{
	"id": "444aa7aa-9047-4452-8d12-3b101aa1c9b3",
	"created_at": "2026-04-06T00:07:25.624569Z",
	"updated_at": "2026-04-10T03:21:05.413722Z",
	"deleted_at": null,
	"sha1_hash": "8bd0001d98f45bc20cadc3bed092e4a855d43822",
	"title": "Shodan Query Guide - How To Track Amadey Bot Infrastructure With TLS Certificates and Russian Profanity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4832034,
	"plain_text": "Shodan Query Guide - How To Track Amadey Bot Infrastructure With TLS Certificates and Russian Profanity\r\nBy Matthew\r\nPublished: 2023-05-19 · Archived: 2026-04-05 23:00:56 UTC\r\nAnalysing a suspicious IP address found in our previous post on Amadey Bot Malware. Utilising Shodan and Censys to pivot to additional Amadey infrastructure.\r\nHere you'll see how to use a known C2 to craft additional queries based on HTML content and certificate information. In total, 12 unique servers will be identified.\r\nOriginal sample can be found here and original post here.\r\n(If you're just here for the C2 list, it's at the bottom of this post)\r\nAnalysis\r\nIn the original post on Amadey Bot, conditional breakpoints were used to extract decrypted strings and obtain the address of a command and control (C2) server.\r\nA partial output of this can be seen below, showing that the IP 77.91.124[.]207 has been extracted alongside a partial URL.\r\nBy utilising Shodan and Censys, we wanted to try to identify any additional C2 servers or related infrastructure.\r\nSpecial thanks to Michael Koczwara for the initial inspiration for this post. Also thanks to Chris Duggan and 0xburgers for their inspiring and helpful posts.\r\nAnalysis of the IP with Shodan\r\nWe initially analysed the IP 77.91.124[.]207 by inputting it directly into Shodan. Our goal here was to identify any unique pieces of information that could potentially be used to pivot to additional servers.\r\nThe kinds of information we were mainly looking for were:\r\nUnique headers and header values\r\nSSL certificates with unique information (issuer and subject in particular)\r\nSSL fingerprints (JARM and JA3)\r\nUnique titles in HTTP responses\r\nUnique content returned in HTTP bodies\r\nhttps://embee-research.ghost.io/amadey-bot-infrastructure/\r\nPage 1 of 14\r\nOur first search was a plain search for the original Amadey C2 of 77.91.124[.]207 (without the [.]). This identified a running server with three open ports: 21, 80 and 443.\r\nThe first port available was port 21. This appeared to be a plain FTP server without any unique information to pivot from.\r\nThe second available port was port 80. Nothing stood out within the headers, but we decided to look further by inspecting the HTTP response.\r\nThe HTML response was obtained from within the \"raw data\" Shodan tab and contained multiple references to \"Sosi nahui!\" (essentially a f*ck off in Russian).\r\nThis was a reasonably unique value that could serve as a pivot point.\r\nThis polite message was present in both the HTML body and HTML title. These two fields provided two values that could be used for pivoting.\r\nOption one was the hash of the HTML response. Option two was the HTML title. Both are dependent on the \"unique\" content of \"Sosi Nahui!\".\r\nOption 1 - Shodan Pivoting with the HTML Hash\r\nPivoting with the html_hash produced 19 results for similar servers. Each server had an identical HTML title of \"Sosi Nahui!\" and all were based in either Russia or Finland. For me, this was enough similarity to begin assuming a similar origin.\r\nNote that of these 19 results there were only 12 unique IP addresses. Some IPs were counted twice if the same hash appeared on multiple ports (e.g. the same response on ports 80 and 443).\r\nThe results of this scan have all been exported and added to the end of this post.\r\nOption 2 - Shodan Pivoting With the HTML Title\r\nPivoting based on the HTML title produces the same 19 results. Again, note that some of these are duplicates.\r\nShodan Pivoting With the Subject Common Name\r\nBoth Shodan searches contained references to desas.digital inside the subject common name of the SSL certificate.\r\nThis was another unique and interesting value that could be used as a pivot point.\r\nSeven results could be found by modifying the Shodan query to ssl.cert.subject.cn:\"desas.digital\".\r\nThis query was crafted by referencing the Shodan filter list.\r\nPivoting with the subject common name can produce new results and additional servers. In this case, no new servers were found.\r\nThe returned results were all contained within the initial results for \"sosi nahui!\" and the html_hash.\r\nAt this point we were satisfied with our analysis of port 80 and decided not to pursue it further. There may be other avenues that could have resulted in more servers.\r\nThese same results could also have been obtained by clicking directly on the html_hash from the original page. This is a good option if you don't have the paid version of Shodan.\r\nShodan Analysis of Port 443\r\nMoving back to the original search for 77.91.124[.]207, there still remained port 443 to be analysed.\r\nThis revealed another reverse proxy running with nginx.\r\nThe HTML responses on this port were identical to those on port 80 and would produce the same results when searched.\r\nPort 443 also contained references to the same desas.digital certificate that was previously identified.\r\nThe rest of the certificate did not contain anything that we could pivot from.\r\nThe remaining certificate values were not interesting outside of additional references to desas.digital, which had already been identified. The next task was to try to pivot further using the SSL JA3 and JARM hashes.\r\nJA3 and JARM are SSL/TLS fingerprints that can be used to identify separate servers containing certificates with similar origins. They are often used as pivot points in blogs utilising Shodan.\r\nThese two fingerprint values were present in the raw_data tab of Shodan. (Expand All and CTRL+F if your raw data tab gets too wild.)\r\nPivoting from the JARM hash produced 154,426 results.\r\nWe suspect this was because the JARM was related to Let's Encrypt and not specifically to this malware. (Let's Encrypt is a popular free service for producing TLS certificates, so it makes sense that there are a lot of \"similar\" certificates.)\r\nEssentially, this meant that the JARM (on its own) was not useful as a pivot point, as the properties that produce the JARM fingerprint are shared with a huge number of other Let's Encrypt certificates.\r\nPivoting from the JA3 came to a similar conclusion, with over nine million results returned.\r\nAs with the JARM, the JA3 fingerprint was not useful as a pivot point.\r\nIt's possible that the JARM/JA3 fingerprints could be combined with other fields to produce a better result, but we decided not to pursue this route when 9 million results were returned.\r\nWe then moved on to Censys to continue analysis.\r\nAnalysing Infrastructure With Censys\r\nContinuing analysis using Censys, we decided to input the initial IP in order to compare results.\r\nA Censys search for the IP 77.91.124.207 returned the IP with no running services. Censys has likely performed a scan whilst the server was down or not responding to Censys headers.\r\nThis highlights why it is useful to use multiple tools.\r\nUtilising the previously obtained desas.digital, 6 results are found.\r\nThese results were all contained within the 19 results from Shodan. No new results were found.\r\nAttempts to pivot using the HTML title produced the same 6 results as the search for desas.digital.\r\nThe Censys page for 77.91.68[.]248 contained references to a body hash which could be useful for additional pivoting.\r\nHowever, attempts to pivot from this HTML hash produced no new results.\r\nContinuing analysis, we were unable to identify any additional servers with Shodan or Censys.\r\nWe exported our results from Shodan and they have been included at the end of this post.\r\nConclusion\r\nAt this point we were happy with the 12 unique servers initially identified by Shodan and we decided to call it a day. These 12 servers all shared extremely similar HTML content, location and certificate information, so we had high confidence that they were related.\r\nIf you wish to read the original analysis that produced the initial IP address, you can find that here.\r\nRedline Stealer/Amadey Bot - Static Analysis and C2 Extraction\r\nDeep dive analysis of a Redline Stealer sample. I will use manual analysis to extract C2 information using a combination of Ghidra and x32dbg\r\nEmbee Research - Matthew\r\nOne Last Thing\r\nIf you enjoyed this post and would like to see more, consider becoming a member of the site.\r\nMembers will receive early access to blogs and threat intel, exclusive posts, as well as access to a Discord server where you can ask questions and get help with analysis.\r\nSign up here\r\nFinal Results\r\nShodan\r\nhttp.html_hash:548631456\r\nssl.cert.subject.cn:\"desas.digital\"\r\nhttp.title:\"sosi nahui!\"\r\nCensys\r\nservices.tls.certificates.leaf_data.subject.common_name:\"desas.digital\"\r\nservices.http.response.body_hash:\"sha1:e084a66d16925abf43390c59d783f7a2fb49752d\"\r\nList Of Identified Servers\r\n77.91.68.61\r\n77.91.68.62\r\n77.91.68.248\r\n77.91.124.20\r\n77.91.124.130\r\n77.91.124.203\r\n77.91.124.207\r\n77.91.124.242\r\n193.201.9.43\r\n193.201.9.44\r\n193.201.9.67\r\n193.201.9.241\r\nVirusTotal CrossCheck (2023-05-17)\r\n77.91.68.61 - 1/87\r\n77.91.68.62 - 11/87\r\n77.91.68.248 - 3/87\r\n77.91.124.20 - 1/87\r\n77.91.124.130 - 3/87\r\n77.91.124.203 - 10/87\r\n77.91.124.207 - 1/87\r\n77.91.124.242 - 1/87\r\n193.201.9.43 - 1/87\r\n193.201.9.44 - 0/86\r\n193.201.9.67 - 11/87\r\n193.201.9.241 - 2/87\r\nSource: https://embee-research.ghost.io/amadey-bot-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embee-research.ghost.io/amadey-bot-infrastructure/"
	],
	"report_names": [
		"amadey-bot-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bd0001d98f45bc20cadc3bed092e4a855d43822.pdf",
		"text": "https://archive.orkl.eu/8bd0001d98f45bc20cadc3bed092e4a855d43822.txt",
		"img": "https://archive.orkl.eu/8bd0001d98f45bc20cadc3bed092e4a855d43822.jpg"
	}
}