An extraneous space in the HTTP responses of webservers run by a variety of malicious actors allowed researchers to identify them pretty easily.

Source : Bug in Cobalt Strike pentesting tool used to identify malicious servers – Help Net Security