# Threat Brief: Active C2 Infrastructure - February 14, 2026
- Patrick Duggan
- Feb 13
**Classification:** TLP:WHITE
**Published:** February 13, 2026
**Valid Through:** February 17, 2026 (Weekend Coverage)
## Executive Summary
16 confirmed command-and-control servers identified via ThreatFox certificate anomaly detection heading into the Valentine's Day weekend. Notable findings include a **Kimsuky (DPRK)** server with 180+ exploitable CVEs, and **four C2 servers hosted on Microsoft Azure and AWS** infrastructure.
Immediate blocking is recommended for all 16 IPs.
## Critical Priority
### 139.99.86.89 - Kimsuky APT (North Korea)
| Attribute | Value |
|-----------|-------|
| **Threat Actor** | Kimsuky (APT43) |
| **Location** | Singapore (OVH) |
| **VT Detections** | 11/93 |
| **Certificate** | Self-signed, expired, CN=localhost |
| **Ports** | 80, 443 |
| **CVEs Exposed** | 180+ (Apache 2.4.25, OpenSSL 1.0.2j, PHP 5.6.30) |
This server exhibits textbook DPRK operational security failures: ancient software stack, self-signed certificates, and DGA-style issuer patterns. The exposed CVE surface suggests either a compromised host or intentionally vulnerable honeypot-style infrastructure.
**MITRE ATT&CK:** T1071.001 (Web Protocols), T1573.002 (Asymmetric Cryptography)
## Cloud Provider C2s - Abuse Reports Recommended
Four C2 servers are actively hosted on major cloud providers. These represent abuse of legitimate infrastructure and should be reported:
| IP | Provider | Malware | Region |
|----|----------|---------|--------|
| 52.151.31.52 | **Microsoft Azure** | Cobalt Strike | US |
| 4.154.22.123 | **Microsoft Azure** | Meterpreter | US |
| 52.90.129.186 | **Amazon AWS** | Havoc | US-East |
| 13.43.94.7 | **Amazon AWS** | Havoc | UK (London) |
**Abuse Contacts:**
- Microsoft: `[email protected]`
- Amazon: `[email protected]`
## Sliver C2 Surge
The open-source Sliver C2 framework continues to replace Cobalt Strike as the tool of choice for red teams and threat actors alike. Four servers were identified in this sweep:
| IP | Location | ISP | VT Score |
|----|----------|-----|----------|
| 217.217.254.115 | Singapore | Contabo | 10/93 |
| 185.239.239.35 | Germany | ZAP-Hosting | 10/93 |
| 212.86.116.106 | Ukraine | Virtual Systems | 6/93 |
| 51.44.178.101 | France | OVH | - |
All exhibit self-signed certificates with IP addresses as Common Names - a reliable detection signal.
## Infostealer Infrastructure
### Vidar Stealer Cluster
Three Vidar C2 servers were identified, all using self-signed certificates with the IP-as-CN pattern:
| IP | Location | ISP |
|----|----------|-----|
| 46.224.11.92 | Germany | Hetzner |
| 151.247.22.188 | Canada | 12651980 Canada Inc |
| 151.247.22.211 | Canada | 12651980 Canada Inc |
| 46.225.137.109 | Germany | Hetzner |
The Canadian IPs share the same shell-company ISP, which points to a single actor's infrastructure.
### Fickle Stealer
| IP | Location | ISP |
|----|----------|-----|
| 185.100.233.121 | Netherlands | WorldStream |
A relatively new stealer variant with a self-signed certificate. The low VT detection rate (3/93) suggests fresh infrastructure.
## Additional C2s
| IP | Malware | Location | ISP | VT |
|----|---------|----------|-----|-----|
| 78.192.214.83 | Cobalt Strike | France | Free SAS | 8/93 |
| 103.69.194.63 | Cobalt Strike | Vietnam | Soha Co | 7/93 |
| 206.189.213.116 | Havoc | US | DigitalOcean | 3/93 |
| 195.184.233.126 | Remcos | Netherlands | B2 Net | 1/93 |
| 45.155.69.147 | AdaptixC2 | Netherlands | RapidSeedbox | 9/93 |
| 104.156.155.94 | Unknown | US | Vultr | - |
## Detection Signatures
### Certificate Anomalies (All 16 IPs)
- `SELF_SIGNED` - No CA chain
- `IP_AS_CN` - IP address used as Common Name
- `EXPIRED_CERT` - Certificate validity expired
- `CERT_MISMATCH` - CN doesn't match hostname
- `DGA_ISSUER` - Randomized issuer string
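The five signals above can be evaluated mechanically once the certificate fields have been pulled out of a TLS handshake. The classifier below is an added example, not code from the brief or from DugganUSA: it assumes the subject DN, issuer DN, expiry, presented chain length, the name or IP the client connected to, and any SAN entries have already been extracted by a sensor or certificate parser. Two definitions are this example's own assumptions: `SELF_SIGNED` is taken to mean "subject equals issuer, or only a leaf certificate was presented", and `looks_randomized()` is a simple entropy and vowel-ratio heuristic standing in for the brief's `DGA_ISSUER` signal, not a published definition. The sample observations are constructed; the first two mirror the attributes the brief lists (CN=localhost, expired, self-signed; IP address as CN) but are not the real certificates.

```python
# Certificate anomaly classifier for the five signals in the brief.
# Added example (not the brief's code). Inputs are already-extracted
# certificate fields; SELF_SIGNED and looks_randomized() are assumptions.
import ipaddress
import math
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CertObservation:
    subject: str            # subject DN as a string, e.g. "CN=localhost"
    issuer: str             # issuer DN as a string
    not_after: datetime     # expiry (timezone-aware)
    chain_length: int       # certificates presented by the server; 1 = leaf only
    host: str               # name or IP the client connected to (SNI or dst IP)
    sans: List[str] = field(default_factory=list)  # SAN dNSName/iPAddress values


_CN_RE = re.compile(r"(?:^|,\s*)CN=([^,]+)")


def common_name(dn: str) -> Optional[str]:
    m = _CN_RE.search(dn)
    return m.group(1).strip() if m else None


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_randomized(value: str) -> bool:
    """Heuristic (assumption): a long, high-entropy, vowel-poor token."""
    token = re.sub(r"[^A-Za-z0-9]", "", value).lower()
    letters = [c for c in token if c.isalpha()]
    if len(token) < 10 or len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    return vowel_ratio < 0.2 and shannon_entropy(token) > 3.0


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single-label leftmost wildcard (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def classify(obs: CertObservation, now: datetime) -> List[str]:
    """Return the anomaly signals that apply to one observed certificate."""
    signals = []
    cn = common_name(obs.subject)
    if obs.subject == obs.issuer or obs.chain_length <= 1:
        signals.append("SELF_SIGNED")       # no CA chain behind the leaf
    if cn and is_ip(cn):
        signals.append("IP_AS_CN")
    if obs.not_after < now:
        signals.append("EXPIRED_CERT")
    names = ([cn] if cn else []) + obs.sans
    if not any(name_matches(n, obs.host) for n in names):
        signals.append("CERT_MISMATCH")     # neither CN nor any SAN fits the host
    issuer_values = [v.strip() for v in re.findall(r"=([^,]+)", obs.issuer)]
    if any(looks_randomized(v) for v in issuer_values):
        signals.append("DGA_ISSUER")
    return signals


NOW = datetime(2026, 2, 14, tzinfo=timezone.utc)  # the brief's date

# Constructed observations (not the real certificates from the listed hosts).
SAMPLES = {
    "kimsuky_like": CertObservation("CN=localhost", "CN=localhost",
        datetime(2021, 1, 1, tzinfo=timezone.utc), 1, "139.99.86.89"),
    "ip_as_cn": CertObservation("CN=217.217.254.115", "CN=217.217.254.115",
        datetime(2027, 1, 1, tzinfo=timezone.utc), 1, "217.217.254.115"),
    "dga_issuer": CertObservation("CN=x7q9zk2mvp4r", "CN=x7q9zk2mvp4r, O=h3kd9fqzt7wl",
        datetime(2027, 1, 1, tzinfo=timezone.utc), 1, "203.0.113.10"),
    "benign": CertObservation("CN=www.example.com", "CN=R3, O=Let's Encrypt, C=US",
        datetime(2026, 5, 1, tzinfo=timezone.utc), 2, "www.example.com",
        ["www.example.com", "example.com"]),
}

if __name__ == "__main__":
    for label, obs in SAMPLES.items():
        print(f"{label:13s} {classify(obs, NOW)}")
```

Run against the constructed samples, the Kimsuky-like observation yields `SELF_SIGNED`, `EXPIRED_CERT` and `CERT_MISMATCH`, the IP-as-CN sample yields `SELF_SIGNED` and `IP_AS_CN`, and the CA-issued control yields nothing. The entropy threshold is deliberately conservative so that short or pronounceable issuer names such as "Let's Encrypt" are not flagged; tune it against your own TLS telemetry before treating `DGA_ISSUER` alone as a block trigger.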
### Snort/Suricata Rule (Generic Self-Signed C2)
## IOC Export
### Firewall Block List (Copy/Paste Ready)
### STIX 2.1 Bundle
Available via API: `https://analytics.dugganusa.com/api/v1/stix-feed?days=1`
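The block list and the STIX 2.1 bundle are two renderings of the same indicator table. The script below is an added example of producing both from a small table and is not the brief's own export or the DugganUSA feed format. Its four entries and malware labels are taken from the tables above; the `valid_from` and `valid_until` timestamps follow the brief's published and valid-through dates. Indicator and bundle identifiers are fresh UUIDv4 values generated on each run, as STIX 2.1 recommends for SDOs.

```python
# Render a small indicator table as a firewall block list and as a
# STIX 2.1 bundle of Indicator objects. Added example, not the brief's export.
import ipaddress
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# (ip, malware family) pairs taken from the brief's tables.
INDICATORS: List[Tuple[str, str]] = [
    ("139.99.86.89", "Kimsuky (APT43)"),
    ("52.151.31.52", "Cobalt Strike"),
    ("217.217.254.115", "Sliver"),
    ("185.100.233.121", "Fickle Stealer"),
]

VALID_FROM = datetime(2026, 2, 13, tzinfo=timezone.utc)               # published
VALID_UNTIL = datetime(2026, 2, 17, 23, 59, 59, tzinfo=timezone.utc)  # valid through


def _stix_ts(dt: datetime) -> str:
    """STIX 2.1 timestamp: UTC, millisecond precision, trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def block_list(indicators: List[Tuple[str, str]]) -> List[str]:
    """Validated, de-duplicated, sorted IPv4 host routes, one per line."""
    addrs = {ipaddress.ip_address(ip) for ip, _ in indicators}
    bad = [a for a in addrs if a.version != 4 or a.is_private]
    if bad:
        # Refuse to emit entries that would block RFC 1918 space or IPv6 by accident.
        raise ValueError(f"refusing non-routable or non-IPv4 entries: {bad}")
    return [f"{a}/32" for a in sorted(addrs)]


def stix_indicator(ip: str, malware: str) -> Dict:
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": _stix_ts(VALID_FROM),
        "modified": _stix_ts(VALID_FROM),
        "name": f"{malware} C2 server {ip}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "valid_from": _stix_ts(VALID_FROM),
        "valid_until": _stix_ts(VALID_UNTIL),
    }


def stix_bundle(indicators: List[Tuple[str, str]]) -> Dict:
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [stix_indicator(ip, m) for ip, m in indicators],
    }


if __name__ == "__main__":
    print("\n".join(block_list(INDICATORS)))
    print(json.dumps(stix_bundle(INDICATORS), indent=2))
```

The `valid_until` field carries the brief's weekend expiry into the bundle, so a consumer that honours it will age the indicators out automatically instead of blocking the cloud-provider addresses indefinitely after the infrastructure has been reassigned.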
## Methodology
IOCs were sourced from the ThreatFox certificate anomaly feed and enriched via the DugganUSA threat intelligence API, which combines:
- AbuseIPDB reputation
- VirusTotal detections
- Shodan port/CVE exposure
- OTX pulse correlation
- GreyNoise classification
All 16 IPs were verified as malicious and carry high-confidence block recommendations.
## About This Brief
Published by DugganUSA Threat Intelligence. Free STIX 2.1 feed available at `analytics.dugganusa.com`.
For questions: [email protected]
*This threat brief is provided as-is for defensive purposes. Block at your own risk assessment.*