{"service":"Zedmos CTI","methodology_url":"https://www.zedmos.net/v1/public/methodology","tier_definitions":{"1":{"name":"Gov / national CERT","description":"Government-backed national CERT (USOM-TR, CERT.pl, CIRCL-LU). Highest credibility."},"2":{"name":"Industry-grade commercial-free","description":"abuse.ch / Spamhaus / Proofpoint ET tier — used by major SOCs and security vendors."},"3":{"name":"Community-curated","description":"High-quality volunteer-maintained projects (OpenPhish, Phishing Army, Hagezi, DigitalSide)."},"4":{"name":"Aggregator / mirror","description":"Combines T1-T3 upstream sources (ipsum, davidonzo, firehol, c2tracker)."},"5":{"name":"Research / volatile","description":"Low-signal raw OSINT (Twitter, certstream-derived) — watch-only, manual review needed."}},"summary":{"total_feeds":49,"enabled_feeds":37,"by_tier":[{"tier":1,"tier_name":"Gov / national CERT","count":3},{"tier":2,"tier_name":"Industry-grade commercial-free","count":20},{"tier":3,"tier_name":"Community-curated","count":18},{"tier":4,"tier_name":"Aggregator / mirror","count":7},{"tier":5,"tier_name":"Research / volatile","count":1}],"by_operator":[{"operator":"Hagezi / DNS Blocklists","count":4},{"operator":"abuse.ch / Feodo Tracker","count":3},{"operator":"abuse.ch / ThreatFox","count":3},{"operator":"abuse.ch / URLhaus","count":3},{"operator":"SANS ISC / DShield","count":2},{"operator":"Spamhaus","count":2},{"operator":"DigitalSide Threat-Intel","count":2},{"operator":"Davidonzo / Threat-Intel","count":2},{"operator":"FireHOL","count":2},{"operator":"CERT.pl (NASK)","count":1},{"operator":"CIRCL (LU-CERT)","count":1},{"operator":"USOM (TR-CERT)","count":1},{"operator":"Proofpoint Emerging Threats","count":1},{"operator":"Tor Project (official)","count":1},{"operator":"abuse.ch / Hunting","count":1},{"operator":"abuse.ch / MalwareBazaar","count":1},{"operator":"abuse.ch / SSLBL","count":1},{"operator":"abuse.ch / SSLBL (DEPRECATED)","count":1},{"operator":"abuse.ch / YARAify","count":1},{"operator":"AT&T Cybersecurity / OTX","count":1},{"operator":"AssoEchap / Stalkerware Indicators","count":1},{"operator":"CINS Score (SentinelOne)","count":1},{"operator":"Cybercrime-tracker.net","count":1},{"operator":"Hagezi DNS Blocklists","count":1},{"operator":"Mitchell Krogza","count":1},{"operator":"Mitchell Krogza / Phishing.Database","count":1},{"operator":"OpenPhish","count":1},{"operator":"Phishing Army","count":1},{"operator":"Shreshta Labs / NRD","count":1},{"operator":"Stamparm / Maltrail","count":1},{"operator":"disposable-email-domains","count":1},{"operator":"GreenSnow","count":1},{"operator":"Stamparm / ipsum","count":1},{"operator":"drb-ra / C2IntelFeeds","count":1},{"operator":"TweetFeed (Twitter OSINT)","count":1}],"audit_summary":{"operational":42,"unreachable":5,"stale_critical":0,"unknown":2},"audit_methodology":"operational = HTTP 200 + content received. unreachable = HTTP error or fetch failed. stale_critical = freshness-critical feeds (e.g. CT watch) that exceeded expected cadence. Most blocklists publish only when actionable changes happen — a 60-day-old Spamhaus DROP is normal and correct, not stale.","auth_required_feeds":14,"license_restricted_feeds":0,"deprecation_warnings":[{"feed_id":"spamhaus_drop_ips","note":"eDROP merged into DROP on 2024-04-10. TXT format being deprecated; use JSON drop_v4.json / drop_v6.json / asndrop.json."},{"feed_id":"tor_exits","note":"Old `/torbulkexitlist` path deprecated 2020-04-01 in favor of `/api/bulk`. Compat alias still works but pin the new path."},{"feed_id":"feodo_recommended","note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"feodotracker_aggressive_ips","note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"feodotracker_ips","note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"abusech_hunting_reference","note":"Login-only — no programmatic bulk feed. Document for awareness."},{"feed_id":"malwarebazaar_recent","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"sslbl_ip_blocklist","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"abusech_ja3","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_domains","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_ips","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_url_list","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_domains","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_hostfile","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_text","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"abusech_yaraify_rules","note":"abuse.ch Auth-Key mandatory since 2025-06-30. Set ABUSECH_AUTH_KEY env. Free at https://auth.abuse.ch/. YARA rules — needs Phase 2C YARA parser; placeholder for now."},{"feed_id":"abuse_phishing_db","note":"Repo migrated from `mitchellkrogza/` to `Phishing-Database/` org. Old links redirect; pin new."}]},"feeds":[{"feed_id":"certpl_domains","categories":["malware_virus","phishing"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"CERT.pl Malware Domains","last_error":"","last_fetch_at":"2026-04-29T21:36:30.302Z","last_fetch_count":134359,"last_fetch_ok":true,"method":"http","notes":"","url":"https://hole.cert.pl/domains/v2/domains.txt","audit_at":"2026-04-29T20:01:13.495Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:00:07.000Z","audit_status":"operational","license":"CC-BY-4.0","operator":"CERT.pl (NASK)","tier":1},{"feed_id":"circl_osint_misp","categories":["malware_virus"],"enabled":false,"interval_sec":21600,"ioc_type":"both","kind":"ti","label":"CIRCL OSINT (MISP feed format)","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"method":"http","notes":"MISP feed manifest+JSON-per-event. Enable after Phase 2 MISP-feed parser.","url":"https://www.circl.lu/doc/misp/feed-osint/","audit_at":"2026-04-29T20:01:13.500Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"CC0/Open Data","operator":"CIRCL (LU-CERT)","tier":1},{"feed_id":"turkish_usom","categories":["turkish_usom"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"USOM URL List (TR)","last_error":"","last_fetch_at":"2026-04-29T21:37:31.588Z","last_fetch_count":467869,"last_fetch_ok":true,"method":"http","notes":"","url":"https://www.usom.gov.tr/url-list.txt","audit_at":"2026-04-29T20:01:13.480Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:45:03.000Z","audit_status":"operational","license":"Türk gov, public","operator":"USOM (TR-CERT)","tier":1},{"feed_id":"et_compromised_ips","categories":["compromised"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Emerging Threats Compromised IPs","last_error":"","last_fetch_at":"2026-04-29T21:28:48.238Z","last_fetch_count":360,"last_fetch_ok":true,"method":"http","notes":"","url":"https://rules.emergingthreats.net/blockrules/compromised-ips.txt","audit_at":"2026-04-29T20:01:13.516Z","audit_days_since":1,"audit_last_modified":"2026-04-28T19:28:04.000Z","audit_status":"operational","license":"BSD","operator":"Proofpoint Emerging Threats","tier":2},{"feed_id":"dshield_block","audit_at":"2026-04-29T20:01:13.513Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:44:44.000Z","audit_status":"operational","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"cidr","kind":"ti","label":"SANS Internet Storm Center / DShield — block list","last_error":"","last_fetch_at":"2026-04-29T21:30:17.952Z","last_fetch_count":40,"last_fetch_ok":true,"license":"Free public","method":"http","notes":"/24 CIDR blocks of consistent attackers. Conservative.","operator":"SANS ISC / DShield","tier":2,"url":"https://www.dshield.org/block.txt"},{"feed_id":"dshield_topips","audit_at":"2026-04-29T20:01:13.514Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:46:22.000Z","audit_status":"operational","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"SANS Internet Storm Center / DShield — top attacking IPs","last_error":"","last_fetch_at":"2026-04-29T21:30:18.151Z","last_fetch_count":32,"last_fetch_ok":true,"license":"Free public","method":"http","notes":"DShield community-honeypot top attackers. Long-running (since 2000).","operator":"SANS ISC / DShield","tier":2,"url":"https://www.dshield.org/feeds/topips.txt"},{"feed_id":"spamhaus_asndrop","audit_at":"2026-04-29T20:01:13.533Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:14:02.000Z","audit_status":"operational","categories":["malware_virus"],"enabled":false,"interval_sec":86400,"ioc_type":"ip","kind":"ti","label":"Spamhaus ASN-DROP — hijacked ASNs","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"license":"Free non-commercial","method":"http","notes":"JSON list of hijacked-ASN announcements. Need ASN→IP expansion at FW level (Phase 2B).","operator":"Spamhaus","tier":2,"url":"https://www.spamhaus.org/drop/asndrop.json"},{"feed_id":"spamhaus_drop_ips","categories":["malware_virus"],"enabled":true,"interval_sec":86400,"ioc_type":"ip","kind":"ti","label":"Spamhaus DROP Hijacked Netblocks","last_error":"","last_fetch_at":"2026-04-29T10:25:42.305Z","last_fetch_count":1466,"last_fetch_ok":true,"method":"http","notes":"","url":"https://www.spamhaus.org/drop/drop_v4.json","audit_at":"2026-04-29T20:01:13.535Z","audit_days_since":0,"audit_last_modified":"2026-04-29T11:32:01.000Z","audit_status":"operational","license":"Free non-commercial","operator":"Spamhaus","tier":2,"deprecation_note":"eDROP merged into DROP on 2024-04-10. TXT format being deprecated; use JSON drop_v4.json / drop_v6.json / asndrop.json."},{"feed_id":"tor_exits","audit_at":"2026-04-29T20:01:13.550Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","categories":["dynamic_dns"],"enabled":false,"interval_sec":1800,"ioc_type":"ip","kind":"ti","label":"Tor Project — bulk exit list (canonical)","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"license":"Public","method":"http","notes":"Canonical Tor exit list. Default-disabled because Tor != malicious; flip on when policy demands tor blocking.","operator":"Tor Project (official)","tier":2,"url":"https://check.torproject.org/api/bulk","deprecation_note":"Old `/torbulkexitlist` path deprecated 2020-04-01 in favor of `/api/bulk`. Compat alias still works but pin the new path."},{"feed_id":"feodo_recommended","audit_at":"2026-04-29T20:01:13.517Z","audit_days_since":48,"audit_last_modified":"2026-03-12T07:15:03.000Z","audit_status":"operational","categories":["botnet_cc"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"abuse.ch Feodo Tracker — low-FP recommended IPs","last_error":"","last_fetch_at":"2026-04-29T21:30:16.283Z","last_fetch_count":1,"last_fetch_ok":true,"license":"CC0","method":"http","notes":"Recommended low-FP set vs. ipblocklist_aggressive. Cadence is event-driven.","operator":"abuse.ch / Feodo Tracker","tier":2,"url":"https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt","auth_required":true,"deprecation_note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"feodotracker_aggressive_ips","categories":["botnet_cc"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Feodo Tracker Aggressive Blocklist","last_error":"","last_fetch_at":"2026-04-29T21:28:46.874Z","last_fetch_count":7607,"last_fetch_ok":true,"method":"http","notes":"","url":"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt","audit_at":"2026-04-29T20:01:13.518Z","audit_days_since":48,"audit_last_modified":"2026-03-12T07:15:06.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / Feodo Tracker","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"feodotracker_ips","categories":["botnet_cc"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Feodo Tracker IP Blocklist","last_error":"","last_fetch_at":"2026-04-29T21:28:46.122Z","last_fetch_count":5,"last_fetch_ok":true,"method":"http","notes":"","url":"https://feodotracker.abuse.ch/downloads/ipblocklist.txt","audit_at":"2026-04-29T20:01:13.519Z","audit_days_since":48,"audit_last_modified":"2026-03-12T07:15:03.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / Feodo Tracker","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"abusech_hunting_reference","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":true,"categories":["malware_virus"],"deprecation_note":"Login-only — no programmatic bulk feed. Document for awareness.","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"abuse.ch Hunting — unified search UI (reference only, no bulk feed)","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"license":"abuse.ch ToS","license_caveat":"","method":"manual","notes":"Launched March 2025. Login-only unified search across MalwareBazaar / URLhaus / ThreatFox / SSLBL / Feodo / YARAify. No public bulk-feed endpoint — reference for operators who want to pivot manually.","operator":"abuse.ch / Hunting","tier":2,"url":"https://hunting.abuse.ch/"},{"feed_id":"malwarebazaar_recent","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"MalwareBazaar — recent SHA256 (last 100k)","last_error":"","last_fetch_at":"2026-04-29T21:30:03.344Z","last_fetch_count":0,"last_fetch_ok":true,"method":"http","notes":"abuse.ch MalwareBazaar — column 1 is SHA256. Not directly usable for FW IP/domain blocking; kept for STIX export.","url":"https://bazaar.abuse.ch/export/csv/recent/","audit_at":"2026-04-29T20:01:13.532Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:35:02.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / MalwareBazaar","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"sslbl_ip_blocklist","audit_at":"2026-04-29T20:01:13.536Z","audit_days_since":481,"audit_last_modified":"2025-01-03T11:40:41.000Z","audit_status":"operational","categories":["botnet_cc","malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"abuse.ch SSLBL — TLS C2 IPs","last_error":"","last_fetch_at":"2026-04-29T21:30:16.269Z","last_fetch_count":0,"last_fetch_ok":true,"license":"CC0","method":"http","notes":"TLS C2 server IPs (separate from deprecated JA3 list). Updated continuously.","operator":"abuse.ch / SSLBL","tier":2,"url":"https://sslbl.abuse.ch/blacklist/sslipblacklist.txt","auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"abusech_ja3","categories":["malware_virus"],"enabled":false,"interval_sec":3600,"ioc_type":"ja3","kind":"ti","label":"abuse.ch JA3 fingerprints (DEPRECATED 2021-08, do not enable)","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"method":"http","notes":"Deprecated 2021-08; do not enable for FW. Kept for archival STIX export.","url":"https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv","audit_at":"2026-04-29T20:01:13.487Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:00:14.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / SSLBL (DEPRECATED)","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_domains","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"ThreatFox Recent Domains","last_error":"","last_fetch_at":"2026-04-29T21:28:48.110Z","last_fetch_count":575,"last_fetch_ok":true,"method":"http","notes":"","url":"https://threatfox.abuse.ch/export/csv/domains/recent/","audit_at":"2026-04-29T20:01:13.539Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:55:10.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / ThreatFox","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_ips","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"ThreatFox Recent IPs","last_error":"","last_fetch_at":"2026-04-29T21:28:46.844Z","last_fetch_count":120,"last_fetch_ok":true,"method":"http","notes":"","url":"https://threatfox.abuse.ch/export/csv/ip-port/recent/","audit_at":"2026-04-29T20:01:13.546Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:00:18.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / ThreatFox","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_url_list","audit_at":"2026-04-29T20:01:13.549Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:00:11.000Z","audit_status":"operational","categories":["malware_virus","botnet_cc"],"enabled":true,"interval_sec":1800,"ioc_type":"domain","kind":"ti","label":"abuse.ch ThreatFox — full URL list","last_error":"","last_fetch_at":"2026-04-29T21:30:25.598Z","last_fetch_count":206,"last_fetch_ok":true,"license":"CC0","method":"http","notes":"ThreatFox recent URL list (CSV). Operator can opt-in for the whole list dump.","operator":"abuse.ch / ThreatFox","tier":2,"url":"https://threatfox.abuse.ch/export/csv/urls/recent/","auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_domains","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"URLhaus Recent Domains","last_error":"","last_fetch_at":"2026-04-29T21:28:49.700Z","last_fetch_count":5,"last_fetch_ok":true,"method":"http","notes":"","url":"https://urlhaus.abuse.ch/downloads/csv_recent/","audit_at":"2026-04-29T20:01:13.552Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:55:31.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / URLhaus","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_hostfile","categories":["malware_virus","recent_outbreaks"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"URLhaus host file","last_error":"","last_fetch_at":"2026-04-29T21:29:46.428Z","last_fetch_count":638,"last_fetch_ok":true,"method":"http","notes":"","url":"https://urlhaus.abuse.ch/downloads/hostfile/","audit_at":"2026-04-29T20:01:13.481Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:55:03.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / URLhaus","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_text","audit_at":"2026-04-29T20:01:13.557Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:55:25.000Z","audit_status":"operational","categories":["malware_virus"],"enabled":true,"interval_sec":1800,"ioc_type":"domain","kind":"ti","label":"abuse.ch URLhaus — full malicious URL list","last_error":"","last_fetch_at":"2026-04-29T21:30:23.617Z","last_fetch_count":77702,"last_fetch_ok":true,"license":"CC0","method":"http","notes":"Plain-text URL list — agent strips path and keeps host.","operator":"abuse.ch / URLhaus","tier":2,"url":"https://urlhaus.abuse.ch/downloads/text/","auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"abusech_yaraify_rules","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":true,"categories":["malware_virus"],"deprecation_note":"abuse.ch Auth-Key mandatory since 2025-06-30. Set ABUSECH_AUTH_KEY env. Free at https://auth.abuse.ch/. YARA rules — needs Phase 2C YARA parser; placeholder for now.","enabled":false,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"abuse.ch YARAify — community YARA rule repository (bulk zip)","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"license":"CC0 / CC-BY-SA-4.0 (per-rule)","license_caveat":"","method":"http","notes":"Bulk zip regenerated every 5 minutes. ~thousands of community YARA rules. CC0 / CC-BY-SA-4.0 mixed depending on rule author. Needs new YARA-rule parser before going live (Phase 2C).","operator":"abuse.ch / YARAify","tier":2,"url":"https://yaraify.abuse.ch/download/yaraify-rules.zip"},{"feed_id":"alienvault_otx_subscribed","categories":["malware_virus"],"enabled":false,"interval_sec":3600,"ioc_type":"both","kind":"ti","label":"AlienVault OTX — subscribed pulses (operator must add API key)","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"method":"http","notes":"Requires OTX_API_KEY env","url":"https://otx.alienvault.com/api/v1/indicators/export?types=domain,IPv4&limit=10000","audit_at":"2026-04-29T20:01:13.490Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","license":"Free w/ API key","operator":"AT&T Cybersecurity / OTX","tier":3},{"feed_id":"stalkerware_domains","categories":["spyware_adware","keyloggers"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"Stalkerware Indicators","last_error":"","last_fetch_at":"2026-04-29T10:26:40.402Z","last_fetch_count":0,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts","audit_at":"2026-04-29T20:01:13.537Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"GPL-3.0","operator":"AssoEchap / Stalkerware Indicators","tier":3},{"feed_id":"cins_badguys","audit_at":"2026-04-29T20:01:13.499Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:04:01.000Z","audit_status":"operational","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"CINS Score (SentinelOne) — community IP score badguys","last_error":"","last_fetch_at":"2026-04-29T21:30:19.013Z","last_fetch_count":15000,"last_fetch_ok":true,"license":"Free public","method":"http","notes":"Community IP scoring — long-history aggregator with low FP claim.","operator":"CINS Score (SentinelOne)","tier":3,"url":"https://cinsscore.com/list/ci-badguys.txt"},{"feed_id":"cybercrime_tracker","categories":["botnet_cc","malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"both","kind":"ti","label":"Cybercrime-tracker — banking trojan C2 URLs/IPs","last_error":"","last_fetch_at":"2026-04-29T21:30:16.479Z","last_fetch_count":19145,"last_fetch_ok":true,"method":"http","notes":"URLs include path; parser will strip to host. Banking-sector heavy.","url":"https://cybercrime-tracker.net/all.php","audit_at":"2026-04-29T20:01:13.503Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"Free public","operator":"Cybercrime-tracker.net","tier":3},{"feed_id":"digitalside_domains","categories":["malware_virus"],"enabled":true,"interval_sec":7200,"ioc_type":"domain","kind":"ti","label":"DigitalSide OSINT — latest malicious domains","last_error":"fetch failed after 3 attempts: fetch failed","last_fetch_at":"2026-04-29T20:14:04.412Z","last_fetch_count":0,"last_fetch_ok":false,"method":"http","notes":"MISP feed compatible.","url":"https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt","audit_at":"2026-04-29T20:01:13.511Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","license":"CC-BY-4.0","operator":"DigitalSide Threat-Intel","tier":3},{"feed_id":"digitalside_ips","categories":["malware_virus"],"enabled":true,"interval_sec":7200,"ioc_type":"ip","kind":"ti","label":"DigitalSide OSINT — latest malicious IPs","last_error":"fetch failed after 3 attempts: fetch failed","last_fetch_at":"2026-04-29T20:14:53.495Z","last_fetch_count":0,"last_fetch_ok":false,"method":"http","notes":"","url":"https://osint.digitalside.it/Threat-Intel/lists/latestips.txt","audit_at":"2026-04-29T20:01:13.512Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","license":"CC-BY-4.0","operator":"DigitalSide Threat-Intel","tier":3},{"feed_id":"hagezi_doh","audit_at":"2026-04-29T20:01:13.461Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","auth_required":false,"categories":["dynamic_dns"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Hagezi — DNS-over-HTTPS resolver hostnames","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"license":"GPL-3.0","license_caveat":"","method":"http","notes":"DoH resolver hostnames. Default-off — policy-dependent.","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/doh.txt"},{"feed_id":"hagezi_nrd","audit_at":"2026-04-29T20:01:13.467Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","auth_required":false,"categories":["newly_registered"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Hagezi — Newly Registered Domains (NRD)","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"license":"GPL-3.0","license_caveat":"","method":"http","notes":"Newly registered domains <30d. High FP — operator opt-in.","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/nrd.txt"},{"feed_id":"hagezi_threatintel","audit_at":"2026-04-29T20:01:13.524Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","categories":["malware_virus","phishing"],"enabled":true,"interval_sec":21600,"ioc_type":"domain","kind":"ti","label":"Hagezi Threat Intelligence (multi-source aggregated)","last_error":"","last_fetch_at":"2026-04-29T21:38:20.723Z","last_fetch_count":1026464,"last_fetch_ok":true,"license":"MIT","method":"http","notes":"Hagezi's curated TIF aggregator across 30+ upstream lists.","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif.txt"},{"feed_id":"hagezi_tif","audit_at":"2026-04-29T20:01:13.525Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","auth_required":false,"categories":["malware_virus","phishing"],"deprecation_note":"","enabled":true,"interval_sec":21600,"ioc_type":"domain","kind":"ti","label":"Hagezi — Threat Intelligence Feed (multi-source)","last_error":"","last_fetch_at":"2026-04-29T21:40:44.351Z","last_fetch_count":1026464,"last_fetch_ok":true,"license":"GPL-3.0","license_caveat":"","method":"http","notes":"High-signal narrowed aggregation across 30+ upstream TI lists.","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif.txt"},{"feed_id":"hagezi_dyndns","categories":["dynamic_dns"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Hagezi Dynamic DNS wildcard list","last_error":"","last_fetch_at":"2026-04-29T10:31:07.103Z","last_fetch_count":1480,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/dyndns.txt","audit_at":"2026-04-29T20:01:13.465Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Hagezi DNS Blocklists","tier":3},{"feed_id":"hacked_websites","categories":["hacking","compromised"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Big List of Hacked Domains","last_error":"","last_fetch_at":"2026-04-29T10:31:04.376Z","last_fetch_count":9,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list","audit_at":"2026-04-29T20:01:13.459Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Mitchell Krogza","tier":3},{"feed_id":"abuse_phishing_db","audit_at":"2026-04-29T20:01:13.486Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","categories":["phishing"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"Mitchell Krogza — Phishing Database (active)","last_error":"","last_fetch_at":"2026-04-29T21:37:33.492Z","last_fetch_count":391248,"last_fetch_ok":true,"license":"MIT","method":"http","notes":"Active-only phishing domains. Verified daily.","operator":"Mitchell Krogza / Phishing.Database","tier":3,"url":"https://raw.githubusercontent.com/Phishing-Database/Phishing.Database/master/phishing-domains-ACTIVE.txt","deprecation_note":"Repo migrated from `mitchellkrogza/` to `Phishing-Database/` org. Old links redirect; pin new."},{"feed_id":"openphish","categories":["phishing"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"OpenPhish public feed","last_error":"","last_fetch_at":"2026-04-29T21:29:46.306Z","last_fetch_count":300,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt","audit_at":"2026-04-29T20:01:13.472Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"Free non-commercial","operator":"OpenPhish","tier":3},{"feed_id":"phishing_army","categories":["phishing"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"Phishing Army blocklist","last_error":"","last_fetch_at":"2026-04-29T21:36:30.721Z","last_fetch_count":143706,"last_fetch_ok":true,"method":"http","notes":"","url":"https://phishing.army/download/phishing_army_blocklist.txt","audit_at":"2026-04-29T20:01:13.473Z","audit_days_since":0,"audit_last_modified":"2026-04-29T16:00:24.000Z","audit_status":"operational","license":"MIT","operator":"Phishing Army","tier":3},{"feed_id":"shreshta_nrd_1w","categories":["newly_registered"],"enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Shreshta NRD 1-week","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"method":"http","notes":"Newly Registered Domains — high FP, default disabled.","url":"https://raw.githubusercontent.com/shreshta-labs/newly-registered-domains/main/nrd-1w.csv","audit_at":"2026-04-29T20:01:13.478Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Shreshta Labs / NRD","tier":3},{"feed_id":"maltrail_mass_scanner","audit_at":"2026-04-29T20:01:13.528Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","categories":["malware_virus"],"enabled":true,"interval_sec":86400,"ioc_type":"ip","kind":"ti","label":"Maltrail — mass scanner trails","last_error":"","last_fetch_at":"2026-04-29T20:01:18.342Z","last_fetch_count":19215,"last_fetch_ok":true,"license":"MIT","method":"http","notes":"Mass-scanner IPs from Maltrail static trails. High-cadence opportunistic scanners.","operator":"Stamparm / Maltrail","tier":3,"url":"https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"},{"feed_id":"disposable_email","categories":["spam"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Disposable email domains","last_error":"","last_fetch_at":"2026-04-29T10:31:04.447Z","last_fetch_count":5413,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/master/disposable_email_blocklist.conf","audit_at":"2026-04-29T20:01:13.442Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"disposable-email-domains","tier":3},{"feed_id":"davidonzo_domains","categories":["malware_virus"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"Davidonzo Threat-Intel Domains","last_error":"","last_fetch_at":"2026-04-29T10:25:44.199Z","last_fetch_count":133,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/davidonzo/Threat-Intel/master/lists/latestdomains.txt","audit_at":"2026-04-29T20:01:13.508Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Davidonzo / Threat-Intel","tier":4},{"feed_id":"davidonzo_ips","categories":["malware_virus"],"enabled":false,"interval_sec":86400,"ioc_type":"ip","kind":"ti","label":"Davidonzo Threat-Intel IPs","last_error":"","last_fetch_at":"2026-04-29T10:24:44.968Z","last_fetch_count":21669,"last_fetch_ok":true,"method":"http","notes":"STALE (558d at audit 2026-04-29). Disabled by tier-classify.","url":"https://raw.githubusercontent.com/davidonzo/Threat-Intel/master/lists/latestips.txt","audit_at":"2026-04-29T20:01:13.509Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Davidonzo / Threat-Intel","tier":4},{"feed_id":"firehol_level1","audit_at":"2026-04-29T20:01:13.520Z","audit_days_since":0,"audit_last_modified":"2026-04-29T07:43:41.000Z","audit_status":"operational","categories":["malware_virus"],"enabled":true,"interval_sec":86400,"ioc_type":"cidr","kind":"ti","label":"FireHOL Level 1 — most aggressive aggregated IP block list","last_error":"","last_fetch_at":"2026-04-29T19:58:29.080Z","last_fetch_count":4444,"last_fetch_ok":true,"license":"GPL-3.0","method":"http","notes":"Aggregated lvl1 (Spamhaus DROP + EDROP + dshield + bambenek + others).","operator":"FireHOL","tier":4,"url":"https://iplists.firehol.org/files/firehol_level1.netset"},{"feed_id":"firehol_level2","audit_at":"2026-04-29T20:01:13.521Z","audit_days_since":0,"audit_last_modified":"2026-04-29T16:53:33.000Z","audit_status":"operational","categories":["malware_virus"],"enabled":false,"interval_sec":86400,"ioc_type":"cidr","kind":"ti","label":"FireHOL Level 2 — broader aggregated IP block list","last_error":"","last_fetch_at":null,"last_fetch_count":0,"last_fetch_ok":null,"license":"GPL-3.0","method":"http","notes":"Wider aggregated list. Higher FP — operator can opt-in.","operator":"FireHOL","tier":4,"url":"https://iplists.firehol.org/files/firehol_level2.netset"},{"feed_id":"greensnow_ips","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"GreenSnow Aggressive IPs","last_error":"","last_fetch_at":"2026-04-29T21:28:46.430Z","last_fetch_count":3818,"last_fetch_ok":true,"method":"http","notes":"","url":"https://blocklist.greensnow.co/greensnow.txt","audit_at":"2026-04-29T20:01:13.523Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:01:10.000Z","audit_status":"operational","license":"Free public","operator":"GreenSnow","tier":4},{"feed_id":"ipsum_ips","categories":["malware_virus"],"enabled":true,"interval_sec":86400,"ioc_type":"ip","kind":"ti","label":"ipsum Multi-Source Score (>=4)","last_error":"","last_fetch_at":"2026-04-29T10:24:54.014Z","last_fetch_count":111846,"last_fetch_ok":true,"method":"http","notes":"Multi-source weighted aggregator.","url":"https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt","audit_at":"2026-04-29T20:01:13.526Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Stamparm / ipsum","tier":4},{"feed_id":"c2tracker_ips","categories":["botnet_cc"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"C2 Intel Feeds — 30-day C2 IPs","last_error":"","last_fetch_at":"2026-04-29T21:28:47.878Z","last_fetch_count":268,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv","audit_at":"2026-04-29T20:01:13.494Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"drb-ra / C2IntelFeeds","tier":4},{"feed_id":"tweetfeed_today","categories":[],"enabled":true,"interval_sec":3600,"ioc_type":"both","kind":"ti","label":"TweetFeed — today's IOCs (Twitter OSINT)","last_error":"fetch failed after 3 attempts: Failed to parse URL from ","last_fetch_at":"2026-04-29T21:31:24.843Z","last_fetch_count":0,"last_fetch_ok":false,"method":"http","notes":"Volatile — Twitter OSINT, high FP, watch-only.","url":"","audit_at":"2026-04-29T20:01:13.551Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","license":"Free","operator":"TweetFeed (Twitter OSINT)","tier":5}]}