C2 Tracker

Website: https://github.com/montysecurity/C2-Tracker
Category: Threat Intelligence

C2 Tracker is a threat intelligence project by montysecurity that identifies active command-and-control servers used by malware and offensive security frameworks. It tracks IP addresses associated with known C2 frameworks including Cobalt Strike, Metasploit, Sliver, Brute Ratel, Havoc, and others. We use this data on robtex.com and rbls.org to flag IPs that are currently or recently operating as malware command infrastructure.

Source: C2 Tracker

What is C2 Tracker?

Command-and-control (C2) servers are the backbone of most cyberattacks. After malware infects a target system, it connects back to a C2 server to receive instructions, exfiltrate data, or download additional payloads. Identifying these servers is critical for network defense because blocking C2 communication can neutralize malware even after initial compromise.

C2 Tracker focuses specifically on identifying the server-side infrastructure of popular offensive frameworks:

  • Cobalt Strike - The most widely used commercial red team framework, frequently abused by threat actors. Identifiable by specific JARM fingerprints, TLS certificates, and beacon patterns
  • Metasploit - Open-source penetration testing framework with recognizable Meterpreter listener characteristics
  • Sliver - Modern open-source C2 framework gaining popularity as a Cobalt Strike alternative
  • Brute Ratel - Commercial adversary simulation tool that has leaked to criminal groups
  • Havoc - Open-source post-exploitation framework
  • Mythic - Collaborative red team platform
  • PoshC2 - PowerShell-based C2 framework

The project detects these frameworks in internet-wide scan data, matching on their network signatures, TLS certificate patterns, HTTP response characteristics, and JARM fingerprints. Because detection keys on the fingerprint of the listener itself rather than on a domain name, it finds a C2 server only where that listener is directly reachable on the internet; a server placed behind a redirector, CDN, or domain-fronting setup exposes the fronting host's fingerprint, not its own, and is not identified this way.

The resulting dataset is published on GitHub and updated regularly as new C2 servers are detected and old ones go offline.

How We Use This Data

On IP lookup and reputation pages across robtex.com and rbls.org, we check queried IPs against the C2 Tracker dataset. When a match is found, we display which C2 framework was detected and when it was last observed. This is a high-severity indicator, as active C2 servers represent direct attack infrastructure.

C2 Tracker data is particularly valuable for incident response. If an organization detects suspicious outbound connections, checking the destination IP against C2 Tracker can immediately confirm whether the traffic is reaching known malware infrastructure. This accelerates triage from "suspicious connection" to "confirmed C2 communication" and enables faster containment.

The framework identification also provides tactical intelligence. Knowing that a C2 server runs Cobalt Strike versus Sliver helps incident responders anticipate the attacker's capabilities and likely techniques.
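The triage described above, as an added example that is not code from the C2 Tracker project or from robtex.com: it loads a feed in the shape C2 Tracker publishes (one IPv4 address per line, one file per framework), indexes it, and matches the destination of each outbound firewall record against it, reporting the framework(s) and whether the connection was blocked. The feed contents, the key=value log format, and every IP address (taken from the RFC 5737 documentation ranges) are constructed for the example, and the function names are the author's own.

```python
"""Triage outbound connection logs against a C2 Tracker-style IP feed.

Added example, not code from the C2 Tracker project or from robtex.com.
Assumed inputs: per-framework text files with one IPv4 address per line
(the shape C2 Tracker publishes), and simple key=value firewall records.
Both are constructed below so the script runs offline.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for the per-framework feed files (documentation IPs).
# Comments and blank lines are tolerated by the loader below.
FEED_FILES = {
    "Cobalt Strike": "203.0.113.10\n203.0.113.11\n# test entry\n\n",
    "Sliver": "198.51.100.7\n",
    "Metasploit": "203.0.113.10\n",   # the same IP can appear under two frameworks
}

# Constructed firewall log lines; not real traffic.
LOG_LINES = [
    "2024-05-01T12:00:01Z action=allow src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-05-01T12:00:02Z action=allow src=10.0.0.5 dst=192.0.2.44 dport=443 proto=tcp",
    "2024-05-01T12:00:03Z action=allow src=10.0.0.9 dst=198.51.100.7 dport=8443 proto=tcp",
    "2024-05-01T12:00:04Z action=deny src=10.0.0.9 dst=203.0.113.11 dport=80 proto=tcp",
    "garbage line with no fields",
]


def load_feed(files):
    """Build {ip -> set(frameworks)} from per-framework file contents.

    Malformed lines are skipped rather than raising: one bad entry in a
    feed must not disable the whole check.
    """
    index = defaultdict(set)
    for framework, text in files.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                ip = str(ipaddress.ip_address(line))   # normalises and validates
            except ValueError:
                continue
            index[ip].add(framework)
    return index


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of a record plus its timestamp, or None."""
    fields = dict(_KV.findall(line))
    if "dst" not in fields:
        return None
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def triage(lines, index):
    """Return one hit per record whose destination is in the feed.

    A denied connection is still a hit: the host attempted to reach C2
    infrastructure, which is the indicator of compromise regardless of
    whether the perimeter stopped the session.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        frameworks = index.get(rec["dst"])
        if frameworks:
            hits.append({
                "ts": rec["ts"],
                "src": rec.get("src"),
                "dst": rec["dst"],
                "frameworks": sorted(frameworks),
                "blocked": rec.get("action") == "deny",
            })
    return hits


def compromised_hosts(hits):
    """Internal sources that contacted C2 infrastructure, i.e. the containment list."""
    return sorted({h["src"] for h in hits if h["src"]})


if __name__ == "__main__":
    idx = load_feed(FEED_FILES)
    found = triage(LOG_LINES, idx)
    for h in found:
        state = "blocked" if h["blocked"] else "ALLOWED"
        print(f"{h['ts']} {h['src']} -> {h['dst']} [{', '.join(h['frameworks'])}] {state}")
    print("hosts to contain:", compromised_hosts(found))
```

In practice the feed files would be read from a local clone of the repository and the log lines streamed from the firewall or proxy; the matching logic is unchanged. Note that the sorted framework list makes a hit against an IP listed under two frameworks (here Cobalt Strike and Metasploit) visible at a glance, which matters for the tactical read of what the attacker is likely running.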

FAQ

If an IP is flagged as a C2 server, does that mean it is actively attacking systems right now?
It means the IP was detected running C2 framework software at the time of scanning. C2 servers can be active for weeks or months, or they can be taken down quickly, and cloud IPs in particular are recycled to new tenants, so compare the last-observed date we show against the time of the connection you are investigating. Some are used for legitimate red team exercises rather than criminal activity. However, any connection to a known C2 server from your network should be treated as a serious indicator of compromise and investigated immediately.
Why do some C2 servers appear on cloud hosting platforms like AWS or Azure?
Attackers frequently use cloud infrastructure for C2 because it is easy to provision, provides reliable connectivity, and the IP ranges are often whitelisted by corporate firewalls. Cloud providers work to shut down abuse, but the ease of spinning up new instances means C2 servers constantly appear and disappear across cloud platforms.
How does C2 Tracker differ from general IP blocklists?
General blocklists flag IPs for various types of abuse (spam, scanning, brute force). C2 Tracker specifically identifies malware command infrastructure using framework-specific detection signatures. An IP on C2 Tracker is not just "suspicious" but has been positively identified as running specific attack software. This makes it a higher-confidence, more actionable indicator than a generic blocklist entry.