#Mythic

Open-source modular C2 framework by SpecterOps - pluggable agents and C2 profiles



IOCs tagged #Mythic, by window

  • Today: 0
  • Week: 0
  • Month: 2
  • Year: 1,143

Counts as of 2026-04-29. Regenerated daily.

About #Mythic

  • Type: open-source modular C2 framework maintained by SpecterOps. Designed around pluggable agents (Apollo, Athena, Poseidon, Apfell, Medusa) and pluggable C2 profiles (HTTP, websocket, SMB, dynamic DNS) so operators can mix and match for the engagement.
  • Abuse pattern: primarily a red-team / authorised-engagement tool, but the open-source nature means real-world intrusions occasionally surface (especially Apollo and Athena agents). Lower mass-volume than Sliver or Cobalt Strike but appears in higher-effort intrusions.
  • Detection signals: agent-specific YARA (Apollo .NET, Athena .NET, Poseidon Go, Apfell macOS), default mTLS certificates, distinctive web-UI ports on listeners. JA3 / JA4 fingerprints depend on the chosen C2 profile.
  • References: Mythic on GitHub · Malpedia.

Recent IOCs tagged #Mythic

Latest 2 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/mythic.

Date Type Value Source
Apr 16, 11:11 url http://137.184.76.171 @smica83
Apr 16, 11:11 ip 137.184.76.171 @smica83

Past-month volume is low; the year aggregate (1,143) reflects historical activity. For a longer window, query api.tweetfeed.live/v1/year/mythic.


Frequently asked questions

What is Mythic?

Mythic is an open-source modular C2 framework maintained by SpecterOps. Unlike monolithic frameworks, Mythic is built around pluggable agents - Apollo (.NET, Windows), Athena (.NET, multi-platform), Poseidon (Go, multi-platform), Apfell (macOS), Medusa (Python) - and pluggable C2 profiles (HTTP, websocket, SMB, dynamic DNS). Operators mix and match for each engagement.

Is Mythic primarily used legitimately or maliciously?

Primarily a red-team and authorised-engagement tool. The open-source nature means real-world intrusions occasionally surface - most often using the Apollo or Athena agents - but mass-volume in commodity malware is low. The IOCs on this page reflect Mythic infrastructure researchers have observed in real intrusions, not the upstream tool itself.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Mythic-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Mythic subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Mythic IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).