Practical queries for identifying malware infrastructure with FOFA.
AsyncRAT
Hardcoded Certificate Values
cert.subject.cn="AsyncRAT Server" || cert.issuer.cn="AsyncRAT Server"
Cobalt Strike
Default Certificate Values
cert.issuer.cn="Major Cobalt Strike"
cert.issuer.org="cobaltstrike"
Amadey Bot
Re-used certificate values
cert.subject.cn="desas.digital"
Quasar RAT
Default certificate values
cert.subject.cn="Quasar Server CA"
Laplas Clipper
Certificate values and favicon hash
cert.subject.cn="Laplas.app"
icon_hash="1123908622"
Sliver C2
Default Certificate values
cert.subject.cn="multiplayer" && cert.issuer.cn="operators"
Mythic C2
Default favicon hash and HTML title
icon_hash="-859291042"
title=="Mythic"
Supershell Botnet
HTML title and re-used favicon hash
icon_hash="-1010228102"
title="Supershell"