About Derp

Derp.ca is a malware infrastructure tracker and research notebook. It brings together sandbox results, malware configuration data, and community threat intelligence to give a daily view of where malware is calling home, where payloads are being served from, and which families are active right now.

Derp is built and maintained by Matt Kirkland, an independent malware researcher and infrastructure analyst focused on command-and-control tracking, sandbox-derived telemetry, and practical threat intelligence. You can find him as @KirkDerpca on X and on LinkedIn.

Got something interesting to share, or want to work together? Reach out at kirk@derp.ca.

What Derp Tracks

Derp tracks two related parts of malware infrastructure: command-and-control hosts and distribution hosts. C2 hosts are the servers a sample is built to contact after it runs. Distribution hosts are the places payloads are hosted and downloaded from. Keeping those separate matters because they usually look different, sit on different networks, and tell different parts of the story.

Each day, Derp publishes a rolling 7-day view across malware families, hosting providers, countries, ASNs, and infrastructure types. Family pages show daily unique C2 counts, plus added context where we have it. The homepage gives the broader picture: which families are moving, where infrastructure is clustering, and whether active hosts sit in cloud, ISP, business, education, government, or unknown space.

Derp also includes a separate ransomware tracker. That view follows active groups, recent victim claims, affected sectors and countries, and the public reporting tied to each group.

Research & Briefings

On the research page, Derp publishes original malware analysis and daily threat intelligence roundups. Standard research investigations focus on specific samples, campaigns, infrastructure, and tradecraft. You can subscribe to the Security Research RSS feed for detailed reports, and the Daily Cybercrime RSS feed for rolling briefs.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. We are not affiliated with or endorsed by any of them.

Special thanks to ADAMnetworks, IPinfo, and Recorded Future for providing researcher access to their platforms. We're genuinely grateful.