{
	"id": "979475a0-853c-41cf-bd01-9b15158e0535",
	"created_at": "2026-04-06T00:18:18.926161Z",
	"updated_at": "2026-04-10T03:21:27.955451Z",
	"deleted_at": null,
	"sha1_hash": "c1bb64c592eb64bb867fc9ba687ef9d043744f10",
	"title": "Identifying Qakbot Servers with Regex and TLS Certificates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1722770,
	"plain_text": "Identifying Qakbot Servers with Regex and TLS Certificates\r\nBy Matthew\r\nPublished: 2023-11-30 · Archived: 2026-04-05 14:01:53 UTC\r\nIn this post we will leverage regular expressions and TLS certificates to capture 83 dispersed Qakbot servers.\r\nThese servers are well made and there are minimal traditional patterns (ports, service names, ASNs) that can be used for signaturing. Instead we will focus on commonalities within the subject_dn and issuer_dn fields to identify servers.\r\nThis is a relatively advanced technique that will require a basic understanding of regular expressions, and also a paid/researcher license for Censys.\r\nThe final query is shown below. A link can be found here.\r\nservices.tls.certificates.leaf_data.subject_dn=/C=\\w\\w, OU=[a-zA-Z0-9 \\.]+, CN=[a-z]+\\.[a-z]+/ and services.tls\r\nNote that this post is primarily a demonstration of technical concepts that can be used to identify malware. We have not 100% validated that all results are Qakbot (although most appear to be), and we are relying on the initial ThreatFox tag being accurate.\r\nInitial Server From ThreatFox\r\nThe initial server IP of 74.12.147[.]243:2222 was obtained from ThreatFox. It was initially shared by the Twitter user @drb_ra.\r\nhttps://embee-research.ghost.io/advanced-threat-intel-queries-catching-83-qakbot-servers-with-regex-censys-and-tls-certificates/\r\nPage 1 of 16\r\nBy searching the IP address on Censys, we can quickly identify a suspicious certificate running on the reported 2222 port.\r\nThis certificate contains seemingly random text, with long values and only alphabetical characters.\r\nUsing \"View All Data\", we can gather more information about the service running on 2222.\r\nThis reveals an empty service banner that can later be used as a pivot point or as a field to narrow down search results.\r\nThe exact structure of the TLS certificate can be established with this view.\r\nThe search box next to services.tls.certificates.leaf_data.subject_dn can be used to pre-build an exact query.\r\nWe will use this pre-built query as a base for our regular expression.\r\nHow To Convert Values Into Regular Expressions\r\nWe can go ahead and modify the search parameter to a regular expression.\r\nA summary of the changes can be found below.\r\nC=US -\u003e C=\\w\\w - We will let the C field match any two word characters.\r\nOU=Vzbxanrbu Eivhtmjiabe Qjihwitl -\u003e OU=[a-zA-Z0-9 ]+ - We will let the OU field match any sequence of alphanumeric characters, allowing for spaces in between.\r\nCN=motnooz.biz -\u003e CN=[a-z]+\\.[a-z]+ - We will let the CN field match any domain containing only lowercase letters.\r\nAfter modifying the query as above, we can also add a filter for our original IP. This ensures that the same IP is matched and hasn't been lost. This is a means of quickly verifying that a regex works as intended.\r\nWe can see below that the same initial IP is matched, meaning that the regex probably works.\r\nWith the regex validated, we can now go ahead and remove the IP address, leaving only the subject_dn field.\r\nThis modified search results in 778 servers, many of which don't completely follow the certificate structure we want.\r\nValidating Search Results\r\nIf we inspect the first returned result of 75.98.168[.]215, we can see that the subject_dn matches our regular expression structure, but the issuer_dn is different from that of our initial Qakbot C2.\r\nBelow is the first returned result (which does not match our pattern). Note that it contains the - character in the CN and O fields.\r\nBelow is the original Qakbot C2. Note the lack of special characters and numerical values.\r\nThe initial search returns results that match our subject_dn regular expression, but there are results with a completely different (and not matching) structure on the issuer_dn.\r\nWe can go back to our initial Qakbot C2 and follow the same process as before to build a regular expression on the issuer_dn field.\r\nWe can then validate the regular expression by including the initial IP address.\r\nNow that the issuer_dn field has been validated, we can go ahead and add the issuer_dn query to the initial subject_dn search. We can also include the initial IP for validation.\r\nAt this point, we have a total query of\r\nservices.tls.certificates.leaf_data.subject_dn=/C=\\w\\w, OU=[a-zA-Z0-9 \\.]+, CN=[a-z]+\\.[a-z]+/ and services.tls\r\nThe above search confirms that we haven't lost our initial hit, meaning the regex is valid, and the initial IP can be removed.\r\nBy removing the initial IP address and including only the subject_dn and issuer_dn, we're now down to a manageable number of 83 results.\r\nInspecting the first two hits, we can confirm that we have matches on our intended certificate structure.\r\nFurther Validation With Report Building\r\nTo save time validating every result individually, we use the \"build report\" function of Censys to hone in on the subject_dn or issuer_dn fields.\r\nThis confirms that most of the returned servers match our intended structure.\r\nHoning in on Domain/Host Names\r\nWe can also use the \"build report\" function to hone in on the common_name fields used in the TLS certificates.\r\nQuery Refinement\r\nThere are potentially some false positives within the 83 returned results, so if we like, we can go ahead and add the empty banner hash from the initial IP.\r\nThis will reduce the hits down to 49. But it's possible that this may remove some malicious results. I did not validate this as it's very time-consuming, and the majority of servers seem to be malicious either way.\r\nValidating Results With VirusTotal\r\nPerforming a quick search on some of the returned hits on VirusTotal, most seem related to Qakbot, although we have not confirmed this 100%.\r\nConclusion\r\nWe now have a functioning query that captures 83 servers. We have not had to rely on port numbers, port ranges, or ASN locations to hone in.\r\nHere is another copy of our final query.\r\nservices.tls.certificates.leaf_data.subject_dn=/C=\\w\\w, OU=[a-zA-Z0-9 \\.]+, CN=[a-z]+\\.[a-z]+/ and services.tls\r\nIf we observe the returned results below, we can see that the ASNs and port numbers vary greatly between the results, meaning that many traditional query styles will not work.\r\nRelated Content\r\nIf you found this content useful, check out other related posts in the free Threat Intelligence Section.\r\nAdvanced Regex Queries - BianLian\r\nPractical Queries for Identifying Malware - Part 3\r\nCombining Simple Pivot Points to Identify Infrastructure\r\nComplete List of Qakbot Infrastructure\r\nIP Addresses\r\nSubject Common Names\r\nSource: https://embee-research.ghost.io/advanced-threat-intel-queries-catching-83-qakbot-servers-with-regex-censys-and-tls-certificates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embee-research.ghost.io/advanced-threat-intel-queries-catching-83-qakbot-servers-with-regex-censys-and-tls-certificates/"
	],
	"report_names": [
		"advanced-threat-intel-queries-catching-83-qakbot-servers-with-regex-censys-and-tls-certificates"
	],
	"threat_actors": [],
	"ts_created_at": 1775434698,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1bb64c592eb64bb867fc9ba687ef9d043744f10.pdf",
		"text": "https://archive.orkl.eu/c1bb64c592eb64bb867fc9ba687ef9d043744f10.txt",
		"img": "https://archive.orkl.eu/c1bb64c592eb64bb867fc9ba687ef9d043744f10.jpg"
	}
}