clustering

10 min read

Free

Explorative Clustering of Malicious Infrastructure with ClusterHawk

Over 2,700 malicious IP addresses were analyzed in an explorative clustering experiment using ClusterHawk to group adversarial infrastructure. The objective: determine whether Command-and-Control (C2) servers cluster by operational similarity alone, without relying on predefined family signatures.

clusteringmalware-infrastructurec2-serversthreat-intelligencemachine-learninginfrastructure-analysis
CR

By Chawkr Reports

15/10/2025

Explorative Clustering of Malicious Infrastructure with ClusterHawk

Overview

Over 2714 malicious IP addresses were analyzed in an explorative clustering experiment using ClusterHawk to group adversarial infrastructure.

Objective:

To determine whether clusters of Command-and-Control (C2) servers could be automatically grouped by operational similarity - without any predefined family signatures or prior training.

The dataset covered a wide mix of offensive frameworks and malware families: Metasploit, Cobalt Strike, Sliver, Mythic, GoPhish, Viper, Hak5 Cloud C2, ShadowPad, PANDA, and several commodity RATs (DcRAT, DarkComet, XtremeRAT, Supershell, etc.).

Why This Is Difficult

Clustering malicious infrastructure is not the same as classifying malware samples. Each C2 family exposes different fingerprints and behaviors:

  • Network protocols: HTTP, HTTPS, DNS, SSH, custom TCP
  • Banner/service traits: Shodan metadata, certificates, ports
  • Operational context: hosting provider, ASN, geography, uptime cadence
  • Vulnerability dependencies: specific exploits or beacons used by Sliver, Cobalt Strike, etc.

No single feature space can cleanly separate all of these simultaneously. Some traits are family-specific, others shared or noisy. That's why clustering is exploratory - it finds structure only where structure exists.

The dataset

MontySecurity C2-Tracker (Oct 13, 2025)

  • Total IPs: 2714 (malicious only)
  • Unique malware families: 44 distinct actor labels
  • Sources: MontySecurity C2-Tracker feeds (as of Oct 13, 2025)

Imbalance snapshot

FamilyIP Count%Category
Metasploit Framework51418.7%Dominant
Sliver43415.8%Dominant
Cobalt Strike37113.5%Dominant
Viper2258.2%Dominant
GoPhish2187.9%Major
PANDA1686.1%Major
Hak5 Cloud C21324.8%Major
BurpSuite1194.3%Major
Mythic1094.0%Significant
Supershell953.5%Significant

The remaining 34 families form a classic long-tail:

  • 21 families (<10 IPs each)
  • 14 families (<5 IPs each)
  • 6 families with just a single IP

Imbalance ratio: 514:1 (largest vs. smallest family) Top 10 families: 87.9% of all infrastructure

Such imbalance makes "perfect clustering" mathematically impossible without prior training or feature selection.

Understanding Purity and Entropy

Purity measures how homogeneous a cluster is with respect to its dominant malware family:

Purity = IPs of most common label / total IPs in cluster

  • 1.0 → completely homogeneous
  • 0.9+ → high confidence
  • < 0.5 → mixed or shared infrastructure

Entropy complements purity: low entropy = organized, single-purpose ops; high entropy = multi-actor or commodity hosting.

Purity in context of Dataset imbalance

Actual clustering performance:

  • Weighted average purity: 55%
  • High-purity clusters (≥90%): 14
  • Perfect purity clusters (100%): 6

Perfect purity clusters by family: | Family | Cluster Size | % of Total Family IPs | Significance | |--------|--------------|----------------------|--------------| | Viper C2 | 78 IPs | 34.7% | Major operational cluster | | ShadowPad | 8 IPs | 44.4% | Nearly half of all ShadowPad IPs | | Viper C2 | 45 IPs | 20.0% | Secondary operational cluster | | GoPhish | 3 IPs | 1.4% | Small but pure cluster | | Sliver C2 | 7 IPs | 1.7% | Specialized deployment | | Viper C2 | 3 IPs | 1.3% | Highly specialized cluster |

Imbalance-adjusted insights:

  • Perfect purity clusters represent families with consistent operational patterns despite small absolute sizes
  • ShadowPad's 44.4% perfect purity cluster shows the algorithm successfully identified distinctive features for a rare family (18 total IPs)
  • Viper C2's multiple perfect clusters (126 total IPs across 3 clusters) demonstrate sophisticated infrastructure compartmentalization
  • The 514:1 imbalance makes perfect purity clusters particularly valuable for attribution, as they represent highly distinctive operational signatures

What These Numbers Actually Mean

Achieving 100% or even 75% average purity is impossible in a dataset like this. With 44 malware families, massive class imbalance, and overlapping infrastructure, no unsupervised algorithm can fully separate everything - unless it's pretrained on family-specific features.

ClusterHawk isn't pretrained. It's fully dynamic: you can drop in any dataset - raw IPs, mixed malware, even benign + malicious blends - and it adapts automatically. No thresholds. No model updates. No fine-tuning.

Yet in this uncontrolled environment, it still uncovered coherent operational groups, with purity up to 100% for certain families and 55 % overall weighted purity - clear evidence of genuine separability where it actually exists.

That's the point: ClusterHawk doesn't fabricate structure; it reveals the real one.

Results

MetricValue
Total IPs2714
Clusters formed60
Special cases (not clustered)2
Weighted purity55%
Clusters ≥0.9 purity14
Perfect-purity clusters (1.0)6
Low-purity clusters (<0.5)30

High-purity clusters emerged for families with strong and unique infrastructure traits:

  • Viper C2 (three clusters, 100% purity) - 126 total assets across dedicated infrastructure
  • Sliver (seven clusters ≥0.94 purity) - 343+ assets indicating coordinated deployment
  • ShadowPad (100% purity) - 8 assets in specialized cluster
  • Metasploit Framework (96% purity) - 239 assets in largest single-tool cluster

Other frameworks, such as Cobalt Strike and Hak5 Cloud C2, produced more mixed clusters - expected given their widespread use and shared network characteristics. The dataset's inherent imbalance (44 unique actor labels with varying representation) made clustering challenging, yet the algorithm successfully identified distinct operational patterns.

Cross-cluster analysis: When families share infrastructure

While ClusterHawk successfully identified 14 high-purity clusters, 44 clusters (76% of all clusters) exhibited purity below 0.9, which reveals significant cross-family infrastructure sharing. These "impure" clusters provide critical insights into how different malware families often operate in shared environments.

Figure 1: Distribution of purity, cluster size relationships, and entropy-based complexity across 60 clusters.

Key findings from impure clusters:

  • Prevalence of mixed infrastructure: 44 out of 60 clusters contain multiple malware families, indicating widespread infrastructure sharing
  • Most problematic families: Metasploit Framework and Cobalt Strike each appear as dominant families in 8 impure clusters, suggesting they frequently share infrastructure with other tools
  • High-entropy clusters: Several clusters show extreme diversity, with Cluster 13 containing 22 different malware families across 132 IPs

Notable mixed clusters:

ClusterSizePurityEntropyDominant FamilyUnique LabelsSignificance
C13132 IPs0.2843.51Cobalt Strike (38 IPs)22 familiesMost diverse cluster
C7196 IPs0.5183.02Metasploit (102 IPs)29 familiesLargest mixed cluster
C18128 IPs0.2092.97Hak5 Cloud C2 (27 IPs)17 familiesHigh diversity, low purity
C087 IPs0.2613.26Metasploit (23 IPs)15 familiesComplex multi-family environment

What mixed clusters reveal:

  • Shared hosting infrastructure: Multiple families using the same cloud providers, VPS services, or compromised legitimate servers
  • Common attack vectors: Different malware families exploiting the same vulnerabilities or using similar network configurations
  • Multi-tool operations: Threat actors deploying diverse toolkits across shared infrastructure for different campaign phases
  • Generic C2 frameworks: Commodity tools (Metasploit, Cobalt Strike) being used alongside specialized malware, creating operational overlap

Operational implications:

Mixed clusters represent the reality of modern threat operations where:

  • Infrastructure reuse is common across different malware families
  • Shared vulnerabilities create similar network fingerprints across unrelated tools
  • Multi-stage campaigns require diverse tooling deployed on common infrastructure
  • Generic hosting makes attribution more challenging but reveals broader operational patterns

This cross-cluster analysis demonstrates that while some families maintain distinct operational signatures (high-purity clusters), many operate in shared digital terrain where family boundaries blur - providing defenders with insights into broader threat infrastructure patterns beyond individual malware families.

Interpretation

The clustering reveals a realistic topology of today's offensive infrastructure:

  • Distinct, high-purity clusters correspond to families with unique operational blueprints - custom TLS certificates, consistent port patterns, static hosting footprints.
  • Large, mixed clusters correspond to commodity frameworks reused by multiple actors, where overlaps in hosting and configuration blur family boundaries.

Notable clustering successes despite dataset imbalance:

  • Sliver C2 fragmented across 9 clusters but maintained >90% purity in 7 of them, indicating consistent operational patterns despite hosting variations
  • Viper C2 achieved perfect purity across 3 clusters (126 assets), which demonstrates highly specialized infrastructure management
  • Metasploit Framework formed the largest single-tool cluster (239 assets, 96% purity) despite being dispersed across 29 total clusters

This confirms that while some malware ecosystems are neatly separable, others fundamentally share the same digital terrain. Even with advanced feature engineering, cross-family separability is inherently limited - not a shortcoming of the algorithm, but a reflection of how these systems coexist online.

Key insight

Explorative clustering succeeds when distinct behaviors exist - and fails honestly when they don't.

ClusterHawk's output mirrors the real operational picture: a mix of clear-cut C2 enclaves and blended, shared-infrastructure clusters.

Clustering challenges and successes

The dataset imbalance challenge: With 44 unique actor labels and extreme imbalance (514:1 ratio between largest and smallest families), traditional clustering approaches would struggle. The top 3 families (Metasploit, Sliver, Cobalt Strike) represent ~48% of all IPs, while 21 families (48%) have fewer than 10 IPs each. However, the ensemble method successfully identified operational patterns even when families shared 1-5 key features.

Feature convergence analysis:

  • Universal features (HTTP responses, SSL patterns) appeared across all clusters, which created artificial similarity
  • Hosting provider convergence grouped diverse families based on cloud infrastructure rather than operational behavior
  • Vulnerability signatures (CVE-2012-4360, CVE-2022-28330) created false clustering signals across unrelated families

Operational intelligence insights:

  • High-entropy clusters (>3.0 entropy) like Cluster 13 (3.51 entropy, 22 different families) indicate complex multi-actor environments
  • Low-entropy clusters (<0.5 entropy) like Cluster 15 (0.146 entropy, 97.92% Sliver C2 purity) demonstrate disciplined operational compartmentalization
  • Perfect purity clusters (0.0 entropy) represent single-purpose infrastructure with zero operational contamination

Example highlights

  • Sliver C2 IPs, purity 0.94, cleanly isolated across 143 assets.
  • Viper C2 IPs, purity 1.00, completely homogeneous with 78 assets.
  • Metasploit Framework, purity 0.96, largest single-tool cluster with 239 assets.
  • One large cluster, mixed infrastructure, purity 0.52, representing generic attacker infrastructure across 196 assets.

What this means for defenders

ClusterHawk can now:

  • Identify high-confidence C2 clusters for automated tagging and enrichment.
  • Flag ambiguous clusters for manual or family-specific analysis.
  • Track temporal drift of infrastructure as campaigns evolve.

Defensive intelligence priorities:

  • Perfect purity clusters (6 clusters, 0.0 entropy) enable zero-false-positive detection rules
  • High-purity Sliver C2 infrastructure (343+ assets across 7 clusters) provides consistent hunting opportunities
  • Mixed clusters with high entropy require sub-clustering analysis to identify distinct operational components
  • Viper infrastructure group (126 assets across 3 clusters) has significant payload staging capabilities

Attribution confidence levels:

  • High confidence (80-90%): Perfect purity clusters with single-purpose infrastructure
  • Medium confidence (60-75%): High-purity clusters with consistent deployment patterns
  • Low confidence (15-35%): Mixed clusters requiring additional intelligence collection

The result goes beyond classification: it gives you situational awareness of the global C2 picture.

Conclusion

Clustering all malware families together is inherently biased - each behaves differently and shares few common features. Yet ClusterHawk demonstrates that even under these constraints, our clustering can extract structure from chaos, isolating families that truly behave alike while mapping where behaviors overlap.

Key achievements despite dataset challenges:

  • Successfully identified 14 high-purity clusters (>90%) from an imbalanced dataset with 44 unique actor labels
  • Achieved perfect purity (1.0) in 6 clusters representing specialized, single-purpose infrastructure
  • Maintained operational coherence for modern frameworks like Sliver C2 across geographically distributed clusters
  • Provided actionable intelligence for 126 Viper assets and 343+ Sliver C2 assets across dedicated infrastructure groups

The clustering revealed the operational reality: Some threat actors maintain highly compartmentalized, purpose-built infrastructure (perfect purity clusters), while others operate in shared environments where tool boundaries blur (mixed clusters). This isn't a clustering failure - it's an accurate reflection of how modern offensive infrastructure actually works.

In short: the algorithm found what reality allows - and that's exactly what good clustering should do.

Try ClusterHawk Yourself

Want to replicate this analysis or explore your own malicious infrastructure datasets? ClusterHawk enables security researchers and threat intelligence teams to perform similar clustering experiments on their own data.

Key capabilities:

  • Upload your own IP datasets for clustering analysis
  • Generate comprehensive reports with cluster portraits and attribution insights
  • Extract persistent infrastructure profiles for long-term actor tracking
  • Identify high-purity clusters for zero-false-positive detection rules

Get started today: Join ClusterHawk and begin exploring the hidden structure in your threat intelligence data.

Comments (0)