{
	"id": "ba60588a-fe1b-4a2f-b537-c6efb2c415c0",
	"created_at": "2026-04-10T03:19:59.006616Z",
	"updated_at": "2026-04-10T03:22:17.662164Z",
	"deleted_at": null,
	"sha1_hash": "a11bbb6b09591acf90c2ffd8dac6d6b9404dd6a7",
	"title": "Identifying PrivateLoader Servers with Infrastructure Queries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1573107,
	"plain_text": "Identifying PrivateLoader Servers with Infrastructure Queries\r\nBy Matthew\r\nPublished: 2023-11-26 · Archived: 2026-04-10 03:13:33 UTC\r\nThis is a quick post based on a tweet shared by @g0njxa. Here we will build a Censys query to identify servers\r\nrelated to an IP associated with PrivateLoader.\r\nInitial Search\r\nWe can begin with an initial search on the IP address using ip:185.198.57[.]117 .\r\nThis shows that the IP address is running two services, on port 22 (SSH) and 80 (HTTP).\r\nhttps://embee-research.ghost.io/identifying-privateloader-servers-with-censys/\r\nPage 1 of 9\n\nInvestigating the address further, we can see a standard-looking setup on SSH and a simple Apache server on port\r\n80.\r\nWithin the HTTP service, there is a relatively long HTTP title containing Apache HTTP Server Test Page\r\npowered by CentOS .\r\nThere is also a very long response body which appears to be a default Apache page. I made the\r\nassumption that the Title and Body are both defaults and hence it doesn't really matter which one is\r\nused as a pivot.\r\nNow so far everything looks \"default\" and not easily signatured, but we can still go ahead and attempt a pivot on\r\nthe HTML title.\r\nservices.http.response.html_title=\"Apache HTTP Server Test Page powered by CentOS\"\r\nThis returns ~332,310 results, which is far too many for the HTML title to be used on its own.\r\nRefining The Query By Limiting Service Count\r\nIf we recall from the initial search on the IP, there are only two running services (SSH and HTTP).\r\nWe can use this information to limit the search to servers with only 2 running services.\r\nservices.http.response.html_title=\"Apache HTTP Server Test Page powered by CentOS\" and\r\nservice_count:2\r\nThis reduces the results down to 78,741.
Not great but much better than before.\r\nRefining Results by Providing Specific Ports\r\nIf we look at the second result from our previous search, we can see that it is running two services:\r\none on port 80, and one on port 443.\r\nWe can go ahead and remove these by specifying that we only want servers with port 22 and 80.\r\nWe can refine our search with the query below, which cuts down the results to ~17,000.\r\nservices.http.response.html_title=\"Apache HTTP Server Test Page powered by CentOS\" and\r\nservice_count:2 and services.port:22 and services.port:80\r\nNow at this point I wasn't able to find any other useful pivot points within the HTTP or SSH services.\r\nWe can go ahead and pivot using the Autonomous System Number (ASN). This limits the results to servers/IPs\r\nwithin a similar geographic location (or at least hosted by a similar hosting provider).\r\nIn my experience, the ASN should be used as a last resort when no other pivot points can be found. If\r\nan actor has set up their infrastructure well, then there will be servers across multiple ASNs and\r\ngeographic locations. Limiting to a single ASN will miss servers in a separate location, but it's very\r\nuseful when there aren't other options.\r\nWe can see the ASN in the summary for the initial IP address.\r\nNow with the ASN added, we are down to only 12 results.
A number as small as 12 is a good indicator\r\nthat the results are all related.\r\nservices.http.response.html_title=\"Apache HTTP Server Test Page powered by CentOS\" and\r\nservice_count:2 and services.port:22 and services.port:80 and autonomous_system.asn=\"60117\"\r\nInvestigating Results\r\nNow at this point, all of the servers look the same (simple and default services), so it's difficult to determine if\r\nthey are malicious using only Censys.\r\nSo we can go ahead and export a list and compare it to a reputation service like VirusTotal.\r\nThere are likely much better services out there than VirusTotal, but VT is the standard and the most\r\naccessible, so it's what we will use here.\r\nWe can start by exporting an easy list of results from our search. This can be done with the \"report\" feature of\r\nCensys.\r\nFrom the report function, we can specify the ip field and go ahead and build a report. (We can leave the\r\n\"Number of Buckets\" at 50, since our search returned fewer than 50 results.)\r\nBy scrolling down we can obtain the list in JSON format.\r\nFrom here we can use CyberChef and Extract IP Addresses to get an easy list without needing to deal with\r\nJSON.\r\nChecking Results in VirusTotal\r\nLooking at the first result 185.45.192[.]24 , we can see 0 detections in VirusTotal. But there is one\r\ncommunicating file with 55/70 detections.\r\nGiven the scan date of 2019-02-10 , it's possible that the IP was previously malicious and that is no longer the\r\ncase.
But either way the IP is related to something shady.\r\nChecking on the second result of 185.45.192[.]74 , we can also observe 0 IP detections, but 5 malicious\r\ncommunicating files.\r\nMoving on, we can continue the same process and use it to determine more information.\r\nNow there isn't enough information to strongly correlate the servers back to PrivateLoader, but given the very\r\nsimilar setups and small number of results, we can assume they are suspicious.\r\nIn cases like these, typically the servers are related and used by the same group, but not yet actively\r\nused for malicious activities. Some servers are often reserved for later use or the usage is (so far) so\r\nminimal that it hasn't yet shown up on VT and other \"Free\" services.\r\nIt's also entirely possible that some of these are benign, but I think the likelihood is low.
All results should be\r\nconsidered suspicious and blocked where possible.\r\n185.45.192[.]24 - 0/88 Detections, 1 communicating file with 55 detections.\r\n185.45.192[.]74 - 0/88 VT, 5 malicious communicating files.\r\n185.45.192[.]107 - 0/88 VT, no related files.\r\n185.45.192[.]112 - 0/88 VT, no related files.\r\n185.45.193[.]182 - 0/88 VT, no related files.\r\n185.82.200[.]15 - 0/88 VT, no related files.\r\n185.82.200[.]93 - 0/88 VT, no related files.\r\n185.82.202[.]126 - 5/88 VT, Observed SSH Brute Forcing\r\n185.117.75[.]107 - 0/88 VT, no related files.\r\n185.183.96[.]10 - 4/88 VT, Hosting Malware, Previously Trickbot\r\n185.198.57[.]70 - 12/88 VT, Previously Hosting Malware\r\n185.198.57[.]117 - 9/88 VT, Initial PrivateLoader IP\r\nSource: https://embee-research.ghost.io/identifying-privateloader-servers-with-censys/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embee-research.ghost.io/identifying-privateloader-servers-with-censys/"
	],
	"report_names": [
		"identifying-privateloader-servers-with-censys"
	],
	"threat_actors": [],
	"ts_created_at": 1775791199,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a11bbb6b09591acf90c2ffd8dac6d6b9404dd6a7.pdf",
		"text": "https://archive.orkl.eu/a11bbb6b09591acf90c2ffd8dac6d6b9404dd6a7.txt",
		"img": "https://archive.orkl.eu/a11bbb6b09591acf90c2ffd8dac6d6b9404dd6a7.jpg"
	}
}