{
	"id": "d787bd47-b821-490a-a0da-b05ff05bf206",
	"created_at": "2026-04-06T00:11:02.904025Z",
	"updated_at": "2026-04-10T03:24:23.565593Z",
	"deleted_at": null,
	"sha1_hash": "975882c7e503e664f2b1570cb3b299a1e7c04ae8",
	"title": "Combining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1721631,
	"plain_text": "Combining Pivot Points to Identify Malware Infrastructure -\r\nRedline, Smokeloader and Cobalt Strike\r\nBy Matthew\r\nPublished: 2023-11-19 · Archived: 2026-04-05 21:26:08 UTC\r\nIn this post, we'll demonstrate how to use Censys to pivot when there are minimal unique indicators that could be\r\nused for a single strong pivot.\r\nWe'll combine 5 separate \"weak\" indicators to identify 11 malware servers from a single initial IP found on\r\nURLHaus.\r\nThe final query we will be building can be found here.\r\nservices.http.response.body_hashes=\"sha1:7dd71afcfb14e105e80b0c0d7fce370a28a41f0a\" and\r\nservices.port:22 and services.port:80 and service_count:2 and operating_system.vendor=\"Ubuntu\" and\r\nautonomous_system.asn=\"210352\"\r\nAnalysis\r\nI'll be starting with the ip 5.42.65[.]80 . This IP was present on URLHaus and marked as Smoke Loader.\r\nViewing additional information, we can see that the IP has been used to host Smoke Loader samples.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 1 of 14\n\nCensys Analysis\r\nMoving over to Censys, we can search on the IP address and attempt to determine a pivot point.\r\nWithin Censys, we can see that there are two running services. SSH on port 22 and HTTP on port 80.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 2 of 14\n\nPivoting on the SSH Service.\r\nWhen SSH is in use it can be possible to pivot on the SSH host key, this works if the threat actor has used the\r\nsame SSH setup across related infrastructure.\r\nIn this case this did not work, the SSH Host key was not re-used across any other hosts in the Censys database.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 3 of 14\n\nPivoting on the HTTP Service\r\nInspecting the HTTP service on port 80, there isn't a lot of information that we can pivot from.\r\nAt first glance, everything seems to be a default install of the Nginx load balancer.\r\nAttempts to pivot on the html title or banner hash will result in either millions of results, or a single result (the\r\nsame server). So these are not useful as pivot points.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 4 of 14\n\nPivoting On The Body Hash\r\nThe response body from one of the previous screenshots shows a default but relatively long string of text.\r\nIn hopes that this text is unique enough to be used as a pivot point, we can use the search button in Censys to\r\nattempt a pivot on the hash of this text. (This will search for any server that returns identical text to this one)\r\nPivoting on the hash of the response body returns over a million results. So this value is also not useful as a pivot\r\npoint.\r\nAt least not on its own.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 5 of 14\n\nCombining Pivot Points\r\nSince we weren't able to identify any useful pivot points within the HTTP or SSH services, we can instead try a\r\ndifferent approach by limiting the location and the number of services running.\r\nFor example, we can combine our body hash search with a requirement that the server is ONLY running SSH/22\r\nand HTTP/80.\r\nThe below query will limit our search to servers running only port 22 and 80.\r\nservices.http.response.body_hashes=\"sha1:7dd71afcfb14e105e80b0c0d7fce370a28a41f0a\" and\r\nservices.port:22 and services.port:80 and service_count:2\r\nThis reduces our results from ~1Mil down to ~71k.\r\nThis is still too many results, but much lower than before so we may be on to something.\r\nLooking for Additional Pivot Points\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 6 of 14\n\nSince we've already limited our results fairly significantly (considering the lack of unique services running). We\r\ncan go looking for other options for pivoting.\r\nIf we return the summary view of our initial host, we can see that it's running Ubuntu Linux and is operating on\r\nASN 210352.\r\nASN is short for \"Autonomous System Number\" and is used to group IP addresses with the same\r\nrouting policy. This generally means that it groups IP addresses in similar locations (same datacentre) or\r\nat least roughly the same geographical area.\r\nASN's are often useful as pivot points when other options fail.\r\nFiltering on Ubuntu Operating System\r\nIf we return to our previous search and a filter on Ubuntu, we can reduce our results down to ~38K.\r\nThis is still too many but heading in the right direction.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 7 of 14\n\nFiltering on Autonomous System Number (ASN)\r\nSince we still had too many results (38K) after filtering on Ubuntu. We can go ahead and filter on the ASN\r\nnumber 210352 present in our initial IP.\r\nThis means that our current search looks like this. Which accounts for...\r\nBody Hash of nginx page\r\nONLY services 22 and 80\r\nRunning Ubuntu Operating System\r\nGrouped by ASN Number 210352\r\nservices.http.response.body_hashes=\"sha1:7dd71afcfb14e105e80b0c0d7fce370a28a41f0a\" and\r\nservices.port:22 and services.port:80 and service_count:2 and operating_system.vendor=\"Ubuntu\" and\r\nautonomous_system.asn=\"210352\"\r\nNow we're down to 11 results, which looks very promising.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 8 of 14\n\nInvestigating Results\r\nWith only 11 results remaining, we probably don't need to do any additional filtering. We can instead go ahead and\r\nconfirm our current results.\r\nThe second result 79.137.192[.]9 has 9/88 hits on Virustotal and may be related to Redline Stealer.\r\nInvestigating 77.91.76[.]7\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 9 of 14\n\nThe 4th result in the search has 0/88 detections on Virustotal. But has 11 recent communicating files that are very\r\nlikely to be malicious.\r\nThe first communicating file has been marked as Amadey Clipper Module by the Thor scanner by Florian Roth.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 10 of 14\n\nInvestigating 5.42.65[.]49\r\nA VirusTotal search on the returned result 5.42.65[.]49 returns 12/88 results.\r\nThere are also two comments indicating that the server has been used as a Cobalt Strike C2.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 11 of 14\n\nConfirming Results\r\nSo far 3 of the returned results are malware C2's related to Redline, Amadey and Cobalt Strike.\r\nWe won't go into the analysis of every one of the results, but a summary will be included below of the findings.\r\nSome of the results had 0 detections and no indications of malware. In these cases, I would still assume that the IP\r\nis related and malicious (possibly reserved for later use).\r\nFinal Results\r\nThe final results can be observed below, based on the prevalence of malware C2's, I would assume that the 3\r\n\"clean\" results are malicious but not yet in active use.\r\n5.42.65[.]49 - 12/88 VT, Cobalt Strike C2\r\n5.42.65[.]64 - 0/88 VT, Clean\r\n5.42.65[.]80 - 19/88 VT, Smokeloader Delivery\r\n5.42.66[.]9 - 4/88 VT, Amadey Bot C2\r\n5.42.66[.]18 - 0/88 VT, Clean\r\n5.42.67[.]28 - 0/88 VT, Clean\r\n77.91.76[.]7 - 0/88 VT, Amadey C2\r\n77.91.76[.]12 - 1/88 VT, Unsure\r\n79.137.192[.]6 - 17/88 VT, Redline Stealer\r\n79.137.192[.]9 - 9/88 VT, Redline Stealer\r\n79.137.192[.]18 - 19/88 VT, Redline Stealer\r\nSign up for Embee Research\r\nMalware Analysis Tutorials\r\nNo spam. Unsubscribe anytime.\r\nAdditional Notes - Lumma Stealer\r\nThe concept covered in this post can also be applied to a Lumma C2 from URLHaus.\r\nBy combining the use of \"Tiny File Manager\" on port 80 with the limited port numbers and ASN, we can identify\r\nanother 6 malicious servers.\r\nBelow is an example of what this looks like.\r\nservices.http.response.html_title=\"Tiny File Manager\" and service_count:2 and services.port:22 and\r\nservices.port:80 and autonomous_system.asn=\"216419\"\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 12 of 14\n\nAdditional Notes - RecordBreaker\r\nThe same concept can also be applied to this server from URLHaus.\r\nYou can see the Censys search here.\r\nservices.http.response.html_title=\"Error\" and services.software.product=\"nginx\" and service_count:2\r\nand services.port:22 and services.port:80 and autonomous_system.asn=\"211409\"\r\nThis is based on a limited number of ports, ASN and an error message in the returned page on port 80.\r\nAdditional Notes - PrivateLoader/Mirai\r\nThere is another similar pattern in the IP of 91.92.244[.]70 from URLHaus.\r\nThis search returns 10 results with hits for PrivateLoader and other malware.\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 13 of 14\n\nservices.http.response.html_title=\"403 Forbidden\" and services.port:22 and services.port:80 and\r\nservice_count:2 and autonomous_system.asn=\"394711\"\r\nSource: https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nhttps://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/\r\nPage 14 of 14\n\n https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/      \nThe 4th result in the search has 0/88 detections on Virustotal. But has 11 recent communicating files that are very\nlikely to be malicious.       \nThe first communicating file has been marked as Amadey Clipper Module by the Thor scanner by Florian Roth.\n   Page 10 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/"
	],
	"report_names": [
		"combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/975882c7e503e664f2b1570cb3b299a1e7c04ae8.pdf",
		"text": "https://archive.orkl.eu/975882c7e503e664f2b1570cb3b299a1e7c04ae8.txt",
		"img": "https://archive.orkl.eu/975882c7e503e664f2b1570cb3b299a1e7c04ae8.jpg"
	}
}