Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Detecting ScoutC2 Malware Through HTTP Artifacts | Corelight

Written by Corelight Labs Team | Jul 7, 2026 7:20:59 PM

At Corelight Labs, our mission is to help organizations stay a step ahead of evolving threats. When our researchers came across Censys' detailed write-up on ScoutC2, a rapidly growing open-source command-and-control (C2) framework favored by threat actors, we knew we needed to bolster community defenses quickly.

In this article, we'll provide an overview of ScoutC2, summarize the TTPs identified by Censys, and most importantly, explain how our internal Labs team rapidly developed Zeek®, SIEM, and Suricata® detections to identify ScoutC2 in a given network.

Background

A Linode host (cloud host) contained a ZIP archive with the source code for a C2 server and its backdoor build system. The toolkit consists of four key components:

  • C2 server: A central computer system used by the attacker to remotely manage and direct compromised host machines.
  • C2 admin client: The software interface or application used by the threat actor (the human operator) to interact with the C2 server.
  • Dropper builder: A specific component or module of the C2 framework used to generate the initial malicious file.
  • Payload: The malicious code or binary that is eventually executed on the victim's machine.

The builder generates a malicious executable that masquerades as a Microsoft Word document. Upon execution, the dropper installs two files in C:\ProgramData\Vault: steam2.exe and tier0_s.dll.

After execution, the agent enters a configurable sleep cycle before establishing communication with the designated C2 server. It issues an HTTP POST request to /admin/edit/upload_image.aspx to obtain new tasks and return task results. Each POST request is prefixed with a spoofed PNG file header; if this header is absent, the server rejects the request, as shown in the Wireshark screenshot below.

Tasks are managed via the /client_api endpoint using JSON-formatted POST requests. These requests are authenticated with a token defined at server startup, enabling administrators to query agents and assign tasks. As shown in the client terminal setup screenshot above, token is the keyword used for authentication between the client and server. Files uploaded by agents can be retrieved from the C2 server via the /file_storage/ endpoint using a GET request, with authentication using the startup-defined token.

Plaintext log searches

Since there are no references to this malware on VirusTotal or ANY.RUN, no publicly submitted PCAPs are available. However, because the Python source code for this malware is available, it is possible to generate PCAPs by running commands between the client and server.

A simple way to detect suspicious file-download traffic is to look for connections whose URIs contain a known ScoutC2 string. The following command searches all the compressed Zeek log lines containing the string "/file_storage/".

The command below is designed to detect ScoutC2 command-and-control communication. It pinpoints instances where an infected host uses a specific HTTP POST URI to both retrieve new instructions and exfiltrate data to the C2 server.

Note: This example searches compressed Zeek logs.

The following command searches for tasks issued via an HTTP POST URI. These tasks are used to provide client-related information to the C2 server.

SIEM searches

If your logs are stored in a SIEM like CrowdStrike's LogScale, you can perform the same type of analysis with a simple query that searches for HTTP events where the HTTP method and HTTP URI are one of the known strings:

Query 1:

The following screenshot shows the Zeek logs identified by this SIEM query:

This query filters on the HTTP POST method in Zeek logs with the specified URI string and MIME type as image/png in both network directions. Note: It uses a custom Zeek package that explicitly logs Zeek HTTP POST bodies, which vanilla Zeek does not log by default. More details for that package can be found here.

Query 2:

The following screenshot shows the Zeek logs identified by this SIEM query:

This query filters on the HTTP POST method in Zeek logs with the specified /client_api URI, looking for the presence of cmd: listagent in the HTTP POST body via regex.

Zeek code

For real-time detection, a custom set of three Zeek scripts monitors HTTP logs, and generates notices when a potential ScoutC2 malware match is found.

This script is a high-fidelity detector for anomalous network behavior. It flags HTTP POST requests sent to the URI /admin/edit/upload_image.aspx when both the client and server Content-Type headers are set to image/png. This behavior, which mimics a PNG file upload and response, can be used to detect specific malware families with high fidelity.

The following Zeek script inspects all HTTP requests and generates a notice whenever it finds a GET request with a URI that starts with /file_storage/. This behavior can be a strong indicator that a remote operator is downloading files from a compromised host, which is a common stage in a targeted attack.

The following signature file, scoutc2_list_agent_cmd.sig, is designed to quickly scan network traffic for a precise pattern. It looks for a TCP connection containing an HTTP request with the URI /client_api and a specific string in its body: \"cmd\": \"listagent\". When this exact pattern is found, the signature engine triggers a predefined event called scoutc2_malware_sig_match.

The following Zeek script then takes over. It's configured to listen for the scoutc2_malware_sig_match event triggered by the signature. When that event occurs, the script performs the following actions:

  • Gathers information about the connection: The source and destination IP addresses
  • Creates a detailed notice message: "ScoutC2 Operator Command POST /client_api, JSON body has listagent command"
  • Logs a notice in Zeek's notice.log file, alerting security teams to a detected C2 command

Suricata rules

You can also use Suricata signatures to detect this type of activity. The following set of rules detects suspicious strings in the HTTP URI and method fields.

This Suricata rule detects ScoutC2 malware by looking for a POST request to /admin/edit/upload_image.aspx. It specifically flags traffic where the request body mimics a PNG file and the Referer header is missing, a high-fidelity indicator of a malicious check-in.

This Suricata rule detects a ScoutC2 operator command. It flags a POST to /client_api where the JSON body contains a listagent command and the Referer header is missing, indicating a high-fidelity match for a specific C2 operation.

This Suricata rule detects a ScoutC2 operator downloading files from a command-and-control server. It flags any GET request to a URI starting with /file_storage?token=, specifically when the Referer header is missing. This combination of a unique path and missing header provides a high-fidelity alert for operator activity.

Conclusion

The rise of open-source C2 frameworks like ScoutC2 presents an ongoing challenge for security teams. As demonstrated, however, understanding the specific tactics, techniques, and procedures (TTPs) these frameworks employ makes it possible to develop high-fidelity detections. By analyzing network traffic for distinctive URI patterns, HTTP methods, and body content, security practitioners can effectively unmask ScoutC2 activity. The Zeek, SIEM, and Suricata signatures presented here offer multiple avenues for proactive defense against this evolving threat. To further sharpen these detections, security teams should consider deploying the log-add-http-post-bodies package. This addition surfaces HTTP POST body content within notice.log, providing responders with immediate visibility into malicious payloads and eliminating the need for cumbersome manual PCAP analysis.

To further explore strategies for identifying and neutralizing emerging threats, we encourage you to examine Corelight's technical documentation and engage with the global open-source community.

For more insights into threat detection and mitigation, we recommend checking out Corelight's resources and the broader open-source security community.