#opendir
Open directories - publicly listable web roots hosting attacker payloads, kits and tools
Open directories hosting attacker payloads
IOCs by window
IOCs tagged #opendir: 0 · 2 · 69 · 773
Counts as of 2026-04-29. Regenerated daily.
About #opendir
- Definition: an HTTP server (often nginx / Apache / IIS) configured with directory autoindex enabled, exposing the contents of a folder. When the folder belongs to an attacker (staging server, kit drop, panel root) the listing reveals payloads, scripts and operator artefacts.
- Why researchers track them: open directories are a high-yield source of fresh IOCs. A single opendir often hosts multiple loaders, second-stage payloads, exfiltrated-data archives and YARA-friendly scripts; researchers download, hash and tag each artefact in bulk.
- Detection: for defenders, periodic scans of organisation egress for `Index of /` patterns; for hunters, services like ODIN by The DFIR Report, URLscan tag filters, and certificate-transparency-driven sweeps.
- References: MITRE ATT&CK T1190 · The DFIR Report.
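The `Index of /` check from the Detection bullet, as an added example (not TweetFeed's pipeline code): it classifies captured HTTP response bodies as nginx, Apache-style or IIS listings and pulls out the listed entries for triage. The function names, sample bodies, hosts and file names are constructed, and the markers assume the servers' default listing templates.

```python
import re
from html.parser import HTMLParser

# Markers of the stock listing templates (assumption: no custom theme or header).
TITLE_RE = re.compile(r"<title>\s*Index of\s+/", re.I)
H1_RE = re.compile(r"<h1>\s*Index of\s+/", re.I)
NGINX_PARENT = '<a href="../">../</a>'    # nginx emits this even at the root
IIS_PARENT = "[To Parent Directory]"      # may be absent on an IIS root listing
PARENT_TEXT = {"../", "Parent Directory", IIS_PARENT}

class _Links(HTMLParser):                 # collects (href, link text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))
            self._href = None

def classify_listing(body):
    """Return 'iis', 'nginx', 'apache' (Apache-style) or None for one response body."""
    if IIS_PARENT in body:
        return "iis"
    if not (TITLE_RE.search(body) and H1_RE.search(body)):
        return None                       # "Index of /" quoted in prose is not a listing
    return "nginx" if NGINX_PARENT in body else "apache"

def listed_files(body):                   # drops parent links and Apache sort links
    parser = _Links()
    parser.feed(body)
    return [h for h, text in parser.links
            if text not in PARENT_TEXT and not h.startswith("?")]

def scan(records):                        # records: (url, body) pairs from proxy captures
    return [{"url": u, "server": classify_listing(b), "files": listed_files(b)}
            for u, b in records if classify_listing(b)]

# Constructed samples: documentation addresses, made-up file names.
SAMPLES = [
    ("http://198.51.100.5/up/", '<title>Index of /up</title><h1>Index of /up</h1>'
     '<a href="?C=N;O=D">Name</a><a href="/">Parent Directory</a><a href="s2.bin">s2.bin</a>'),
    ("http://192.0.2.9/d/", '<title>Index of /d/</title><h1>Index of /d/</h1><pre>'
     '<a href="../">../</a>\n<a href="a.zip">a.zip</a> 01-Jan-2026 00:00 1024</pre>'),
    ("http://203.0.113.7/x/", '<title>203.0.113.7 - /x/</title><H1>203.0.113.7 - /x/</H1>'
     '<A HREF="/">[To Parent Directory]</A><br><A HREF="/x/l.exe">l.exe</A>'),
    ("https://blog.example/post", '<title>Notes</title><p>Search for "Index of /".</p>')]
```

Requiring the title, the heading and a template marker together keeps pages that merely mention `Index of /` out of the results.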
Recent IOCs tagged #opendir
Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/opendir.
Frequently asked questions
What is an opendir?
An opendir (open directory) is a web folder where directory autoindexing is enabled, exposing all files inside as a clickable listing. When attackers misconfigure their staging servers this way - which happens often - researchers can browse the listing, download every artefact and reverse-engineer the kit or payload set.
How do opendirs end up in this feed?
Public researchers post URLs to attacker opendirs they discover, tagged #opendir. The TweetFeed pipeline picks up these URLs (and the IPs/domains hosting them) and republishes them in CSV, JSON and RSS within 15 minutes. Many opendirs are short-lived: the operator notices the leak and locks down the directory or rotates infrastructure.
How is this list updated?
Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Opendir-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.
What is the license? Can I use this commercially?
All TweetFeed IOC data, including this Opendir subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.
License
Opendir IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).