Overview
This investigation maps a Command & Control (C2) infrastructure cluster to real-world locations using:
- Passive DNS resolution
- BGP AS-path analysis
- Shodan geolocation
- Physical datacenter correlation
Note: All IPs shown are sanitized/fictional for demonstration.
Infrastructure Map
Analysis
Node Alpha (San Francisco)
Primary C2 node, communicating with ~169 unique domains (as seen in the Flowsint graph above). Key relationships:
- akamai[.] → RESOLVES → 12.34.56.78
- gridlog[.] → RESOLVES → 12.34.56.78
- github[.] → RESOLVES → 12.34.56.78
Attribution Confidence
| Indicator | Confidence |
|---|---|
| ASN overlap | High |
| Cert fingerprint | Medium |
| Behavioral pattern | High |
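The two steps above, pivoting from a C2 IP through passive DNS to build the Node Alpha cluster and then rolling indicator overlap into a confidence rating, as an added example in Python. This is not code from the investigation or from any of the tools listed below; every domain, IP, ASN and certificate fingerprint in it is constructed, and the weighting of High/Medium/Low levels and the 0.8/0.5 thresholds are assumptions chosen to reproduce the table's outcome.

```python
"""Added example: passive-DNS pivoting plus an attribution confidence roll-up.
All records, domains, IPs, ASNs and fingerprints are constructed for the demo."""
from collections import defaultdict

# Constructed passive-DNS records: (defanged domain, defanged resolved IP, origin ASN)
PDNS_RECORDS = [
    ("akamai[.]example",    "12[.]34[.]56[.]78", "AS64500"),
    ("gridlog[.]example",   "12[.]34[.]56[.]78", "AS64500"),
    ("github[.]example",    "12[.]34[.]56[.]78", "AS64500"),
    ("gridlog[.]example",   "12[.]34[.]56[.]79", "AS64500"),  # same domain moved to a sibling IP
    ("unrelated[.]example", "203[.]0[.]113[.]9", "AS64501"),  # must stay outside the cluster
]

# Constructed TLS leaf-cert SHA-256 fingerprints observed per IP (shortened for readability)
CERT_FINGERPRINTS = {
    "12.34.56.78": "sha256:aaaa1111",
    "12.34.56.79": "sha256:aaaa1111",
    "203.0.113.9": "sha256:bbbb2222",
}

LEVEL_SCORE = {"High": 3, "Medium": 2, "Low": 1}  # assumed weighting of the table's levels


def refang(indicator: str) -> str:
    """Turn a defanged indicator (akamai[.]example, 12[.]34[.]56[.]78) into a usable string."""
    return indicator.replace("[.]", ".")


def build_resolution_graph(records):
    """Index records both ways so we can pivot domain -> IP and IP -> domain."""
    dom_to_ip, ip_to_dom, ip_to_asn = defaultdict(set), defaultdict(set), {}
    for dom, ip, asn in records:
        d, i = refang(dom), refang(ip)
        dom_to_ip[d].add(i)
        ip_to_dom[i].add(d)
        ip_to_asn[i] = asn
    return dom_to_ip, ip_to_dom, ip_to_asn


def pivot_cluster(seed_ip, records, max_hops=2):
    """Breadth-first pivot from a seed IP: every domain that resolved to it, then every
    other IP those domains resolved to, up to max_hops. Bounding the hops keeps a shared
    CDN or parking IP from pulling unrelated infrastructure into the cluster."""
    dom_to_ip, ip_to_dom, _ = build_resolution_graph(records)
    seed = refang(seed_ip)
    ips, domains, frontier = {seed}, set(), {seed}
    for _ in range(max_hops):
        new_domains = set()
        for ip in frontier:
            new_domains |= ip_to_dom.get(ip, set())
        new_domains -= domains
        domains |= new_domains
        new_ips = set()
        for d in new_domains:
            new_ips |= dom_to_ip.get(d, set())
        new_ips -= ips
        ips |= new_ips
        frontier = new_ips
        if not frontier:  # nothing left to pivot on
            break
    return {"ips": ips, "domains": domains}


def asn_overlap_level(cluster_ips, ip_to_asn):
    """High when every cluster IP sits in one ASN, Medium when a majority does."""
    asns = [ip_to_asn[ip] for ip in cluster_ips if ip in ip_to_asn]
    if not asns:
        return "Low"
    top_share = max(asns.count(a) for a in set(asns)) / len(asns)
    return "High" if top_share == 1.0 else "Medium" if top_share > 0.5 else "Low"


def cert_overlap_level(cluster_ips, fingerprints):
    """A shared leaf cert across cluster IPs is a useful pivot, but certs are cheap to
    reuse, so this example caps the indicator at Medium on its own."""
    seen = {fingerprints[ip] for ip in cluster_ips if ip in fingerprints}
    return "Medium" if len(seen) == 1 and len(cluster_ips) > 1 else "Low"


def attribution_confidence(indicators):
    """Roll per-indicator levels (as in the confidence table) into one rating.
    Returns (score normalised to [0, 1], overall label)."""
    total = sum(LEVEL_SCORE[level] for level in indicators.values())
    score = total / (LEVEL_SCORE["High"] * len(indicators))
    label = "High" if score >= 0.8 else "Medium" if score >= 0.5 else "Low"
    return round(score, 3), label


def assess_node(seed_ip, records=PDNS_RECORDS, fingerprints=CERT_FINGERPRINTS,
                behavioral_level="High"):
    """End to end: pivot the cluster, derive the ASN and cert indicators from the data,
    take the behavioral-pattern level from the analyst, and score the result."""
    cluster = pivot_cluster(seed_ip, records)
    _, _, ip_to_asn = build_resolution_graph(records)
    indicators = {
        "ASN overlap": asn_overlap_level(cluster["ips"], ip_to_asn),
        "Cert fingerprint": cert_overlap_level(cluster["ips"], fingerprints),
        "Behavioral pattern": behavioral_level,
    }
    score, label = attribution_confidence(indicators)
    return {"cluster": cluster, "indicators": indicators, "score": score, "label": label}


if __name__ == "__main__":
    for key, value in assess_node("12[.]34[.]56[.]78").items():
        print(f"{key}: {value}")
```

Running it on the constructed seed yields a two-IP, three-domain cluster with the unrelated record excluded, ASN overlap High, cert fingerprint Medium, and an overall High rating, matching the table. The hop bound and the cap on cert evidence are the two places where a real investigation most often goes wrong: an unbounded pivot through a shared hosting IP inflates the cluster, and a copied certificate alone should never carry an attribution.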
Tools Used
- Flowsint (graph analysis)
- Shodan
- PassiveTotal
- BGPView