IOC Feeds

Free IOC Feeds (CSV, JSON, TXT, RSS) - phishing, malware, scam

IOC Feeds

Full feeds from today, last week, last month and last year

CSV Feeds

Today

Week

Month

Year

RSS Feed

RSS Feed (.xml)

MISP Feed

Native MISP feed format (4 Events refreshed every 15 minutes, deterministic UUIDs so consumers dedupe across pulls). Add the manifest URL to your MISP instance under Sync Actions → Feeds → Add to import all 4 events automatically. Tags applied: TweetFeed · type:OSINT · tlp:clear.

Today

Week

Month

Year

STIX 2.1 Bundles

Industry-standard STIX 2.1 indicator bundles for SIEM/Threat Intelligence platforms (TLP:CLEAR, deterministic UUIDs for cross-pull dedupe). Point your consumer at the manifest URL and pull the windows you care about.

Manifest

Today

Week

Month

Year window omitted on purpose: the STIX schema is ~2.6x more verbose per IOC than MISP, putting year.json >80 MB and too close to GitHub's 100 MB push limit. For year-scale STIX consumption use the diff endpoint below.

Diff endpoint (incremental sync)

Fetch only IOCs added after a given timestamp. Replace <ISO8601> with the last sync time (use the Z form for unambiguous UTC). Same /<filter1>/<filter2> syntax as the firehose API. Returns 410 Gone if the timestamp is >365 days old.

GET https://api.tweetfeed.live/v1/since/<ISO8601>

Per-tag RSS feeds

One RSS feed per active tag (a tag is "active" once it has >=1 hit in the last 7 days). Subscribe to a single threat type without polling the firehose. Browse all available feeds from the Tag index; each per-tag landing page also exposes the feed via <link rel="alternate">.

https://tweetfeed.live/rss/tag/<slug>.xml

Please consider making your own analysis before taking any action related to the IOCs. The confidence of the shared IOCs is not always 100% so it is strongly recommended NOT adding them to a blocklist directly. These could potentially be used for Threat Hunting and could be added to a Watchlist.

Frequently asked questions

What is an IOC feed?

An indicator of compromise (IOC) feed is a continuously updated list of malicious URLs, domains, IPs and file hashes used by security teams to detect threats. TweetFeed collects IOCs shared publicly by researchers on Twitter/X and republishes them every 15 minutes in CSV, JSON, TXT and RSS.

Is TweetFeed free?

Yes. All TweetFeed IOC feeds and the REST API are free. No registration or API key required.

How often are the IOC feeds updated?

Every 15 minutes. The pipeline scrapes around 95 Twitter/X RSS feeds, extracts new IOCs, deduplicates, and publishes refreshed CSV, JSON, TXT and RSS files to tweetfeed.live.

Which feed format should I choose?

CSV for spreadsheets and SIEM import, JSON for programmatic use, TXT for plain lists (one IOC per line), and RSS for subscribing in a feed reader. The data is identical across all four formats.

How do I import TweetFeed into MISP, OpenCTI or Splunk?

For MISP, point your instance at the manifest URL https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/misp/manifest.json under Sync Actions → Feeds → Add. It imports the 4 native MISP events (today/week/month/year) automatically with deterministic UUIDs for dedup across pulls. For OpenCTI and Splunk, point at the CSV URL and schedule periodic refresh. The Threat Hunting page lists ready-to-copy configuration snippets for MISP, OpenCTI, Splunk, KQL and IntelOwl.