GHOSTMESHInternet C2 Hunting · Widescan
GhostMesh is a distributed scanner and intelligence layer that fingerprints the internet for hostile infrastructure — Cobalt Strike, Sliver, Mythic, Empire team servers and the redirectors that hide them — and classifies them with explainable evidence, not guesswork.
Every scanned address collapses into a single card: geolocation, ASN and hoster, reverse DNS and Cloudflare status, every open port and banner, TLS certificates and fingerprints, a live screenshot, the threat classification with its evidence trail, and the other hosts that share its fingerprint. One IP, everything in one place.
JARM, JA3/JA3S, favicon hashes and certificate identity survive behind any redirector — the C2 signal you can't spoof away.
A versioned rule + signature engine produces weighted, auditable verdicts — you see exactly why a host was flagged, condition by condition.
Cluster infrastructure by shared TLS fingerprint to surface an actor's whole fleet from a single seed — one beacon becomes a hundred.
The mesh grows with its community. Two ways to contribute, both gamified — climb the reputation tiers and the global leaderboard.
Run a scanner on any VPS. It pulls jobs over outbound HTTPS, contributes telemetry, and earns reputation per completed job. Observation only — no exploitation, ever.
Write a detection rule. Once validated it runs on every future scan across the whole mesh, and you earn reputation for the submission plus more for every threat it catches — worth far more than a sensor. Good signatures are the moat.