Malicious Domains

Free feed of phishing, scam and malware-delivery domains from Twitter/X researchers


Malicious Domains

Phishing, scam and malware-delivery domains from Twitter/X


Related Threat Intelligence feeds: URLs · IPs · SHA-256 · MD5 · All IOC types

Domains by window

Today

-

malicious domains

Week

-

malicious domains

Month

-

malicious domains

Year

-

malicious domains

What this list contains

  • Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
  • Phishing domains, scam landing pages, malware-delivery hosts and C2 endpoints.
  • Newly-registered domains often included (typo-squats of bank, tech and government brands).
  • Excluded: legitimate domains in the allowlist (Google, Microsoft, GitHub auth pages, common shorteners).

Recent samples

Latest 10 Domains from the past 7 days. Live from api.tweetfeed.live/v1/week/domain.

Loading samples

Top tags for malicious domains

Filter the Domain feed by malware family or category. Each tag has its own landing page with recent samples and context.

See all tags on the Dashboard or browse the full IOC feed.

Formats and how to use

Every TweetFeed feed is free and public domain (CC0 1.0) with no API key or sign-up. The malicious domains are available in four formats:

FormatWhereBest for
JSON APIapi.tweetfeed.live/v1/<window>/domainSOAR / SIEM enrichment, scripts
CSVtoday / week / month / year .csvbulk import, spreadsheets, blocklists
RSSrss.xmlwatch new IOCs in a reader
MCPmcp.tweetfeed.livelive lookups from AI agents / Claude

Import the domain list into your DNS firewall, secure web gateway or Pi-hole as a blocklist, or query the JSON API from your SOAR/SIEM to enrich alerts. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.

Frequently asked questions

What is a malicious domain feed?

A malicious domain feed is a continuously updated list of fully-qualified domain names that point to phishing pages, scams, malware payloads or command-and-control endpoints. Security teams ingest these into DNS firewalls, secure web gateways and EDRs to block traffic before resolution. TweetFeed publishes the domains spotted by ~95 infosec researchers on Twitter/X, refreshed every 15 minutes.

Where can I download a bad domains list?

Right here. This page is a live bad domains list: every entry was reported as phishing, scam, malware or C2 infrastructure by the infosec community on Twitter/X. Grab the CSV for your blocklist, query the JSON API from scripts, or subscribe to the RSS feed. It refreshes every 15 minutes and is CC0, so no key or sign-up is needed.

How is this list updated?

Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts domains from tweets, deduplicates against the past year, tags them with malware family and category, and republishes the result in CSV, JSON and RSS.

How do malicious domains differ from malicious URLs?

A URL is a full link including path and query string (https://example.com/login.php?u=1). A domain is just the host portion (example.com). Domain blocks catch the entire domain regardless of path; URL blocks are more precise but miss other paths on the same host. Most SOCs block at the domain level for known-bad infrastructure and at the URL level for one-off phishing kits.

Are these domains verified malicious?

TweetFeed is OSINT, not a sandbox. Domains are sourced from public posts by infosec researchers, then deduplicated and tagged. False positives can occur, especially for compromised legitimate domains hosting phishing kits temporarily. Cross-reference VirusTotal, urlscan.io or your sandbox before blocking outright.

Is the malicious domains list free?

Yes. Every TweetFeed feed is free and released into the public domain under CC0 1.0, with no API key, sign-up or rate card. You can use it in commercial or personal projects; a link back is appreciated but not required.

How do I use these domains to block threats?

Import the domain list into your DNS firewall, secure web gateway or Pi-hole as a blocklist, or query the JSON API from your SOAR/SIEM to enrich alerts. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.

License

Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).