01 ·
Identification through active fingerprinting
Global scanning of ports and SSL certificates with known Team Server characteristics. Beacon HTTP headers, JARM fingerprint, listener patterns.
We know where the attackers' servers hide.
Fortgale identifies and monitors daily over 800 active CobaltStrike servers worldwide. We extract configurations, watermarks and profiles — turning offensive infrastructure into defensive intelligence.
CTI standards
STIX/TAXII 2.1
MITRE ATT&CK
ISO 27001
Tracking techniques
JARM
Malleable C2 Profile
Watermark correlation
Why track C2s
From isolated IoC to attacker profile.
An isolated malicious IP is an alert. An IP correlated to a watermark, a campaign and a known actor is operational intelligence.
02 ·
Watermark = attacker identity
For each Team Server: extraction of licence watermark, payload type, sleep, jitter, Malleable Profile. The watermark correlates different campaigns to the same operator.
03 ·
From IoC to intelligence profile
Not just IPs/domains: a structured profile of the attacker (cluster, group, TTPs, infrastructure overlaps) integrated into SOC alerts.
Proof · tracking scale
Four numbers that hold C2 tracking up.
800+
Active CobaltStrike C2 servers
tracked every day
tracked every day
1,000+
New servers identified
every quarter
every quarter
4
Frameworks monitored
CobaltStrike · BruteRatel · Havoc · Metasploit
CobaltStrike · BruteRatel · Havoc · Metasploit
100 %
Configurations extracted
per identified server
per identified server
Profiling pipeline
Four steps · from global scan to operational intelligence.
01 · Detect
Server identification
Global scanning with active fingerprinting: ports, SSL certificates, JARM, Beacon HTTP headers, listener patterns.
02 · Extract
Configuration extraction
Each Team Server is queried. Extraction of watermark, payload type, sleep time, jitter, named pipe, DNS beacon, Malleable C2 Profile.
03 · Correlate
Correlation & attribution
The watermark is the operator's fingerprint: same watermark across different servers → same attacker. Infrastructure overlaps emerge.
04 · Operate
Operational intelligence
Output: blockable IoCs, attacker profiles, context for the SOC, threat hunting on already-observed patterns. Distributed via STIX/TAXII.
beacon_config_extract.jsonCobaltStrike · WM 1580103824
{
"BeaconType": "HTTPS",
"Port": 443,
"SleepTime": 60000,
"Jitter": 20,
"MaxGetSize": 1403644,
"Watermark": 1580103824,
"C2Server": "update-cdn[.]global,/dpixel",
"HttpPostUri": "/submit.php",
"MallProfile": "amazon",
"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
"NamedPipe": "\\pipe\\msagent_*",
"DnsBeacon": "",
"SpawnTo": "svchost.exe"
// → Watermark correlated to campaign EU-2025-047
// → Attribution: ransomware cluster A
}Other C2 frameworks
Beyond CobaltStrike, three critical frameworks.
CobaltStrike is not alone. BruteRatel, Havoc and Metasploit are growing among criminals and APTs.
Criminal & APT
BruteRatel C4
Commercial CobaltStrike alternative. Adopted by Black Basta + APT. Native EDR bypass, AMSI bypass, direct syscall, sleep obfuscation.
Nation-state APT
Havoc Framework
Open source, growing among nation-state actors. Demon Agent, Reflective DLL, sleep obfuscation, process injection, HTTPS/SMB/DNS.
Criminal / opportunist
Metasploit
Pen-test framework. Used for post-exploitation by criminal operators. Meterpreter, reverse shell, staged payload, post-exploitation modules.
Defensive application
Six ways C2 tracking protects you.
01
Directly applicable IoCs
IPs, domains, certificates of active C2s distributed via STIX/TAXII to the customer's SIEM/EDR/firewall. Blockable preventively before an attack.
02
Context inside SOC alerts
When an alert correlates an IP to a known C2, the SOC receives the attacker profile: group, typical target sector, TTPs, overlaps.
03
Proactive threat hunting
Already-observed beacon, sleep, jitter, named pipe patterns become hunting queries. Active hunting on customer infrastructure.
04
Campaign early warning
When a new C2 cluster emerges against a sector, customers in that sector receive a dedicated advisory.
05
Threat actor reports
Technical profiles of actors using the framework: watermark, infrastructure, MITRE-mapped TTPs, target sectors, attribution.
06
Faster Incident Response
During IR: identifying the C2 framework and watermark accelerates attribution and containment.
Integrated defence
C2 tracking powers the entire stack.
Operational
Intelligence Feed
34k+ IoCs per week, ~16k from C2 and malware tracking. Distributed via STIX/TAXII to SIEM/EDR.
Discover the Feed →Strategic
Cyber Threat Intelligence
Structured profiles of 180+ adversaries with watermark, infrastructure and observed overlaps.
Discover CTI →Operational · SOC
Managed Detection & Response
The SOC's detection rules are powered by tracked C2s. Triage in <15 min, containment ~11 min.
Discover MDR →FAQ
Everything to know before talking to the team.
How does Fortgale identify CobaltStrike servers?
Active fingerprinting: scanning ports and SSL certificates with known Team Server traits, Beacon HTTP headers, JARM, Malleable C2 Profile. Each identified server is queried to extract the full config.
What is attacker profiling via C2 config?
The CobaltStrike Beacon contains a unique watermark associated with the purchased licence. Correlating identical watermarks across different servers and campaigns → attribution to the same operator. Infrastructure overlaps across groups become observable.
Why is BruteRatel more dangerous than CobaltStrike?
Designed to bypass modern EDRs (Defender, CrowdStrike, SentinelOne). Direct syscall, AMSI bypass, sleep obfuscation. Adopted by Black Basta and advanced ransomware groups.
Which C2 frameworks beyond CobaltStrike?
BruteRatel C4, Havoc (open source, nation-state), Metasploit (criminal post-exploitation), Sliver, Nighthawk, Deimos, emerging custom implants.
How is C2 tracking used in enterprise defence?
Three modes: direct IoCs (IPs/domains blockable preventively), context inside SOC alerts (attacker info), proactive threat hunting (already-observed beacon/config patterns).
C2 Tracking · Operational intelligence
The next CobaltStrike server is already being prepared.
Fortgale identifies it before it is used in an attack. Configurations, watermark, attacker profile — all available as operational intelligence for your security team.