This repository contains a historical list of Cobalt Strike (or NanoHTTPD) hosts that have been identified using the "extraneous space" fingerprint.
Read more about this technique in the following blog post:
The list is a CSV file with ip, port, first_seen, last_seen
pairs, starting from 2014-01 till 2019-04-21 and can be found here:
The data is derived from Rapid7 Labs OpenData sets which has a historical archive of HTTP and HTTPS scan data: https://opendata.rapid7.com