About Derp
Derp tracks active malware command-and-control infrastructure. Every day, we publish statistics on malware families, their C2 hosts, and associated indicators for anything with confirmed activity in the last 7 days.
What we track
Every host on this site was pulled from a malware sample's actual config, not inferred from network traffic or heuristics. If it's listed here, something was configured to phone home to it.
The data covers dozens of malware families across stealers, RATs, loaders, and botnets. Each family page shows daily observation counts, unique C2 hosts, behavioral tags, MITRE ATT&CK techniques, port distributions, and linked threat actors where attribution exists.
How it works
An automated pipeline runs hourly, pulling fresh malware samples and extracting C2 configuration data. That raw data lands in a database. Once a day, we aggregate the last 7 days of observations into the per-family summaries you see on the site.
The 7-day window keeps things current. Families drop off when they go quiet, and reappear when new samples surface. A host marked “new” on a given day has genuinely never been seen before, tracked against all-time history.
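For anyone consuming the data, the window and "new" semantics described above can be reproduced as follows. This is an added example, not Derp's pipeline code: the `(day, family, host)` record shape, the `summarize` function, the sample values, and the reading of "last 7 days" as seven calendar days including today are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

WINDOW_DAYS = 7  # the page's stated activity window

# Constructed sample observations: (day seen, family, C2 host). Family names
# are placeholders; hosts use reserved documentation names and addresses.
OBSERVATIONS = [
    (date(2024, 5, 1), "family-a", "c2-old.example.net"),
    (date(2024, 5, 9), "family-a", "c2-old.example.net"),
    (date(2024, 5, 10), "family-a", "198.51.100.7:443"),
    (date(2024, 5, 10), "family-a", "198.51.100.7:443"),
    (date(2024, 5, 2), "family-b", "203.0.113.20:8080"),
    (date(2024, 5, 10), "family-c", "c2-fresh.example.org"),
]


def summarize(observations, today):
    """Aggregate the trailing window into per-family summaries."""
    # Assumption: the window is inclusive of `today`.
    window_start = today - timedelta(days=WINDOW_DAYS - 1)

    # First-seen date per host over all history, not just the window, so a
    # host that returns after a quiet period is not reported as new.
    first_seen = {}
    for day, _family, host in observations:
        if day <= today and (host not in first_seen or day < first_seen[host]):
            first_seen[host] = day

    summary = defaultdict(
        lambda: {"observations": 0, "hosts": set(), "new_hosts": set()}
    )
    for day, family, host in observations:
        if not window_start <= day <= today:
            continue  # families with nothing in the window never get an entry
        entry = summary[family]
        entry["observations"] += 1
        entry["hosts"].add(host)
        if first_seen[host] == today:
            entry["new_hosts"].add(host)
    return dict(summary)


if __name__ == "__main__":
    for family, stats in sorted(summarize(OBSERVATIONS, date(2024, 5, 10)).items()):
        print(family, stats["observations"], sorted(stats["hosts"]),
              sorted(stats["new_hosts"]))
```
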
Research
We also publish original malware analysis and threat intelligence write-ups. These go deeper on specific samples, campaigns, and techniques we find interesting. You can read them on the research page, or subscribe via RSS.
Who this is for
Threat intelligence analysts, security researchers, and anyone curious about what malware infrastructure looks like right now. The data is presented as-is. Do what you want with it.
We appreciate you
Derp wouldn't exist without the work these projects do for the security community. We are not affiliated with or endorsed by any of them.
About the author
Derp is built and maintained by Kirk. I like the internet.
Get in touch
Got something interesting to share, or want to work together? Reach out at kirk@derp.ca.