Favicons can be used to identify malicious websites and to fingerprint threat actors.[^1] To do this, cross-reference the hash of a DarkNet website's favicon with a public database of website searches to find an IP address linked to an Apache server.[^1] If the hash is distinct and no other IP addresses are associated with the favicon, it is possible that the IP address also hosts the Tor service.[^1] This method also works for any on-page data.[^1]

The favicon is the icon associated with a URL that the browser displays.[^2] Favicons are a visual badge for web properties.[^2] Favicon files are stored in the web root directory as favicon.ico.[^2] The WordPress websites contain Cyrillic characters and the Russian country code.[^2]
[[Quantum Ransomware Group]] – was found with favicon fingerprinting
[[African Initiative]] – identical websites were matched using favicon fingerprinting
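
The cross-referencing step described above, as an added example (not code from the cited sources). It assumes the hash convention used by Shodan's `http.favicon.hash` filter, MurmurHash3 over the newline-wrapped base64 of the icon file; the icon bytes, scan records and the `sole_host` helper are constructed for illustration.

```python
import base64

MASK = 0xFFFFFFFF

def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 (x86, 32-bit) as a signed int, matching mmh3.hash()."""
    h, n = seed & MASK, len(data)
    full = n - n % 4  # bytes covered by complete 4-byte blocks
    for i in range(0, n, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (_rotl((k * 0xCC9E2D51) & MASK, 15) * 0x1B873593) & MASK
        h ^= k
        if i < full:  # the 1-3 byte tail skips this extra mixing step
            h = (_rotl(h, 13) * 5 + 0xE6546B64) & MASK
    h ^= n  # finalisation: fold in the length, then avalanche
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(raw: bytes) -> int:
    """Hash favicon.ico bytes; encodebytes() wraps base64 at 76 chars with newlines."""
    return murmur3_32(base64.encodebytes(raw))

def sole_host(target: int, scan_records):
    """Return the only IP seen serving `target`, or None if the hash is
    absent or shared (a shared icon does not single out one server)."""
    ips = {ip for ip, h in scan_records if h == target}
    return next(iter(ips)) if len(ips) == 1 else None

# Constructed sample data: made-up icon bytes and documentation-range IPs.
ACTOR_ICON = b"\x00\x00\x01\x00" + b"constructed-custom-icon" * 8
STOCK_ICON = b"\x00\x00\x01\x00" + b"constructed-default-icon" * 8
SCAN_RECORDS = [
    ("192.0.2.10", favicon_hash(ACTOR_ICON)),
    ("198.51.100.7", favicon_hash(STOCK_ICON)),
    ("203.0.113.42", favicon_hash(STOCK_ICON)),
]

if __name__ == "__main__":
    for name, icon in (("custom", ACTOR_ICON), ("default", STOCK_ICON)):
        h = favicon_hash(icon)
        print(f"{name}: http.favicon.hash:{h} -> {sole_host(h, SCAN_RECORDS)}")
```

A hash shared by many hosts, such as a framework's default icon, returns `None` here, which mirrors the note's condition that the hash must be distinct before the IP is treated as a candidate.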
Backlinks
[[Cybersecurity]]
[[DarkNet]]
[[De-Anonymizing Ransomware]]
[[Hash Function]]
IP Addresses
[[Shodan]]
[[Threat Actor]]
Sources
[1] SilentPush-DarkWebScanning
[2] talosintelligence_de-anonymizingRansomware