Practical queries for identifying malware infrastructure with FOFA.


AsyncRAT

Hardcoded certificate values.

"AsyncRAT Server" || "AsyncRAT Server"

Cobalt Strike

Default certificate values.

"Major Cobalt Strike"

"cobaltstrike"

Amadey Bot

Re-used certificate values.

""

Quasar RAT

Default certificate values.

"Quasar Server CA"

Laplas Clipper

Certificate values and favicon hash.

""

icon_hash="1123908622"

Sliver C2

Default certificate values.

"multiplayer" && "operators"

Mythic C2

Default favicon hash and HTML title.

icon_hash="-859291042"

title=="Mythic"

Supershell Botnet

HTML title and re-used favicon.

icon_hash="-1010228102"

title="Supershell"