From 939 to 85 : Hunting Cobalt Strike Servers
ID: 13b52f7c-df1c-5cd7-8f13-f67b52e296a4
STIX ID: report--13b52f7c-df1c-5cd7-8f13-f67b52e296a4
Feed Name: IntelInsights (Substack)
The report documents a Censys-based hunt for Cobalt Strike infrastructure, using pivots such as service tags, SSH host key fingerprints, version watermarks, and common HTTP 404 banners to narrow a broad dataset. The author identifies 85 low- or undetected Cobalt Strike servers across various ports and regions, shares a linked repository of IOCs, and includes a list of newly discovered IP:port indicators for defenders to hunt and block.
