An extraneous space in the HTTP responses of webservers run by a variety of malicious actors allowed researchers to identify them pretty easily.
Source : Bug in Cobalt Strike pentesting tool used to identify malicious servers – Help Net Security
Source : Bug in Cobalt Strike pentesting tool used to identify malicious servers – Help Net Security