Fingerprinting C2s with Shodan
ID: f021b137-a998-543b-9607-304ba90da783
STIX ID: report--f021b137-a998-543b-9607-304ba90da783
Feed Name: KMsec blog
This report demonstrates rapid threat-intelligence pivoting from a known PupyRAT C2 IP (103.79.76.40) by using Shodan SSL certificate quirks (OU=CONTROL and randomized Organization values) and TLS handshake errors to identify and enumerate ~40 related hosts, produce IOCs, and observe additional malicious services (including Metasploit). The author provides tuned Shodan queries, CLI extraction steps, and a vetted list of IPs for tracking and blocking, concluding the cluster likely represents a specific threat actor group (probable China-based) rather than default PupyRAT infrastructure.