{"service":"Zedmos CTI","methodology_url":"https://www.zedmos.net/v1/public/methodology","tier_definitions":{"1":{"name":"Gov / national CERT","description":"Government-backed national CERT (USOM-TR, CERT.pl, CIRCL-LU). Highest credibility."},"2":{"name":"Industry-grade commercial-free","description":"abuse.ch / Spamhaus / Proofpoint ET tier — used by major SOCs and security vendors."},"3":{"name":"Community-curated","description":"High-quality volunteer-maintained projects (OpenPhish, Phishing Army, Hagezi, DigitalSide)."},"4":{"name":"Aggregator / mirror","description":"Combines T1-T3 upstream sources (ipsum, davidonzo, firehol, c2tracker)."},"5":{"name":"Research / volatile","description":"Low-signal raw OSINT (Twitter, certstream-derived) — watch-only, manual review needed."}},"summary":{"total_feeds":89,"enabled_feeds":77,"by_tier":[{"tier":1,"tier_name":"Gov / national CERT","count":11},{"tier":2,"tier_name":"Industry-grade commercial-free","count":31},{"tier":3,"tier_name":"Community-curated","count":32},{"tier":4,"tier_name":"Aggregator / mirror","count":13},{"tier":5,"tier_name":"Research / volatile","count":2}],"by_operator":[{"operator":"","count":23},{"operator":"Hagezi / DNS Blocklists","count":7},{"operator":"TiHub Internal / Placeholder","count":4},{"operator":"Spamhaus","count":3},{"operator":"abuse.ch / Feodo Tracker","count":3},{"operator":"abuse.ch / ThreatFox","count":3},{"operator":"abuse.ch / URLhaus","count":3},{"operator":"SANS ISC / DShield","count":2},{"operator":"DigitalSide Threat-Intel","count":2},{"operator":"Davidonzo / Threat-Intel","count":2},{"operator":"FireHOL","count":2},{"operator":"TiHub Internal / Decay-Watch","count":2},{"operator":"raw.githubusercontent.com","count":2},{"operator":"CERT.pl (NASK)","count":1},{"operator":"USOM (TR-CERT)","count":1},{"operator":"CIRCL (LU-CERT)","count":1},{"operator":"GreenSnow","count":1},{"operator":"OpenPhish","count":1},{"operator":"Phishing Army","count":1},{"operator":"Proofpoint Emerging Threats","count":1},{"operator":"Tor Project (official)","count":1},{"operator":"abuse.ch / Hunting","count":1},{"operator":"abuse.ch / MalwareBazaar","count":1},{"operator":"abuse.ch / SSLBL","count":1},{"operator":"abuse.ch / SSLBL (DEPRECATED)","count":1},{"operator":"abuse.ch / YARAify","count":1},{"operator":"drb-ra / C2IntelFeeds","count":1},{"operator":"list.rtbh.network","count":1},{"operator":"list.threat.live","count":1},{"operator":"AT&T Cybersecurity / OTX","count":1},{"operator":"AdGuard","count":1},{"operator":"AssoEchap / Stalkerware Indicators","count":1},{"operator":"CINS Score (SentinelOne)","count":1},{"operator":"Cybercrime-tracker.net","count":1},{"operator":"Hagezi DNS Blocklists","count":1},{"operator":"Jarelllama","count":1},{"operator":"Mitchell Krogza","count":1},{"operator":"Mitchell Krogza / Phishing.Database","count":1},{"operator":"Phishing.Database","count":1},{"operator":"Stamparm / Maltrail","count":1},{"operator":"disposable-email-domains","count":1},{"operator":"Shreshta Labs / NRD","count":1},{"operator":"Stamparm / ipsum","count":1},{"operator":"TweetFeed (Twitter OSINT)","count":1}],"audit_summary":{"operational":42,"unreachable":5,"stale_critical":0,"unknown":42},"audit_methodology":"operational = HTTP 200 + content received. unreachable = HTTP error or fetch failed. stale_critical = freshness-critical feeds (e.g. CT watch) that exceeded expected cadence. Most blocklists publish only when actionable changes happen — a 60-day-old Spamhaus DROP is normal and correct, not stale.","auth_required_feeds":14,"license_restricted_feeds":1,"deprecation_warnings":[{"feed_id":"spamhaus_drop_ips","note":"eDROP merged into DROP on 2024-04-10. TXT format being deprecated; use JSON drop_v4.json / drop_v6.json / asndrop.json."},{"feed_id":"feodo_recommended","note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"feodotracker_aggressive_ips","note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"feodotracker_ips","note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"threatfox_domains","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_ips","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_domains","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_hostfile","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_text","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"tor_exits","note":"Old `/torbulkexitlist` path deprecated 2020-04-01 in favor of `/api/bulk`. Compat alias still works but pin the new path."},{"feed_id":"abusech_hunting_reference","note":"Login-only — no programmatic bulk feed. Document for awareness."},{"feed_id":"malwarebazaar_recent","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"sslbl_ip_blocklist","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"abusech_ja3","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_url_list","note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"abusech_yaraify_rules","note":"abuse.ch Auth-Key mandatory since 2025-06-30. Set ABUSECH_AUTH_KEY env. Free at https://auth.abuse.ch/. YARA rules — needs Phase 2C YARA parser; placeholder for now."},{"feed_id":"abuse_phishing_db","note":"Repo migrated from `mitchellkrogza/` to `Phishing-Database/` org. Old links redirect; pin new."}]},"feeds":[{"feed_id":"certpl_domains","categories":["malware_virus","phishing"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"CERT.pl Malware Domains","last_error":"","last_fetch_at":"2026-05-16T07:49:16.759Z","last_fetch_count":132593,"last_fetch_ok":true,"method":"http","notes":"","url":"https://hole.cert.pl/domains/v2/domains.txt","audit_at":"2026-04-29T20:01:13.495Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:00:07.000Z","audit_status":"operational","license":"CC-BY-4.0","operator":"CERT.pl (NASK)","tier":1},{"feed_id":"spamhaus_drop_ips","categories":["malware_virus","hacking"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Spamhaus DROP Hijacked Netblocks","last_error":"","last_fetch_at":"2026-05-16T07:49:13.338Z","last_fetch_count":1466,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset","audit_at":"2026-04-29T20:01:13.535Z","audit_days_since":0,"audit_last_modified":"2026-04-29T11:32:01.000Z","audit_status":"operational","license":"Free non-commercial","operator":"Spamhaus","tier":1,"deprecation_note":"eDROP merged into DROP on 2024-04-10. TXT format being deprecated; use JSON drop_v4.json / drop_v6.json / asndrop.json."},{"feed_id":"turkish_usom","categories":["turkish_usom","malware_virus","phishing","hacking"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"USOM (TR-CERT) API","last_error":"","last_fetch_at":"2026-05-16T01:05:03.251Z","last_fetch_count":222226,"last_fetch_ok":true,"method":"manual","notes":"T.C. Siber Güvenlik Başkanlığı API — paginated structured feed; replaces url-list.txt (deprecated). Daily incremental sync.","url":"https://siberguvenlik.gov.tr/api/address/index?source=US","audit_at":"2026-04-29T20:01:13.480Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:45:03.000Z","audit_status":"operational","license":"Türk gov, public","operator":"USOM (TR-CERT)","tier":1},{"feed_id":"feodo_recommended","audit_at":"2026-04-29T20:01:13.517Z","audit_days_since":48,"audit_last_modified":"2026-03-12T07:15:03.000Z","audit_status":"operational","categories":["banking_trojan","botnet_cc"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"abuse.ch Feodo Tracker — low-FP recommended IPs","last_error":"","last_fetch_at":"2026-05-16T07:50:44.628Z","last_fetch_count":5,"last_fetch_ok":true,"license":"CC0","method":"http","notes":"","operator":"abuse.ch / Feodo Tracker","tier":1,"url":"https://feodotracker.abuse.ch/downloads/ipblocklist.txt","auth_required":true,"deprecation_note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"feodotracker_aggressive_ips","categories":["banking_trojan","botnet_cc"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Feodo Tracker Aggressive Blocklist","last_error":"","last_fetch_at":"2026-05-16T07:48:58.543Z","last_fetch_count":7607,"last_fetch_ok":true,"method":"http","notes":"","url":"https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt","audit_at":"2026-04-29T20:01:13.518Z","audit_days_since":48,"audit_last_modified":"2026-03-12T07:15:06.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / Feodo Tracker","tier":1,"auth_required":true,"deprecation_note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"feodotracker_ips","categories":["banking_trojan","botnet_cc"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Feodo Tracker IP Blocklist","last_error":"","last_fetch_at":"2026-05-16T07:49:01.899Z","last_fetch_count":5,"last_fetch_ok":true,"method":"http","notes":"","url":"https://feodotracker.abuse.ch/downloads/ipblocklist.txt","audit_at":"2026-04-29T20:01:13.519Z","audit_days_since":48,"audit_last_modified":"2026-03-12T07:15:03.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / Feodo Tracker","tier":1,"auth_required":true,"deprecation_note":"abuse.ch Auth-Key mandatory since 2025-06-30 (set ABUSECH_AUTH_KEY env). NOTE: Feodo Tracker has been near-empty since Operation Endgame (international LE takedown, May 2024 — FBI+Europol+NCA dismantled IcedID/SystemBC/Pikabot/Smokeloader/Bumblebee/Trickbot). A near-empty Feodo Tracker is a SUCCESS, not a failure. Re-enable after Auth-Key — feed is operational."},{"feed_id":"threatfox_domains","categories":["malware_virus","ransomware"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"ThreatFox Recent Domains","last_error":"","last_fetch_at":"2026-05-16T07:49:14.137Z","last_fetch_count":312,"last_fetch_ok":true,"method":"http","notes":"","url":"https://threatfox.abuse.ch/export/csv/domains/recent/","audit_at":"2026-04-29T20:01:13.539Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:55:10.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / ThreatFox","tier":1,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_ips","categories":["malware_virus","ransomware"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"ThreatFox Recent IPs","last_error":"","last_fetch_at":"2026-05-16T07:48:59.092Z","last_fetch_count":440,"last_fetch_ok":true,"method":"http","notes":"","url":"https://threatfox.abuse.ch/export/csv/ip-port/recent/","audit_at":"2026-04-29T20:01:13.546Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:00:18.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / ThreatFox","tier":1,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_domains","categories":["malware_virus","recent_outbreaks"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"URLhaus Recent Domains","last_error":"","last_fetch_at":"2026-05-16T08:12:59.499Z","last_fetch_count":2,"last_fetch_ok":true,"method":"http","notes":"","url":"https://urlhaus.abuse.ch/downloads/csv_recent/","audit_at":"2026-04-29T20:01:13.552Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:55:31.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / URLhaus","tier":1,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_hostfile","categories":["malware_virus","recent_outbreaks"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"URLhaus host file","last_error":"","last_fetch_at":"2026-05-16T07:49:18.664Z","last_fetch_count":1063,"last_fetch_ok":true,"method":"http","notes":"","url":"https://urlhaus.abuse.ch/downloads/hostfile/","audit_at":"2026-04-29T20:01:13.481Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:55:03.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / URLhaus","tier":1,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"urlhaus_text","audit_at":"2026-04-29T20:01:13.557Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:55:25.000Z","audit_status":"operational","categories":["malware_virus","recent_outbreaks"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"abuse.ch URLhaus — full malicious URL list","last_error":"","last_fetch_at":"2026-05-16T07:50:12.042Z","last_fetch_count":77903,"last_fetch_ok":true,"license":"CC0","method":"http","notes":"","operator":"abuse.ch / URLhaus","tier":1,"url":"https://urlhaus.abuse.ch/downloads/text/","auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"utc_bitcoin_mining","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["cryptominer"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole bitcoin mining","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:00.474Z","last_fetch_count":1394,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_cryptojacking","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["cryptominer"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole cryptojacking","last_error":"","last_fetch_at":"2026-05-16T00:04:55.822Z","last_fetch_count":16288,"last_fetch_ok":true,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_ddos","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["ddos_amplifier"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole DDoS","last_error":"","last_fetch_at":"2026-05-16T00:04:58.803Z","last_fetch_count":421,"last_fetch_ok":true,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_doh","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["potentially_dangerous"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole DoH endpoints","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:00.046Z","last_fetch_count":2994,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_dynamic_dns","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["dynamic_dns"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole dynamic DNS","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:00.323Z","last_fetch_count":2074,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_hacking","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["hacking"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole hacking","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:04:58.947Z","last_fetch_count":197,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_malware","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["malware_virus"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole malware","last_error":"fetch failed after 3 attempts: Failed to parse URL from ","last_fetch_at":"2026-05-15T11:58:17.717Z","last_fetch_count":0,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_phishing","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["phishing","malware_virus"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole phishing+malware","last_error":"","last_fetch_at":"2026-05-16T00:04:46.411Z","last_fetch_count":671883,"last_fetch_ok":true,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_redirector","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["phishing"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole redirectors","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:04:59.457Z","last_fetch_count":109790,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_residential_proxies","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["anonymizer"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole residential proxies","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:00.974Z","last_fetch_count":120,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_shortener","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["potentially_dangerous"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole URL shorteners","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:04:59.761Z","last_fetch_count":4549,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"utc_stalkerware","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["spyware_adware"],"deprecation_note":"","enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole stalkerware","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:04:59.249Z","last_fetch_count":525,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":2,"url":""},{"feed_id":"circl_osint_misp","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"both","kind":"ti","label":"CIRCL OSINT (MISP feed format)","last_error":"","last_fetch_at":"2026-05-16T08:12:54.815Z","last_fetch_count":0,"last_fetch_ok":true,"method":"http","notes":"","url":"https://www.circl.lu/doc/misp/feed-osint/","audit_at":"2026-04-29T20:01:13.500Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"CC0/Open Data","operator":"CIRCL (LU-CERT)","tier":2},{"feed_id":"greensnow_ips","categories":["hacking","scanner"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"GreenSnow Aggressive IPs","last_error":"","last_fetch_at":"2026-05-16T07:49:05.603Z","last_fetch_count":5141,"last_fetch_ok":true,"method":"http","notes":"","url":"https://blocklist.greensnow.co/greensnow.txt","audit_at":"2026-04-29T20:01:13.523Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:01:10.000Z","audit_status":"operational","license":"Free public","operator":"GreenSnow","tier":2},{"feed_id":"openphish","categories":["phishing"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"OpenPhish public feed","last_error":"","last_fetch_at":"2026-05-16T07:49:20.284Z","last_fetch_count":300,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt","audit_at":"2026-04-29T20:01:13.472Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"Free non-commercial","operator":"OpenPhish","tier":2},{"feed_id":"phishing_army","categories":["phishing"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"Phishing Army blocklist","last_error":"","last_fetch_at":"2026-05-16T07:49:22.124Z","last_fetch_count":143566,"last_fetch_ok":true,"method":"http","notes":"","url":"https://phishing.army/download/phishing_army_blocklist.txt","audit_at":"2026-04-29T20:01:13.473Z","audit_days_since":0,"audit_last_modified":"2026-04-29T16:00:24.000Z","audit_status":"operational","license":"MIT","operator":"Phishing Army","tier":2},{"feed_id":"et_compromised_ips","categories":["compromised","malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Emerging Threats Compromised IPs","last_error":"","last_fetch_at":"2026-05-16T07:49:12.081Z","last_fetch_count":436,"last_fetch_ok":true,"method":"http","notes":"","url":"https://rules.emergingthreats.net/blockrules/compromised-ips.txt","audit_at":"2026-04-29T20:01:13.516Z","audit_days_since":1,"audit_last_modified":"2026-04-28T19:28:04.000Z","audit_status":"operational","license":"BSD","operator":"Proofpoint Emerging Threats","tier":2},{"feed_id":"dshield_block","audit_at":"2026-04-29T20:01:13.513Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:44:44.000Z","audit_status":"operational","categories":["ddos_amplifier","malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"cidr","kind":"ti","label":"SANS Internet Storm Center / DShield — block list","last_error":"","last_fetch_at":"2026-05-16T07:50:57.774Z","last_fetch_count":40,"last_fetch_ok":true,"license":"Free public","method":"http","notes":"","operator":"SANS ISC / DShield","tier":2,"url":"https://www.dshield.org/block.txt"},{"feed_id":"dshield_topips","audit_at":"2026-04-29T20:01:13.514Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:46:22.000Z","audit_status":"operational","categories":["ddos_amplifier","scanner"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"SANS Internet Storm Center / DShield — top attacking IPs","last_error":"","last_fetch_at":"2026-05-16T07:50:57.699Z","last_fetch_count":0,"last_fetch_ok":true,"license":"Free public","method":"http","notes":"","operator":"SANS ISC / DShield","tier":2,"url":"https://isc.sans.edu/api/sources/attacks/100/?json"},{"feed_id":"spamhaus_asndrop","audit_at":"2026-04-29T20:01:13.533Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:14:02.000Z","audit_status":"operational","categories":["bulletproof_hosting","malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Spamhaus ASN-DROP — hijacked ASNs","last_error":"","last_fetch_at":"2026-05-16T07:51:51.890Z","last_fetch_count":410,"last_fetch_ok":true,"license":"Free non-commercial","method":"http","notes":"","operator":"Spamhaus","tier":2,"url":"https://www.spamhaus.org/drop/asndrop.json"},{"feed_id":"spamhaus_org_drop","kind":"ti","label":"Spamhaus — compromised (www.spamhaus.org)","enabled":true,"ioc_type":"cidr","categories":["compromised"],"url":"https://www.spamhaus.org/drop/drop.txt","method":"http","interval_sec":3600,"notes":"Added via preview wizard 2026-05-11T09:56:48.073Z; verdict=good score=90","tier":2,"operator":"Spamhaus","license":"","audit_status":"unknown","auth_required":false,"license_caveat":"","deprecation_note":"","audit_at":null,"audit_last_modified":null,"audit_days_since":null,"last_fetch_at":"2026-05-16T07:57:19.112Z","last_fetch_ok":true,"last_fetch_count":1645,"last_error":""},{"feed_id":"tor_exits","audit_at":"2026-04-29T20:01:13.550Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","categories":["anonymizer"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Tor Project — bulk exit list (canonical)","last_error":"","last_fetch_at":"2026-05-16T07:50:53.580Z","last_fetch_count":1265,"last_fetch_ok":true,"license":"Public","method":"http","notes":"","operator":"Tor Project (official)","tier":2,"url":"https://check.torproject.org/torbulkexitlist","deprecation_note":"Old `/torbulkexitlist` path deprecated 2020-04-01 in favor of `/api/bulk`. Compat alias still works but pin the new path."},{"feed_id":"abusech_hunting_reference","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":true,"categories":[],"deprecation_note":"Login-only — no programmatic bulk feed. Document for awareness.","enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"abuse.ch Hunting — unified search UI (reference only, no bulk feed)","last_error":"","last_fetch_at":"2026-05-16T07:55:09.224Z","last_fetch_count":1,"last_fetch_ok":true,"license":"abuse.ch ToS","license_caveat":"","method":"http","notes":"","operator":"abuse.ch / Hunting","tier":2,"url":"https://hunting.abuse.ch/"},{"feed_id":"malwarebazaar_recent","categories":["file_sha256_malware"],"enabled":true,"interval_sec":3600,"ioc_type":"sha256","kind":"ti","label":"MalwareBazaar — recent SHA256 (last 100k)","last_error":"","last_fetch_at":"2026-05-16T07:49:40.689Z","last_fetch_count":655,"last_fetch_ok":true,"method":"http","notes":"MalwareBazaar full recent CSV. value_col=1 = sha256_hash. Header has 9 ## comment lines + 1 column header line.","url":"https://bazaar.abuse.ch/export/csv/recent/","audit_at":"2026-04-29T20:01:13.532Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:35:02.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / MalwareBazaar","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/.","license_caveat":"abuse.ch Auth-Key required since 2025-06-30 (Community First policy)"},{"feed_id":"sslbl_ip_blocklist","audit_at":"2026-04-29T20:01:13.536Z","audit_days_since":481,"audit_last_modified":"2025-01-03T11:40:41.000Z","audit_status":"operational","categories":["malware_virus","ja3"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"abuse.ch SSLBL — TLS C2 IPs","last_error":"","last_fetch_at":"2026-05-16T07:50:11.060Z","last_fetch_count":0,"last_fetch_ok":true,"license":"CC0","method":"http","notes":"","operator":"abuse.ch / SSLBL","tier":2,"url":"https://sslbl.abuse.ch/blacklist/sslipblacklist.txt","auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"abusech_ja3","categories":["ja3"],"enabled":true,"interval_sec":3600,"ioc_type":"ja3","kind":"ti","label":"abuse.ch JA3 fingerprints (DEPRECATED 2021-08, do not enable)","last_error":"","last_fetch_at":"2026-05-16T07:50:10.646Z","last_fetch_count":98,"last_fetch_ok":true,"method":"http","notes":"","url":"https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv","audit_at":"2026-04-29T20:01:13.487Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:00:14.000Z","audit_status":"operational","license":"CC0","operator":"abuse.ch / SSLBL (DEPRECATED)","tier":2,"auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"threatfox_url_list","audit_at":"2026-04-29T20:01:13.549Z","audit_days_since":0,"audit_last_modified":"2026-04-29T20:00:11.000Z","audit_status":"operational","categories":["malware_virus","ransomware"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"abuse.ch ThreatFox — full URL list","last_error":"","last_fetch_at":"2026-05-16T07:50:51.454Z","last_fetch_count":0,"last_fetch_ok":true,"license":"CC0","method":"http","notes":"","operator":"abuse.ch / ThreatFox","tier":2,"url":"https://threatfox.abuse.ch/export/csv/full/","auth_required":true,"deprecation_note":"abuse.ch Community First policy 2025-06-30: Auth-Key mandatory. Set ABUSECH_AUTH_KEY env and add `auth: { type: 'api_key', header: 'Auth-Key', value: <key> }` to feed config. Free at https://auth.abuse.ch/."},{"feed_id":"abusech_yaraify_rules","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":true,"categories":["yara_rules"],"deprecation_note":"abuse.ch Auth-Key mandatory since 2025-06-30. Set ABUSECH_AUTH_KEY env. Free at https://auth.abuse.ch/. YARA rules — needs Phase 2C YARA parser; placeholder for now.","enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"abuse.ch YARAify — community YARA rule repository (bulk zip)","last_error":"","last_fetch_at":"2026-05-16T07:55:13.317Z","last_fetch_count":0,"last_fetch_ok":true,"license":"CC0 / CC-BY-SA-4.0 (per-rule)","license_caveat":"","method":"http","notes":"","operator":"abuse.ch / YARAify","tier":2,"url":"https://yaraify.abuse.ch/yarahub/yaraify-rules.zip"},{"feed_id":"c2tracker_ips","categories":["botnet_cc","malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"C2 Intel Feeds — 30-day C2 IPs","last_error":"","last_fetch_at":"2026-05-16T07:49:13.314Z","last_fetch_count":303,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv","audit_at":"2026-04-29T20:01:13.494Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"drb-ra / C2IntelFeeds","tier":2},{"feed_id":"list_rtbh_network","kind":"ti","label":"list.rtbh.network — malware_virus (list.rtbh.network)","enabled":true,"ioc_type":"ip","categories":["malware_virus","scanner"],"url":"https://list.rtbh.network/","method":"http","interval_sec":3600,"notes":"Added via preview wizard 2026-05-01T00:25:50.676Z; verdict=good score=95","tier":2,"operator":"list.rtbh.network","license":"","audit_status":"unknown","auth_required":false,"license_caveat":"","deprecation_note":"","audit_at":null,"audit_last_modified":null,"audit_days_since":null,"last_fetch_at":"2026-05-16T08:27:52.887Z","last_fetch_ok":true,"last_fetch_count":93804,"last_error":""},{"feed_id":"list_threat_live","kind":"ti","label":"list.threat.live — malware_virus (list.threat.live)","enabled":true,"ioc_type":"ip","categories":["malware_virus"],"url":"https://list.threat.live/","method":"http","interval_sec":3600,"notes":"","tier":2,"operator":"list.threat.live","license":"","audit_status":"unknown","auth_required":false,"license_caveat":"","deprecation_note":"","audit_at":null,"audit_last_modified":null,"audit_days_since":null,"last_fetch_at":"2026-05-16T07:52:17.564Z","last_fetch_ok":true,"last_fetch_count":93754,"last_error":""},{"feed_id":"utc_adult","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["adult_nsfw"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole adult","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:02.473Z","last_fetch_count":4590956,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_aggressive","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["potentially_dangerous"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole aggressive","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:01.454Z","last_fetch_count":266,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_dangerous_material","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["potentially_dangerous"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole dangerous material","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:01.264Z","last_fetch_count":35,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_dating","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["adult_nsfw"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole dating","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:02.868Z","last_fetch_count":6500,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_drogue","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["potentially_dangerous"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole drogue","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:03.093Z","last_fetch_count":436,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_fakenews","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["potentially_dangerous"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole fakenews","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:00.762Z","last_fetch_count":1092,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_filehosting","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["potentially_dangerous"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole file hosting","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:03.796Z","last_fetch_count":939,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_gambling","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["gambling"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole gambling","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:02.346Z","last_fetch_count":32228,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_sect","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["potentially_dangerous"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole sect","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:03.552Z","last_fetch_count":143,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_vpn","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["anonymizer"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole VPN","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:01.724Z","last_fetch_count":6039,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"utc_warez","audit_at":null,"audit_days_since":null,"audit_last_modified":null,"audit_status":"unknown","auth_required":false,"categories":["piracy"],"deprecation_note":"","enabled":false,"interval_sec":86400,"ioc_type":"domain","kind":"ti","label":"UT-Capitole warez","last_error":"connect ECONNREFUSED 193.49.48.249:443","last_fetch_at":"2026-05-16T00:05:02.128Z","last_fetch_count":1524,"last_fetch_ok":false,"license":"","license_caveat":"","method":"http","notes":"UT-Capitole (Université Toulouse Capitole) — academic blacklist, CC license, twice-weekly refresh","operator":"","tier":3,"url":""},{"feed_id":"alienvault_otx_subscribed","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"both","kind":"ti","label":"AlienVault OTX — subscribed pulses (operator must add API key)","last_error":"","last_fetch_at":"2026-05-16T07:50:08.789Z","last_fetch_count":701,"last_fetch_ok":true,"method":"http","notes":"OTX API key wired 2026-05-01. Subscribed pulses → both domain + IP IOCs. Per-account key, NOT shipped in source repo.","url":"https://otx.alienvault.com/api/v1/pulses/subscribed?limit=200","audit_at":"2026-04-29T20:01:13.490Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","license":"Free w/ API key","operator":"AT&T Cybersecurity / OTX","tier":3},{"feed_id":"coinblocker_lists","categories":["cryptominer"],"enabled":true,"interval_sec":21600,"ioc_type":"domain","kind":"security","label":"AdGuard CryptoMiner Filter — mining domains","last_fetch_ok":true,"method":"http","notes":"AdGuard's curated cryptominer filter (replaced CoinBlocker gitlab.io 403).","operator":"AdGuard","tier":3,"url":"https://filters.adtidy.org/extension/chromium/filters/242.txt","last_error":"","last_fetch_at":"2026-05-16T07:19:24.809Z","last_fetch_count":307},{"feed_id":"stalkerware_domains","categories":["spyware_adware","keyloggers"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"Stalkerware Indicators","last_error":"","last_fetch_at":"2026-05-16T07:49:15.649Z","last_fetch_count":920,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts","audit_at":"2026-04-29T20:01:13.537Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"GPL-3.0","operator":"AssoEchap / Stalkerware Indicators","tier":3},{"feed_id":"cins_badguys","audit_at":"2026-04-29T20:01:13.499Z","audit_days_since":0,"audit_last_modified":"2026-04-29T19:04:01.000Z","audit_status":"operational","categories":["malware_virus","hacking"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"CINS Score (SentinelOne) — community IP score badguys","last_error":"","last_fetch_at":"2026-05-16T07:51:40.052Z","last_fetch_count":15000,"last_fetch_ok":true,"license":"Free public","method":"http","notes":"","operator":"CINS Score (SentinelOne)","tier":3,"url":"https://cinsscore.com/list/ci-badguys.txt"},{"feed_id":"cybercrime_tracker","categories":["banking_trojan","malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"both","kind":"ti","label":"Cybercrime-tracker — banking trojan C2 URLs/IPs","last_error":"","last_fetch_at":"2026-05-16T07:49:45.756Z","last_fetch_count":19145,"last_fetch_ok":true,"method":"http","notes":"","url":"https://cybercrime-tracker.net/all.php","audit_at":"2026-04-29T20:01:13.503Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"Free public","operator":"Cybercrime-tracker.net","tier":3},{"feed_id":"digitalside_domains","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"DigitalSide OSINT — latest malicious domains","last_error":"","last_fetch_at":"2026-05-16T08:12:56.411Z","last_fetch_count":133,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/davidonzo/Threat-Intel/master/lists/latestdomains.txt","audit_at":"2026-04-29T20:01:13.511Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","license":"CC-BY-4.0","operator":"DigitalSide Threat-Intel","tier":3},{"feed_id":"digitalside_ips","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"DigitalSide OSINT — latest malicious IPs","last_error":"","last_fetch_at":"2026-05-16T08:12:56.782Z","last_fetch_count":21669,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/davidonzo/Threat-Intel/master/lists/latestips.txt","audit_at":"2026-04-29T20:01:13.512Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","license":"CC-BY-4.0","operator":"DigitalSide Threat-Intel","tier":3},{"feed_id":"hagezi_doh","audit_at":"2026-04-29T20:01:13.461Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","auth_required":false,"categories":["potentially_dangerous"],"deprecation_note":"","enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"Hagezi — DNS-over-HTTPS resolver hostnames","last_error":"","last_fetch_at":"2026-05-16T07:52:06.467Z","last_fetch_count":3462,"last_fetch_ok":true,"license":"GPL-3.0","license_caveat":"","method":"http","notes":"","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/doh.txt"},{"feed_id":"hagezi_gambling","categories":["gambling"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Hagezi Gambling — gambling/casino domains","last_fetch_ok":true,"method":"http","notes":"Online gambling + casino + sports-betting endpoints.","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/gambling.txt","last_error":"","last_fetch_at":"2026-05-16T01:19:26.189Z","last_fetch_count":207690},{"feed_id":"hagezi_nrd","audit_at":"2026-04-29T20:01:13.467Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","auth_required":false,"categories":["newly_registered"],"deprecation_note":"","enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"Hagezi — Newly Registered Domains (NRD)","last_error":"","last_fetch_at":"2026-05-16T07:52:53.111Z","last_fetch_count":2421121,"last_fetch_ok":true,"license":"GPL-3.0","license_caveat":"","method":"http","notes":"","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/nrd14-8.txt"},{"feed_id":"hagezi_nsfw","categories":["adult_nsfw"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Hagezi NSFW — adult content (operator opt-in)","last_fetch_ok":true,"method":"http","notes":"Adult content endpoints. Operator opt-in (workplace/education).","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/nsfw.txt","last_error":"","last_fetch_at":"2026-05-16T01:19:26.883Z","last_fetch_count":95668},{"feed_id":"hagezi_piracy","categories":["piracy"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Hagezi Anti-Piracy — copyright-infringement domains","last_fetch_ok":true,"method":"http","notes":"Streaming/torrent/warez endpoints. Known to copyright-infringe.","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/anti.piracy.txt","last_error":"","last_fetch_at":"2026-05-16T01:19:23.933Z","last_fetch_count":12773},{"feed_id":"hagezi_threatintel","audit_at":"2026-04-29T20:01:13.524Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","categories":["malware_virus","phishing"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"Hagezi Threat Intelligence (multi-source aggregated)","last_error":"","last_fetch_at":"2026-05-16T07:52:12.779Z","last_fetch_count":1000188,"last_fetch_ok":true,"license":"MIT","method":"http","notes":"","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif.txt"},{"feed_id":"hagezi_tif","audit_at":"2026-04-29T20:01:13.525Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","auth_required":false,"categories":["malware_virus","phishing"],"deprecation_note":"","enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"Hagezi — Threat Intelligence Feed (multi-source)","last_error":"","last_fetch_at":"2026-05-16T08:13:08.835Z","last_fetch_count":1000188,"last_fetch_ok":true,"license":"GPL-3.0","license_caveat":"","method":"http","notes":"","operator":"Hagezi / DNS Blocklists","tier":3,"url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif.txt"},{"feed_id":"hagezi_dyndns","categories":["dynamic_dns"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"Hagezi Dynamic DNS wildcard list","last_error":"","last_fetch_at":"2026-05-16T07:49:30.055Z","last_fetch_count":1479,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/dyndns.txt","audit_at":"2026-04-29T20:01:13.465Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Hagezi DNS Blocklists","tier":3},{"feed_id":"jarelllama_parked","categories":["parked"],"enabled":true,"interval_sec":21600,"ioc_type":"domain","kind":"security","label":"Jarelllama Parked-Domains (community-maintained)","last_fetch_ok":true,"method":"http","notes":"Heuristic check for parked / for-sale domains. Updated multiple times daily.","url":"https://raw.githubusercontent.com/jarelllama/Parked-Domains/main/parked_domains.txt","last_error":"","last_fetch_at":"2026-05-16T04:51:15.298Z","last_fetch_count":8,"operator":"Jarelllama","tier":3},{"feed_id":"hacked_websites","categories":["hacking","compromised"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"Big List of Hacked Domains","last_error":"","last_fetch_at":"2026-05-16T07:49:22.302Z","last_fetch_count":9,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list","audit_at":"2026-04-29T20:01:13.459Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Mitchell Krogza","tier":3},{"feed_id":"abuse_phishing_db","audit_at":"2026-04-29T20:01:13.486Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","categories":["phishing","malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"Mitchell Krogza — Phishing Database (active)","last_error":"","last_fetch_at":"2026-05-16T07:52:06.294Z","last_fetch_count":3,"last_fetch_ok":true,"license":"MIT","method":"http","notes":"","operator":"Mitchell Krogza / Phishing.Database","tier":3,"url":"https://raw.githubusercontent.com/Phishing-Database/Phishing.Database/master/phishing-domains-NEW-today.txt","deprecation_note":"Repo migrated from `mitchellkrogza/` to `Phishing-Database/` org. Old links redirect; pin new."},{"feed_id":"phishing_db_inactive","categories":["dead"],"enabled":true,"interval_sec":86400,"ioc_type":"domain","kind":"security","label":"Phishing.Database — Inactive (dead phishing domains)","last_fetch_ok":true,"method":"http","notes":"Domains previously phishing but now offline / dead. Useful for historical correlation.","url":"https://raw.githubusercontent.com/Phishing-Database/Phishing.Database/master/phishing-domains-INACTIVE.txt","last_error":"","last_fetch_at":"2026-05-15T22:52:30.097Z","last_fetch_count":0,"operator":"Phishing.Database","tier":3},{"feed_id":"maltrail_mass_scanner","audit_at":"2026-04-29T20:01:13.528Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","categories":["scanner","ddos_amplifier"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Maltrail — mass scanner trails","last_error":"","last_fetch_at":"2026-05-16T07:50:59.592Z","last_fetch_count":19215,"last_fetch_ok":true,"license":"MIT","method":"http","notes":"","operator":"Stamparm / Maltrail","tier":3,"url":"https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"},{"feed_id":"disposable_email","categories":["spam"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"Disposable email domains","last_error":"","last_fetch_at":"2026-05-16T07:49:22.967Z","last_fetch_count":5447,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/master/disposable_email_blocklist.conf","audit_at":"2026-04-29T20:01:13.442Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"disposable-email-domains","tier":3},{"feed_id":"davidonzo_domains","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"ti","label":"Davidonzo Threat-Intel Domains","last_error":"","last_fetch_at":"2026-05-16T07:49:15.490Z","last_fetch_count":133,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/davidonzo/Threat-Intel/master/lists/latestdomains.txt","audit_at":"2026-04-29T20:01:13.508Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Davidonzo / Threat-Intel","tier":4},{"feed_id":"davidonzo_ips","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"Davidonzo Threat-Intel IPs","last_error":"","last_fetch_at":"2026-05-16T07:49:00.457Z","last_fetch_count":21669,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/davidonzo/Threat-Intel/master/lists/latestips.txt","audit_at":"2026-04-29T20:01:13.509Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Davidonzo / Threat-Intel","tier":4},{"feed_id":"firehol_level1","audit_at":"2026-04-29T20:01:13.520Z","audit_days_since":0,"audit_last_modified":"2026-04-29T07:43:41.000Z","audit_status":"operational","categories":["malware_virus","hacking"],"enabled":true,"interval_sec":3600,"ioc_type":"cidr","kind":"ti","label":"FireHOL Level 1 — most aggressive aggregated IP block list","last_error":"","last_fetch_at":"2026-05-16T07:51:42.801Z","last_fetch_count":4485,"last_fetch_ok":true,"license":"GPL-3.0","method":"http","notes":"","operator":"FireHOL","tier":4,"url":"https://iplists.firehol.org/files/firehol_level1.netset"},{"feed_id":"firehol_level2","audit_at":"2026-04-29T20:01:13.521Z","audit_days_since":0,"audit_last_modified":"2026-04-29T16:53:33.000Z","audit_status":"operational","categories":["malware_virus","hacking"],"enabled":true,"interval_sec":3600,"ioc_type":"cidr","kind":"ti","label":"FireHOL Level 2 — broader aggregated IP block list","last_error":"","last_fetch_at":"2026-05-16T07:51:49.225Z","last_fetch_count":16118,"last_fetch_ok":true,"license":"GPL-3.0","method":"http","notes":"","operator":"FireHOL","tier":4,"url":"https://iplists.firehol.org/files/firehol_level2.netset"},{"feed_id":"shreshta_nrd_1w","categories":["newly_registered","first_seen"],"enabled":true,"interval_sec":3600,"ioc_type":"domain","kind":"security","label":"Shreshta NRD 1-week","last_error":"","last_fetch_at":"2026-05-16T07:49:33.580Z","last_fetch_count":5702,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/shreshta-labs/newly-registered-domains/main/nrd-1w.csv","audit_at":"2026-04-29T20:01:13.478Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Shreshta Labs / NRD","tier":4},{"feed_id":"ipsum_ips","categories":["hacking","scanner"],"enabled":true,"interval_sec":3600,"ioc_type":"ip","kind":"ti","label":"ipsum Multi-Source Score (>=4)","last_error":"","last_fetch_at":"2026-05-16T07:49:04.301Z","last_fetch_count":125506,"last_fetch_ok":true,"method":"http","notes":"","url":"https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt","audit_at":"2026-04-29T20:01:13.526Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"operational","license":"MIT","operator":"Stamparm / ipsum","tier":4},{"feed_id":"_decay_watch_dead","categories":["dead"],"enabled":true,"ioc_type":"domain","kind":"security","label":"Decay-Watch derived: dead domains (last_seen 14-180d)","last_fetch_ok":true,"method":"manual","notes":"Internal: tagged by decay_watch.ts, not fetched. Populated by recency heuristic.","url":"","operator":"TiHub Internal / Decay-Watch","tier":4},{"feed_id":"_decay_watch_newly_recovered","categories":["newly_recovered"],"enabled":true,"ioc_type":"domain","kind":"security","label":"Decay-Watch derived: newly recovered domains","last_fetch_ok":true,"method":"manual","notes":"Internal: tagged by decay_watch.ts, not fetched. Populated by recency heuristic.","url":"","operator":"TiHub Internal / Decay-Watch","tier":4},{"feed_id":"_placeholder_exploit_kit","categories":["exploit_kit"],"enabled":true,"ioc_type":"domain","kind":"security","label":"Placeholder: exploit_kit (no upstream yet)","last_fetch_ok":true,"method":"manual","notes":"Exploit kit landing pages (RIG/Magnitude/Fallout). Source via malware-traffic-analysis discovery.","operator":"TiHub Internal / Placeholder","tier":4,"url":""},{"feed_id":"_placeholder_info_stealer","categories":["info_stealer"],"enabled":true,"ioc_type":"domain","kind":"security","label":"Placeholder: info_stealer (no upstream yet)","last_fetch_ok":true,"method":"manual","notes":"Stealc/Vidar/RedLine/AgentTesla family. Discovery-bot-targeted.","operator":"TiHub Internal / Placeholder","tier":4,"url":""},{"feed_id":"_placeholder_iot_botnet","categories":["iot_botnet"],"enabled":true,"ioc_type":"domain","kind":"security","label":"Placeholder: iot_botnet (no upstream yet)","last_fetch_ok":true,"method":"manual","notes":"Mirai/Gafgyt/Dvinis-class IoT botnets. GreyNoise community + custom discovery.","operator":"TiHub Internal / Placeholder","tier":4,"url":""},{"feed_id":"_placeholder_ja4","categories":["ja4"],"enabled":true,"ioc_type":"domain","kind":"security","label":"Placeholder: ja4 (no upstream yet)","last_fetch_ok":true,"method":"manual","notes":"JA4 (newer TLS fingerprint). No public OSINT source yet — placeholder, will populate when source found via discovery bot.","operator":"TiHub Internal / Placeholder","tier":4,"url":""},{"feed_id":"raw_githubusercontent_com_c2_servers","kind":"ti","label":"raw.githubusercontent.com — botnet_cc (raw.githubusercontent.com)","enabled":true,"ioc_type":"domain","categories":["botnet_cc","dynamic_dns"],"url":"https://raw.githubusercontent.com/Tempest-Solutions-Company/pihole_blocklists/main/c2_servers.txt","method":"http","interval_sec":3600,"notes":"Added via preview wizard 2026-05-07T14:03:50.125Z; verdict=review score=53","tier":4,"operator":"raw.githubusercontent.com","license":"","audit_status":"unknown","auth_required":false,"license_caveat":"","deprecation_note":"","audit_at":null,"audit_last_modified":null,"audit_days_since":null,"last_fetch_at":"2026-05-16T08:05:17.647Z","last_fetch_ok":true,"last_fetch_count":62947,"last_error":""},{"feed_id":"tweetfeed_today","categories":["malware_virus"],"enabled":true,"interval_sec":3600,"ioc_type":"both","kind":"ti","label":"TweetFeed — today's IOCs (Twitter OSINT)","last_error":"","last_fetch_at":"2026-05-16T07:49:43.605Z","last_fetch_count":0,"last_fetch_ok":true,"method":"http","notes":"","url":"https://api.tweetfeed.live/v1/today","audit_at":"2026-04-29T20:01:13.551Z","audit_days_since":null,"audit_last_modified":null,"audit_status":"unreachable","license":"Free","operator":"TweetFeed (Twitter OSINT)","tier":5},{"feed_id":"raw_githubusercontent_com_linuxmooseetrules","kind":"ti","label":"raw.githubusercontent.com — malware_virus (raw.githubusercontent.com)","enabled":true,"ioc_type":"domain","categories":["malware_virus"],"url":"https://raw.githubusercontent.com/eset/malware-ioc/master/moose/LinuxMooseETrules.txt","method":"http","interval_sec":3600,"notes":"Added via preview wizard 2026-05-07T12:19:02.743Z; verdict=reject score=0 FORCED-OVERRIDE","tier":5,"operator":"raw.githubusercontent.com","license":"","audit_status":"unknown","auth_required":false,"license_caveat":"","deprecation_note":"","audit_at":null,"audit_last_modified":null,"audit_days_since":null,"last_fetch_at":"2026-05-16T08:05:21.566Z","last_fetch_ok":true,"last_fetch_count":0,"last_error":""}]}