{
	"id": "792285e0-77f1-4483-a577-e0ba4c71b2fb",
	"created_at": "2026-04-06T00:15:27.854912Z",
	"updated_at": "2026-04-10T13:11:45.541193Z",
	"deleted_at": null,
	"sha1_hash": "fe52dee64e719ea763f6e8b485eb690cd77c5290",
	"title": "Threat Intelligence Query Examples - Real World Queries for Identifying Malware Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 188109,
	"plain_text": "Threat Intelligence Query Examples - Real World Queries for Identifying Malware Infrastructure\r\nBy Matthew\r\nPublished: 2023-06-07 · Archived: 2026-04-05 12:48:17 UTC\r\nAn informal page for storing Censys/Shodan queries that have returned interesting results.\r\nIncluding examples for -\r\nAsyncRAT, Solarmarker, Amadey, Quasar, Laplas, Sliver, Mythic, Qakbot + more\r\nAsyncRAT - Common x509 Certificates\r\nHardcoded values in x509 certificates used for TLS communication.\r\nservices.tls.certificates.leaf_data.subject.common_name:\"AsyncRAT Server\" or services.tls.certificates.leaf_dat\r\n(Link)\r\nCommonalities between SSH host key and running ports. Typically only ports 22 and 80. The SSH host key is the primary piece here.\r\nservices:(ssh.server_host_key.fingerprint_sha256 = \"c655bae831ca57a857b26d76a7c98a56a65d00fdab7d234a64addf8166e\r\nQakbot (Possibly Pikabot) - Masquerading as Slack\r\nQakbot C2s masquerading as a Slack-related site. It is also possible that this is Pikabot, which uses similar tactics.\r\nnot dns.reverse_dns.names:* and services.http.response.html_title:\"Slack is your productivity platform | Slack\"\r\nhttps://embee-research.ghost.io/shodan-censys-queries/\r\nPage 1 of 6\r\nCobalt Strike - Default Certificate Values\r\nVery generic Cobalt Strike indicators based on default certificate values. Likely very unsophisticated actors.\r\nservices.tls.certificates.leaf_data.issuer.common_name=\"Major Cobalt Strike\" (Link)\r\nservices.tls.certificates.leaf_data.issuer.organization=\"cobaltstrike\" (Link)\r\nservices.tls.certificates.leaf_data.issuer.organizational_unit=\"AdvancedPenTesting\" (Link)\r\nservices.tls.certificates.leaf_data.subject.province=\"Cyberspace\" and services.tls.certificates.leaf_data.subject.country=\"Earth\" (Link)\r\nssl.cert.subject.cn:\"Major Cobalt Strike\" (Link)\r\nssl.cert.issuer.cn:\"Major Cobalt Strike\" (Link)\r\nRemcos - Re-Used SSH Host Key and Usage of Hestia Control Panel\r\nAt least two of these servers are related to Remcos RAT. There is a re-used SSH host key that is also related to Jupyter/Solarmarker.\r\nservices:(ssh.server_host_key.fingerprint_sha256 = \"c655bae831ca57a857b26d76a7c98a56a65d00fdab7d234a64addf8166e\r\nAmadey Bot - Re-used Certificate Values\r\nRe-used CN name in TLS certificates, as well as a unique and re-used HTTP response body containing Russian swear words. Full Analysis Here.\r\nservices.tls.certificates.leaf_data.subject.common_name:\"desas.digital\"\r\nservices.http.response.body_hash:\"sha1:e084a66d16925abf43390c59d783f7a2fb49752d\"\r\nQuasar RAT - Re-used Certificate Values\r\nRe-used CN name used in TLS certificates. Full Analysis Here.\r\nservices.tls.certificates.leaf_data.subject.common_name: \"Quasar Server CA\"\r\n(Link)\r\nLaplas Clipper - Re-used Certificate Values\r\nRe-used CN name used in TLS certificates. Full Analysis here.\r\nservices.tls.certificates.leaf_data.subject.common_name:\"Laplas.app\" or services.tls.certificates.leaf_data.iss\r\n(Link)\r\nSliver C2 - Re-used Certificate Values\r\nRe-used CN names in TLS certificates. Twitter Post\r\nservices:(tls.certificates.leaf_data.subject.common_name:multiplayer and tls.certificates.leaf_data.issuer.comm\r\n(Link)\r\nMythic C2 - Default HTML Title + Default Favicon\r\nDefault HTML titles, favicon hash and CN name.\r\n(services.http.response.html_title=\"Mythic\") or services.http.response.favicons.md5_hash=\"6be63470c32ef458926ab\r\n(Link)\r\nViper Servers - Default String + Favicon Hash\r\nQueries based on the \"Viper\" string in the HTML title and response. Not 100% sure what Viper is.\r\nA lot of Viper servers seem to have Cobalt Strike running on alternate ports.\r\nhttp.html_hash:-1250764086 (Link)\r\n+http.title:\"viper\" +http.html:viper +\"Content-Length: 69\" (Link)\r\nservices.http.response.favicons.md5_hash=\"a7469955bff5e489d2270d9b389064e1\" (Link)\r\nservices:(http.response.html_title:\"Viper\" and http.response.body:Viper and http.response.headers.content_length:69) (Link)\r\nCobalt Strike - Ja3 + Empty Certificate Values\r\nOverlapping JA3S and lack of issuer/common names in the certificate.\r\nUnconfirmed if all are Cobalt Strike, but at least a few were successful hits.\r\nservices:(tls.ja3s:475c9302dc42b2751db9edcac3b74891 and tls.certificates.leaf_data.subject.common_name=\"\" and t\r\n(Link)\r\nOpen Directories - .exe files on port 8000\r\nOpen directories residing on port 8000 and containing at least one .exe file. Reasonable number of false positives, but a lot of interesting results, e.g. servers containing revshell.exe and similar.\r\nservices:(http.response.html_title:\"Directory Listing\" and http.response.body:*.exe and port:8000) and not serv\r\nOpen Directories - Referencing Netcat\r\nOpen directories containing references to netcat nc.exe\r\nservices.http.response.body:\"nc.exe\" or services.http.response.body:\"ncat.exe\"\r\nOpen Directories - Referencing Common Attack Tooling\r\nOpen directories containing references to attack tooling: procdump.exe, nc.exe, ngrok.exe etc.\r\nservices.http.response.body:\"procdump.exe\" or services.http.response.body:\"nc.exe\" or services.http.response.bo\r\nOpen Directories - Referencing Powershell Scripts\r\nOpen directories containing a file with a .ps1 extension. Most of these contain suspicious PowerShell scripts.\r\n(Any .ps1 script)\r\nservices:(http.response.body:*.ps1 and http.response.html_title:\"Directory Listing\" and banner:Python)\r\n(Single char .ps1 name)\r\nservices:(http.response.html_title:\"Directory Listing\" and http.response.body:?.ps1)\r\nOpen Directories - Referencing Anydesk Remote Access Tooling\r\nOpen directories with references to AnyDesk (remote access tooling). Typically in the form of anydesk.exe or anydesk.bat and coupled with other suspicious files.\r\nservices:((http.response.body:anydesk.*) and http.response.html_title:\"Directory listing\")\r\nOpen Directories - Short Executable Names\r\nOpen directories containing .exe files with single or double character exe names.\r\nservices:(http.response.html_title:\"Directory Listing\" and http.response.body:??.exe)\r\nservices:(http.response.html_title:\"Directory Listing\" and http.response.body:?.exe)\r\nOpen Directories - Single Char Batch Scripts\r\nSuspicious single-character .bat files inside of open directories, e.g. 1.bat\r\nservices:(http.response.html_title:\"Directory Listing\" and http.response.body:?.bat)\r\nOpen Directories - Executable and Script Files\r\nOpen directories containing a .exe file and at least one of .vbs, .ps1, .bat. Mostly malicious.\r\nservices:(http.response.body:.exe and (http.response.body:.vbs or http.response.body:ps1 or http.response.body\r\nProtonVPN Behind Dynamic DNS - Observed in AsyncRAT\r\nDynamic DNS resolving to ProtonVPN instances. Observed with AsyncRAT fresh03.ddns[.net] resolving to (VPN) 46.166.182[.]34. Difficult to confirm the nature of results as minimal services are running and port forwarding is likely used.\r\nservices.tls.certificates.leaf_data.subject.common_name:*protonvpn.net and dns.names:*.ddns.net\r\nWhiteSnake Stealer - Common Patterns in HTTP Response\r\nCommon patterns in HTTP responses for WhiteSnake stealer control panels.\r\nThe original IP that inspired the query is from RussianPanda's blog.\r\nservices:(http.response.body:DutchCoders and http.response.body:keybase and http.response.body:Virustotal)\r\nSource: https://embee-research.ghost.io/shodan-censys-queries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://embee-research.ghost.io/shodan-censys-queries/"
	],
	"report_names": [
		"shodan-censys-queries"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434527,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe52dee64e719ea763f6e8b485eb690cd77c5290.pdf",
		"text": "https://archive.orkl.eu/fe52dee64e719ea763f6e8b485eb690cd77c5290.txt",
		"img": "https://archive.orkl.eu/fe52dee64e719ea763f6e8b485eb690cd77c5290.jpg"
	}
}