FAQ
What does the C2 Feed provide?
The C2 Feed provides high-confidence malicious infrastructure identified through Hunt’s scanning processes. The feed is delivered as a newline-delimited JSON dataset and is accessed through an API endpoint.
Returned entries may include IP address, hostname, scan URI, port, timestamp, malware name, malware subsystem, confidence score, and additional metadata.
How is data in the C2 Feed generated?
Hunt scans the internet for malware protocols, SSL certificates, and JARM/JA4 hashes. Hosting providers that favor malicious activity are subject to additional scanning.
Custom validation logic is applied to C2 candidates, and signatures and validators are updated by the Hunt Research team to enhance accuracy and discovery.
What time range does the C2 Feed return?
Each request to the C2 Feed returns data from the last 7 days relative to the time the feed is requested.
The C2 Feed is updated on a daily basis and accessed through API requests.
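A consumer-side sketch of the points above, added here as an example and not taken from Hunt's documentation: it parses a newline-delimited JSON body, tolerates missing fields, and de-duplicates across daily pulls, since each pull returns an overlapping 7-day window. The key names (`ip`, `port`, `malware_name`, `confidence`), the 0-100 confidence scale, and the sample lines are assumptions constructed for illustration.

```python
import json

# Constructed sample bodies for two consecutive daily pulls. Key names and the
# 0-100 confidence scale are assumptions, not the feed's documented schema.
# Addresses come from documentation ranges.
DAY_1 = """\
{"ip": "192.0.2.10", "hostname": "c2.example.test", "port": 443, "malware_name": "ExampleRAT", "confidence": 95}
{"ip": "192.0.2.11", "port": 8080, "malware_name": "ExampleRAT", "confidence": 40}
{"ip": "198.51.100.7", "port": 50050, "malware_name": "ExampleLoader"}
not-json garbage line
"""
DAY_2 = """\
{"ip": "192.0.2.10", "hostname": "c2.example.test", "port": 443, "malware_name": "ExampleRAT", "confidence": 95}
{"ip": "203.0.113.5", "port": 443, "malware_name": "ExampleStealer", "confidence": 99}
"""

def parse_feed(text):
    """Return (entries, skipped) for a newline-delimited JSON body."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # count bad lines instead of failing the pull
            continue
        if isinstance(obj, dict) and obj.get("ip"):
            entries.append(obj)
        else:
            skipped += 1
    return entries, skipped

def new_indicators(text, seen, min_confidence=80):
    """Return (fresh, skipped): entries at or above the threshold not yet in `seen`."""
    entries, skipped = parse_feed(text)
    fresh = []
    for e in entries:
        conf = e.get("confidence")  # optional field: entries "may include" it
        if not isinstance(conf, (int, float)) or conf < min_confidence:
            continue
        key = (e["ip"], e.get("port"), e.get("malware_name"))
        if key not in seen:
            seen.add(key)
            fresh.append(e)
    return fresh, skipped
```

Persist `seen` between pulls so that only entries new to the rolling window reach blocklists or alerting.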


