Industry Tool Detects Thousands of C2 Server RATs

A tool developed by two security companies that scans the internet for command and control (C2) servers has already uncovered thousands of malicious RATs, or remote access trojans, on computers and other internet-connected devices.

Shodan, a search engine used by many security researchers, lists information for open ports belonging to internet-connected devices. The company teamed up with threat intelligence firm Recorded Future to integrate a new online crawler into its search engine called Malware Hunter.

Malware Hunter scans the internet regularly over time to identify C2 servers for various malware like RATs. RATs are typically leveraged by hackers with malicious intent to record audio, video and keystrokes, as well as exfiltrate files and more. Malware Hunter can currently detect at least 10 kinds of RATs, including DarkComet, njRAT, Poison Ivy, Ghost RAT and Net Bus.

According to Shodan, it works “by pretending to be an infected client that's reporting back to a C2. Since we don't know where the C2s are located the crawler effectively reports back to every IP on the internet as if the target IP is a C2. If the crawler gets a positive response from the IP then we know that it's a C2.”

Recorded Future released a report, “Proactive Threat Identification Neutralizes Remote Access Trojan Efficacy,” which explains in detail how the tool makes it easier to find the source of malware on C2s that control botnets.

The Hacker News founder and CEO Mohit Kumar tested out Malware Hunter and has already found more than 5,700 malicious C2 servers. He also reports that the United States sits in the top three countries hosting C2 servers, leading at 72 percent, followed by Hong Kong (12 percent) and China (5.2 percent).

Bleeping Computer reported that Malware Hunter will be able to uncover other types of malware botnets besides RATs, such as those for backdoor trojans, DDoS and cryptominers, in the future.

Shodan users can log in with a free account to use the tool.

About the Author

Sri Ravipati is Web producer for THE Journal and Campus Technology. She can be reached at [email protected].

Featured

  • laptop displaying a phishing email icon inside a browser window on the screen

    Phishing Campaign Targets ED Grant Portal

    Threat researchers at cybersecurity company BforeAI have identified a phishing campaign spoofing the U.S. Department of Education's G5 grant management portal.

  • multiple computer monitors connected by glowing blue lines in a network grid

    Gartner Forecasts Increased Spending on Desktop as a Service as Cost Optimization, Sustainability Drive Adoption

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • stylized figures, resumes, a graduation cap, and a laptop interconnected with geometric shapes

    OpenAI to Launch AI-Powered Jobs Platform

    OpenAI announced it will launch an AI-powered hiring platform by mid-2026, directly competing with LinkedIn and Indeed in the professional networking and recruitment space. The company announced the initiative alongside an expanded certification program designed to verify AI skills for job seekers.

  • young man in a denim jacket scans his phone at a card reader outside a modern glass building

    Colleges Roll Out Mobile Credential Technology

    Allegion US has announced a partnership with Florida Institute of Technology (FIT) and Denison College, in conjunction with Transact + CBORD, to install mobile credential technologies campuswide. Implementing Mobile Student ID into Apple Wallet and Google Wallet will allow students access to campus facilities, amenities, and residence halls using just their phones.