Malicious URLs
Free feed of phishing, scam and malware-delivery URLs from Twitter/X researchers
Malicious URLs
Phishing, scam and malware-delivery URLs from Twitter/X
Related Threat Intelligence feeds: Domains · IPs · SHA-256 · MD5 · All IOC types
URLs by window
-
malicious URLs
-
malicious URLs
-
malicious URLs
-
malicious URLs
What this list contains
- Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
- Phishing kits, scam landing pages, malware-delivery URLs and command-and-control endpoints.
- Onion (.onion) URLs and ransomware leak sites included.
- Excluded: legitimate domains in the allowlist (Google, Microsoft, GitHub auth pages, common shorteners).
Recent samples
Latest 10 URLs from the past 7 days. Live from api.tweetfeed.live/v1/week/url.
Top tags for malicious URLs
Formats and how to use
Every TweetFeed feed is free and public domain (CC0 1.0) with no API key or sign-up. The malicious URLs are available in four formats:
| Format | Where | Best for |
|---|---|---|
| JSON API | api.tweetfeed.live/v1/<window>/url | SOAR / SIEM enrichment, scripts |
| CSV | today / week / month / year .csv | bulk import, spreadsheets, blocklists |
| RSS | rss.xml | watch new IOCs in a reader |
| MCP | mcp.tweetfeed.live | live lookups from AI agents / Claude |
Import the URL list into your secure web gateway or email-security filter as a blocklist, or query the JSON API from your SOAR to enrich alerts. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.
Frequently asked questions
What is a malicious URL feed?
A malicious URL feed is a continuously updated list of links that point to phishing pages, scams, malware payloads or command-and-control endpoints. Security teams ingest these feeds into SIEMs, firewalls and EDRs to block traffic and detect compromise. TweetFeed publishes the URLs spotted by ~95 infosec researchers on Twitter/X, refreshed every 15 minutes.
How is this list updated?
Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts URLs from tweets, deduplicates against the past year, tags them with malware family and category, and republishes the result in CSV, JSON and RSS.
Can I integrate this feed with my SIEM, MISP or firewall?
Yes. CSV imports work with most SIEMs (Splunk, Sentinel, QRadar) and proxies. The REST API at api.tweetfeed.live/v1/{time}/url returns JSON for any HTTP client. The MISP manifest at /misp/manifest.json imports four native MISP events (today, week, month, year). The Threat Hunting page has copy-paste configuration snippets for MISP, OpenCTI, Splunk, KQL and IntelOwl.
Are these URLs verified malicious?
TweetFeed is OSINT, not a sandbox. URLs are sourced from public posts by infosec researchers, then deduplicated and tagged. False positives can occur. Treat the list as a high-recall lead source rather than a verdict; cross-reference VirusTotal, urlscan.io or your sandbox before blocking.
Is the malicious URLs list free?
Yes. Every TweetFeed feed is free and released into the public domain under CC0 1.0, with no API key, sign-up or rate card. You can use it in commercial or personal projects; a link back is appreciated but not required.
How do I use these URLs to block threats?
Import the URL list into your secure web gateway or email-security filter as a blocklist, or query the JSON API from your SOAR to enrich alerts. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.
License
Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).