ENTERPRISE THREAT DATA

For All Your Cyber Security Needs

Get Only The Data You Need

To help companies of all sizes and markets fill their threat intelligence gaps and better focus scarce IT resources, we offer a series of historically rich and reliable data feeds. They are offered individually or in packages, depending on your needs.

  1. Anti-Mining – FREE to Enterprise customers
  2. Bitcoin Blockchain Strings – FREE to Enterprise customers
  3. Bitcoin Transactions
  4. Command & Control (C2) URLs
  5. DDoS Attacks (Real-Time)
  6. Domain Names Generated via DGAs
  7. DNS RPZ Firewall
  8. Malicious IP Addresses
  9. Malware URLs (includes ransomware)
  10. Malware Hashes or Binaries
  11. Newly Registered Domains
  12. Phishing
  13. Sinkhole IP Addresses

End of Year Sale

Enterprise feeds are 20% off until December 31st!

Comparing Data Offers

Selecting the best threat data sources for your organization is a tremendously important decision. Approach it with as much knowledge as possible, taking the time to consider your options. Be mindful of the varied offers in the market that can’t always be directly compared in terms of contents and volume.

Feeds littered with false positives and inactive IOCs consume your limited resources. That is why we are so serious about keeping our data as fresh and dependable as it can possibly be. Our systems continuously review the URLs, IPs, domains, and hashes in our feeds to ensure they only contain vetted data on active threats.

Ease of implementation, a dedicated account manager, and technical support combine to enable straightforward integration with your existing infrastructure. Data feeds are available in several formats and can have their contents and format customized to your needs.

Enterprise Data Packages

We’ve put together packages of the most requested combinations of feeds. You can also purchase the specific feeds you need, whether it’s one, several, or all of them. Feed bundles and multi-year subscriptions offer significant discounts.

Learn more about each feed type below, request a FREE evaluation or contact us.

Features

Free data evaluation & technical consultation
Unlimited use commercial license
Hourly updates
Unlimited downloads
Annual and multi-year subscriptions
Free feed customization
Access to the CyberChef tool set

Support

Dedicated account manager
Priority tech support
Up to 4 hours of implementation assistance

Secure-IT

The Enterprise Secure threat data package was designed for security companies that require a wide range of IOCs – in customizable formats – to integrate into their threat intelligence feeds and security products. Includes:

  • Anti-Mining
  • Bitcoin Strings
  • C2s
  • DGAs
  • Malware URLs (Sanitized)

Research-IT

The Enterprise Research threat data package was designed for security companies that conduct threat research or analysis. Includes:

  • Anti-Mining
  • Bitcoin Strings
  • C2s
  • DGAs
  • Malicious IPs
  • Malware URLs (Unsanitized, with malware file name and extension)

"Big Data"

This package provides access to all of our threat data feeds.

Build Your Own

Select only the data feed(s) you need.

Data Feed Descriptions

Anti-Mining Data Feed

Cryptocurrency mining is a website monetization service in which JavaScript code uses the visitor’s CPU to mine. It is advertised as an alternative to online ads; however, it is frequently employed without users’ consent.

Our Anti-Mining Data Feed features sites that use Coinhive, ProjectPoi, and JSE Coin scripts. This data feed is available for free to our Enterprise customers. Updated twice per day.

Bitcoin

Bitcoin became the most popular cryptocurrency in the world and, apart from its legitimate uses, is commonly used to receive ransom payments, among other criminal activities. Bitcoin transaction and/or blockchain strings data can be especially interesting to threat researchers and to companies monitoring data sources for potential brand infringement.

The Bitcoin Transactions Feed includes easy-to-parse information on all blocks and transactions since the genesis block on January 3, 2009. An average of 50,000 transactions happen every day. Malware Patrol produces a simple JSON file for each transaction as soon as the information is available.

The Bitcoin Blockchain Strings Data Feed contains all the text from the Bitcoin blockchain since its inception. This includes information that ranges from miner names, poems, and tributes to URLs that point to obscure and illegal web sites, encoded files and malicious source code. This data feed is available for free to our Enterprise customers. Updated every 6 hours.

Command & Control URLs

Most malware and ransomware families implement some form of communication with a C2 system that is responsible for relaying stolen financial information, personal data and anything else the malware captures. It is also used to instruct the malicious software which institutions to target.

Knowing these malicious URLs, companies can block access, create alerts on IDS/IPS systems or investigate communications between samples and C2s. Updated every hour.

DDoS Attacks (Real-Time)

DDoS attacks are a major threat to companies of all sizes. Apart from implementing DDoS mitigation strategies, access to threat data on the latest attacks is vital to understanding the current landscape and its trends. Many systems and protocols widely available on the Internet are abused by attackers to generate abnormal amounts of traffic, including NTP, DNS, CharGEN and SSDP, among others. These are the services that our honeypots mimic to capture real-time information about attacks without taking part in them.

Malware Patrol maintains a data feed containing live records of amplification and reflection DDoS attacks that have happened in the last 24 hours. It is produced with data collected by sensors deployed all over the Internet. Updated every 20 minutes.

Domain Names Generated via DGAs

Malware Patrol acquires and monitors domain generation algorithms (DGAs) used by multiple malware and ransomware families. Most ransomware won’t be able to encrypt files if it can’t reach a C2 server to retrieve cryptographic keys. Blocking access to domains generated via DGA is an effective way to prevent data loss and extortion. Monitoring DNS queries and network traffic to such domains is a way to identify computers in the internal network that may be infected. Updated every hour.
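An added example (not from the page and not Malware Patrol's code) of the DNS-query monitoring described above, run offline against a feed snapshot: each resolver query-log line is parsed, the queried name is matched against the DGA feed (including subdomains of a listed domain), and hits are grouped per internal client so that potentially infected hosts stand out. The feed entries, client addresses and log lines are constructed, and the log format only approximates BIND's query log.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed DGA feed entries (made-up names; not a Malware Patrol feed).
DGA_FEED: Set[str] = {"xkqzptvlw.net", "qwpotzrnb.biz", "lmvkdtrbp.info"}

# Constructed BIND-style query log lines: client address, then the queried name and type.
SAMPLE_QUERY_LOG = """\
12-Mar-2024 10:01:02.123 client @0x7f 10.0.0.15#51234 (www.example.com): query: www.example.com IN A + (10.0.0.1)
12-Mar-2024 10:01:03.456 client @0x7f 10.0.0.15#51235 (xkqzptvlw.net): query: xkqzptvlw.net IN A + (10.0.0.1)
12-Mar-2024 10:01:04.789 client @0x7f 10.0.0.22#40001 (mail.qwpotzrnb.biz): query: mail.qwpotzrnb.biz IN A + (10.0.0.1)
12-Mar-2024 10:01:05.000 client @0x7f 10.0.0.22#40002 (xkqzptvlw.net): query: xkqzptvlw.net IN A + (10.0.0.1)
12-Mar-2024 10:01:06.000 client @0x7f 10.0.0.31#40003 (cdn.example.org): query: cdn.example.org IN AAAA + (10.0.0.1)
"""

# Pulls the client address, queried name and query type out of one log line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def matching_feed_entry(qname: str, feed: Set[str]) -> str:
    """Return the feed domain that qname equals or is a subdomain of, else ''."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return ""


def suspect_hosts(log_text: str, feed: Set[str]) -> Dict[str, List[str]]:
    """Map each client that queried a DGA domain to the sorted feed entries it hit."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line, or a format this parser does not know
        entry = matching_feed_entry(m.group("qname"), feed)
        if entry:
            hits[m.group("client")].add(entry)
    return {client: sorted(entries) for client, entries in sorted(hits.items())}


if __name__ == "__main__":
    for client, domains in suspect_hosts(SAMPLE_QUERY_LOG, DGA_FEED).items():
        print(f"{client}: {', '.join(domains)}")
```

Hosts that query several feed entries, or the same entry repeatedly across short intervals, are the first candidates for triage; a single hit can also come from a researcher or a security tool, so the match is an indicator rather than a verdict.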

DNS RPZ Firewall

RPZ (Response Policy Zone) DNS was developed by the ISC as an open and vendor-neutral component of the BIND Domain Name Server. RPZ functions as a DNS firewall in which rules are expressed in specially constructed zone files. This segmented structure provides an effective – and granular – method of leveraging threat data for the detection and prevention of malware and ransomware activities at the DNS level.

Using this tool, administrators can override the global DNS and create rules that initiate specified responses and actions, such as providing alternate replies to queries. For example, when a workstation, server or other network resource tries to connect to a malicious location, it is unable to resolve DNS and is redirected to a specially crafted web page that explains why access was blocked.

Our customers can choose to use any combination of, or all five, RPZ zone files, covering domains hosting (1) C2s, (2) DGAs (used by over 40 malware and ransomware families), (3) Malware, (4) Cryptominers, and (5) Phishing sites. Configuration instructions are available here. Updated every hour.
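As an added illustration (not part of the page and not Malware Patrol's feed format), the following Python shows how the RPZ rules described above are encoded and evaluated: the owner name of each record is the QNAME trigger, and the CNAME target encodes the action. A CNAME to "." means NXDOMAIN, to "*." NODATA, to "rpz-passthru." an exception, and any other target is local data, which is how the redirect to an explanatory block page is expressed. The zone fragment, the domain names and the walledgarden.example host are constructed.

```python
from typing import Dict, Optional, Tuple

# Constructed sample zone in the RPZ format the page describes (not a Malware Patrol feed).
# Owner names are relative to $ORIGIN; the CNAME target encodes the policy action.
SAMPLE_RPZ_ZONE = """\
$ORIGIN rpz.example.
@   IN NS  ns.example.
; C2 domain and its subdomains: redirect to a page explaining the block
c2.bad-example.com      IN CNAME walledgarden.example.
*.c2.bad-example.com    IN CNAME walledgarden.example.
; DGA domain: answer NXDOMAIN (CNAME to the root name ".")
xkqzptvlw.net           IN CNAME .
; malware download host: answer NODATA (CNAME to "*.")
dl.malware-host.org     IN CNAME *.
; exception: a research sinkhole that must keep resolving normally
sinkhole.research-example.org  IN CNAME rpz-passthru.
"""

# Special CNAME targets defined by the RPZ specification and the action they encode.
SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                   "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}


def parse_rpz_zone(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each QNAME trigger (lower-case, no trailing dot) to (action, local data)."""
    origin = ""
    policies: Dict[str, Tuple[str, Optional[str]]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".").lower()
            continue
        if tokens[0].startswith("$") or tokens[0] == "@":
            continue  # directives and apex SOA/NS records carry no policy
        owner, rtype, rdata = tokens[0].lower(), tokens[-2].upper(), tokens[-1]
        if rtype != "CNAME":
            continue  # other local-data record types are out of scope here
        # An absolute owner name includes the zone origin; strip it to get the trigger.
        trigger = owner[:-1] if owner.endswith(".") else owner
        if origin and trigger.endswith("." + origin):
            trigger = trigger[: -len(origin) - 1]
        action = SPECIAL_TARGETS.get(rdata)
        policies[trigger] = (action, None) if action else ("LOCAL-DATA", rdata)
    return policies


def lookup(policies, qname: str) -> Optional[Tuple[str, Optional[str]]]:
    """Exact trigger first, then the most specific *.parent wildcard; None = resolve normally."""
    name = qname.rstrip(".").lower()
    if name in policies:
        return policies[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in policies:
            return policies[candidate]
    return None
```

A resolver such as BIND applies these rules itself once the zone is listed in its response-policy configuration; the evaluator here is only a way to check, before deployment, which answer a given query name would receive.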

Malware & Ransomware URLs

Malware Patrol has been collecting malware data since 2005. This feed includes addresses from our entire collection time span that are still actively hosting malicious binaries. It is the un-aged version of our malware & ransomware URL data. The feed is typically used to block access to such URLs as a method to prevent the infection of network devices. Companies that want to download and/or track malware history for research purposes will also find this feed very useful.

We offer the feed with URLs in two formats: (1) sanitized, which includes protocol, hostname, domain name and directories, but not the binary file name; and (2) unsanitized, which includes protocol, hostname, domain name, directories and also the file name and extension of the malware. Sanitized feeds are useful when there is no need to download the binary or to block it granularly. When downloading and/or monitoring the malware is important, the unsanitized feed is a better choice. Updated every hour.

Malware Hashes or Binaries

Samples are collected around the internet and analyzed by our internal systems and multiple anti-virus products. If no malware is detected, our automated engines analyze the binary to determine its potential to be a new (unclassified) sample; this analysis includes packer detection and binary and PE header characteristics. Once a binary is classified as malware, the sample and its hashes are immediately made available to customers.

Malware Hashes Feed contains MD5 and SHA-1 hashes of malware and ransomware samples currently available on the internet. Updated every hour.

Malware Binaries (Samples) Feed contains malicious binaries currently available on the internet, shared immediately after categorization. Updated every hour.

Malicious IP Addresses

This feed contains IP addresses known to actively host malicious files and C2 systems for malware and ransomware. Monitoring traffic destined to such addresses, as well as potentially blocking access to the ones that host C2s, for example, is an effective network protection measure and provides valuable information for research purposes. Updated every hour.

Newly Registered Domains

On average, 175,000 new domains are registered every day. Most of these names are created for legitimate purposes, but a significant portion exists only for malicious purposes. These include look-alikes, typosquatting and brand-abusive domains.

Malware Patrol not only collects information about all new names, but also correlates this information with indicators of compromise (IOCs) from our other data feeds. Updated every hour.

Phishing

Phishing remains one of the top cyber menaces, now accounting for 90% of data breaches. Methods used by attackers continue to improve and evolve; protection against this threat is a basic requirement for businesses of all sizes. It is also a must-have offering for cyber security enterprises and service providers.

Malware Patrol collects phishing URL data from various sources – crawlers, emails, spam pots and more – to ensure coverage of the most current campaigns. Our data is then reviewed by humans to increase its accuracy, as many sites now use techniques that can evade machine detection. In addition, we capture and offer a database of phishing website screenshots in JPEG format, along with perceptual hashing data on the screenshots, as add-ons for machine learning/AI and educational purposes. Feed updated every hour.

Sinkhole IP Addresses

This data feed contains IPv4 addresses known and confirmed to be operated by legitimate whitehat researchers and companies as sinkholes. Sinkholes are commonly used to capture traffic sent by infected machines to C2 servers or hosts responding to domains generated via DGAs. They can be established after a malicious domain name is registered by the sinkhole operator ahead of the criminal, or after a registrar agrees to redirect the DNS records of a malicious domain to whoever operates the sinkhole. A sinkhole can collect the IP addresses of hosts connecting to it that are presumably infected by malware. The resulting data is typically used for research purposes and to notify infected users. Feed updated every 12 hours.