Malicious URLs

Free feed of phishing, scam and malware-delivery URLs from Twitter/X researchers


Malicious URLs

Phishing, scam and malware-delivery URLs from Twitter/X


Related Threat Intelligence feeds: Domains · IPs · SHA-256 · MD5 · All IOC types

URLs by window

Today

-

malicious URLs

Week

-

malicious URLs

Month

-

malicious URLs

Year

-

malicious URLs

What this list contains

  • Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
  • Phishing kits, scam landing pages, malware-delivery URLs and command-and-control endpoints.
  • Onion (.onion) URLs and ransomware leak sites included.
  • Excluded: legitimate domains in the allowlist (Google, Microsoft, GitHub auth pages, common shorteners).

Recent samples

Latest 10 URLs from the past 7 days. Live from api.tweetfeed.live/v1/week/url.

Loading samples

Top tags for malicious URLs

Filter the URL feed by malware family or category. Each tag has its own landing page with recent samples and context.

See all tags on the Dashboard or browse the full IOC feed.

Formats and how to use

Every TweetFeed feed is free and public domain (CC0 1.0) with no API key or sign-up. The malicious URLs are available in four formats:

FormatWhereBest for
JSON APIapi.tweetfeed.live/v1/<window>/urlSOAR / SIEM enrichment, scripts
CSVtoday / week / month / year .csvbulk import, spreadsheets, blocklists
RSSrss.xmlwatch new IOCs in a reader
MCPmcp.tweetfeed.livelive lookups from AI agents / Claude

Import the URL list into your secure web gateway or email-security filter as a blocklist, or query the JSON API from your SOAR to enrich alerts. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.

Frequently asked questions

What is a malicious URL feed?

A malicious URL feed is a continuously updated list of links that point to phishing pages, scams, malware payloads or command-and-control endpoints. Security teams ingest these feeds into SIEMs, firewalls and EDRs to block traffic and detect compromise. TweetFeed publishes the URLs spotted by ~95 infosec researchers on Twitter/X, refreshed every 15 minutes.

How is this list updated?

Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts URLs from tweets, deduplicates against the past year, tags them with malware family and category, and republishes the result in CSV, JSON and RSS.

Can I integrate this feed with my SIEM, MISP or firewall?

Yes. CSV imports work with most SIEMs (Splunk, Sentinel, QRadar) and proxies. The REST API at api.tweetfeed.live/v1/{time}/url returns JSON for any HTTP client. The MISP manifest at /misp/manifest.json imports four native MISP events (today, week, month, year). The Threat Hunting page has copy-paste configuration snippets for MISP, OpenCTI, Splunk, KQL and IntelOwl.

Are these URLs verified malicious?

TweetFeed is OSINT, not a sandbox. URLs are sourced from public posts by infosec researchers, then deduplicated and tagged. False positives can occur. Treat the list as a high-recall lead source rather than a verdict; cross-reference VirusTotal, urlscan.io or your sandbox before blocking.

Is the malicious URLs list free?

Yes. Every TweetFeed feed is free and released into the public domain under CC0 1.0, with no API key, sign-up or rate card. You can use it in commercial or personal projects; a link back is appreciated but not required.

How do I use these URLs to block threats?

Import the URL list into your secure web gateway or email-security filter as a blocklist, or query the JSON API from your SOAR to enrich alerts. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.

License

Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).