Practical queries for identifying malware infrastructure with FOFA.
https://en.fofa.info/
AsyncRAT
Hardcoded Certificate Values
cert.subject.cn="AsyncRAT Server" || cert.issuer.cn="AsyncRAT Server"
- Link
Cobalt Strike
Default Certificate Values
cert.issuer.cn="Major Cobalt Strike"
- Link
cert.issuer.org="cobaltstrike"
- Link
Amadey Bot
Re-used certificate values
cert.subject.cn="desas.digital"
- Link
Quasar RAT
Default certificate values.
cert.subject.cn="Quasar Server CA"
- Link
Laplas Clipper
Certificate values and favicon hash.
cert.subject.cn="Laplas.app"
- Link
icon_hash="1123908622"
- Link
Sliver C2
Default Certificate values
cert.subject.cn="multiplayer" && cert.issuer.cn="operators"
- Link
Mythic C2
Default favicon hash and html title
icon_hash="-859291042"
- Link
title=="Mythic"
- Link
Supershell Botnet
HTML titles and re-used favicon
icon_hash="-1010228102"
- Link
title="Supershell"
- Link