clustering
10 min read
FreeExplorative Clustering of Malicious Infrastructure with ClusterHawk
Over 2,700 malicious IP addresses were analyzed in an explorative clustering experiment using ClusterHawk to group adversarial infrastructure. The objective: determine whether Command-and-Control (C2) servers cluster by operational similarity alone, without relying on predefined family signatures.
By Chawkr Reports
15/10/2025
Explorative Clustering of Malicious Infrastructure with ClusterHawk
Overview
Over 2714 malicious IP addresses were analyzed in an explorative clustering experiment using ClusterHawk to group adversarial infrastructure.
Objective:
To determine whether clusters of Command-and-Control (C2) servers could be automatically grouped by operational similarity - without any predefined family signatures or prior training.
The dataset covered a wide mix of offensive frameworks and malware families: Metasploit, Cobalt Strike, Sliver, Mythic, GoPhish, Viper, Hak5 Cloud C2, ShadowPad, PANDA, and several commodity RATs (DcRAT, DarkComet, XtremeRAT, Supershell, etc.).
Why This Is Difficult
Clustering malicious infrastructure is not the same as classifying malware samples. Each C2 family exposes different fingerprints and behaviors:
- Network protocols: HTTP, HTTPS, DNS, SSH, custom TCP
- Banner/service traits: Shodan metadata, certificates, ports
- Operational context: hosting provider, ASN, geography, uptime cadence
- Vulnerability dependencies: specific exploits or beacons used by Sliver, Cobalt Strike, etc.
No single feature space can cleanly separate all of these simultaneously. Some traits are family-specific, others shared or noisy. That's why clustering is exploratory - it finds structure only where structure exists.
The dataset
MontySecurity C2-Tracker (Oct 13, 2025)
- Total IPs: 2714 (malicious only)
- Unique malware families: 44 distinct actor labels
- Sources: MontySecurity C2-Tracker feeds (as of Oct 13, 2025)
Imbalance snapshot
| Family | IP Count | % | Category |
|---|---|---|---|
| Metasploit Framework | 514 | 18.7% | Dominant |
| Sliver | 434 | 15.8% | Dominant |
| Cobalt Strike | 371 | 13.5% | Dominant |
| Viper | 225 | 8.2% | Dominant |
| GoPhish | 218 | 7.9% | Major |
| PANDA | 168 | 6.1% | Major |
| Hak5 Cloud C2 | 132 | 4.8% | Major |
| BurpSuite | 119 | 4.3% | Major |
| Mythic | 109 | 4.0% | Significant |
| Supershell | 95 | 3.5% | Significant |
The remaining 34 families form a classic long-tail:
- 21 families (<10 IPs each)
- 14 families (<5 IPs each)
- 6 families with just a single IP
Imbalance ratio: 514:1 (largest vs. smallest family) Top 10 families: 87.9% of all infrastructure
Such imbalance makes "perfect clustering" mathematically impossible without prior training or feature selection.
Understanding Purity and Entropy
Purity measures how homogeneous a cluster is with respect to its dominant malware family:
Purity = IPs of most common label / total IPs in cluster
- 1.0 → completely homogeneous
- 0.9+ → high confidence
- < 0.5 → mixed or shared infrastructure
Entropy complements purity: low entropy = organized, single-purpose ops; high entropy = multi-actor or commodity hosting.
Purity in context of Dataset imbalance
Actual clustering performance:
- Weighted average purity: 55%
- High-purity clusters (≥90%): 14
- Perfect purity clusters (100%): 6
Perfect purity clusters by family: | Family | Cluster Size | % of Total Family IPs | Significance | |--------|--------------|----------------------|--------------| | Viper C2 | 78 IPs | 34.7% | Major operational cluster | | ShadowPad | 8 IPs | 44.4% | Nearly half of all ShadowPad IPs | | Viper C2 | 45 IPs | 20.0% | Secondary operational cluster | | GoPhish | 3 IPs | 1.4% | Small but pure cluster | | Sliver C2 | 7 IPs | 1.7% | Specialized deployment | | Viper C2 | 3 IPs | 1.3% | Highly specialized cluster |
Imbalance-adjusted insights:
- Perfect purity clusters represent families with consistent operational patterns despite small absolute sizes
- ShadowPad's 44.4% perfect purity cluster shows the algorithm successfully identified distinctive features for a rare family (18 total IPs)
- Viper C2's multiple perfect clusters (126 total IPs across 3 clusters) demonstrate sophisticated infrastructure compartmentalization
- The 514:1 imbalance makes perfect purity clusters particularly valuable for attribution, as they represent highly distinctive operational signatures
What These Numbers Actually Mean
Achieving 100% or even 75% average purity is impossible in a dataset like this. With 44 malware families, massive class imbalance, and overlapping infrastructure, no unsupervised algorithm can fully separate everything - unless it's pretrained on family-specific features.
ClusterHawk isn't pretrained. It's fully dynamic: you can drop in any dataset - raw IPs, mixed malware, even benign + malicious blends - and it adapts automatically. No thresholds. No model updates. No fine-tuning.
Yet in this uncontrolled environment, it still uncovered coherent operational groups, with purity up to 100% for certain families and 55 % overall weighted purity - clear evidence of genuine separability where it actually exists.
That's the point: ClusterHawk doesn't fabricate structure; it reveals the real one.
Results
| Metric | Value |
|---|---|
| Total IPs | 2714 |
| Clusters formed | 60 |
| Special cases (not clustered) | 2 |
| Weighted purity | 55% |
| Clusters ≥0.9 purity | 14 |
| Perfect-purity clusters (1.0) | 6 |
| Low-purity clusters (<0.5) | 30 |
High-purity clusters emerged for families with strong and unique infrastructure traits:
- Viper C2 (three clusters, 100% purity) - 126 total assets across dedicated infrastructure
- Sliver (seven clusters ≥0.94 purity) - 343+ assets indicating coordinated deployment
- ShadowPad (100% purity) - 8 assets in specialized cluster
- Metasploit Framework (96% purity) - 239 assets in largest single-tool cluster
Other frameworks, such as Cobalt Strike and Hak5 Cloud C2, produced more mixed clusters - expected given their widespread use and shared network characteristics. The dataset's inherent imbalance (44 unique actor labels with varying representation) made clustering challenging, yet the algorithm successfully identified distinct operational patterns.
Interpretation
The clustering reveals a realistic topology of today's offensive infrastructure:
- Distinct, high-purity clusters correspond to families with unique operational blueprints - custom TLS certificates, consistent port patterns, static hosting footprints.
- Large, mixed clusters correspond to commodity frameworks reused by multiple actors, where overlaps in hosting and configuration blur family boundaries.
Notable clustering successes despite dataset imbalance:
- Sliver C2 fragmented across 9 clusters but maintained >90% purity in 7 of them, indicating consistent operational patterns despite hosting variations
- Viper C2 achieved perfect purity across 3 clusters (126 assets), which demonstrates highly specialized infrastructure management
- Metasploit Framework formed the largest single-tool cluster (239 assets, 96% purity) despite being dispersed across 29 total clusters
This confirms that while some malware ecosystems are neatly separable, others fundamentally share the same digital terrain. Even with advanced feature engineering, cross-family separability is inherently limited - not a shortcoming of the algorithm, but a reflection of how these systems coexist online.
Key insight
Explorative clustering succeeds when distinct behaviors exist - and fails honestly when they don't.
ClusterHawk's output mirrors the real operational picture: a mix of clear-cut C2 enclaves and blended, shared-infrastructure clusters.
Clustering challenges and successes
The dataset imbalance challenge: With 44 unique actor labels and extreme imbalance (514:1 ratio between largest and smallest families), traditional clustering approaches would struggle. The top 3 families (Metasploit, Sliver, Cobalt Strike) represent ~48% of all IPs, while 21 families (48%) have fewer than 10 IPs each. However, the ensemble method successfully identified operational patterns even when families shared 1-5 key features.
Feature convergence analysis:
- Universal features (HTTP responses, SSL patterns) appeared across all clusters, which created artificial similarity
- Hosting provider convergence grouped diverse families based on cloud infrastructure rather than operational behavior
- Vulnerability signatures (CVE-2012-4360, CVE-2022-28330) created false clustering signals across unrelated families
Operational intelligence insights:
- High-entropy clusters (>3.0 entropy) like Cluster 13 (3.51 entropy, 22 different families) indicate complex multi-actor environments
- Low-entropy clusters (<0.5 entropy) like Cluster 15 (0.146 entropy, 97.92% Sliver C2 purity) demonstrate disciplined operational compartmentalization
- Perfect purity clusters (0.0 entropy) represent single-purpose infrastructure with zero operational contamination
Example highlights
- Sliver C2 IPs, purity 0.94, cleanly isolated across 143 assets.
- Viper C2 IPs, purity 1.00, completely homogeneous with 78 assets.
- Metasploit Framework, purity 0.96, largest single-tool cluster with 239 assets.
- One large cluster, mixed infrastructure, purity 0.52, representing generic attacker infrastructure across 196 assets.
What this means for defenders
ClusterHawk can now:
- Identify high-confidence C2 clusters for automated tagging and enrichment.
- Flag ambiguous clusters for manual or family-specific analysis.
- Track temporal drift of infrastructure as campaigns evolve.
Defensive intelligence priorities:
- Perfect purity clusters (6 clusters, 0.0 entropy) enable zero-false-positive detection rules
- High-purity Sliver C2 infrastructure (343+ assets across 7 clusters) provides consistent hunting opportunities
- Mixed clusters with high entropy require sub-clustering analysis to identify distinct operational components
- Viper infrastructure group (126 assets across 3 clusters) has significant payload staging capabilities
Attribution confidence levels:
- High confidence (80-90%): Perfect purity clusters with single-purpose infrastructure
- Medium confidence (60-75%): High-purity clusters with consistent deployment patterns
- Low confidence (15-35%): Mixed clusters requiring additional intelligence collection
The result goes beyond classification: it gives you situational awareness of the global C2 picture.
Conclusion
Clustering all malware families together is inherently biased - each behaves differently and shares few common features. Yet ClusterHawk demonstrates that even under these constraints, our clustering can extract structure from chaos, isolating families that truly behave alike while mapping where behaviors overlap.
Key achievements despite dataset challenges:
- Successfully identified 14 high-purity clusters (>90%) from an imbalanced dataset with 44 unique actor labels
- Achieved perfect purity (1.0) in 6 clusters representing specialized, single-purpose infrastructure
- Maintained operational coherence for modern frameworks like Sliver C2 across geographically distributed clusters
- Provided actionable intelligence for 126 Viper assets and 343+ Sliver C2 assets across dedicated infrastructure groups
The clustering revealed the operational reality: Some threat actors maintain highly compartmentalized, purpose-built infrastructure (perfect purity clusters), while others operate in shared environments where tool boundaries blur (mixed clusters). This isn't a clustering failure - it's an accurate reflection of how modern offensive infrastructure actually works.
In short: the algorithm found what reality allows - and that's exactly what good clustering should do.
Try ClusterHawk Yourself
Want to replicate this analysis or explore your own malicious infrastructure datasets? ClusterHawk enables security researchers and threat intelligence teams to perform similar clustering experiments on their own data.
Key capabilities:
- Upload your own IP datasets for clustering analysis
- Generate comprehensive reports with cluster portraits and attribution insights
- Extract persistent infrastructure profiles for long-term actor tracking
- Identify high-purity clusters for zero-false-positive detection rules
Get started today: Join ClusterHawk and begin exploring the hidden structure in your threat intelligence data.
