{"service":"Zedmos CTI","generated_at":"2026-06-18T16:53:40.732Z","ship_tiers":{"what_this_is":"Three-tier classification of every IOC. Default firewall feed at /v1/feeds/<k>/<c>/{domains,ips}.txt = verified ∪ trusted only. Community is opt-in.","verified":174749,"trusted":693536,"community":11405949,"default_ship_total":868285,"catalog_total":12299571,"verified_pct":1.42,"trusted_pct":5.64,"community_pct":92.73,"default_ship_pct":7.06,"criteria":{"verified":"≥2 distinct upstream sources, OR active enrichment (GreyNoise/AbuseIPDB/VirusTotal) classified as malicious, OR honeypot-confirmed, OR operator manually approved","trusted":"single-source from a strict T1 feed: USOM (TR-CERT), CERT.pl, Spamhaus DROP, abuse.ch Feodo Tracker (low-FP recommended variant)","community":"single-source from a T2-T5 feed — operationally useful as wide net but NOT independently corroborated; opt-in only at /v1/feeds/<k>/<c>/community-{domains,ips}.txt"},"by_category":[{"category":"adult_nsfw","verified":21347,"trusted":25305,"community":2448748},{"category":"anonymizer","verified":1167,"trusted":26399,"community":9015},{"category":"banking_trojan","verified":2172,"trusted":7773,"community":782},{"category":"botnet_cc","verified":7930,"trusted":34927,"community":33898},{"category":"bulletproof_hosting","verified":689,"trusted":607,"community":11238},{"category":"compromised","verified":2016,"trusted":197,"community":449},{"category":"cryptominer","verified":1767,"trusted":13770,"community":132},{"category":"ddos_amplifier","verified":2390,"trusted":249,"community":6763},{"category":"dead","verified":0,"trusted":0,"community":4255792},{"category":"dynamic_dns","verified":5529,"trusted":355,"community":24892},{"category":"exploit_kit","verified":40,"trusted":19,"community":87},{"category":"file_sha256_malware","verified":8008,"trusted":0,"community":13106},{"category":"first_seen","verified":9206,"trusted":0,"community":10108},{"category":"gambling","verified":59588,"trusted":14771,"commun
ity":319583},{"category":"hacking","verified":30513,"trusted":363639,"community":432646},{"category":"info_stealer","verified":1480,"trusted":1193,"community":2454},{"category":"iot_botnet","verified":1823,"trusted":23,"community":4969},{"category":"ja3","verified":0,"trusted":97,"community":0},{"category":"keyloggers","verified":1799,"trusted":496,"community":1706},{"category":"malware_virus","verified":75785,"trusted":505143,"community":589687},{"category":"newly_registered","verified":96277,"trusted":14186,"community":7807294},{"category":"parked","verified":0,"trusted":0,"community":8},{"category":"phishing","verified":50949,"trusted":591842,"community":266491},{"category":"piracy","verified":1590,"trusted":157,"community":29722},{"category":"potentially_dangerous","verified":2103,"trusted":126545,"community":96323},{"category":"ransomware","verified":6867,"trusted":3611,"community":7304},{"category":"recent_outbreaks","verified":9553,"trusted":16515,"community":7388},{"category":"scanner","verified":21448,"trusted":304,"community":467326},{"category":"spam","verified":17,"trusted":0,"community":11},{"category":"spyware_adware","verified":321,"trusted":470,"community":10},{"category":"turkish_usom","verified":4059,"trusted":347758,"community":1135}]},"summary":{"fps_caught_total":21756887,"fps_caught_last_24h":412170,"fps_caught_last_7d":2840457,"operator_rejected_as_fp":0,"operator_confirmed_block":481355},"breakdown_by_reason_total":[{"reason":"root_domain_protected","count":18365611,"what_it_means":"Indicator is a 2-label or PSL-effective registrable root (e.g. example.com itself, not a subdomain). 
Held back to prevent over-block."},{"reason":"allowlist_match","count":2272319,"what_it_means":"Indicator matched a manually-curated allowlist entry (Tranco top domains, Umbrella top domains, or seed list)."},{"reason":"cloud_provider_asn","count":176719,"what_it_means":"(no description)"},{"reason":"feed_pending_audit_no_bypass","count":174345,"what_it_means":"(no description)"},{"reason":"allowlist_match_strong_cat_historic","count":103770,"what_it_means":"(no description)"},{"reason":"cloud_provider_range","count":87128,"what_it_means":"IP/CIDR sits inside a published AWS/GCP/Cloudflare/GitHub range — blocking would break shared cloud infra for every customer."},{"reason":"warninglist_strong_cat_review_needed","count":56512,"what_it_means":"(no description)"},{"reason":"tripwire_popular_root","count":6355,"what_it_means":"(no description)"},{"reason":"bogon_address","count":4774,"what_it_means":"(no description)"},{"reason":"tripwire_popular_domain","count":467,"what_it_means":"(no description)"},{"reason":"auto_benign_single_provider","count":363,"what_it_means":"(no description)"},{"reason":"warninglist:tld-gov","count":62,"what_it_means":"(no description)"},{"reason":"warninglist:tld-edu","count":22,"what_it_means":"(no description)"},{"reason":"tripwire_popular_ip","count":6,"what_it_means":"(no description)"},{"reason":"warninglist:apple-services-cidr","count":6,"what_it_means":"(no description)"},{"reason":"warninglist:public-dns-resolvers","count":2,"what_it_means":"(no description)"},{"reason":"public_infra","count":2,"what_it_means":"(no description)"},{"reason":"warninglist:vendor-os-update","count":1,"what_it_means":"(no description)"},{"reason":"warninglist:canonical-ubuntu","count":1,"what_it_means":"(no 
description)"}],"breakdown_by_reason_last_24h":[{"reason":"feed_pending_audit_no_bypass","count":1236},{"reason":"cloud_provider_asn","count":2430},{"reason":"cloud_provider_range","count":1049},{"reason":"bogon_address","count":82},{"reason":"tripwire_popular_domain","count":38},{"reason":"tripwire_popular_root","count":447},{"reason":"root_domain_protected","count":406007},{"reason":"warninglist_strong_cat_review_needed","count":562},{"reason":"allowlist_match","count":319}],"breakdown_by_reason_last_7d":[{"reason":"tripwire_popular_domain","count":114},{"reason":"feed_pending_audit_no_bypass","count":7053},{"reason":"bogon_address","count":558},{"reason":"allowlist_match","count":2970},{"reason":"tripwire_popular_ip","count":3},{"reason":"warninglist_strong_cat_review_needed","count":5347},{"reason":"root_domain_protected","count":2792278},{"reason":"tripwire_popular_root","count":3386},{"reason":"cloud_provider_range","count":11047},{"reason":"cloud_provider_asn","count":17701}],"allowlist_anchors":{"cloud_provider_cidrs":14115,"tranco_top_domains":93203,"umbrella_top_domains":17639,"seed_curated":12},"cloud_range_index":{"intervals_in_memory":14115,"last_rebuilt_age_ms":35183,"last_rebuilt_at":"2026-06-18T16:54:03.813Z","rebuild_ttl_minutes":5,"refresh_schedule":"daily via tihub-maint queue (cloud-ranges-refresh)","providers":["aws","gcp","cloudflare","github"]},"cross_validation":{"what_this_is":"Random sample of shipped IOCs, each checked against its tier criteria. Verified IOCs must show ≥2 distinct sources OR enrichment-confirmation OR honeypot-confirmation. 
Trusted IOCs must show single-source from a strict T1 feed (USOM, CERT.pl, Spamhaus DROP, abuse.ch Feodo low-FP).","cadence":"daily via tihub-maint queue (xvalidate)","last_run":{"ran_at":"2026-05-26T23:57:19.060Z","total_sampled":700,"total_pass":580,"total_fail":120,"pass_rate_pct":82.86,"per_tier":{"verified":{"sampled":400,"pass":400,"fail":0},"trusted":{"sampled":300,"pass":180,"fail":120}},"fail_examples":[{"tier":"trusted","type":"domain","value":"2008click.com","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"jvyojlfz.lol","reason":"not_t1_single_source","sources":["hagezi_nrd"]},{"tier":"trusted","type":"domain","value":"spancerone.co.cc","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"b52clubmov.mov","reason":"not_t1_single_source","sources":["hagezi_nrd"]},{"tier":"trusted","type":"domain","value":"0.0.0.0bithumb.com","reason":"not_t1_single_source","sources":["utc_cryptojacking"]},{"tier":"trusted","type":"domain","value":"proxygiven.co.cc","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"proxywhere.com","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"kursun.gen.tr","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"forex-broker4-comparison.tk","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"itsfabulous.info","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"hcyxksgsxnzb.com","reason":"not_t1_single_source","sources":["utc_cryptojacking"]},{"tier":"trusted","type":"domain","value":"proxy.tirohosting.com","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"0.0.0.0aeonpool.net","reason":"not_t1_single_source","sources":
["utc_cryptojacking"]},{"tier":"trusted","type":"domain","value":"aibuddy.lol","reason":"not_t1_single_source","sources":["hagezi_nrd"]},{"tier":"trusted","type":"domain","value":"yepyepforexhidex.tk","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"browse19.brb.name","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"proxyforeurope.eu","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"blackiphone.co.cc","reason":"not_t1_single_source","sources":["utc_redirector"]},{"tier":"trusted","type":"domain","value":"coinbasehelpdesks.online","reason":"not_t1_single_source","sources":["hagezi_nrd"]},{"tier":"trusted","type":"ip","value":"as133488","reason":"not_t1_single_source","sources":["spamhaus_asndrop"]},{"tier":"trusted","type":"ip","value":"93.125.114.193","reason":"not_t1_single_source","sources":["alienvault_otx_subscribed"]},{"tier":"trusted","type":"cidr","value":"103.107.232.0/22","reason":"not_t1_single_source","sources":["firehol_level1"]},{"tier":"trusted","type":"cidr","value":"203.33.148.0/24","reason":"not_t1_single_source","sources":["firehol_level1"]},{"tier":"trusted","type":"cidr","value":"103.229.108.0/22","reason":"not_t1_single_source","sources":["firehol_level1"]},{"tier":"trusted","type":"cidr","value":"103.191.210.0/23","reason":"not_t1_single_source","sources":["firehol_level1"]}],"duration_ms":19512}},"known_good_smoke_test":{"size":54,"cadence":"every 6h via tihub-maint queue (known-good-smoke)","what_it_does":"Asserts that none of a hand-curated list of must-never-block indicators (hyperscaler consoles, OS update channels, banks, e-gov, payment, CDN, package registries) ever leaks into a shipped IOC 
snapshot.","last_run":{"ran_at":"2026-05-27T08:17:32.774Z","total_checked":54,"leaked":0,"duration_ms":1311,"leaks":[]}},"audit_trail":{"every_decision_recorded":true,"review_collection":"ReviewQueue","retention":"indefinite — no automatic deletion","anyone_can_query":"operator console at /admin (Bearer-protected)"},"notable_fp_corpora":{"2026-04-29_cloud_provider_sweep":{"finding":"8,663 IPs in our IP catalog (4.27% of 202,787) sat inside published AWS/GCP/Cloudflare/GitHub CIDR ranges.","action":"Moved to ReviewQueue with fp_reason=cloud_provider_range. Snapshot rebuild dropped them from /v1/feeds/* downloads.","reason":"Flagged cloud IPs are mostly transient attacker VMs; permanently blocking the underlying range would break legitimate services.","providers_affected":{"aws":2619,"gcp":3137,"github":2904,"cloudflare":3}}}}