Kicking ACKs and taking domain names
Only domain trees from most common 8* C2 shown
Follow @SarlackLab on BlueSky/Mastodon for daily updates on malicious servers
Map history and C2 trends available in /C2-Logs/ directory
The redder: a square appears, the more command-and-control (C2) servers are hosted in that /8 space.
XKCD has a comic explaining IPv4 Hilbert curves
- 23.235.128.0/19
- 154.213.32.0/19
- 124.220.0.0/14
- 1.94.0.0/15
- 3.120.0.0/13
- 113.44.0.0/16
- 148.66.0.0/19
- 101.42.0.0/15
- 147.185.221.0/24
- 154.216.32.0/20
- 23.227.202.128/28
- 147.185.221.0/24
- 176.65.142.0/24
- 176.65.144.0/24
- 176.65.134.0/24
- 176.65.140.0/23
- 86.54.42.0/24
- 156.238.233.0/24
- 196.251.69.0/24
- 62.60.226.0/24
I built the Sarlack to "devour malware in a sandbox". The server automatically grabbed and analyzed malware samples for personal research and to assist my SOC. While studying network detection trends, I began to notice patterns among malicious IP addresses and abused parent-domains. I created maps to visualize this threat landscape using the fantastic resources provided by abuse.ch, drb-ra, Dee, Fred HK, Benkow_, Good__Bear, and Paul Melson (as well as the IOCs that the Sarlack uncovers too).
Read more about Sarlack-Lab map generation here