A “space” in the HTTP responses performed by various malicious agents (attackers) allowed Fox-IT researchers to identify them easily in the last year and a half.

https://seguranca-informatica.pt/falha-no-cobalt-strike-usado-para-identificar-servidores-maliciosos/#.XHsFDVNKhn4