Recorded Future, a threat intelligence company together with Shodan, which is an internet search engine connecting services to internet devices, have created an online crawler which they call the Malware Hunter.

What does it do?

The Malware Hunter is a program that sends out signals similar to what a Trojan would send to its control-and-command (C&C) center. If the impersonated signals produce a response from recipient computers, then they are considered as C&C servers. Primarily, the crawler is hunting down remote administration tool (RAT) control centers which affect the user’s webcam system wherein the camera starts recording a video or audio.

Malware Hunter website’s homepage

How does it work?

The program does this by constantly scanning for various Remote Access Trojan (RAT) programs that are sold illegally on various internet forums. The list of servers that are serving as the control panels for the Trojan programs is updated in real-time, and as such, researchers, security experts and other relevant parties can use the information to build effective firewalls and security features that would block these programs.

  • “Malware Hunter is a specialized Shodan crawler that explores the Internet looking for command & control (C2s) servers for botnets. It does this by pretending to be an infected client that’s reporting back to a C2.”

Are there any flaws?

One of the problems that have been encountered is that when Malware Hunter is scanning for potential C&C servers, false alerts have been produced in the user’s security system according to reportsHowever, one of the creators of Malware Hunter said the alerts are because Malware Hunter is being applied to incoming traffic rather than to outgoing traffic.

Till now, Malware Hunter has identified 5,700 RAT servers with Gh0st RAT having the majority of the servers. Gh0st RAT is a Chinese-created malware that has also been used previously for various cyber crimes since 2009.

Malware Hunter versus VirusTotal

Malware Hunter, according to its creators is meant to be the most robust form of online crawler and as such, it was compared with VirusTotal, which is yet another type of malware aggregation platform created by Google.

Malware Hunter was therefore put to the test whereby the program was made to scan since 2015. The results included 633 RAT controllers that were identified. This was cross-checked with, VirusTotal, which showed 153 of the controllers.

This implied that Malware Hunter was able to identify threats even before they had been submitted to VirusTotal.

Malware Hunter is indeed a powerful program that allows for rigorous scanning for RAT control centers. Nevertheless, it is yet to be known whether or not the control centers identified using Malware Hunter will be blocked by various security researchers and firewall builders.

For more technical details click here to read the 15-page report compiled by Recorded Future.


DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Jahanzaib Hassan