#c2

Command and Control infrastructure (URLs, IPs, domains) hosting attacker servers and beacons

Subscribe (RSS)


#c2

Command and Control servers (URLs, IPs, domains)

Subscribe (RSS)

IOCs by window

Today

1

IOCs tagged #c2

Week

49

IOCs tagged #c2

Month

170

IOCs tagged #c2

Year

24,483

IOCs tagged #c2

Counts as of 2026-05-16. Regenerated daily.

About #c2

  • Definition: infrastructure that an adversary uses to maintain a covert channel with compromised hosts. MITRE ATT&CK tracks it as Tactic TA0011 (Command and Control), with techniques covering application-layer protocols, encrypted channels, fast flux DNS, domain fronting and many others.
  • Common variants: Cobalt Strike Beacon, Sliver, Mythic, Havoc, Empire, plus bespoke implants. Infrastructure ranges from single-VPS HTTP listeners to complex chains with redirectors, fronting domains and CDN-hidden ingress.
  • Detection: DNS reputation, JA3/JA4 TLS fingerprinting, beacon-jitter analysis, sinkhole + traffic-analytics, certificate transparency for short-lived certs, and YARA on memory-resident agents.
  • References: MITRE ATT&CK TA0011 · see also tag-specific pages for #cobaltstrike, #sliver, #mythic, #havoc.

Recent IOCs tagged #c2

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/c2.

Date Type Value Source
May 16, 07:15 ip 31.7.61.61 @Fact_Finder03
May 15, 18:00 domain nid-navercwu.servecounterstrike.com @phatomcandle
May 15, 18:00 url http://nid-navercwu.servecounterstrike.com @phatomcandle
May 15, 18:00 url http://27.102.137.150 @phatomcandle
May 15, 18:00 ip 27.102.137.150 @phatomcandle
May 15, 12:01 ip 152.53.154.171 @Fact_Finder03
May 15, 04:27 ip 82.165.117.72 @Fact_Finder03
May 15, 04:27 sha256 28355d24778995371c72eb59629f622c0e4c1d023148f0ab8a3dbe7a0582... @Fact_Finder03
May 15, 04:27 sha256 485ddc0020a483f5e97a1ea91f6d915f7cfb909bf9662fbb4655eafc93ca... @Fact_Finder03
May 14, 08:47 ip 178.16.53.166 @Fact_Finder03

Related tags

Tags that frequently co-occur with #c2.

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What is C2 (Command and Control)?

Command and Control is the channel adversaries use to communicate with compromised hosts during an intrusion. The MITRE ATT&CK framework groups all related techniques under tactic TA0011. C2 infrastructure can be a single VPS hosting an HTTP listener, or a long chain involving redirectors, fronting domains and CDN-hidden ingress to evade detection.

Which C2 frameworks generate the most IOCs on TweetFeed?

Cobalt Strike, Sliver, Mythic, Havoc and bespoke implants dominate the corpus. Each has its own dedicated tag on TweetFeed for finer filtering: see #cobaltstrike, #sliver, #mythic, #havoc. The #c2 umbrella tag is broader and includes everything researchers flag as C2 infrastructure regardless of framework.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. C2-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this C2 subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

C2 IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).