Malicious IPs
Free feed of C2, scanner and malware-delivery IPs from Twitter/X researchers
What this list contains
- Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
- C2 servers, malware-delivery hosts, scanners and known abuse IPs.
- IPv4 only in the current dataset. Onion infrastructure is surfaced as URLs/domains, not IPs.
- Caveat: many IPs sit on shared hosting or CDN ranges. Treat a match as an enrichment signal, not a standalone block decision.
Recent samples
Latest 10 IPs from the past 7 days. Live from api.tweetfeed.live/v1/week/ip.
Frequently asked questions
What is a malicious IP feed?
A malicious IP feed is a continuously updated list of IPv4 addresses observed in adversary infrastructure. Common categories include C2 servers, malware-delivery hosts, port scanners and brute-force sources. Security teams ingest these into firewalls, IDS/IPS and SIEM correlation rules. TweetFeed publishes the IPs spotted by ~95 infosec researchers on Twitter/X, refreshed every 15 minutes.
How is this list updated?
Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts IPv4 addresses from tweets, deduplicates against the past year, tags them with malware family and category, and republishes the result in CSV, JSON and RSS.
Should I block these IPs at the firewall?
Block with caution. Shared hosting providers, CDNs and cloud platforms reuse IPs across legitimate and malicious tenants, so blanket blocking creates collateral damage. Use IP feeds as one signal among several: alert on connections, correlate with other indicators, and block only on high-confidence matches or in combination with active malicious activity from the same host.
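The triage logic described in this answer, as an added example (not TweetFeed's code): a feed match alone raises an alert, and a block is issued only when another indicator corroborates it on the same host. The feed snapshot, tag names, shared-range list and connection events are constructed, and never auto-blocking shared ranges is an assumed local policy.

```python
import ipaddress

# Constructed feed snapshot (IP -> tags). Not the TweetFeed API schema.
FEED = {
    "192.0.2.10": {"c2"},
    "198.51.100.7": {"scanner"},
    "203.0.113.55": {"malware-delivery"},
}
# Assumed, locally maintained list of shared hosting / CDN ranges.
SHARED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed events: (host, remote IP, other indicators seen on that host).
EVENTS = [
    ("ws-01", "192.0.2.10", {"hash_match"}),
    ("ws-02", "192.0.2.10", set()),
    ("ws-03", "203.0.113.55", {"url_match"}),
    ("ws-04", "198.51.100.99", {"hash_match"}),
    ("ws-05", "not-an-ip", set()),
]

def is_shared(ip):
    """True if the address falls inside a known shared/CDN range."""
    return any(ip in net for net in SHARED_RANGES)

def triage(remote_ip, other_indicators):
    """Return (verdict, reason) for one outbound connection."""
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return "skip", "unparseable address"
    if ip.version != 4 or str(ip) not in FEED:
        return "ignore", "no feed match"
    tags = ",".join(sorted(FEED[str(ip)]))
    if is_shared(ip):
        # Collateral-damage risk: never auto-block shared infrastructure.
        return "alert", f"feed match ({tags}) on shared range"
    if other_indicators:
        extra = ",".join(sorted(other_indicators))
        return "block", f"feed match ({tags}) corroborated by {extra}"
    return "alert", f"feed match ({tags}), uncorroborated"

def run(events=EVENTS):
    """Map each host to its verdict."""
    return {host: triage(ip, ind)[0] for host, ip, ind in events}

if __name__ == "__main__":
    for host, ip, ind in EVENTS:
        print(host, ip, *triage(ip, ind))
```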
Are these IPs verified malicious?
TweetFeed is OSINT, not a sandbox. IPs are sourced from public posts by infosec researchers, then deduplicated and tagged. False positives are higher for IPs than for URLs or hashes, especially when researchers post infrastructure observed for a single campaign that has since rotated. Cross-reference Shodan, AbuseIPDB or your sandbox before blocking.
What is the license? Can I use this commercially?
All TweetFeed IOC data, including this IP subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.
License
Malicious IPs data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).