Practical queries for identifying malware infrastructure with FOFA.

https://en.fofa.info/

AsyncRAT

Hardcoded Certificate Values

cert.subject.cn="AsyncRAT Server" || cert.issuer.cn="AsyncRAT Server"

Cobalt Strike

Default Certificate Values

cert.issuer.cn="Major Cobalt Strike"

cert.issuer.org="cobaltstrike"

Amadey Bot

Re-used certificate values

cert.subject.cn="desas.digital"

Quasar RAT

Default certificate values

cert.subject.cn="Quasar Server CA"

Laplas Clipper

Certificate values and favicon hash

cert.subject.cn="Laplas.app"

icon_hash="1123908622"

Sliver C2

Default Certificate values

cert.subject.cn="multiplayer" && cert.issuer.cn="operators"

Mythic C2

Default favicon hash and HTML title

icon_hash="-859291042"

title=="Mythic"

Supershell Botnet

HTML titles and re-used favicon

icon_hash="-1010228102"

title="Supershell"
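The same signatures can be applied offline to certificate, title and favicon data from your own scans or TLS logs; the following is an added example (not from the original page, and not FOFA's own code) of a small evaluator for the query syntax used above, where `=` is FOFA's fuzzy match, `==` is an exact match, and `&&` binds tighter than `||`. The per-family grouping of the queries, the fuzzy-match semantics, the qbase64 helper and the sample host records are assumptions made for the example.

```python
"""Apply this page's FOFA-style rules to local host records (added example)."""
import base64
import re

# The page's queries, combined into one expression per family here.
RULES = {
    "AsyncRAT": 'cert.subject.cn="AsyncRAT Server" || cert.issuer.cn="AsyncRAT Server"',
    "Cobalt Strike": 'cert.issuer.cn="Major Cobalt Strike" || cert.issuer.org="cobaltstrike"',
    "Amadey Bot": 'cert.subject.cn="desas.digital"',
    "Quasar RAT": 'cert.subject.cn="Quasar Server CA"',
    "Laplas Clipper": 'cert.subject.cn="Laplas.app" || icon_hash="1123908622"',
    "Sliver C2": 'cert.subject.cn="multiplayer" && cert.issuer.cn="operators"',
    "Mythic C2": 'icon_hash="-859291042" || title=="Mythic"',
    "Supershell": 'icon_hash="-1010228102" || title="Supershell"',
}

# One term: a field, the operator ('=' fuzzy, '==' exact) and a quoted value.
TERM = re.compile(r'([\w.]+)\s*(==|=)\s*"([^"]*)"')

def match_term(host, field, op, value):
    actual = str(host.get(field, ""))
    if op == "==":
        return actual == value  # exact match
    # '=' is FOFA's fuzzy match, modelled here as a case-insensitive substring
    # test (an assumption; FOFA's own fuzzy matching may be broader).
    return value.lower() in actual.lower()

def evaluate(expr, host):
    # '||' binds looser than '&&': the host matches if every term of any OR-clause holds.
    for clause in expr.split("||"):
        terms = [TERM.fullmatch(t.strip()) for t in clause.split("&&")]
        if all(terms) and all(match_term(host, *m.groups()) for m in terms):
            return True
    return False

def classify(host):
    """Return the families whose rule matches this host record."""
    return sorted(name for name, expr in RULES.items() if evaluate(expr, host))

def qbase64(expr):
    """FOFA's search API expects the query base64-encoded (qbase64 parameter; assumed from its docs)."""
    return base64.b64encode(expr.encode()).decode()

# Constructed sample records (e.g. parsed from a local TLS/HTTP scan); not real hosts.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "cert.subject.cn": "multiplayer", "cert.issuer.cn": "operators"},
    {"ip": "192.0.2.11", "title": "Mythic Login", "icon_hash": "-859291042"},
    {"ip": "192.0.2.12", "cert.issuer.org": "CobaltStrike"},
    {"ip": "192.0.2.13", "cert.subject.cn": "example.org", "title": "Welcome"},
]
```

Note that a title of "Mythic Login" does not satisfy the exact `title=="Mythic"` term, so the second sample host is matched only through its favicon hash; a certificate-only match on a single Sliver term is likewise insufficient because that rule requires both terms.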