Malicious Domains
Free feed of phishing, scam and malware-delivery domains from Twitter/X researchers
What this list contains
- Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
- Phishing domains, scam landing pages, malware-delivery hosts and C2 endpoints.
- Newly registered domains are often included (typo-squats of bank, tech and government brands).
- Excluded: legitimate domains in the allowlist (Google, Microsoft, GitHub auth pages, common shorteners).
Recent samples
The latest 10 domains from the past 7 days, live from api.tweetfeed.live/v1/week/domain.
Frequently asked questions
What is a malicious domain feed?
A malicious domain feed is a continuously updated list of fully-qualified domain names that point to phishing pages, scams, malware payloads or command-and-control endpoints. Security teams ingest these into DNS firewalls, secure web gateways and EDRs to block traffic before resolution. TweetFeed publishes the domains spotted by ~95 infosec researchers on Twitter/X, refreshed every 15 minutes.
How is this list updated?
Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts domains from tweets, deduplicates against the past year, tags them with malware family and category, and republishes the result in CSV, JSON and RSS.
How do malicious domains differ from malicious URLs?
A URL is a full link including path and query string (https://example.com/login.php?u=1). A domain is just the host portion (example.com). Domain blocks catch the entire domain regardless of path; URL blocks are more precise but miss other paths on the same host. Most SOCs block at the domain level for known-bad infrastructure and at the URL level for one-off phishing kits.
Are these domains verified malicious?
TweetFeed is OSINT, not a sandbox. Domains are sourced from public posts by infosec researchers, then deduplicated and tagged. False positives can occur, especially for compromised legitimate domains hosting phishing kits temporarily. Cross-reference VirusTotal, urlscan.io or your sandbox before blocking outright.
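The domain-versus-URL distinction and the false-positive caveat above, as an added example (not TweetFeed's own code): a small matcher that blocks listed domains on every path and subdomain, blocks listed URLs only on the exact page, and refuses to block an allowlisted domain outright. The names `BlockPolicy`, `covered`, `norm_host` and `norm_url`, the subdomain-matching rule and the `.example` sample entries are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def norm_host(host):
    """Lowercase, drop the trailing root dot, IDNA-encode non-ASCII labels."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # keep odd hosts comparable instead of crashing the matcher

def covered(host, domains):
    """True if host or any parent domain is listed; compares whole labels only."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def norm_url(url):
    """Reduce a URL to (host, path, query); scheme, port and fragment are ignored."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return norm_host(parts.hostname or ""), parts.path or "/", parts.query

class BlockPolicy:
    def __init__(self, bad_domains, bad_urls, allowlist):
        self.allow = {norm_host(d) for d in allowlist}
        # A feed domain that is on the allowlist is dropped, never blocked whole.
        self.domains = {h for h in map(norm_host, bad_domains)
                        if not covered(h, self.allow)}
        # URL entries stay, even on allowlisted hosts: one bad page, not the site.
        self.urls = {norm_url(u) for u in bad_urls}

    def verdict(self, url):
        host, path, query = norm_url(url)
        if covered(host, self.domains):
            return "block:domain"   # every path and subdomain is caught
        if (host, path, query) in self.urls:
            return "block:url"      # only this exact page is caught
        return "allow"

# Constructed sample data (reserved .example names, not taken from the feed).
POLICY = BlockPolicy(
    bad_domains=["secure-login.example", "auth.bigvendor.example"],
    bad_urls=["https://blog.smallshop.example/wp-content/kit/login.php?u=1"],
    allowlist=["bigvendor.example"],
)

if __name__ == "__main__":
    for u in ("https://secure-login.example/any/path",
              "https://blog.smallshop.example/wp-content/kit/login.php?u=1",
              "https://blog.smallshop.example/", "https://auth.bigvendor.example/sso"):
        print(POLICY.verdict(u), u)
```

The label-boundary comparison in `covered` is what keeps a look-alike such as `notsecure-login.example` from being swept up by the `secure-login.example` entry.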
What is the license? Can I use this commercially?
All TweetFeed IOC data, including this domain subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.
License
Malicious Domains data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).