0x01. Executive Summary
During cyberattacks, adversaries often rely on Command-and-Control (C2) servers, loader servers, or even their own "workstations" for staging and data transfer. In some cases, these systems inadvertently expose themselves by enabling web servers with directory browsing or file download functionality.
Our analysis revealed multiple Cobalt Strike controllers and attacker-operated machines that publicly exposed malicious binaries, exploitation scripts, payloads, and scan results. In certain instances, external actors had already traversed these directories and downloaded entire toolkits — indicating the presence of "hunters" actively targeting hacker workstations to steal their tools and intelligence.
0x02. Background
While hackers seek to compromise and exfiltrate data from their victims, they are equally vulnerable to counter-exploitation. For example, a hacker may unknowingly download a scanning tool laced with a backdoor, thereby falling under the control of a more sophisticated operator.
This report explores how publicly exposed web servers — commonly used by attackers for quick malware distribution and data transfer — can be discovered through cyberspace search engines like ZoomEye. We demonstrate how such exposure enables security researchers (or rival actors) to become “hunters behind the hackers,” intercepting the very tools meant for malicious campaigns.
Many attackers prefer lightweight methods for distributing malware, such as spinning up a temporary HTTP service and instructing compromised hosts to fetch files via curl or wget. Languages like Python make this trivial with a one-line command: python3 -m http.server
While efficient, this practice leaves attackers themselves exposed. Any party identifying the server can collect the tools, exploits, and even stolen data stored there.
0x03. Methodology: Using ZoomEye to Locate Hacker Workstations
To systematically discover attacker-operated machines, we leveraged ZoomEye to search for web servers exposing directory listings. By combining title fingerprints with keywords frequently associated with exploitation frameworks, we could identify attacker "workstations" with high confidence.
Example queries in ZoomEye:
Vulnerability exploits:
(title="Index of /" || title="Directory List" || title="Directory listing for /") && "exp"
log4j exploitation tools:
(title="Index of /" || title="Directory List" || title="Directory listing for /") && "log4j"
Cobalt Strike:
(title="Index of /" || title="Directory List" || title="Directory listing for /") && "cobaltstrike"
Metasploit:
(title="Index of /" || title="Directory List" || title="Directory listing for /") && "Metasploit"
Exploits with CVE identifiers:
(title="Index of /" || title="Directory List" || title="Directory listing for /") && "cve"
Payloads and test binaries:
(title="Index of /" || title="Directory List" || title="Directory listing for /") && "payload"
(title="Index of /" || title="Directory List" || title="Directory listing for /") && "calc.exe"
One such exposed host revealed a toolkit containing:
- Cobalt Strike payloads
- Exploits for CVE-2019-7609
- General-purpose payload code
- Exploits for Apache James Server RCE
- Multiple CVE-tagged exploitation tools
- General-purpose exploit code
Such findings highlight how attacker workstations can unintentionally serve as open repositories of offensive tradecraft.
0x04. Evidence of Existing "Hunters"
Our investigation also uncovered indications that attackers themselves are being systematically targeted. For example, one workstation hosted at 83.136.*.*:8000 contained a nohup.out log file that recorded inbound requests.
Analysis of this log revealed multiple suspicious IP addresses, including 34.140.*.*, which performed recursive downloads across all directories. These were not search engine crawlers but deliberate actors — likely “hunters” — collecting every accessible file.
Three additional IP addresses exhibited identical behavior, strongly suggesting the existence of a broader ecosystem of hunters scanning the internet for attacker workstations and harvesting their contents.
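The log analysis described above can be reproduced with a short script. The following is an added example, not code from the original report: it assumes the exposed host was running `python3 -m http.server` (consistent with port 8000, its default, and with stdout captured in nohup.out), whose log lines look like `client - - [date] "GET /path HTTP/1.1" status -`. The sample lines are constructed, with documentation-range IP addresses; they are not the addresses from the report. A client that lists several directories and then fetches the files inside them within a short window is flagged as a recursive downloader (the wget -r pattern), while a client that fetches a single file, or only the root listing, is not.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the format written by `python3 -m http.server`
# (its log_message format is "%s - - [%s] %s": client address, timestamp,
# request line plus status code and a literal "-" for the size).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024 09:14:02] "GET /payload.bin HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 09:20:11] "GET / HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 09:20:12] "GET /exp/ HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 09:20:12] "GET /exp/cve_poc.py HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 09:20:13] "GET /exp/readme.txt HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 09:20:13] "GET /payloads/ HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 09:20:14] "GET /payloads/beacon.bin HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 09:20:14] "GET /payloads/calc.exe HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 09:20:15] "GET /scan/ HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2024 09:20:15] "GET /scan/results.txt HTTP/1.1" 200 -
192.0.2.9 - - [12/Mar/2024 09:31:40] "GET /robots.txt HTTP/1.1" 404 -
192.0.2.9 - - [12/Mar/2024 09:31:41] "GET / HTTP/1.1" 200 -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Turn http.server log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def find_recursive_downloaders(events, min_listings=2, min_files=3, window_seconds=120):
    """Flag clients that list directories and then pull the files inside them.

    A client is reported when, within `window_seconds`, it requested at least
    `min_listings` directory listings (paths ending in "/") and fetched at least
    `min_files` files whose parent directory it had listed.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "GET" and e["status"] == 200:
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        listings = {e["path"] for e in evs if e["path"].endswith("/")}
        files = {e["path"] for e in evs if not e["path"].endswith("/")}
        # A file counts as "crawled" when the client had already requested the
        # listing of its parent directory; this is what wget -r / curl loops do.
        crawled = {f for f in files if f.rsplit("/", 1)[0] + "/" in listings}
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if len(listings) >= min_listings and len(crawled) >= min_files and span <= window_seconds:
            findings[ip] = {
                "listings": len(listings),
                "files": len(files),
                "crawled": len(crawled),
                "span_seconds": span,
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_recursive_downloaders(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: listed {info['listings']} dirs, pulled {info['crawled']} files "
              f"in {info['span_seconds']:.0f}s")
```

Run against a real nohup.out, the thresholds are the tuning knobs: a legitimate crawler also lists directories, so the combination of several listings, many files under those listings, and a very short time span is what separates a deliberate harvest from a single curl. http.server does not log the User-Agent header, so the path pattern and timing are the only signals available from this kind of log.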
0x05. Conclusion
Hackers may operate solo — limited by their own skills and blind spots — or within teams where narrowly defined roles leave critical gaps in security awareness. These structural weaknesses make their infrastructure vulnerable to discovery and exploitation.
By using tools like ZoomEye, defenders and rival threat actors alike can identify attacker workstations, capture their toolkits, and gain valuable insights into adversary tradecraft.
In short, not all hackers are skilled defenders. Many become prey to higher-level hunters. This dynamic illustrates the constant evolution of offense and defense in cyberspace — where the question is no longer just who gets hacked, but who hunts the hacker.