This repository contains a historical list of Cobalt Strike (or NanoHTTPD) hosts that have been identified using the "extraneous space" fingerprint. Read more about this technique in the following blog post: https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
The list is a CSV file with ip, port, first_seen, last_seen pairs, starting from 2015-01 till 2019-02-26 and can be found here:
The data is derived from Rapid7 Labs OpenData sets which has a historical archive of HTTP and HTTPS scan data: https://opendata.rapid7.com