#c2

Command and Control infrastructure (URLs, IPs, domains) hosting attacker servers and beacons




IOCs by window

  • Today: 9 IOCs tagged #c2
  • Week: 27 IOCs tagged #c2
  • Month: 85 IOCs tagged #c2
  • Year: 27,242 IOCs tagged #c2

Counts as of 2026-04-29. Regenerated daily.

About #c2

  • Definition: infrastructure that an adversary uses to maintain a covert channel with compromised hosts. MITRE ATT&CK tracks it as Tactic TA0011 (Command and Control), with techniques covering application-layer protocols, encrypted channels, fast flux DNS, domain fronting and many others.
  • Common variants: Cobalt Strike Beacon, Sliver, Mythic, Havoc, Empire, plus bespoke implants. Infrastructure ranges from single-VPS HTTP listeners to complex chains with redirectors, fronting domains and CDN-hidden ingress.
  • Detection: DNS reputation, JA3/JA4 TLS fingerprinting, beacon-jitter analysis, sinkholing combined with traffic analytics, certificate transparency monitoring for short-lived certificates, and YARA scanning for memory-resident agents.
  • References: MITRE ATT&CK TA0011 · see also tag-specific pages for #cobaltstrike, #sliver, #mythic, #havoc.

Recent IOCs tagged #c2

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/c2.



Frequently asked questions

What is C2 (Command and Control)?

Command and Control is the channel adversaries use to communicate with compromised hosts during an intrusion. The MITRE ATT&CK framework groups all related techniques under tactic TA0011. C2 infrastructure can be a single VPS hosting an HTTP listener, or a long chain involving redirectors, fronting domains and CDN-hidden ingress to evade detection.

Which C2 frameworks generate the most IOCs on TweetFeed?

Cobalt Strike, Sliver, Mythic, Havoc and bespoke implants dominate the corpus. Each has its own dedicated tag on TweetFeed for finer filtering: see #cobaltstrike, #sliver, #mythic, #havoc. The #c2 umbrella tag is broader and includes everything researchers flag as C2 infrastructure regardless of framework.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. C2-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this C2 subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

C2 IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).