About Derp

Derp tracks active malware infrastructure across two dimensions: where malware is controlled from (C2) and where it's delivered from (distribution). Every day, we publish per-family statistics, geographic breakdowns, and hosting provider analysis for anything with confirmed activity in the last 7 days.

What we track

Command & control (C2) hosts are servers that malware is configured to phone home to. These are extracted directly from malware configs found during sandbox analysis, not from network traffic or behavioral heuristics. If a C2 host is listed here, a sample was built to communicate with it.

Distribution hosts are servers that deliver malware payloads. These are URLs where samples are hosted for download, sourced from community threat intelligence feeds. Distribution infrastructure tends to look very different from C2, often compromised devices and residential ISPs rather than cloud providers.

The data covers >140 malware families across stealers, RATs, loaders, and botnets. Each family page shows daily unique C2 host counts and linked threat actors where attribution exists. The homepage shows geographic and hosting provider leaderboards for both C2 and distribution infrastructure.

The data is published as-is from our sources with no manual filtering, suppression, or modification. If we are ever legally compelled to alter, withhold, or remove data, we will disclose that here.

Research

We publish original malware analysis and threat intelligence write-ups on the research page. These go deeper on specific samples, campaigns, and techniques we find interesting. Available via RSS.

How do we decide what to publish?

Threat feed anomalies, things trending in the security community on social media, or just stuff we find interesting. There's no editorial board or content calendar. This is a passion project, done independently, and our only goal is to make the internet a safer place. We like the internet.

Has Derp ever been paid to publish content?

Nothing on Derp has been sponsored or paid for. We've worked with security vendors on malware projects and been paid under contract for that work, but none of it involved publishing content on this site.

Who this is for

Threat intelligence analysts, security researchers, and anyone curious about what malware infrastructure looks like right now. Do what you want with it.

Why Derp.ca?

The beaver told us to. We don't question the beaver.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. We are not affiliated with or endorsed by any of them.

Special thanks to ADAMnetworks, IPinfo, and Recorded Future for providing researcher access to their platforms. We're genuinely grateful.

About the author

Derp is built and maintained by Kirk. We like the internet.

Get in touch

Got something interesting to share, or want to work together? Reach out at [email protected].