this, the AES key is needed from either the\r\nagent or the C\u0026C server itself. \r\nAll these methods we’ve discussed are based on the paths and variables that are set to the defaults in the\r\nconfiguration, which are easy to change while building the listeners. 
Changing the default settings is good for when\r\na red team is using it, since they can work with the blue teams to help find their traffic in the network logs.\r\nHowever, when a criminal changes these settings, it will make it more difficult to find them in future campaigns,\r\nsince they change their variables to alter their tactics, techniques, and procedures (TTPs) slightly to avoid detection or\r\nmodify configurations based on the campaign. We present this information to help defenders understand what is\r\nhappening behind the scenes in DeimosC2 should they encounter non-default behavior in an attack.\r\nChanging default listener settings\r\nChanging the paths is easy to achieve in the DeimosC2 user interface; take for example the default paths for the\r\nHTTPS Listener of /login, /index, /settings and /profile. To change this, all an attacker needs to do is to expand the\r\nAdvanced Options while building the listener. \r\nFigure 21. Screenshot of the Advanced Options while building the HTTPS listener\r\nChanging the paths is likely something that an attacker will do, and this will cause some of the things we’ve\r\npreviously discussed to change in the binaries and in the traffic patterns. For instance, if the getname in the DoH\r\nagent is changed, the query will no longer use 6765746e616d65 but instead a subdomain made of whatever it\r\nwas changed to, converted to hexadecimal (an example being “trendmicroftr”, which would look like\r\n7472656e646d6963726f667472 in the DoH query). This is one of the things that makes finding some of these red\r\nteam tools increasingly difficult since the evasion techniques are built into the options.\r\nEach of the listeners can be updated for specific information that will change some of the paths and subdomains\r\nthat are used. 
The TCP listener has the fewest options and, as of writing, will likely be one of the easiest\r\nlisteners to detect via network monitoring methods.\r\nRecommendations for defending networks against DeimosC2\r\nDetecting C\u0026C traffic can be a difficult proposition for network defenders across the globe. Fortunately, during\r\nour investigation into DeimosC2, we have found some techniques that can be used to detect the presence of the\r\nagents communicating with the servers.\r\nWhile some network activities are dynamic, such as the inspection of the paths of the URL (as these can be\r\nchanged by malicious actors while setting up the listeners), others are predictable. For example, the first 8\r\nbytes of the TCP listener communication can be used for detection using the provided Snort rule in an\r\nintrusion detection system (IDS).\r\nIn the case of the DoH example, if defenders are not using a service that leverages the JSON version of\r\nDoH within normal business operations, it is recommended that HTTPS to dns[.]google is blocked or at\r\nleast logged. Most of the current DeimosC2 samples that leverage DoH use the JSON version of\r\nDoH provided by Google, so blocking it will stop this agent from working altogether.\r\nHowever, it is important to remember that DeimosC2 is a post-exploitation C\u0026C framework, and if you are seeing\r\nits traffic on your network, you have already been compromised by another means, and this is just the actor setting\r\nup persistence. If you detect DeimosC2 in your system, you should assume there are likely other attack tools\r\ndeployed that you have not yet found. Assuming a stance that you are already compromised also provides\r\nadditional defensive options:\r\nDefenders should perform regular monitoring of outbound communications for top talkers. 
In particular,\r\nthey should flag any hosts that have a significantly larger amount of data sent than during a normal\r\nmonitoring period.\r\nLooking for communications that are new but also occur suddenly and frequently is an important part of\r\nnetwork defense and helps not only in spotting DeimosC2 communications but also in spotting other\r\nmalware and malicious communications early — especially if they are based on any sort\r\nof phone-home or heartbeat pattern.\r\nAlthough not designed to be a defensive measure, these kinds of tools can also sometimes provide an unexpected\r\nadvantage for the defenders. As we mentioned, a C\u0026C framework is meant to make the lives of penetration testers\r\nand red teamers easier through a variety of functions, such as by logging every command they run (whether this is\r\non by default varies from framework to framework).\r\nWhile non-malicious actors use these kinds of tools to enable faster report creation, if investigators are able to\r\nseize a server in which the attackers had this option configured (perhaps unknowingly), it can be a fantastic source\r\nof intelligence on the attacker’s post-compromise activities.\r\nConclusion\r\nThis report was intended to shed light on one of several C\u0026C frameworks that criminals are using. DeimosC2 is\r\none of the alternative tools that SOC teams will likely see being used against their networks for post-compromise\r\nactivities. Over the coming months and years, we expect to see a rise in the use of many of these alternative C\u0026C\r\nframeworks. 
We have already seen malicious actors switching from Cobalt Strike to these alternatives as\r\ndefenders get better at identifying and blocking the communications and agents that are deployed.\r\nIt is important to remember that tools like these are dual-purpose: Their presence does not immediately indicate\r\ncybercriminal behavior since they are also popular with both internal and external penetration testers and red\r\nteams. While the red team’s role is to perform adversary simulations and work with companies to help them\r\ndefend their networks from these exact same tools, it is still in the interest of network defenders to be aware of\r\ntheir presence. By learning how to identify and block these tools, an organization can strengthen its defensive\r\nposture and prevent attackers from pivoting within networks, exfiltrating data, or generally doing harm to\r\nenterprises.\r\nIndicators of Compromise (IOCs)\r\nThese are IP addresses that were observed to have a DeimosC2 panel. Some of these IP addresses are likely to\r\nhave been part of a red-team exercise.\r\nIP address First seen Last seen (dates in DD/MM/YYYY)\r\n3.133.59.113 03/05/2022 04/09/2022\r\n3.17.189.71 20/08/2021 20/08/2021\r\n5.101.4.196 27/04/2022 17/09/2022\r\n5.101.5.196 06/05/2022 19/09/2022\r\n13.211.163.117 01/02/2021 01/08/2021\r\n35.193.194.65 01/03/2021 01/03/2021\r\n35.238.243.202 01/08/2020 01/09/2020\r\n39.101.198.2 29/09/2022 06/10/2022\r\n45.12.32.61 01/01/2022 01/01/2022\r\n45.32.29.78 01/04/2021 01/07/2021\r\n45.76.148.163 01/08/2020 01/08/2020\r\n47.241.40.139 01/12/2021 01/01/2022\r\n49.233.238.185 01/09/2020 01/09/2020\r\n50.17.89.130 16/11/2021 16/11/2021\r\n51.161.75.139 01/07/2020 01/07/2020\r\n51.222.169.4 01/02/2021 01/02/2021\r\n54.205.246.190 01/03/2022 01/03/2022\r\n69.197.131.198 01/09/2020 01/09/2020\r\n80.211.130.78 06/06/2022 06/06/2022\r\n84.246.85.157 
30/04/2022 30/04/2022\r\n95.179.228.18 01/08/2020 01/09/2020\r\n104.131.12.204 01/08/2020 01/09/2020\r\n106.13.236.30 05/10/2021 14/11/2021\r\n108.61.186.55 01/03/2021 01/04/2021\r\n117.50.31.161 01/10/2020 01/10/2020\r\n120.92.9.225 01/02/2021 01/02/2022\r\n124.156.148.70 01/11/2020 01/02/2021\r\n145.239.41.145 01/08/2020 01/09/2020\r\n152.32.212.101 22/08/2020 05/09/2020\r\n154.221.28.248 01/02/2021 01/02/2021\r\n157.230.93.100 01/08/2021 01/08/2021\r\n162.219.33.194 01/05/2021 01/04/2022\r\n162.219.33.195 01/04/2021 01/03/2022\r\n162.219.33.196 01/07/2021 01/04/2022\r\n172.104.163.114 01/11/2020 01/05/2021\r\n172.105.107.243 01/12/2021 01/12/2021\r\n182.92.189.18 01/10/2020 01/01/2021\r\n185.173.36.219 01/10/2021 01/10/2021\r\n185.232.30.2 01/01/2022 01/03/2022\r\n185.232.31.2 01/01/2022 01/03/2022\r\n203.41.204.180 01/12/2020 01/12/2020\r\n206.189.196.189 01/01/2021 01/01/2021\r\n218.253.251.120 01/08/2021 01/09/2021\r\nThe details of several DeimosC2 samples observed in the wild, complete with platform, protocol, C\u0026C server, and\r\nRSA public keys (useful for clustering behavior) can be found in this link.\r\nThis was compiled with the help of two x64dbg scripts we developed, which assist with configuration extraction.\r\nMeanwhile, the list of Trend Micro detections can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html"
	],
	"report_names": [
		"deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49fefaa827a3ef2a3bbbd81e51620330c80f8c39.pdf",
		"text": "https://archive.orkl.eu/49fefaa827a3ef2a3bbbd81e51620330c80f8c39.txt",
		"img": "https://archive.orkl.eu/49fefaa827a3ef2a3bbbd81e51620330c80f8c39.jpg"
	}
}