APTNotes

lookup apt

634 IOCs

Maintainers: David Westcott, Kiran Bandla

Statistics:
Added: 2020-07-12 00:00

Checked: 2022-06-06 09:15

Byte Size: 136 KB

Lines: 635

APTnotes is a repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets.

Alexa Top 1 Million Domains List

domain enrichment reputation lookup

542.000 IOCs

Alexa Top Sites by Amazon Web Services

Statistics:
Added: 2020-08-22 00:00

Checked: 2022-06-06 09:13

Byte Size: 5.0 MB

Lines: 542.000

The Alexa Top Sites service provides programmatic access to lists of websites ordered by Alexa Traffic Rank.

Alienvault

ip reputation

609 IOCs

Alienvault is now AT&T Cybersecurity.

Statistics:
Added: 2020-07-18 00:00

Checked: 2022-06-06 09:13

Byte Size: 39 KB

Lines: 617

AlphaSOC Ryuk Feed

ryuk ransomware malware domain apt

-24 IOCs

AlphaSOC Ryuk ransomware campaign infrastructure

Statistics:
Added: 2020-11-28 00:00

Checked: 2022-06-06 09:13

Byte Size: 127 bytes

Lines: 1

Below is a list of Internet domains registered by the Ryuk ransomware gang to distribute malware and act as C2 infrastructure. This threat actor continuously registers new domains that are in turn uncovered and added to this list. Security teams can primarily use the list to retrospectively uncover compromised hosts.

Bambenek

ip domain dga botnet c2 malware

0 IOCs

Bambenek Consulting is a leading consultancy led by industry veteran John Bambenek. Services include the Well Fed Intelligence feeds used by thousands of organizations all over the world.

Statistics:
Added: 2020-07-18 00:00

Checked: 2022-06-06 09:13

Byte Size: 0 bytes

Lines: 0

The license for this data has changed. The data is now under copyright and requires a commercial license for any commercial use (including companies protecting themselves). Sub Feeds available for various families like Cryptolocker, Gozi, Locky or Quakbot. Link points to Master Feed of known, active and non-sinkholed C&Cs indicators

Binary Defense

ip

6.290 IOCs

Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed

Statistics:
Added: 2020-08-30 00:00

Checked: 2022-06-06 09:14

Byte Size: 89 KB

Lines: 6.303

Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed. The ATIF feed may not be used for commercial resale or in products that are charging fees for such services.

Bitcoin Nodes

ip bitcoin reputation

7.029 IOCs

Bitnodes is currently being developed to estimate the size of the Bitcoin network by finding all the reachable nodes in the network.

Statistics:
Added: 2020-07-19 00:00

Checked: 2022-06-06 09:13

Byte Size: 97 KB

Lines: 7.059

Full Bitcoin nodes list analysis, including geolocation map, history, retention policy, overlaps with other lists, etc. available at http://iplists.firehol.org/?ipset=bitcoin_nodes_1d. Generated by FireHOL's update-ipsets.sh, processed with FireHOL's iprange

Blackbook

domain malware c2

17.576 IOCs

Statistics:
Added: 2020-07-19 00:00

Checked: 2022-06-06 09:14

Byte Size: 296 KB

Lines: 17.576

blackbook is a historical (black)list of malicious domains created as part of the periodic automated heuristic check (i.e. WHOIS, HTTP, etc.) of newly reported entries from public lists of malicious URLs (currently CyberCrime, URLhaus, ScumBots, Benkow and VirusTracker). The main goal is to list domains that are or were dedicated to malware (e.g. C&C), thus excluding compromised sites. It is intended for detecting malware beaconing from infected clients by inspecting the associated DNS traffic, with a significant reduction in false positives.

Blocklist

ip malware reputation

20.684 IOCs

www.blocklist.de is a free and voluntary service provided by a Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-, FTP-, Webserver- and other services.

Statistics:
Added: 2020-07-19 00:00

Checked: 2022-06-06 09:15

Byte Size: 288 KB

Lines: 20.684

We report more than 70,000 attacks every 12 hours in real time using Whois (abuse-mailbox, abuse@, security@, email, remarks), the Ripe-Abuse-Finder, and the contact-database from abusix.org so we may find the abuse-address assigned to the offending host. Our reports are based on X-Arf (Network Abuse Reporting 2.0), so the abuse-department of the provider for the attacking host may parse our reports automatically.

BotScout

bot reputation abuse

1.372 IOCs

BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites.

Statistics:
Added: 2020-07-19 00:00

Checked: 2022-06-06 09:13

Byte Size: 21 KB

Lines: 1.409

This list is composed of the most recently-caught bots. Our database contains bot 'signatures'. A signature is composed of a unique combination of the name the bot used when trying to register, the bot's email address, and the bot's IP address.

Bruteforceblocker

ssh bruteforce

329 IOCs

BruteForceBlocker is a Perl script that works along with pf, the firewall developed by the OpenBSD team.

Statistics:
Added: 2020-07-19 00:00

Checked: 2022-06-06 09:13

Byte Size: 16 KB

Lines: 330

Its main purpose is to block SSH bruteforce attacks via firewall.

CINS Army List

ip reputation

15.000 IOCs

Leveraging data from our network of Sentinel devices and other trusted InfoSec sources, CINS is a Threat Intelligence database that provides an accurate and timely score for any IP address in the world.

Statistics:
Added: 2020-07-19 00:00

Checked: 2022-06-06 09:15

Byte Size: 211 KB

Lines: 15.000

The CINS Army list is a subset of the CINS Active Threat Intelligence ruleset, and consists of IP addresses that meet one of two basic criteria: 1) The IP's recent Rogue Packet score factor is very poor, or 2) The IP has tripped a designated number of 'trusted' alerts across a given number of our Sentinels deployed around the world.

Cobaltstrike Server

ip reputation cobaltstrike

9.586 IOCs

Historical list of {Cobalt Strike,NanoHTTPD} servers

Statistics:
Added: 2020-07-19 00:00

Checked: 2022-06-06 09:13

Byte Size: 381 KB

Lines: 9.587

This repository contains a historical list of Cobalt Strike (or NanoHTTPD) hosts that have been identified using the "extraneous space" fingerprint. The list is a CSV file with ip, port, first_seen, last_seen pairs, starting from 2014-01 till 2019-04-21.

Cruzit Blacklist

ip reputation

12.526 IOCs

Statistics:
Added: 2020-07-19 00:00

Checked: 2022-06-06 09:15

Byte Size: 173 KB

Lines: 12.529

Server Blacklist of known blacklisted IP addresses.

Cyber Crime Tracker

ip reputation botnet c2 malware

0 IOCs

www.badips.com is an abuse tracker with a simple API to report and consume blocklists.

Statistics:
Added: 2020-07-18 00:00

Checked: 2022-06-06 09:13

Byte Size: 0 bytes

Lines: 0

badips.com is a community-based IP blacklist service. You can report malicious IPs and you can download blacklists or query our API to find out if an IP is listed. Currently covers only IPs observed in the last 7 days, without considering scores and categories - please review the API documentation!

Cyber Crime Tracker

url domain botnet c2 malware

22.699 IOCs

Atmos Strategic Monitoring

Statistics:
Added: 2020-07-18 00:00

Checked: 2022-06-06 09:13

Byte Size: 856 KB

Lines: 22.699

C2 and Botnet Tracker since 2012 - Top 5 Bots Pony, Lokibot, ZeuS, AZORult, Citadel

Emerging Threats

ip url malware c2

354 IOCs

Proofpoint Suricata Rules

Statistics:
Added: 2020-08-03 00:00

Checked: 2022-06-06 09:13

Byte Size: 5 KB

Lines: 354

Providing Snort and Suricata Rules - here: compromised IPs Feed

Florian Roth YARA Repository

yara

480 IOCs

Nextron Systems is the global leading provider for compromise assessment software.

Statistics:
Added: 2020-08-14 00:00

Checked: 2022-06-06 09:13

Byte Size: 375 KB

Lines: 480

Florian Roth YARA Rules signature repository.

GreenSnow

ip reputation

5.370 IOCs

GreenSnow is a team consisting of the best specialists in computer security; we harvest a large number of IPs from different computers located around the world.

Statistics:
Added: 2020-07-20 00:00

Checked: 2022-06-06 09:15

Byte Size: 75 KB

Lines: 5.370

GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Our list is updated automatically and you can withdraw your IP address at any time if it has been listed.

James Brine IoCs and STIXII

honeypot phishing ip stixx

177.781 IOCs

James Brine IoCs and STIXII

Statistics:
Added: 2021-02-05 00:00

Checked: 2022-06-06 09:15

Byte Size: 2.424 MB

Lines: 177.781

Collection of CTI from Australian and international honeypots covering ssh, telnet, ntp, git, redis, mssql, mysql, URIs, proxy, nmap scans, google dorking hosts, sip and ftp. Potential phishing domains by category as well as dropped domains for blocklist cleanup. STIX2 for the previous day published as json files.

Malware Domain List

domain malware

0 IOCs

Malware Domain List is a non-commercial community project.

Statistics:
Added: 2020-07-20 00:00

Checked: 2022-06-06 09:13

Byte Size: 0 bytes

Lines: 0

Feed Description not available yet

Maxmind

ip reputation

581 IOCs

MaxMind provides IP intelligence through the GeoIP brand.

Statistics:
Added: 2020-07-24 00:00

Checked: 2022-06-06 09:13

Byte Size: 80 KB

Lines: 581

This feed provides a sample list of some of the most used IP addresses in the minFraud network that have been identified as higher risk.

Myip

ip reputation whois

909 IOCs

#1 World Live Whois IP Source

Statistics:
Added: 2020-07-24 00:00

Checked: 2022-06-06 09:15

Byte Size: 23 KB

Lines: 928

Latest blacklist IP list for your website's .htaccess file

Netlab 360

dga url malware

1.224.078 IOCs

Network Security Research Lab at 360, PassiveDNS, DDoSMon, NetworkScan Mon, DGA Feeds

Statistics:
Added: 2020-06-20 00:00

Checked: 2022-06-06 09:13

Byte Size: 80.033 MB

Lines: 1.224.083

Caution: huge DGA domain list. It is recommended to include the dedicated subfeeds; see Browse Link.
Families: bamital, banjori, blackhole, ccleaner, chinad, conficker, cryptolocker, dircrypt, dyre, emotet, enviserv, feodo, fobber, gameover, gspy, locky, madmax, matsnu, mirai, murofet, mydoom, necurs, nymaim, omexo, padcrypt, proslikefan, pykspa, qadars, ramnit, ranbyus, rovnix, shifu, shiotob, simda, suppobox, symmi, tempedreve, tinba, tinynuke, tofsee, vawtrak, vidro, virut, xshellghost

Openfish

url phishing

500 IOCs

Timely. Accurate. Relevant Threat Intelligence.

Statistics:
Added: 2020-07-24 00:00

Checked: 2022-06-06 09:13

Byte Size: 27 KB

Lines: 500

Community feed, update frequency 12 hours, only phishing URLs.

Phishtank

url phishing email

7.307 IOCs

PhishTank is a collaborative clearing house for data and information about phishing on the Internet.

Statistics:
Added: 2020-08-03 00:00

Checked: 2022-06-06 09:13

Byte Size: 1.34 MB

Lines: 7.308

Rutgers

ip reputation

1.864 IOCs

Rutgers - School of Arts and Sciences

Statistics:
Added: 2020-07-26 00:00

Checked: 2022-06-06 09:15

Byte Size: 26 KB

Lines: 1.864

Sans Internet Storm Center DShield

ip malware

100 IOCs

The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations.

Statistics:
Added: 2020-08-03 00:00

Checked: 2022-06-06 09:13

Byte Size: 2 KB

Lines: 100

Sblam

ip reputation

8.202 IOCs

Sblam! is a web service that blocks spammy posts in blog comments, forums and guestbooks.

Statistics:
Added: 2020-07-26 00:00

Checked: 2022-06-06 09:13

Byte Size: 115 KB

Lines: 8.205

HTTP spam sources identified by http://sblam.com - This is a list of HTML form (comment) spammers--not for blocking e-mail spam.

Seclookup

ip url domain hash

N/A IOCs

Seclookup provides API services for domain scanning at mass scale, assisting enterprises and SOC teams in better detecting cyber threats and preventing fraud.

Statistics:
Added: 2022-06-06 00:00

Checked: 2022-06-06 09:13

Byte Size: 0 bytes

Lines: N/A

Seclookup provides API services to improve detection and analysis of common online threats. Seclookup APIs can enrich threat indicators in SIEM, provide comprehensive information on domain names, improve threat detection & response, and automate threat investigations. Our security service at Seclookup provides smart threat intelligence APIs that can be easily integrated in your services and products. The best part is we are providing 1 million free lookups every month, which is higher than any threat intelligence provider in the industry.

Spamhaus

ip spam email

-3 IOCs

The Spamhaus Project is an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware and botnets.

Statistics:
Added: 2020-08-03 00:00

Checked: 2022-06-06 09:13

Byte Size: 19 bytes

Lines: 1

The DROP list will not include any IP address space under the control of any legitimate network - even if being used by "the spammers from hell".

Free proxy list. HTTP, SSL/HTTPS, SOCKS proxies. Live proxy servers.

Statistics:
Added: 2020-07-26 00:00

Checked: 2022-06-06 09:15

Byte Size: 11 KB

Lines: 408

Proxy List - IP address:Port CountryCode-Anonymity(Noa/Anm/Hia)-SSL_support(S)-Google_passed(+)

Talos Intelligence

ip reputation

0 IOCs

Cisco Talos threat intelligence and research group

Statistics:
Added: 2020-07-26 00:00

Checked: 2022-06-06 09:14

Byte Size: 0 bytes

Lines: 0

ThreatFox IOC Database

ip url domain hash

4.789 IOCs

Statistics:
Added: 2021-03-10 00:00

Checked: 2022-06-06 09:15

Byte Size: 1.052 MB

Lines: 4.799

ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.

Tor

ip tor reputation

1.354 IOCs

Tor is free and open-source software for enabling anonymous communication.

Statistics:
Added: 2020-07-26 00:00

Checked: 2022-06-06 09:13

Byte Size: 19 KB

Lines: 1.354

Turris

ip reputation

9 IOCs

Project Turris is a service helping to protect its user's home network with the help of a special router.

Statistics:
Added: 2020-07-26 00:00

Checked: 2022-06-06 09:13

Byte Size: 644 bytes

Lines: 10

The data are processed and classified every week, and the behaviour of IP addresses that accessed a larger number of Turris routers is evaluated. The result is a list of addresses that have tried to obtain information about services on the router or tried to gain access to them. We publish this so-called "greylist", which also contains a list of tags for each address that indicate what behaviour of the address was observed.

Twitter IOC Hunter

ioc url domain hash mail cve

32 IOCs

Twitter IOC Hunter project

Statistics:
Added: 2020-08-27 00:00

Checked: 2022-06-06 09:13

Byte Size: 13 KB

Lines: 32

IOC Feeds from Twitter tweets. Feed provides only daily tweets.

URLhaus

malware url

146.591 IOCs

URLhaus is a project operated by abuse.ch. The purpose of the project is to collect, track and share malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats.

Statistics:
Added: 2020-06-01 00:00

Checked: 2022-06-06 09:13

Byte Size: 5.46 MB

Lines: 146.600

Multiple subfeeds are available, like ZeuS Tracker, Ransomware Tracker, SSL Blacklist, Malware Bazaar, Feodo Tracker.

VX Fault

url malware

101 IOCs

Statistics:
Added: 2020-06-19 00:00

Checked: 2022-06-06 09:13

Byte Size: 6 KB

Lines: 105

About Malwares, Rogues, Scarewares, SmitfraudFix. Feed contains only last 100 submissions.

Viriback

ip url malware c2

7.691 IOCs

Statistics:
Added: 2020-07-26 00:00

Checked: 2022-06-06 09:15

Byte Size: 578 KB

Lines: 7.692

C2 URL and IPs. Top 10 Families - Lokibot, Predator, AZORult, Kpot, Pony, AgentTesla, Oski, Nexus, BetaBot, Amadey