Malware Hunter, the project developed by Shodan and Recorded Future to find C&C Servers

Pierluigi Paganini May 02, 2017

Shodan and security firm Recorded Future launched Malware Hunter, a service that allows scanning the Internet to identify botnet C&C servers.

Malware researchers have a new powerful weapon in their arsenal, a joint project from Shodan and security firm Recorded Future dubbed Malware Hunter allow them to scan the Internet to identify botnet C&C servers.

The malware Hunter it able to identify botnet command and control (C&C) servers for various malware and botnets.

The results of the scan conducted with the Malware Hunter have been integrated into Shodan.

The researchers have designed specialized crawlers, to scan the Internet looking for computers and devices configured to function as a botnet C&C server by pretending to be infected computer that is reporting back to the command and control server.

The crawlers report to the maintainers of the project every IP address discovered during the scan that provides a response usually associated with a RAT.

“Port scanning tools are often used to identify and count specific services available to the public Internet, and using these same tools to identify and profile RATs is advantageous both for law enforcement and operational defenders.”

“RATs return specific responses (strings) when a proper request is presented on the RAT controller’s listener port,” state the report published by Recorded Future.

“In some cases, even a basic TCP three-way handshake is sufficient to elicit a RAT controller response. The unique response is a fingerprint indicating that a RAT controller (control panel) is running on the computer in question.”

According to the researchers, the Malware Hunter service has already found more than 5,700 Malicious C&C Servers, 18 of them located in my country, Italy.

To see Malware Hunter results, log in the Shodan service and search for ‘category:malware‘.

malware hunter it

According to current results obtained by the Malware Hunter service, top 3 countries hosting command and control servers are United States (72%), Hong Kong (12%) and China (5.2%).

Most common Remote Access Trojan (RAT) that are widely used are Gh0st RAT (93.5%), DarkComet (3.7%).

“Shodan’s signatures also include RATs, specifically Black Shades, Dark Comet, njRAT, XtremeRAT, Poison Ivy, and Net Bus. Thus Shodan is a valuable and useful originating intelligence source for identifying live RAT controllers. While the number of results varies, Shodan typically identifies between 400 and 600 individual RAT controllers on any given day. The results from September 18, 2015, can be downloaded from Recorded Future’s GitHub page” continues the report.

Enjoy the service.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Malware Hunter, Shodan)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini August 05, 2025

Zero Day Quest returns: Microsoft ups the stakes with $5M bug bounty

Pierluigi Paganini August 05, 2025