Skip to content

TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community at Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes.

Notifications You must be signed in to change notification settings

0xDanielLopez/TweetFeed

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

63 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TweetFeed

Feeds of IOCs posted by the community at Twitter

TweetFeed.live   |    Source code   |    Feedback

Want to integrate with OpenCTI? Now you can!

TweetFeed.live


☰ Content

❤️ Support the project

If you like the project, please consider:

  • Giving it a star ⭐
  • Invite to a coffee

📄 Data collected

Feeds

2025-05-27 20:23:07 (UTC)
Today Last 7 days Last 30 days Last 365 days
📋 Today (raw) 📋 Week (raw) 📋 Month (raw) 📋 Year (raw)

Output example

Date (UTC) SourceUser Type Value Tags Tweet
2021-08-14 02:26:32 phishunt_io url https://netflix.us2.cards/ #phishing #scam https://twitter.com/phishunt_io/status/1426369619422502917
2021-08-17 12:15:00 TheDFIRReport ip 185.56.76.94 #Trickbot https://twitter.com/TheDFIRReport/status/1427604874053578756

📊 Some statistics

Types

Type Today Week Month Year
🔗 URLs 195 1303 6135 51769
🌐 Domains 76 547 2936 36669
🚩 IPs 99 674 2905 14194
🔢 SHA256 8 55 258 1449
🔢 MD5 24 136 608 1834

Tags

Tag Today Week Month Year
#phishing 88 525 3032 66141
#scam 10 75 288 8032
#opendir 8 27 147 699
#malware 17 92 376 18815
#maldoc 0 0 0 4
#ransomware 3 6 46 311
#banker 0 0 0 0
#AgentTesla 0 0 17 158
#Alienbot 0 0 0 0
#AsyncRAT 16 87 392 1897
#Batloader 0 0 0 0
#BazarLoader 0 0 0 0
#CobaltStrike 47 388 1434 6597
#Dcrat 8 18 76 232
#Emotet 0 0 0 0
#Formbook 2 10 90 108
#GootLoader 0 0 0 0
#GuLoader 0 0 8 28
#IcedID 0 0 0 0
#Lazarus 0 6 21 68
#Lokibot 0 12 12 90
#log4j 0 0 0 9
#Log4shell 0 0 0 0
#Njrat 4 64 66 791
#Qakbot 4 43 142 561
#Raccoon 0 0 0 0
#RedLine 0 7 24 98
#Remcos 7 92 491 1919
#RaspberryRobin 0 0 0 0
#Spring4Shell 0 0 0 0
#SocGolish 0 0 0 7
#Ursnif 0 0 0 0

Top Reporters (today)

Number User IOCs
#1 drb_ra 182
#2 skocherhan 101
#3 harugasumi 24
#4 malwrhunterteam 15
#5 ThreatBookLabs 13
#6 @Phish_Destroy 6
#7 @CarlyGriggs13 4
#8 @urldna_bot 2
#9 D3LabIT 7
#10 ShadowChasing1 5

❓ How it works?

Search tweets that contain certain tags or that are posted by certain infosec people.

Tags being searched

(not case sensitive)
- #phishing
- #scam
- #opendir
- #malware
- #maldoc
- #ransomware
- #banker
- #AgentTesla
- #Alienbot
- #AsyncRAT
- #BazarLoader
- #Batloader
- #CobaltStrike
- #Dcrat
- #Emotet
- #Formbook
- #GootLoader
- #GuLoader
- #IcedID
- #Lazarus
- #Lokibot
- #log4j
- #Log4shell
- #Njrat
- #Qakbot
- #Raccoon
- #RedLine
- #Remcos
- #RaspberryRobin
- #Spring4Shell
- #SocGholish
- #Ursnif

Also search Tweets posted by

(these are trusted folks that sometimes don't use tags)

TweetFeed list

🔍 Hunting IOCs via Microsoft Defender

1. Search SHA256 hashes with yearly tweets feed

let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
'XXX' // Some SHA256 hash you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    | extend SHA256 = tostring(report[3])
    | where SHA256 !in(SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet 
);
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), ( 
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet

2. Search IP addresses with monthly tweets feed

let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
'XXX' // Some IP address you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in(IPaddress_whitelist)
    | where not(ipv4_is_private(RemoteIP))
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet 
);
union (
TweetFeed
    | join (
        DeviceNetworkEvents
    | where Timestamp > MaxAge
    ) on RemoteIP
) | project Timestamp, DeviceName, RemoteIP, Tag, Tweet

3. Search urls and domains with weekly tweets feed

let MaxAge = ago(30d);
let domain_whitelist = pack_array(
'XXX' // Some URL/Domain you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet 
);
union (
TweetFeed
    | join (
        DeviceNetworkEvents
    | where Timestamp > MaxAge
    ) on RemoteUrl
) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet

👤 Author

📌 Disclaimer

Please note that all the data is collected from Twitter and sorted/served here as it is on best effort.

I have tried to tune as much as possible the searches trying to collect only valuable info. However please consider making your own analysis before taking any action related to these IOCs.

Anyway feel free to reach me out or to provide any kind of feedback regarding any contribution or suggestion.


By the community, for the community.

About

TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community at Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes.

Topics

Resources

Stars

Watchers

Forks

Contributors 2

  •  
  •