Free and Open Source Threat Intelligence Feeds

APTNotes
lookup apt
634 IOCs
Maintainers: David Westcott, Kiran Bandla


CSV JSON
online
Statistics:
Added: 2020-07-12 00:00
Checked: 2022-06-06 09:15
Byte Size: 136 KB
Lines: 635
APTnotes is a repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets.
Alexa Top 1 Million Domains List
domain enrichment reputation lookup
542.000 IOCs
Alexa Top Sites by Amazon Web Services


CSV
online
Statistics:
Added: 2020-08-22 00:00
Checked: 2022-06-06 09:13
Byte Size: 5.0 MB
Lines: 542.000
The Alexa Top Sites service provides programmatic access to lists of websites ordered by Alexa Traffic Rank.
Alienvault
ip reputation
609 IOCs
Alienvault is now AT&T Cybersecurity.


TXT
online
Statistics:
Added: 2020-07-18 00:00
Checked: 2022-06-06 09:13
Byte Size: 39 KB
Lines: 617
Generic reputation feed.
AlphaSOC Ryuk Feed
ryuk ransomware malware domain apt
-24 IOCs
AlphaSOC Ryuk ransomware campaign infrastructure

Statistics:
Added: 2020-11-28 00:00
Checked: 2022-06-06 09:13
Byte Size: 127 bytes
Lines: 1
Below is a list of Internet domains registered by the Ryuk ransomware gang to distribute malware and act as C2 infrastructure. This threat actor continuously registers new domains that are in-turn uncovered and added to this list. Security teams can primarily use the list to retrospectively uncover compromised hosts.
Bambenek
ip domain dga botnet c2 malware
0 IOCs
Bambenek Consulting is a leading consultancy led by industry veteran John Bambenek. Services include the Well Fed Intelligence feeds used by thousands of organizations all over the world.

Statistics:
Added: 2020-07-18 00:00
Checked: 2022-06-06 09:13
Byte Size: 0 bytes
Lines: 0
The license for this data has changed. The data is now under copyright and requires a commercial license for any commercial use (including companies protecting themselves). Sub Feeds available for various families like Cryptolocker, Gozi, Locky or Quakbot. Link points to Master Feed of known, active and non-sinkholed C&Cs indicators
Binary Defense
ip
6.290 IOCs
Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed


TXT
online
Statistics:
Added: 2020-08-30 00:00
Checked: 2022-06-06 09:14
Byte Size: 89 KB
Lines: 6.303
Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed. The ATIF feed may not be used for commercial resale or in products that are charging fees for such services.
Bitcoin Nodes
ip bitcoin reputation
7.029 IOCs
Bitnodes is currently being developed to estimate the size of the Bitcoin network by finding all the reachable nodes in the network.


TXT
online
Statistics:
Added: 2020-07-19 00:00
Checked: 2022-06-06 09:13
Byte Size: 97 KB
Lines: 7.059
Full Bitcoin nodes list analysis, including geolocation map, history, retention policy, overlaps with other lists, etc. available at http://iplists.firehol.org/?ipset=bitcoin_nodes_1d. Generated by FireHOL's update-ipsets.sh, processed with FireHOL's iprange
Blackbook
domain malware c2
17.576 IOCs

TXT CSV
online
Statistics:
Added: 2020-07-19 00:00
Checked: 2022-06-06 09:14
Byte Size: 296 KB
Lines: 17.576
blackbook is a historical (black)list of malicious domains created as part of the periodic automated heuristic check (i.e. WHOIS, HTTP, etc.) of newly reported entries from public lists of malicious URLs (currently CyberCrime, URLhaus, ScumBots, Benkow and VirusTracker). Main goal is listing those that are/were malware dedicated (e.g. C&C) - thus, excluding compromised sites. It is supposed to be used for detection of malware beaconing infected clients by inspection of associated DNS traffic, with significant reduce of false-positives.
Blocklist
ip malware reputation
20.684 IOCs
www.blocklist.de is a free and voluntary service provided by a Fraud/Abuse-specialist, whose servers are often attacked via SSH-, Mail-Login-, FTP-, Webserver- and other services.


TXT
online
Statistics:
Added: 2020-07-19 00:00
Checked: 2022-06-06 09:15
Byte Size: 288 KB
Lines: 20.684
We report more than 70,000 attacks every 12 hours in real time using Whois (abuse-mailbox, abuse@, security@, email, remarks), the Ripe-Abuse-Finder, and the contact-database from abusix.org so we may find the abuse-address assigned to the offending host. Our reports are based on X-Arf (Network Abuse Reporting 2.0), so the abuse-department of the provider for the attacking host may parse our reports automatically.
BotScout
bot reputation abuse
1.372 IOCs
BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites.


TXT
online
Statistics:
Added: 2020-07-19 00:00
Checked: 2022-06-06 09:13
Byte Size: 21 KB
Lines: 1.409
This list is composed of the most recently-caught bots. Our database contains bot 'signatures'. A signature is composed of a unique combination of the name the bot used when trying to register, the bot's email address, and the bot's IP address.
Bruteforceblocker
ssh bruteforce
329 IOCs
BruteForceBlocker is a perl script, that works along with pf – firewall developed by OpenBSD team.


TXT
online
Statistics:
Added: 2020-07-19 00:00
Checked: 2022-06-06 09:13
Byte Size: 16 KB
Lines: 330
Its main purpose is to block SSH bruteforce attacks via firewall.
CINS Army List
ip reputation
15.000 IOCs
Leveraging data from our network of Sentinel devices and other trusted InfoSec sources, CINS is a Threat Intelligence database that provides an accurate and timely score for any IP address in the world.


TXT
online
Statistics:
Added: 2020-07-19 00:00
Checked: 2022-06-06 09:15
Byte Size: 211 KB
Lines: 15.000
The CINS Army list is a subset of the CINS Active Threat Intelligence ruleset, and consists of IP addresses that meet one of two basic criteria: 1) The IP's recent Rogue Packet score factor is very poor, or 2) The IP has tripped a designated number of 'trusted' alerts across a given number of our Sentinels deployed around the world.
Cobaltstrike Server
ip reputation cobaltstrike
9.586 IOCs
Historical list of {Cobalt Strike,NanoHTTPD} servers


CSV
online
Statistics:
Added: 2020-07-19 00:00
Checked: 2022-06-06 09:13
Byte Size: 381 KB
Lines: 9.587
This repository contains a historical list of Cobalt Strike (or NanoHTTPD) hosts that have been identified using the "extraneous space" fingerprint. The list is a CSV file with ip, port, first_seen, last_seen pairs, starting from 2014-01 till 2019-04-21.
Cruzit Blacklist
ip reputation
12.526 IOCs

TXT CSV
online
Statistics:
Added: 2020-07-19 00:00
Checked: 2022-06-06 09:15
Byte Size: 173 KB
Lines: 12.529
Server Blacklist of known blacklisted IP adresses.
Cyber Crime Tracker
ip reputation botnet c2 malware
0 IOCs
www.badips.com is an abuse tracker with a simple API to report and consume blocklists.

Statistics:
Added: 2020-07-18 00:00
Checked: 2022-06-06 09:13
Byte Size: 0 bytes
Lines: 0
badips.com is a community based IP blacklist service. You can report malicious IPs and you can download blacklists or query our API to find out if a IP is listed. Currently only observed last 7 days of any IPs with no considering of scores and categories - please review the API documentation!
Cyber Crime Tracker
url domain botnet c2 malware
22.699 IOCs
Atmos Strategic Monitoring


TXT
online
Statistics:
Added: 2020-07-18 00:00
Checked: 2022-06-06 09:13
Byte Size: 856 KB
Lines: 22.699
C2 and Botnet Tracker since 2012 - Top 5 Bots Pony, Lokibot, ZeuS, AZORult, Citadel
Emerging Threats
ip url malware c2
354 IOCs
Proofpoint Suricata Rules


TXT
online
Statistics:
Added: 2020-08-03 00:00
Checked: 2022-06-06 09:13
Byte Size: 5 KB
Lines: 354
Providing Snort and Suricata Rules - here: compromised IPs Feed
Florian Roth YARA Repository
yara
480 IOCs
Nextron Systems is the global leading provider for compromise assessment software.


YARA
online
Statistics:
Added: 2020-08-14 00:00
Checked: 2022-06-06 09:13
Byte Size: 375 KB
Lines: 480
Florian Roth YARA Rules signature repository.
GreenSnow
ip reputation
5.370 IOCs
GreenSnow is a team consisting of the best specialists in computer security, we harvest a large number of IPs from different computers located around the world.


TXT
online
Statistics:
Added: 2020-07-20 00:00
Checked: 2022-06-06 09:15
Byte Size: 75 KB
Lines: 5.370
GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Our list is updated automatically and you can withdraw at any time your IP address if it has been listed.
James Brine IoCs and STIXII
honeypot phishing ip stixx
177.781 IOCs
James Brine IoCs and STIXII


TXT
online
Statistics:
Added: 2021-02-05 00:00
Checked: 2022-06-06 09:15
Byte Size: 2.424 MB
Lines: 177.781
Collection of CTI from Australian and international honeypots covering ssh, telnet, ntp, git, redis, mssql, mysql, URIs, proxy, nmap scans, google dorking hosts, sip and ftp. Potential phishing domains by category as well as dropped domains for blocklist cleanup. STIX2 for the previous day published as json files.
Malware Domain List
domain malware
0 IOCs
Malware Domain List is a non-commercial community project.

Statistics:
Added: 2020-07-20 00:00
Checked: 2022-06-06 09:13
Byte Size: 0 bytes
Lines: 0
Feed Description not available yet
Maxmind
ip reputation
581 IOCs
MaxMind provides IP intelligence through the GeoIP brand.


HTML
online
Statistics:
Added: 2020-07-24 00:00
Checked: 2022-06-06 09:13
Byte Size: 80 KB
Lines: 581
This feed provides a sample list of some of the most used IP addresses in the minFraud network that have been identified as higher risk.
Myip
ip reputation whois
909 IOCs
#1 World Live Whois IP Source


TXT
online
Statistics:
Added: 2020-07-24 00:00
Checked: 2022-06-06 09:15
Byte Size: 23 KB
Lines: 928
Latest Blacklist IP List to your website .htaccess file
Netlab 360
dga url malware
1.224.078 IOCs
Network Security Research Lab at 360, PassiveDNS, DDoSMon, NetworkScan Mon, DGA Feeds


TXT
online
Statistics:
Added: 2020-06-20 00:00
Checked: 2022-06-06 09:13
Byte Size: 80.033 MB
Lines: 1.224.083
Caution huge DGA Domain List, it is recommended to include the dedicated subfeeds, see Browse Link.
Families: bamital, banjori, blackhole,ccleaner, chinad, conficker cryptolocker, dircrypt, dyre, emotet, enviserv, feodo fobber, gameover, gspy, locky, madmax, matsnu mirai, murofet, mydoom, necurs, nymaim, omexo padcrypt, proslikefan, pykspa, qadars, ramnit, ranbyus rovnix, shifu, shiotob, simda, suppobox, symmi tempedreve, tinba, tinynuke, tofsee, vawtrak, vidro virut, xshellghost
Openfish
url phishing
500 IOCs
Timely. Accurate. Relevant Threat Intelligence.


TXT
online
Statistics:
Added: 2020-07-24 00:00
Checked: 2022-06-06 09:13
Byte Size: 27 KB
Lines: 500
Community feed, update frequency 12 hours, only phishing URLs.
Phishtank
url phishing email
7.307 IOCs
PhishTank is a collaborative clearing house for data and information about phishing on the Internet.


CSV XML JSON
online
Statistics:
Added: 2020-08-03 00:00
Checked: 2022-06-06 09:13
Byte Size: 1.34 MB
Lines: 7.308
Open phishing data.
Rutgers
ip reputation
1.864 IOCs
Rutgers - School of Arts and Sciences


TXT
online
Statistics:
Added: 2020-07-26 00:00
Checked: 2022-06-06 09:15
Byte Size: 26 KB
Lines: 1.864
Known attackers
Sans Internet Storm Center DShield
ip malware
100 IOCs
The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations.


TXT
online
Statistics:
Added: 2020-08-03 00:00
Checked: 2022-06-06 09:13
Byte Size: 2 KB
Lines: 100
Top IPs
Sblam
ip reputation
8.202 IOCs
Sblam! is a web service that blocks spammy posts in blog comments, forums and guestbooks.


TXT
online
Statistics:
Added: 2020-07-26 00:00
Checked: 2022-06-06 09:13
Byte Size: 115 KB
Lines: 8.205
HTTP spam sources identified by http://sblam.com - This is a list of HTML form (comment) spammers--not for blocking e-mail spam.
Seclookup
ip url domain hash
N/A IOCs
Seclookup provides APIs service for domain scaning at Mass scale assisting enterprises and SOC teams in better detecting cyber threats and preventing fraud.


TXT JSON
online
Statistics:
Added: 2022-06-06 00:00
Checked: 2022-06-06 09:13
Byte Size: 0 bytes
Lines: N/A
Seclookup provides APIs service to improve detection and analysis of common online threats. Seclookup APIs can enrich threat indicators in SIEM, provide comprehensive information on domain names, improve threat detection & response, and automate threat investigations. Our security service at seclookup provides smart threat intelligence APIs that can be easily integrated in your services and products. The best part is we are providing 1 million free lookup every month which is higher than any threat intelligence provider in industry.
Spamhaus
ip spam email
-3 IOCs
The Spamhaus Project is an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware and botnets.


TXT
online
Statistics:
Added: 2020-08-03 00:00
Checked: 2022-06-06 09:13
Byte Size: 19 bytes
Lines: 1
The DROP list will not include any IP address space under the control of any legitimate network - even if being used by "the spammers from hell".
Spys
ip proxy
399 IOCs
Free proxy list. HTTP, SSL/HTTPS, SOCKS proxies. Live proxy servers.


TXT
online
Statistics:
Added: 2020-07-26 00:00
Checked: 2022-06-06 09:15
Byte Size: 11 KB
Lines: 408
Proxy List - IP address:Port CountryCode-Anonymity(Noa/Anm/Hia)-SSL_support(S)-Google_passed(+)
Talos Intelligence
ip reputation
0 IOCs
Cisco Talos threat intelligence and research group

Statistics:
Added: 2020-07-26 00:00
Checked: 2022-06-06 09:14
Byte Size: 0 bytes
Lines: 0
IP Blacklist
ThreatFox IOC Database
ip url domain hash
4.789 IOCs
ThreatFox from abuse.ch


TXT JSON
online
Statistics:
Added: 2021-03-10 00:00
Checked: 2022-06-06 09:15
Byte Size: 1.052 MB
Lines: 4.799
ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.
Tor
ip tor reputation
1.354 IOCs
Tor is free and open-source software for enabling anonymous communication.


TXT
online
Statistics:
Added: 2020-07-26 00:00
Checked: 2022-06-06 09:13
Byte Size: 19 KB
Lines: 1.354
Tor Exit Nodes
Turris
ip reputation
9 IOCs
Project Turris is a service helping to protect its user's home network with the help of a special router.


CSV
online
Statistics:
Added: 2020-07-26 00:00
Checked: 2022-06-06 09:13
Byte Size: 644 bytes
Lines: 10
The data are processed and clasified every week and behaviour of IP addresses that accessed a larger number of Turris routers is evaluated. The result is a list of addresses that have tried to obtain information about services on the router or tried to gain access to them. We publish this so called "greylist" that also contains a list of tags for each address which indicate what behaviour of the address was observed.
Twitter IOC Hunter
ioc url domain hash mail cve
32 IOCs
Twitter IOC Hunter project


JSON
online
Statistics:
Added: 2020-08-27 00:00
Checked: 2022-06-06 09:13
Byte Size: 13 KB
Lines: 32
IOC Feeds from Twitter tweets. Feed provides only daily tweets.
URLhaus
malware url
146.591 IOCs
URLhaus is a project operated by abuse.ch. The purpose of the project is to collect, track and share malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats.


TXT CSV
online
Statistics:
Added: 2020-06-01 00:00
Checked: 2022-06-06 09:13
Byte Size: 5.46 MB
Lines: 146.600
Multiple subfeeds are available, like ZeuS Tracker, Ransomware Tracker, SSL Blacklist, Malware Bazar, Feodo Tracker.
VX Fault
url malware
101 IOCs
VX Fault

Statistics:
Added: 2020-06-19 00:00
Checked: 2022-06-06 09:13
Byte Size: 6 KB
Lines: 105
About Malwares, Rogues, Scarewares, SmitfraudFix. Feed contains only last 100 submissions.
Viriback
ip url malware c2
7.691 IOCs
Malware C2 Tracker List


CSV
online
Statistics:
Added: 2020-07-26 00:00
Checked: 2022-06-06 09:15
Byte Size: 578 KB
Lines: 7.692
C2 URL and IPs. Top 10 Families - Lokibot, Predator, AZORult, Kpot, Pony, AgentTesla, Oski, Nexus, BetaBot, Amadey