10+ RATs

3,000+ C2s identified

24/ 7 Coverage


Frequently Asked Questions


What is malware hunter?

Malware Hunter is a specialized Shodan crawler that explores the Internet looking for command & control (C2s) servers for botnets. It does this by pretending to be an infected client that's reporting back to a C2. Since we don't know where the C2s are located the crawler effectively reports back to every IP on the Internet as if the target IP is a C2. If the crawler gets a positive response from the IP then we know that it's a C2.


Why did my security software raise an alert?

Malware Hunter doesn't perform any attacks and the requests it sends don't contain any malicious content. The reason your security product raised an alert is because it is using a signature that should only be used for traffic leaving the network (egress) but is incorrectly being applied to incoming traffic (ingress). In other words: the security product is using a signature that was meant to detect when a computer on your network was infected and reporting back to a C2. However, the signature is also being applied to all traffic going into your network which is why it's raising a false alert.


Where can I learn more about this method?

Recorded Future has released a report and article that explains the technique in more detail and how it helps to pre-emptively find the malware C2s:
View Report (PDF)


Can I see the results?

Yes! If an IP is classified as a C2 then you will see the "malware" tag on it. And all the results of Malware Hunter can be found by searching on Shodan. Note that you will need to have a Corporate subscription to download the full list of results.



Want to Help?

We're always looking for new malware to detect and help track down C2s! If you'd like to join the effort please email us at:

support@shodan.io