Spydi's ThreatIntel Feed is a comprehensive threat intelligence platform that aggregates, curates, and maintains high-quality blocklists for malicious IPs and domains. The system combines data from multiple OSINT sources, honeypot networks, and threat intelligence feeds to provide actionable security data.
- Automated Updates: Daily refresh of IP and domain blocklists
- Multi-Source Intelligence: Aggregates data from 12+ trusted OSINT feeds
- Smart Filtering: Implements whitelisting to minimize false positives
- Threat Coverage: Tracks 50+ threat actors and their infrastructure
- CDN-Aware: Special handling for CDN networks to prevent service disruption
- Reference Analysis: Cross-references removed IPs with OSINT feeds for validation
Use cases:
- Network security monitoring
- Firewall rule generation
- Threat intelligence integration
- Security research and analysis
- Malware infrastructure tracking
- IP Blocklists
- Domain Blocklists
- Whitelist Files
- Tracked Threats & Source list
- Acknowledgements
- Community Contributions
- Contact me
Each OSINT feed incorporated in this blocklist is governed by its own terms, conditions, and licensing agreements. By utilizing this compilation, you acknowledge these individual terms and agree to comply with them. Users are responsible for reviewing the original source repositories or documentation for specific licensing details and restrictions.
Blocklist Name | Description | False Positive Risk | Blocklist URL |
---|---|---|---|
Master IP Blocklist | Raw IPs from 12+ OSINT feeds (unfiltered) | High | Link |
Main IP Blocklist | Curated IPs with whitelisting applied for minimal false positives | Low | Link |
Permanent Malicious IPs | Append-only: all IPs ever seen in the Main IP Blocklist (unless whitelisted) | Medium | Link |
C2 Server IPs Blocklist | Command-and-Control infrastructure from tracked threat actors | Low | Link |
Name | Description | Blocklist URL |
---|---|---|
Spam/Scam Domains | Phishing, scam, and spam domains | Link |
Malware Domains | Active malware distribution, C2, and exploit kit domains | Link |
Ads & Tracking Domains | Aggressive ads, trackers, and analytics domains | Link |
Permanent Malicious Domains | Append-only: all domains ever seen in the Malware Domains blocklist | Link |
Reduce false positives using these curated lists:
Name | Purpose | Raw URL |
---|---|---|
Removed IPs | Legitimate IPs removed from the various IP blocklists | Raw |
Whitelisted IPs | Critical infrastructure IPs (Cloudflare, Akamai, Fastly, and more) | Raw |
- Actively monitored infrastructure across 50+ threat actors:
C2s | Malware | Botnets |
---|---|---|
Cobalt Strike | AcidRain Stealer | 7777 |
Metasploit Framework | Misha Stealer (AKA Grand Misha) | BlackNET |
Covenant | Patriot Stealer | Doxerina |
Mythic | RAXNET Bitcoin Stealer | Scarab |
Brute Ratel C4 | Titan Stealer | 63256 |
Posh | Collector Stealer | Kaiji |
Sliver | Mystic Stealer | MooBot |
Deimos | Gotham Stealer | Mozi |
PANDA | Meduza Stealer | |
NimPlant C2 | Quasar RAT | |
Havoc C2 | ShadowPad | |
Caldera | AsyncRAT | |
Empire | DcRat | |
Ares | BitRAT | |
Hak5 Cloud C2 | DarkComet Trojan | |
Pantegana | XtremeRAT Trojan | |
Supershell | NanoCore RAT Trojan | |
Poseidon C2 | Gh0st RAT Trojan | |
Viper C2 | DarkTrack RAT Trojan | |
Vshell | njRAT Trojan | |
Villain | Remcos Pro RAT Trojan | |
Nimplant C2 | Poison Ivy Trojan | |
RedGuard C2 | Orcus RAT Trojan | |
Oyster C2 | ZeroAccess Trojan | |
byob C2 | HOOKBOT Trojan | |
| | RisePro Stealer | |
| | NetBus Trojan | |
| | Bandit Stealer | |
| | Mint Stealer | |
| | Mekotio Trojan | |
| | Gozi Trojan | |
| | Atlandida Stealer | |
| | VenomRAT | |
| | Orcus RAT | |
| | BlackDolphin | |
| | Artemis RAT | |
| | Godzilla Loader | |
| | Jinx Loader | |
| | Netpune Loader | |
| | SpyAgent | |
| | SpiceRAT | |
| | Dust RAT | |
| | Pupy RAT | |
| | Atomic Stealer | |
| | Lumma Stealer | |
| | Serpent Stealer | |
| | Axile Stealer | |
| | Vector Stealer | |
| | Z3us Stealer | |
| | Rastro Stealer | |
| | Darkeye Stealer | |
| | AgniStealer | |
| | Epsilon Stealer | |
| | Bahamut Stealer | |
| | Unam Web Panel / SilentCryptoMiner | |
| | Vidar Stealer | |
| | Kraken RAT | |
| | Bumblebee Loader | |
| | Viper RAT | |
| | Spectre Stealer | |
- Sources: 12+ curated feeds including C2 servers, honeypot data, mass scanners, and OSINT feeds.
Sources | Source URL |
---|---|
C2 IP Feed | C2_iplist.txt |
Honeypot Master list | honeypot_iplist.txt |
maltrail_scanners | maltrail_ips.txt |
botvrij_eu | botvrij_eu |
feodotracker | feodotracker |
feodotracker_recommended | feodotracker_recommended |
Blocklist_de_all | Blocklist_de_all |
ThreatView_High_Confidence | ThreatView_High_Confidence |
IPsumLevel_7 | IPsumLevel7 |
CINS_Score | CINS_Score |
DigitalSide | DigitalSide |
duggytuxy | duggytuxy |
etnetera.cz | etnetera.cz |
emergingthreats-compromised | ET_Comp |
greensnow.co | greensnow.co |
Threatfox | Threatfox |
More coming soon! | Future Updates |
- Whitelist Coverage Matrix:
Provider | Type | Coverage | Source Link |
---|---|---|---|
Cloudflare | CDN IPv4/IPv6 | Global CDN | Cloudflare IPs |
Akamai | CDN IPv4/IPv6 | Global CDN & Shield IPs | Akamai IPs |
Fastly | CDN IPv4/IPv6 | Global CDN | Fastly IPs |
Tailscale | DERP & Control Panel | Relay servers and control plane | Tailscale DERP |
Uptime Robot | IPv4 | UptimeRobot Monitoring | UptimeRobot IPs |
Gratitude to our OSINT partners
This project stands on the shoulders of these valuable resources:
- Abuse.ch - Feodo Tracker
- Botvrij.eu - Threat Intelligence
- Blocklist.de - Attack Data
- CINS Army - Threat Scoring
- DigitalSide - Italian CERT
- ...and 10+ other community maintainers
Special Thanks to MontySecurity for their C2 Tracker framework and elliotwutingfeng for Inversion DNSBL Blocklists.
Build a cleaner, more actionable feed
We welcome contributions to enhance this resource for:
- Individuals: Simplify personal network security
- SMBs: Deploy cost-effective threat blocking
- Enterprises: Integrate scalable threat intelligence
Key Focus Areas:
- Deduplication: Help eliminate redundant entries across feeds
- Reduce False Positives: Help eliminate false positive IOCs from the feeds
- Validation: Flag false positives or outdated indicators
- Context: Add threat actor/geo-tags for better filtering
- Automation: Suggest workflow improvements for data curation
How to Help:
- Submit verified IOCs via Pull Request
- Report duplicate entries in Issues
- Report false positives in Issues
- Share feedback on enterprise/SMB integration patterns
- Improve documentation for non-technical users
All contributors are acknowledged in our Credits.
- E-Mail: [email protected] (PGP: Key)