Internet C2 Hunting · Widescan

Find command-and-control infrastructure before it finds you.

GhostMesh is a distributed scanner and intelligence layer that fingerprints the internet for hostile infrastructure — Cobalt Strike, Sliver, Mythic, Empire team servers and the redirectors that hide them — and classifies them with explainable evidence, not guesswork.

JARM/JA3
TLS fingerprinting
100+
C2 signatures
IPv4
widescan reach
0-touch
observation only

What the mesh knows

Every scanned address collapses into a single card: geolocation, ASN and hoster, reverse DNS and Cloudflare status, every open port and banner, TLS certificates and fingerprints, a live screenshot, the threat classification with its evidence trail, and the other hosts that share its fingerprint. One IP, everything in one place.

Fingerprint depth

JARM, JA3/JA3S, favicon hashes and certificate identity survive behind any redirector — the C2 signal you can't spoof away.

Explainable detection

A versioned rule + signature engine produces weighted, auditable verdicts — you see exactly why a host was flagged, condition by condition.

Correlation

Cluster infrastructure by shared TLS fingerprint to surface an actor's whole fleet from a single seed — one beacon becomes a hundred.

Contribute & earn

The mesh grows with its community. Two ways to contribute, both gamified — climb the reputation tiers and the global leaderboard.

Deploy a shell

Run a scanner on any VPS. It pulls jobs over outbound HTTPS, contributes telemetry, and earns reputation per completed job. Observation only — no exploitation, ever.

Submit a signature

Write a detection rule. Once validated it runs on every future scan across the whole mesh, and you earn reputation for the submission plus more for every threat it catches — worth far more than a sensor. Good signatures are the moat.

Reputation tiers
DORMANT0
SIGNAL100
LINKED1k
SYNCED5k
MESHED15k
ASCENDANT50k