#malware

Malware-hosting infrastructure (URLs, domains, IPs serving payloads) extracted from posts by public security researchers


Malware-hosting URLs, domains and IPs


IOCs by window

IOCs tagged #malware:

  • Today: 1
  • Week: 42
  • Month: 155
  • Year: 4,503

Counts as of 2026-04-29. Regenerated daily.

About #malware

  • Definition: umbrella tag for any IOC associated with a malware payload, regardless of family. URLs serving binaries, IPs hosting C2, hashes of binaries, and domains used for distribution all qualify. For family-specific filtering see the dedicated tags below.
  • Common families in the corpus: Cobalt Strike, Remcos, AsyncRAT, NetSupport RAT, Lumma stealer, NjRAT, Sliver, Mythic, Havoc, Deimos. Each has its own per-tag landing page.
  • Detection: YARA rules on hashes, sandboxing on samples, network-IDS rules for known C2 patterns, and feed-driven blocklists for URLs / domains / IPs. The TweetFeed CSV / JSON feeds are designed for this last use case.
  • References: MITRE ATT&CK Software · Malpedia · malicious-urls feed.

Recent IOCs tagged #malware

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/malware.

Frequently asked questions

What is the difference between #malware and per-family tags like #CobaltStrike?

The #malware tag is broad and matches any IOC researchers flag as malware-related, regardless of family. Per-family tags like #CobaltStrike, #Remcos or #AsyncRAT are subsets that identify the specific malware. An IOC can carry both tags if researchers attribute it to a specific family, but many entries are tagged only with #malware when the family attribution is uncertain.

Which IOC types are most common in the malware feed?

URLs and IPs dominate (payload-hosting servers, C2 endpoints), with domains close behind. Hashes (MD5 and SHA-256) appear when researchers share specific binary samples. For pure-hash filtering, see the dedicated /malicious-hashes-md5.html and /malicious-hashes-sha256.html landing pages.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Malware-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Malware subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Malware IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).