BeaconBeagle

Welcome to BeaconBeagle

Scraped-in-the-wild Cobalt Strike beacon configurations & C2 intelligence

Beacons

Browse all beacon IPs, architectures, and decoded configurations.

C2 Servers

Explore C2 hosts, endpoints, protocols, and associated configs.

SuperSearch

Faceted search across config fields, ASN, country, and organization.

What is Cobalt Strike?

Cobalt Strike is a commercial red-team tool used to simulate intrusions. Attackers also use cracked copies because it provides an end-to-end framework for post-exploitation.

A Beacon is its payload: a small implant dropped on a compromised machine. It maintains C2 communication, executes commands, moves laterally, and retrieves data. Beacons can communicate over HTTP(S), DNS, or other channels to blend into normal traffic.

Beacons appear on malicious IPs because threat actors deploy their cracked Cobalt Strike servers on rented VPS infrastructure. Those servers expose the C2 endpoints that beacons call back to, making the IPs visible through scans, telemetry, or threat-intel feeds.

Follow us on Mastodon for real-time updates.