Mythic C2 Detected – 188[.]124[.]51[.]141:7443
Assessment of suspected infrastructure
Evidence-driven summary with indicators, detections, and immediate defensive actions.
Summary
Shodan data show a TLS-enabled nginx host (188[.]124[.]51[.]141) with a Mythic certificate and a login portal at /new/login. The 403 IP-block page and TLS/JA3S/JARM fingerprints strongly suggest a Mythic C2 panel exposed on port 7443.
Key Evidence
Facet | Value | Notes |
---|---|---|
IP address | 188[.]124[.]51[.]141 | Public host in Selectel network; AS49505 |
server_software | nginx 1.25.5 | TLS-enabled web server; port 7443 |
port | 7443 | TLS management port; not 80/443 |
redirect_location | /new/login | HTTP 301 redirect to login portal |
certificate_issuer | Mythic | Certificate subject O Mythic; suggests Mythic C2 usage |
ja3s_fingerprint | 574866101f64002c6421cc329e4d5458 | TLS JA3S fingerprint |
jarm_fingerprint | 1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e | JARM fingerprint |
path_context | /new/login | Login portal path observed |
html_title | Error 403 – IP Address Blocked | Blocked IP appears in HTML response |
Why this matters and what to do now
- What: Operational risk. A likely Mythic C2 management interface is publicly reachable on port 7443 with TLS, exposing potential control and data exfiltration points.
- Why: C2 panels expose beaconing endpoints and command channels. Public access increases the likelihood of unauthorised access or misconfiguration; attackers could discover and misuse the panel.
- Do now: Block public access to port 7443 until validated
- Do now: Preserve logs and enable traffic monitoring for C2 beacon signatures
- Do now: Validate certificate provenance; verify legitimacy of the panel with the hosting provider if needed
- Do now: Analyze outbound traffic for beacon indicators across the network
- Do now: If confirmed as C2, coordinate incident response and containment actions
Assessment
The evidence is consistent with a Mythic C2 panel exposed publicly on port 7443. The certificate subject and issuer are Mythic, and the JA3S/JARM fingerprints align with known C2 deployments. The presence of a /new/login path and a 403 IP-block HTML page further supports an access-controlled management interface. Alternatively, it could be a misconfigured or unrelated admin portal using a Mythic certificate. Public exposure raises the risk of discovery and misuse. Correlation with outbound beacon traffic is required to confirm C2 activity.
Indicators
Type | Value | Context |
---|---|---|
ja3s_fingerprint | 574866101f64002c6421cc329e4d5458 | TLS server handshake for 188[.]124[.]51[.]141 |
jarm_fingerprint | 1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e | Observed in Shodan data |
certificate_subject | Mythic | Certificate subject; issuer also Mythic |
port | 7443 | TLS port; likely admin interface |
server_software | nginx 1.25.5 | Web server |
redirect_location | /new/login | HTTP redirect to login portal |
Detections & Hunting
- Suspicious public exposure of a Mythic C2 panel on port 7443 with TLS
- HTTP 301/403 responses and login path /new/login
- HTML block message suggests IP-based access control
Mitigations
- Limit exposure by restricting inbound access to port 7443 (e.g., VPN or allow-list only)
- Enable monitoring and log collection for C2 beacon traffic
- Verify certificate provenance; if legitimate, ensure access is properly authenticated and isolated; otherwise decommission or relocate
Confidence
Moderate. Strong indicators (Mythic certificate, JA3S/JARM, login path) support C2 likelihood, but activity cannot be confirmed without traffic correlation.