Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt
ID: 9171d20c-8f87-51ad-93eb-85a98a6a290b
STIX ID: report--9171d20c-8f87-51ad-93eb-85a98a6a290b
Feed Name: Hunt.io Blog
Threat Score
This report analyzes Pyramid, an open-source Python post-exploitation C2 server, and describes its distinctive HTTP/S behaviors (401 responses, a BaseHTTP/Python Server header, a WWW-Authenticate Basic realm, and a specific JSON error body hash). It provides detection query examples for finding related infrastructure and lists identified IPs and domains, several of which overlap with ransomware-affiliated activity.
