Malicious URLs

Free feed of phishing, scam and malware-delivery URLs from Twitter/X researchers


Malicious URLs

Phishing, scam and malware-delivery URLs from Twitter/X

URLs by window

Today

-

malicious URLs

Week

-

malicious URLs

Month

-

malicious URLs

Year

-

malicious URLs

What this list contains

  • Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
  • Phishing kits, scam landing pages, malware-delivery URLs and command-and-control endpoints.
  • Onion (.onion) URLs and ransomware leak sites included.
  • Excluded: legitimate domains in the allowlist (Google, Microsoft, GitHub auth pages, common shorteners).

Recent samples

Latest 10 URLs from the past 7 days. Live from api.tweetfeed.live/v1/week/url.

Loading samples

Top tags for malicious URLs

Filter the URL feed by malware family or category. Each tag has its own landing page with recent samples and context.

  • #phishing
  • #c2
  • #cobaltstrike
  • #scam
  • #malware

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What is a malicious URL feed?

A malicious URL feed is a continuously updated list of links that point to phishing pages, scams, malware payloads or command-and-control endpoints. Security teams ingest these feeds into SIEMs, firewalls and EDRs to block traffic and detect compromise. TweetFeed publishes the URLs spotted by ~95 infosec researchers on Twitter/X, refreshed every 15 minutes.

How is this list updated?

Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts URLs from tweets, deduplicates against the past year, tags them with malware family and category, and republishes the result in CSV, JSON and RSS.

Can I integrate this feed with my SIEM, MISP or firewall?

Yes. CSV imports work with most SIEMs (Splunk, Sentinel, QRadar) and proxies. The REST API at api.tweetfeed.live/v1/{time}/url returns JSON for any HTTP client. The MISP manifest at /misp/manifest.json imports four native MISP events (today, week, month, year). The Threat Hunting page has copy-paste configuration snippets for MISP, OpenCTI, Splunk, KQL and IntelOwl.

Are these URLs verified malicious?

TweetFeed is OSINT, not a sandbox. URLs are sourced from public posts by infosec researchers, then deduplicated and tagged. False positives can occur. Treat the list as a high-recall lead source rather than a verdict; cross-reference VirusTotal, urlscan.io or your sandbox before blocking.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this URL subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Malicious URL data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).