{
	"id": "334d9fb9-746a-476d-a614-371d1571c49e",
	"created_at": "2026-04-06T00:18:26.845137Z",
	"updated_at": "2026-04-10T03:32:21.670672Z",
	"deleted_at": null,
	"sha1_hash": "d48d4b89e3fa402cd56461daf284987b9674d515",
	"title": "Detecting Threats in Real-time With Active C2 Information",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92316,
	"plain_text": "Detecting Threats in Real-time With Active C2 Information\r\nBy Takahiro Haruyama, Omar Elgebaly\r\nPublished: 2020-09-22 · Archived: 2026-04-02 12:29:20 UTC\r\nOften security practitioners rely on the reputation of IP addresses to determine whether traffic to and from that IOC is malicious. In practice, the reputation of IOCs, IPs specifically, is only updated once public repositories or tracking projects have observed the command and control (C2) server being used maliciously. This visibility can be beneficial against more commoditized attacks or campaigns; with targeted attacks, however, C2 servers are often not disclosed until well after they are no longer in use. For several months the VMware Threat Analysis Unit™ (TAU) has been identifying and reversing malware families that were good candidates for discovering C2 instances in real time.\r\nAs an example, look at the VirusTotal result for one IP address below. At the time of this report, AV engines detected it as harmless (0/73).\r\nFigure 1: VT result against one IP address\r\nHowever, TAU is sure it is malicious. In fact, the IP is a Winnti 4.0 C2 server, and the C2 is active as of the time of this writing. How can we conclude that?\r\nSince last year, TAU has developed a system to discover active malware C2 servers on the Internet and has used this intelligence to support incident response cases. Today we are pleased to announce that this active C2 information will be available to our EDR and Enterprise EDR customers.\r\nHow to utilize the active C2 information\r\nThe information that TAU collects will be made available in the Known IOC Watchlist, under the Active C2 report. This report is updated on a routine basis: as we discover new C2s, we automatically add them to the report. Conversely, C2 IP addresses that are no longer in use are removed 30 days after the last day they were observed. 
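As an added example (not code from the VMware post or from the Carbon Black product), the following Python models the report lifecycle described in this section: sightings accumulate, each weekly compile keeps an address for 30 days after its last observation and drops it afterwards, and endpoint network-connection events are then checked against the currently published set. The event schema, the sample addresses (documentation ranges) and the dates are constructed for illustration.

```python
# Added example, not from the VMware post: a small model of the Active C2
# report lifecycle (weekly recompile, 30-day retention after last sighting)
# plus a matcher for endpoint network-connection events. The event field
# names, sample IPs and dates are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address

RETENTION_DAYS = 30  # an address stays in the report 30 days after it was last observed


@dataclass
class C2Entry:
    ip: str
    family: str
    first_seen: date
    last_seen: date


class ActiveC2Report:
    '''Accumulates C2 sightings and rebuilds the published list with 30-day aging.'''

    def __init__(self):
        self.entries = {}       # ip -> C2Entry, everything seen and not yet aged out
        self.published = set()  # addresses in the report as of the last compile

    def observe(self, ip, family, seen_on):
        '''Record a sighting. ip_address() rejects malformed input and gives
        IPv6 a canonical text form, so the same C2 is never listed twice.'''
        ip = str(ip_address(ip))
        entry = self.entries.get(ip)
        if entry is None:
            self.entries[ip] = C2Entry(ip, family, seen_on, seen_on)
        else:
            entry.last_seen = max(entry.last_seen, seen_on)
        return ip

    def compile(self, as_of):
        '''Weekly rebuild: keep anything seen within RETENTION_DAYS of as_of
        (inclusive) and drop the rest. Returns (published, removed) so the
        drop list can be audited rather than silently disappearing.'''
        keep = {}
        removed = []
        for ip, entry in self.entries.items():
            if (as_of - entry.last_seen).days <= RETENTION_DAYS:
                keep[ip] = entry
            else:
                removed.append(ip)
        self.entries = keep
        self.published = set(keep)
        return sorted(self.published), sorted(removed)


def match_netconns(report_ips, events):
    '''Return the events whose remote_ip is a currently listed C2 (constructed event schema).'''
    return [ev for ev in events if ev['remote_ip'] in report_ips]


def demo():
    '''Constructed scenario: what two consecutive weekly compiles publish and drop.'''
    report = ActiveC2Report()
    report.observe('192.0.2.10', 'Winnti 4.0', date(2020, 7, 1))
    report.observe('198.51.100.7', 'Cobalt Strike', date(2020, 9, 15))
    report.observe('203.0.113.5', 'PoshC2', date(2020, 8, 23))
    report.observe('2001:DB8::1', 'Dacls (aka MATA)', date(2020, 9, 1))
    # 2020-08-23 is exactly 30 days before the compile date: still listed
    week1 = report.compile(date(2020, 9, 22))
    events = [  # constructed endpoint network-connection records
        {'host': 'ws-17', 'remote_ip': '198.51.100.7', 'remote_port': 443},
        {'host': 'ws-22', 'remote_ip': '192.0.2.10', 'remote_port': 443},
        {'host': 'ws-31', 'remote_ip': '2001:db8::1', 'remote_port': 443},
    ]
    hits = [ev['host'] for ev in match_netconns(report.published, events)]
    # one week later 203.0.113.5 is 37 days old and falls out of the report
    week2 = report.compile(date(2020, 9, 29))
    return week1, hits, week2


if __name__ == '__main__':
    week1, hits, week2 = demo()
    print('week 1 published/removed:', week1)
    print('hosts contacting a listed C2:', hits)
    print('week 2 published/removed:', week2)
```

The compile step returns the removed addresses alongside the published ones so a team can keep hunting for samples that beacon to recently expired C2s; the 30-day boundary is inclusive, matching the wording that an address stays for 30 days after the last day it was observed.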
In concrete terms: when a C2 server is discovered, it is added to the report at the next recompile, which happens every Tuesday. When the C2 is later determined to be no longer active, the IP address remains in the report for an additional 30 days and is then removed. This window gives security practitioners ample time to identify malware samples that may still be present on endpoints and attempting to communicate with discovered C2s.\r\nSupported Malware families and Penetration testing tools\r\nTAU has currently identified six families for which we are actively attempting to discover C2 servers. The table below lists the malware and penetration-testing tools for which TAU is discovering the respective C2 servers. The discovery process is a snapshot in time, and it is possible that transient C2 servers are stood up and taken down without being observed. The table also gives the protocols we discover for each family, the date initial discovery started, whether configuration information can be extracted as part of the process, and the accumulated total of C2s observed for each family. TAU is constantly adding to the table as new families are analyzed and deemed good candidates for the discovery process.\r\nmalware or tool name | supported protocols | discovery start | config extraction | accumulated total (since start date)\r\nHYDSEVEN NetWire | TCP | Nov. 2019 | no | 0\r\nWinnti 4.0 | TCP/TLS/UDP/HTTP/HTTPS | Dec. 2019 | no | 19\r\nCobalt Strike | HTTP/HTTPS/DNS/ExternalC2 | Feb. 2020 | yes | 3023\r\nPoshC2 | HTTP/HTTPS | Jun. 2020 | yes | 2\r\nDacls (aka MATA) | TLS | Aug. 2020 | no | 49\r\nComRAT v4 | HTTP/HTTPS | Aug. 2020 | no | 1\r\nTable 1: malware and penetration tools supported by the system\r\nTo discover C2 servers, the system strictly emulates each malware family’s customized protocol. The results of the discovery process to date have not produced any significant false positives. For more details, see the previous write-ups on HYDSEVEN NetWire and Winnti 4.0. Additionally, the system extracts configuration values by downloading and decoding samples when possible (e.g., Cobalt Strike). Note that the discovery process does not circumvent any technological measure such as authentication.\r\nTAU will continue to analyze additional malware and penetration tools and embed their C2 discovery functions into the system in order to improve our own visibility against the latest threats. By combining these network-specific IOCs with the native capabilities of EDR tools, customers can enhance their ability to detect threats in real time.\r\nKnown IOC Feed\r\nCustomers can review the VMware Carbon Black User Exchange post to learn where to find the Active C2 feed and how to subscribe to the watchlist.\r\nSource: https://blogs.vmware.com/security/2020/09/detecting-threats-in-real-time-with-active-c2-information.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2020/09/detecting-threats-in-real-time-with-active-c2-information.html"
	],
	"report_names": [
		"detecting-threats-in-real-time-with-active-c2-information.html"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434706,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d48d4b89e3fa402cd56461daf284987b9674d515.pdf",
		"text": "https://archive.orkl.eu/d48d4b89e3fa402cd56461daf284987b9674d515.txt",
		"img": "https://archive.orkl.eu/d48d4b89e3fa402cd56461daf284987b9674d515.jpg"
	}
}