In one embodiment, a device obtains execution records regarding executions of a plurality of binaries. The execution records comprise command line arguments used during the execution. The device determines measures of similarity between the executions of the binaries based on their command line arguments. The device clusters the executions into clusters based on the determined measures of similarity. The device flags the command line arguments for a particular one of the clusters as an indicator of compromise for malware, based on at least one of the binaries associated with the particular cluster being malware.