building-c2-redirector-infrastructure
Fail
Audited by Socket on Jun 23, 2026
2 alerts found:
SecurityMalwareSecuritySKILL.md
MEDIUMSecurityMEDIUM
SKILL.md
Malwarereferences/api-reference.md
HIGHMalwareHIGH
references/api-reference.md
This module/configuration fragment is highly indicative of malicious C2 infrastructure. It implements selective request fingerprinting (User-Agent/URI) to proxy matching traffic to a TEAMSERVER while redirecting non-matching traffic to a DECOY (302), and it includes additional covert ingress options (socat and iptables DNAT) plus disabled upstream TLS verification. The presence of generator tooling tied to Cobalt Strike malleable profiles strongly reinforces intent.
Confidence: 80%Severity: 97%
Audit Metadata