For All Your Cyber Security Needs

Get Only The Data You Need

From malicious IPs to malware samples, we offer a series of historically rich and reliable IoC feeds to help companies of all sizes fill their threat intelligence gaps and better focus scarce IT resources. They are offered individually or in packages, depending on your needs.

Data Packages

These are packages of the most requested feed combinations. You can also purchase the specific feeds you need, whether it’s one, several, or all of them. Feed bundles and multi-year subscriptions offer significant discounts.

Request a FREE evaluation or contact us for more information.



  • Free data evaluation & technical consultation
  • Unlimited-use commercial license
  • Hourly feed updates
  • Unlimited downloads
  • Annual and multi-year subscriptions
  • Free feed customization


  • Dedicated account manager
  • Priority tech support
  • Implementation assistance


Big Data

This package provides access to all our Enterprise data feeds.

Build Your Own

Select only the data feed(s) you need.


This package provides the IoCs most important for protecting against and detecting ransomware infections. C2s and DGAs are the command structure for malware and ransomware, from which instructions or additional payloads are received and to which stolen data is sent. The malware and ransomware URLs are known to be hosting binaries, so preventing access to them stops an immediate infection. Keep your users from accessing known phishing sites to safeguard your company’s credentials.

  • C2 Addresses, Drop Zones & Control Panels
  • Domain Names Generated by DGAs
  • Malware & Ransomware URLs (Sanitized)
  • Phishing URLs


The Secure-IT package provides the necessary IoCs for threat detection, response, and blocking purposes. The data is compatible with a variety of TIPs, SIEMs, SOARs and other security tools for seamless integration.

  • Cryptomining (Free)
  • Bitcoin Blockchain Strings (Free)
  • C2 Addresses, Drop Zones & Control Panels
  • DNS-over-HTTPS (DoH) Resolvers
  • Domain Names Generated by DGAs
  • Malware URLs (Sanitized)
  • Phishing


The Research-IT package was designed for companies that conduct threat research or for those with a mature security program, including machine learning/AI tools, that can make use of a large amount/wide range of IoCs.

  • Cryptomining (Free)
  • Bitcoin Blockchain Strings (Free)
  • C2 Addresses, Drop Zones & Control Panels
  • DNS-over-HTTPS (DoH) Resolvers
  • Domain Names Generated by DGAs
  • Malicious IPs
  • Malware URLs (Unsanitized: with malware file name and extension)
  • Newly Registered Domains
  • Phishing (Including add-ons: screenshots, perceptual hashes, and raw HTML content)

Data Feed Descriptions


Bitcoin became the most popular cryptocurrency in the world and, apart from its legitimate uses, is commonly utilized to receive ransom payments among other criminal activities. Bitcoin transaction or blockchain string data can be especially interesting to threat researchers and companies monitoring data sources for potential brand infringement.

The Bitcoin Transactions Feed includes easy-to-parse information on all blocks and transactions since the genesis block on January 3, 2009. An average of 50,000 transactions happen every day. We produce a simple JSON file for each transaction, as soon as information is available.


The Bitcoin Blockchain Strings Data Feed contains all the text from the Bitcoin blockchain since its inception. This includes information that ranges from miner names, poems, and tributes to URLs that point to obscure and illegal websites, encoded files, and malicious source code. This data feed is available for free to our Enterprise customers. Updated every 6 hours.


Command & Control Addresses + MITRE ATT&CK

Most malware and ransomware families implement some sort of communication with a command and control (C2) system that is responsible for relaying stolen financial information, personal data, and anything else the malware captures. The C2 is also used to tell the malicious software which institutions to target and to supply it with webinjects.

With this feed of C2 addresses, drop zones, and control panels, companies can block access, create alerts on IDS/IPS systems, or investigate communications between samples and C2s. It contains the addresses used as C2s by more than 460 malicious families and includes information on MITRE ATT&CK TTPs and groups. Updated every hour.


C2s + MITRE ATT&CK Sample Feed

{
  "C2_URL": "tcp://",
  "malware_family": "njRAT",
  "detection_timestamp": "2017-09-07 00:47:40",
  "MITRE_ATTACK": [{
    "id": "S0385",
    "name": "njRAT",
    "reference": "https://attack.mitre.org/software/S0385",
    "aliases": [ "njRAT", "Njw0rm", "LV", "Bladabindi" ],
    "type": "malware",
    "description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)",
    "platforms": [ "Windows" ],
    "techniques": [
      { "id": "T1132", "description": "Data Encoding", "reference": "https://attack.mitre.org/techniques/T1132", "defenses_bypassed": [] },
      { "id": "T1107", "description": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1107", "defenses_bypassed": [ "Host forensic analysis" ] },
      { "id": "T1091", "description": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091", "defenses_bypassed": [] },
      { "id": "T1503", "description": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1503", "defenses_bypassed": [] },
      { "id": "T1033", "description": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033", "defenses_bypassed": [] },
      { "id": "T1059", "description": "Command-Line Interface", "reference": "https://attack.mitre.org/techniques/T1059", "defenses_bypassed": [] },
      { "id": "T1113", "description": "Screen Capture", "reference": "https://attack.mitre.org/techniques/T1113", "defenses_bypassed": [] },
      { "id": "T1060", "description": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1060", "defenses_bypassed": [] },
      { "id": "T1125", "description": "Video Capture", "reference": "https://attack.mitre.org/techniques/T1125", "defenses_bypassed": [] },
      { "id": "T1094", "description": "Custom Command and Control Protocol", "reference": "https://attack.mitre.org/techniques/T1094", "defenses_bypassed": [] },
      { "id": "T1065", "description": "Uncommonly Used Port", "reference": "https://attack.mitre.org/techniques/T1065", "defenses_bypassed": [] },
      { "id": "T1083", "description": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083", "defenses_bypassed": [] },
      { "id": "T1112", "description": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112", "defenses_bypassed": [ "Host forensic analysis" ] },
      { "id": "T1089", "description": "Disabling Security Tools", "reference": "https://attack.mitre.org/techniques/T1089", "defenses_bypassed": [ "File monitoring", "Host intrusion prevention systems", "Signature-based detection", "Log analysis", "Anti-virus" ] },
      { "id": "T1076", "description": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1076", "defenses_bypassed": [] },
      { "id": "T1018", "description": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018", "defenses_bypassed": [] },
      { "id": "T1082", "description": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082", "defenses_bypassed": [] },
      { "id": "T1105", "description": "Remote File Copy", "reference": "https://attack.mitre.org/techniques/T1105", "defenses_bypassed": [] },
      { "id": "T1010", "description": "Application Window Discovery", "reference": "https://attack.mitre.org/techniques/T1010", "defenses_bypassed": [] },
      { "id": "T1120", "description": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120", "defenses_bypassed": [] },
      { "id": "T1005", "description": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005", "defenses_bypassed": [] },
      { "id": "T1056", "description": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056", "defenses_bypassed": [] }
    ],
    "groups": [
      { "id": "G0078", "name": "Gorgon Group", "url": "https://attack.mitre.org/groups/G0078", "aliases": [ "Gorgon Group" ] },
      { "id": "G0043", "name": "Group5", "url": "https://attack.mitre.org/groups/G0043", "aliases": [ "Group5" ] },
      { "id": "G0096", "name": "APT41", "url": "https://attack.mitre.org/groups/G0096", "aliases": [ "APT41" ] }
    ]
  }]
}
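A sketch of how a consumer might triage records shaped like the sample above into block and alert candidates. It is an added example, not Malware Patrol's code. It assumes the feed arrives as a JSON array of such records; the addresses, the port, and the "ExampleStealer" family are constructed placeholders.

```python
import ipaddress
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed records using the field names from the sample feed. Addresses are
# documentation ranges (RFC 5737) and a reserved .test name, not real indicators.
SAMPLE_FEED = json.loads(r"""
[
 {"C2_URL": "tcp://192.0.2.10:5552", "malware_family": "njRAT",
  "detection_timestamp": "2017-09-07 00:47:40",
  "MITRE_ATTACK": [{"id": "S0385", "name": "njRAT", "type": "malware",
   "techniques": [
    {"id": "T1132", "description": "Data Encoding", "defenses_bypassed": []},
    {"id": "T1107", "description": "File Deletion",
     "defenses_bypassed": ["Host forensic analysis"]},
    {"id": "T1112", "description": "Modify Registry",
     "defenses_bypassed": ["Host forensic analysis"]},
    {"id": "T1089", "description": "Disabling Security Tools",
     "defenses_bypassed": ["File monitoring", "Host intrusion prevention systems",
                           "Signature-based detection", "Log analysis", "Anti-virus"]}],
   "groups": [{"id": "G0078", "name": "Gorgon Group"}]}]},
 {"C2_URL": "tcp://", "malware_family": "njRAT",
  "detection_timestamp": "2017-09-07 00:47:40", "MITRE_ATTACK": []},
 {"C2_URL": "http://c2.example.test/panel/gate.php", "malware_family": "ExampleStealer",
  "detection_timestamp": "2017-09-07 01:00:00", "MITRE_ATTACK": []},
 {"C2_URL": "tcp://198.51.100.7:99999", "malware_family": "ExampleStealer",
  "detection_timestamp": "2017-09-07 01:05:00", "MITRE_ATTACK": []}
]
""")


def parse_endpoint(c2_url):
    """Return (scheme, host, port) for a C2_URL, or None if it has no usable host."""
    try:
        parts = urlsplit(c2_url)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return None
    if not host:  # e.g. "tcp://" with the address stripped
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, host, port


def is_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaded_defenses(record):
    """Map each defense listed in defenses_bypassed to the technique IDs that bypass it."""
    out = {}
    for entry in record.get("MITRE_ATTACK", []):
        for tech in entry.get("techniques", []):
            for defense in tech.get("defenses_bypassed", []):
                out.setdefault(defense, []).append(tech["id"])
    return out


def triage(feed):
    """Split a feed into IP entries (firewall/IDS), domain entries (DNS/proxy) and rejects."""
    ips, domains, rejected = set(), set(), []
    for rec in feed:
        endpoint = parse_endpoint(rec.get("C2_URL", ""))
        if endpoint is None:
            rejected.append(rec.get("C2_URL", ""))  # keep for review, never block blindly
            continue
        _, host, port = endpoint
        target = ips if is_ip(host) else domains
        target.add((host, port, rec.get("malware_family", "unknown")))
    order = lambda e: (e[0], e[1] or 0, e[2])
    return sorted(ips, key=order), sorted(domains, key=order), rejected


if __name__ == "__main__":
    ip_entries, domain_entries, bad = triage(SAMPLE_FEED)
    print("IP block candidates:    ", ip_entries)
    print("Domain block candidates:", domain_entries)
    print("Rejected C2_URL values: ", bad)
    for defense, techniques in evaded_defenses(SAMPLE_FEED[0]).items():
        print(f"{defense}: bypassed by {', '.join(techniques)}")
```

The `evaded_defenses` output shows which controls the listed techniques are reported to bypass, which helps decide where a network-level block on the C2 address carries more weight than host-based detection.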

Cryptomining | Cryptojacking

Cryptocurrency mining is a website monetization service in which JavaScript code uses the visitor’s CPU to mine. It is advertised as an alternative to online ads; however, it is frequently employed without users’ consent.

Our Cryptomining Data Feed features sites that use these scripts. An additional JSON file is provided that contains snippets of the code found running on the website. This data feed is available for free to our Enterprise customers. Updated every day.



DDoS Attacks (Real-Time)

DDoS attacks are a major threat to companies of all sizes. Many systems and protocols widely available on the Internet are abused by attackers to generate abnormal amounts of traffic, including NTP, DNS, CharGEN, SSDP, among others. These are the services that our honeypots mimic to capture real-time information about attacks, without taking part in them.

In addition to DDoS mitigation strategies, access to data on the latest attacks is vital to understanding the current landscape and its trends. We maintain a data feed containing live records showing the victims of amplification and reflection DDoS attacks that have happened in the last 24 hours. It is produced with data collected by sensors deployed all over the Internet. Updated every 20 minutes.


DNS-over-HTTPS (DoH) Resolvers

In the context of cybersecurity, particularly in an enterprise environment, DoH allows users to bypass the DNS-level controls – and internet usage policies – put in place to protect your network against known threats. For example, DoH users are able to access malicious sites, and infected machines can communicate with command and control servers. Many security tools and solutions are made ineffective by the use of DoH, yet the task of protecting your users and organization’s data remains the same.

We developed this feed to help security teams control the use of DoH in their environment, or, alternatively, for researchers looking to track its adoption and utilization. To keep this information fresh and useful, we actively search for new servers on a continuous basis. Updated every hour.


DNS RPZ Firewall

RPZ (Response Policy Zone) DNS was developed by the ISC as an open and vendor-neutral component of the BIND Domain Name Server. RPZ functions as a DNS firewall in which rules are expressed in specially constructed zone files. This segmented structure provides an effective – and granular – method of leveraging threat data for the detection and prevention of malware and ransomware activities at the DNS level.

Our customers can choose to use a combination of, or all six, RPZ zone files, covering domains hosting (1) C2s, (2) Cryptominers, (3) DGAs (used by over 40 malware and ransomware families), (4) DNS-over-HTTPS Servers, (5) Malware, and (6) Phishing sites. Configuration instructions are available here. Updated every hour.


Domain Names Generated via DGAs

Malware Patrol acquires and monitors domain generation algorithms (DGAs) used by multiple malware and ransomware families. Most ransomware won’t be able to encrypt files if it is unable to reach a C2 server to retrieve cryptographic keys. Blocking access to domains generated via DGA is an effective way to prevent data loss and extortion. Monitoring DNS queries and network traffic to such domains is a way to determine which computers in the internal network may be infected. Updated every hour.


Malicious Domains

Contains domains actively involved in malicious activities. This data is derived from five of our Enterprise feeds: Cryptomining, Command & Control (C2) Addresses, Domain Names Generated via DGAs, Malware & Ransomware URLs, and Phishing URLs. Monitoring, as well as blocking, access to these sites is a simple and effective network protection measure. Updated every hour.


Malicious IPs

This feed contains IP addresses known to actively host malicious files and C2 systems for malware and ransomware. Monitoring traffic destined to such addresses, as well as potentially blocking access to the ones that host C2s, for example, is an effective network protection measure and provides valuable information for research purposes. Updated every hour.



Malware & Ransomware URLs

This feed is used to block access to URLs hosting malware, as a method to prevent the infection of network devices. Companies that want to use malware data for research purposes will also find it very useful.

We offer the feed with URLs in two formats: (1) sanitized, which includes protocol, hostname, domain name, and directories, but not the binary file name; and (2) unsanitized, which includes protocol, hostname, domain name, directories and also the file name and extension of the malware. Sanitized feeds are useful when there is no need to download the binary or to block it granularly. When downloading and/or monitoring the malware is important, the unsanitized feed is a better choice. Updated every hour.


Malware Hashes or Binaries

Samples are collected from around the internet and analyzed by our internal systems and multiple anti-virus products. If no malware is detected, our automated engines analyze the binary to determine its potential to be a new (unclassified) sample, as well as performing packer detection and examining binary and PE header characteristics. Once a binary is classified as malware, the sample and its hashes are immediately made available to customers.

Malware Hashes Feed contains MD5 and SHA-1 hashes of malware and ransomware samples currently available on the internet. Updated every hour.


Malware Binaries (Samples) Feed contains malicious binaries currently available on the internet, shared immediately after categorization. We can alert customers about new malware uploaded by sending POST requests via HTTP and HTTPS or email messages. Updated every hour.



Newly Registered Domains

On average, 200,000 new domains are registered every day. Most of these names are created for legitimate purposes, but there is a significant portion that only exists for malicious purposes. These include look-a-likes, typo-squatting, and brand-abusive domains.

Malware Patrol not only collects information about all new names but also correlates this information with indicators of compromise (IOCs) from our other data feeds. Updated every hour.


TLDs Monitored

aaa, aarp, abarth, abb, abbott, abbvie, abc, able, abogado, abudhabi, ac, academy, accenture, accountant, accountants, aco, active, actor, ad, adac, ads, adult, ae, aeg, aero, aetna, af, afamilycompany, afl, africa, ag, agakhan, agency, ai, aig, aigo, airbus, airforce, airtel, akdn, al, alfaromeo, alibaba, alipay, allfinanz, allstate, ally, alsace, alstom, am, amazon, americanexpress, americanfamily, amex, amfam, amica, amsterdam, an, analytics, android, anquan, anz, ao, aol, apartments, app, apple, aq, aquarelle, ar, arab, aramco, archi, army, arpa, art, arte, as, asda, asia, associates, at, athleta, attorney, au, auction, audi, audible, audio, auspost, author, auto, autos, avianca, aw, aws, ax, axa, az, azure, ba, baby, baidu, banamex, bananarepublic, band, bank, bar, barcelona, barclaycard, barclays, barefoot, bargains, baseball, basketball, bauhaus, bayern, bb, bbc, bbt, bbva, bcg, bcn, bd, be, beats, beauty, beer, bentley, berlin, best, bestbuy, bet, bf, bg, bh, bharti, bi, bible, bid, bike, bing, bingo, bio, biz, bj, bl, black, blackfriday, blanco, blockbuster, blog, bloomberg, blue, bm, bms, bmw, bn, bnl, bnpparibas, bo, boats, boehringer, bofa, bom, bond, boo, book, booking, boots, bosch, bostik, boston, bot, boutique, box, bq, br, bradesco, bridgestone, broadway, broker, brother, brussels, bs, bt, budapest, bugatti, build, builders, business, buy, buzz, bv, bw, by, bz, bzh, ca, cab, cafe, cal, call, calvinklein, cam, camera, camp, cancerresearch, canon, capetown, capital, capitalone, car, caravan, cards, care, career, careers, cars, cartier, casa, case, caseih, cash, casino, cat, catering, catholic, cba, cbn, cbre, cbs, cc, cd, ceb, center, ceo, cern, cf, cfa, cfd, cg, ch, chanel, channel, charity, chase, chat, cheap, chintai, chloe, christmas, chrome, chrysler, church, ci, cipriani, circle, cisco, citadel, citi, citic, city, cityeats, ck, cl, claims, cleaning, click, clinic, clinique, clothing, cloud, club, clubmed, cm, cn, co, coach, codes, coffee, 
college, cologne, com, comcast, commbank, community, company, compare, computer, comsec, condos, construction, consulting, contact, contractors, cooking, cookingchannel, cool, coop, corsica, country, coupon, coupons, courses, cpa, cr, credit, creditcard, creditunion, cricket, crown, crs, cruise, cruises, csc, cu, cuisinella, cv, cw, cx, cy, cymru, cyou, cz, dabur, dad, dance, data, date, dating, datsun, day, dclk, dds, de, deal, dealer, deals, degree, delivery, dell, deloitte, delta, democrat, dental, dentist, desi, design, dev, dhl, diamonds, diet, digital, direct, directory, discount, discover, dish, diy, dj, dk, dm, dnp, do, docs, doctor, dodge, dog, doha, domains, doosan, dot, download, drive, dtv, dubai, duck, dunlop, duns, dupont, durban, dvag, dvr, dz, earth, eat, ec, eco, edeka, edu, education, ee, eh, email, emerck, energy, engineer, engineering, enterprises, epost, epson, equipment, er, ericsson, erni, esq, estate, esurance, et, etisalat, eu, eurovision, eus, events, everbank, exchange, expert, exposed, express, extraspace, fage, fail, fairwinds, faith, family, fan, fans, farm, farmers, fashion, fast, fedex, feedback, ferrari, ferrero, fi, fiat, fidelity, fido, film, final, finance, financial, fire, firestone, firmdale, fish, fishing, fit, fitness, fj, fk, flickr, flights, flir, florist, flowers, flsmidth, fly, fm, fo, foo, food, foodnetwork, football, ford, forex, forsale, forum, foundation, fox, fr, free, fresenius, frl, frogans, frontdoor, frontier, ftr, fujitsu, fujixerox, fun, fund, furniture, futbol, fyi, ga, gal, gallery, gallo, gallup, game, games, gap, garden, gay, gb, gbiz, gd, gdn, ge, gea, gent, genting, george, gf, gg, ggee, gh, gi, gift, gifts, gives, giving, gl, glade, glass, gle, global, globo, gm, gmail, gmbh, gmo, gmx, gn, godaddy, gold, goldpoint, golf, goo, goodhands, goodyear, goog, google, gop, got, gov, gp, gq, gr, grainger, graphics, gratis, green, gripe, grocery, group, gs, gt, gu, guardian, gucci, guge, guide, guitars, guru, gw, 
gy, hair, hamburg, hangout, haus, hbo, hdfc, hdfcbank, health, healthcare, help, helsinki, here, hermes, hgtv, hiphop, hisamitsu, hitachi, hiv, hk, hkt, hm, hn, hockey, holdings, holiday, homedepot, homegoods, homes, homesense, honda, honeywell, horse, hospital, host, hosting, hot, hoteles, hotels, hotmail, house, how, hr, hsbc, ht, htc, hu, hughes, hyatt, hyundai, ibm, icbc, ice, icu, id, ie, ieee, ifm, iinet, ikano, il, im, imamat, imdb, immo, immobilien, in, inc, industries, infiniti, info, ing, ink, institute, insurance, insure, int, intel, international, intuit, investments, io, ipiranga, iq, ir, irish, is, iselect, ismaili, ist, istanbul, it, itau, itv, iveco, iwc, jaguar, java, jcb, jcp, je, jeep, jetzt, jewelry, jio, jlc, jll, jm, jmp, jnj, jo, jobs, joburg, jot, joy, jp, jpmorgan, jprs, juegos, juniper, kaufen, kddi, ke, kerryhotels, kerrylogistics, kerryproperties, kfh, kg, kh, ki, kia, kim, kinder, kindle, kitchen, kiwi, km, kn, koeln, komatsu, kosher, kp, kpmg, kpn, kr, krd, kred, kuokgroup, kw, ky, kyoto, kz, la, lacaixa, ladbrokes, lamborghini, lamer, lancaster, lancia, lancome, land, landrover, lanxess, lasalle, lat, latino, latrobe, law, lawyer, lb, lc, lds, lease, leclerc, lefrak, legal, lego, lexus, lgbt, li, liaison, lidl, life, lifeinsurance, lifestyle, lighting, like, lilly, limited, limo, lincoln, linde, link, lipsy, live, living, lixil, lk, llc, llp, loan, loans, locker, locus, loft, lol, london, lotte, lotto, love, lpl, lplfinancial, lr, ls, lt, ltd, ltda, lu, lundbeck, lupin, luxe, luxury, lv, ly, ma, macys, madrid, maif, maison, makeup, man, management, mango, map, market, marketing, markets, marriott, marshalls, maserati, mattel, mba, mc, mcd, mcdonalds, mckinsey, md, me, med, media, meet, melbourne, meme, memorial, men, menu, meo, merckmsd, metlife, mf, mg, mh, miami, microsoft, mil, mini, mint, mit, mitsubishi, mk, ml, mlb, mls, mm, mma, mn, mo, mobi, mobile, mobily, moda, moe, moi, mom, monash, money, monster, montblanc, mopar, mormon, 
mortgage, moscow, moto, motorcycles, mov, movie, movistar, mp, mq, mr, ms, msd, mt, mtn, mtpc, mtr, mu, museum, mutual, mutuelle, mv, mw, mx, my, mz, na, nab, nadex, nagoya, name, nationwide, natura, navy, nba, nc, ne, nec, net, netbank, netflix, network, neustar, new, newholland, news, next, nextdirect, nexus, nf, nfl, ng, ngo, nhk, ni, nico, nike, nikon, ninja, nissan, nissay, nl, no, nokia, northwesternmutual, norton, now, nowruz, nowtv, np, nr, nra, nrw, ntt, nu, nyc, obi, observer, off, office, okinawa, olayan, olayangroup, oldnavy, ollo, om, omega, one, ong, onl, online, onyourside, ooo, open, oracle, orange, org, organic, orientexpress, origins, osaka, otsuka, ott, ovh, pa, page, pamperedchef, panasonic, panerai, paris, pars, partners, parts, party, passagens, pay, pccw, pe, pet, pf, pfizer, pg, ph, pharmacy, phd, philips, phone, photo, photography, photos, physio, piaget, pics, pictet, pictures, pid, pin, ping, pink, pioneer, pizza, pk, pl, place, play, playstation, plumbing, plus, pm, pn, pnc, pohl, poker, politie, porn, post, pr, pramerica, praxi, press, prime, pro, prod, productions, prof, progressive, promo, properties, property, protection, pru, prudential, ps, pt, pub, pw, pwc, py, qa, qpon, quebec, quest, qvc, racing, radio, raid, re, read, realestate, realtor, realty, recipes, red, redstone, redumbrella, rehab, reise, reisen, reit, reliance, ren, rent, rentals, repair, report, republican, rest, restaurant, review, reviews, rexroth, rich, richardli, ricoh, rightathome, ril, rio, rip, rmit, ro, rocher, rocks, rodeo, rogers, room, rs, rsvp, ru, rugby, ruhr, run, rw, rwe, ryukyu, sa, saarland, safe, safety, sakura, sale, salon, samsclub, samsung, sandvik, sandvikcoromant, sanofi, sap, sapo, sarl, sas, save, saxo, sb, sbi, sbs, sc, sca, scb, schaeffler, schmidt, scholarships, school, schule, schwarz, science, scjohnson, scor, scot, sd, se, search, seat, secure, security, seek, select, sener, services, ses, seven, sew, sex, sexy, sfr, sg, sh, shangrila, 
sharp, shaw, shell, shia, shiksha, shoes, shop, shopping, shouji, show, showtime, shriram, si, silk, sina, singles, site, sj, sk, ski, skin, sky, skype, sl, sling, sm, smart, smile, sn, sncf, so, soccer, social, softbank, software, sohu, solar, solutions, song, sony, soy, spa, space, spiegel, sport, spot, spreadbetting, sr, srl, srt, ss, st, stada, staples, star, starhub, statebank, statefarm, statoil, stc, stcgroup, stockholm, storage, store, stream, studio, study, style, su, sucks, supplies, supply, support, surf, surgery, suzuki, sv, swatch, swiftcover, swiss, sx, sy, sydney, symantec, systems, sz, tab, taipei, talk, taobao, target, tatamotors, tatar, tattoo, tax, taxi, tc, tci, td, tdk, team, tech, technology, tel, telecity, telefonica, temasek, tennis, teva, tf, tg, th, thd, theater, theatre, tiaa, tickets, tienda, tiffany, tips, tires, tirol, tj, tjmaxx, tjx, tk, tkmaxx, tl, tm, tmall, tn, to, today, tokyo, tools, top, toray, toshiba, total, tours, town, toyota, toys, tp, tr, trade, trading, training, travel, travelchannel, travelers, travelersinsurance, trust, trv, tt, tube, tui, tunes, tushu, tv, tvs, tw, tz, ua, ubank, ubs, uconnect, ug, uk, um, unicom, university, uno, uol, ups, us, uy, uz, va, vacations, vana, vanguard, vc, ve, vegas, ventures, verisign, versicherung, vet, vg, vi, viajes, video, vig, viking, villas, vin, vip, virgin, visa, vision, vista, vistaprint, viva, vivo, vlaanderen, vn, vodka, volkswagen, volvo, vote, voting, voto, voyage, vu, vuelos, wales, walmart, walter, wang, wanggou, warman, watch, watches, weather, weatherchannel, webcam, weber, website, wed, wedding, weibo, weir, wf, whoswho, wien, wiki, williamhill, win, windows, wine, winners, wme, wolterskluwer, woodside, work, works, world, wow, ws, wtc, wtf, xbox, xerox, xfinity, xihuan, xin, xn--11b4c3d, xn--1ck2e1b, xn--1qqw23a, xn--2scrj9c, xn--30rr7y, xn--3bst00m, xn--3ds443g, xn--3e0b707e, xn--3hcrj9c, xn--3oq18vl8pn36a, xn--3pxu8k, xn--42c2d9a, xn--45br5cyl, xn--45brj9c, 
xn--45q11c, xn--4dbrk0ce, xn--4gbrim, xn--54b7fta0cc, xn--55qw42g, xn--55qx5d, xn--5su34j936bgsg, xn--5tzm5g, xn--6frz82g, xn--6qq986b3xl, xn--80adxhks, xn--80ao21a, xn--80aqecdr1a, xn--80asehdb, xn--80aswg, xn--8y0a063a, xn--90a3ac, xn--90ae, xn--90ais, xn--9dbq2a, xn--9et52u, xn--9krt00a, xn--b4w605ferd, xn--bck1b9a5dre4c, xn--c1avg, xn--c2br7g, xn--cck2b3b, xn--cckwcxetd, xn--cg4bki, xn--clchc0ea0b2g2a9gcd, xn--czr694b, xn--czrs0t, xn--czru2d, xn--d1acj3b, xn--d1alf, xn--e1a4c, xn--eckvdtc9d, xn--efvy88h, xn--estv75g, xn--fct429k, xn--fhbei, xn--fiq228c5hs, xn--fiq64b, xn--fiqs8s, xn--fiqz9s, xn--fjq720a, xn--flw351e, xn--fpcrj9c3d, xn--fzc2c9e2c, xn--fzys8d69uvgm, xn--g2xx48c, xn--gckr3f0f, xn--gecrj9c, xn--gk3at1e, xn--h2breg3eve, xn--h2brj9c, xn--h2brj9c8c, xn--hxt814e, xn--i1b6b1a6a2e, xn--imr513n, xn--io0a7i, xn--j1aef, xn--j1amh, xn--j6w193g, xn--jlq480n2rg, xn--jlq61u9w7b, xn--jvr189m, xn--kcrx77d1x4a, xn--kprw13d, xn--kpry57d, xn--kpu716f, xn--kput3i, xn--l1acc, xn--lgbbat1ad8j, xn--mgb9awbf, xn--mgba3a3ejt, xn--mgba3a4f16a, xn--mgba7c0bbn0a, xn--mgbaakc7dvf, xn--mgbaam7a8h, xn--mgbab2bd, xn--mgbah1a3hjkrd, xn--mgbai9azgqp6j, xn--mgbayh7gpa, xn--mgbb9fbpob, xn--mgbbh1a, xn--mgbbh1a71e, xn--mgbc0a9azcg, xn--mgbca7dzdo, xn--mgbcpq6gpa1a, xn--mgberp4a5d4ar, xn--mgbgu82a, xn--mgbi4ecexp, xn--mgbpl2fh, xn--mgbt3dhd, xn--mgbtx2b, xn--mgbx4cd0ab, xn--mix891f, xn--mk1bu44c, xn--mxtq1m, xn--ngbc5azd, xn--ngbe9e0a, xn--ngbrx, xn--node, xn--nqv7f, xn--nqv7fs00ema, xn--nyqy26a, xn--o3cw4h, xn--ogbpf8fl, xn--otu796d, xn--p1acf, xn--p1ai, xn--pbt977c, xn--pgbs0dh, xn--pssy2u, xn--q7ce6a, xn--q9jyb4c, xn--qcka1pmc, xn--qxa6a, xn--qxam, xn--rhqv96g, xn--rovu88b, xn--rvc1e0am3e, xn--s9brj9c, xn--ses554g, xn--t60b56a, xn--tckwe, xn--tiq49xqyj, xn--unup4y, xn--vermgensberater-ctb, xn--vermgensberatung-pwb, xn--vhquv, xn--vuq861b, xn--w4r85el8fhu5dnra, xn--w4rs40l, xn--wgbh1c, xn--wgbl6a, xn--xhq521b, xn--xkc2al3hye2a, xn--xkc2dl3a5ee0h, xn--y9a3aq, xn--yfro4i67o, 
xn--ygbi2ammx, xn--zfr164b, xperia, xxx, xyz, yachts, yahoo, yamaxun, yandex, ye, yodobashi, yoga, yokohama, you, youtube, yt, yun, za, zappos, zara, zero, zip, zippo, zm, zone, zuerich, zw

ccTLDs Monitored

ac, ad, ae, af, ag, ai, al, am, ao, aq, ar, as, at, au, aw, ax, az, ba, bb, bd, be, bf, bg, bh, bi, bj, bm, bo, br, bs, bt, bv, bw, by, bz, ca, cc, cd, cf, cg, ch, ci, ck, cl, cm, cn, co, cr, cu, cv, cx, cy, cz, de, dj, dk, dm, do, dz, ec, ee, eg, er, es, et, eu, fi, fk, fm, fo, fr, ga, gb, gd, ge, gf, gg, gh, gi, gl, gm, gn, gp, gq, gr, gs, gt, gu, gw, gy, hk, hm, hn, hr, ht, hu, id, ie, il, im, in, io, iq, ir, is, it, je, jo, jp, ke, kg, kh, ki, km, kn, kp, kr, kw, ky, kz, la, lb, lc, li, lk, lr, ls, lt, lu, lv, ly, ma, mc, md, me, mg, mh, mk, ml, mn, mo, mp, mq, mr, ms, mt, mu, mv, mw, mx, my, mz, na, nc, ne, nf, ng, ni, nl, no, np, nu, nz, om, pa, pe, pf, pg, ph, pk, pl, pm, pn, pr, ps, pt, pw, py, qa, re, ro, rs, ru, rw, sa, sb, sc, sd, se, sg, sh, si, sj, sk, sl, sm, sn, so, sr, ss, st, su, sv, sx, sy, sz, tc, td, tf, tg, th, tj, tk, tl, tm, tn, to, tr, tt, tv, tw, tz, ua, ug, uk, us, uy, uz, vc, ve, vg, vi, vn, vu, wf, ws, ye, yt, za, zm, zw


Phishing remains one of the top cyber menaces, now accounting for 90% of data breaches. Methods used by attackers continue to improve and evolve; protection against this threat is a basic requirement for businesses of all sizes. It is also a must-have offering for cyber security enterprises and service providers.

Malware Patrol collects phishing URL data from various sources – crawlers, emails, spam pots, and more – to ensure coverage of the most current campaigns. Our data is then reviewed by humans to increase its accuracy as many sites now use techniques that can evade machine detection. In addition, we offer two add-on options for the phishing feed: 1) screenshots of the phishing websites in JPEG format, accompanied by perceptual hashing data and 2) raw HTML content of phishing websites, compressed and accessible via an AWS S3 bucket. Feed updated every hour.


Risk Indicators / OSINT Feeds – FREE

High Risk IPs

Addresses involved in a range of malicious activities, such as spam, break-in attempts, malware distribution, botnets, and command-and-control communications. Data is collected from Malware Patrol’s network of honeypots and trusted third-party sources.

Risk Indicators

A variety of threat-related IoCs, including: MD5, SHA1, and SHA256 hashes, email addresses, cryptocurrency addresses, and CVEs.

Tor Exit Nodes

Addresses of active Tor exit nodes as reported by the Tor Project. Because these IPs are frequently involved in malicious activities, it is advisable to monitor, if not block, traffic from them.


FREE DATA: Coronavirus-Related Newly Registered Domains

Since the beginning of March, tens of thousands of new domain names have been registered using the terms “corona”, “covid”, “epidemic”, “pandemic” and “wuhan”. Some of them are legitimate, some still point to parking pages, and it is safe to assume that many are to be used for malicious purposes.

Our team compiled a list of these domain names from our Newly Registered Domains feed that can be used to protect your family, employees and customers. The list is based solely on the domains’ names and registration timeframe; no other assumptions are made. The information is provided as-is, with no warranties and free of charge for any use. If you redistribute the data, please make sure to cite Malware Patrol as the source. For more information, check out our blog post on this topic.
