Malware IoC Reference — Auto-Generated Feed Digest

Last updated: 2026-03-24 | Total indicators: 11,667 | Sources: 9

This document is auto-generated weekly from 9 open-source threat intelligence feeds. It provides a structured reference for blue team operations, threat hunting, and incident response.

Feed Sources

Source | Provider | License | Indicators
C2 Tracker | montysecurity | MIT | 2,407
ESET Malware IoC | ESET | BSD-2-Clause | 0
PRODAFT IoC | PRODAFT | MIT | 0
Cisco Talos IoC | Cisco Talos | Apache-2.0 | 0
Sophos IoC | Sophos | Permissive | 4,437
Unit 42 IoC | Palo Alto Networks | MIT | 0
OALabs IoC | OALabs | Permissive | 0
TweetFeed | TweetFeed | MIT | 4,706
Endor Labs Advisories | Endor Labs | Proprietary (blog) | 117

Indicator Breakdown

Type | Count | % of Total
SHA-256 Hashes | 6,806 | 58.3%
IP Addresses | 5,814 | 49.8%
URLs | 4,654 | 39.9%
Domains | 4,494 | 38.5%
SHA-1 Hashes | 1,314 | 11.3%
MD5 Hashes | 216 | 1.9%
Email Addresses | 36 | 0.3%

Multi-source indicators (seen by 2+ feeds): 0 — these are higher confidence.

C2 Infrastructure by Framework

Known command & control server IPs, grouped by offensive framework:

Framework | Active IPs
all | 2407
Metasploit Framework C2 | 535
Sliver C2 | 474
Viper C2 | 250
GoPhish | 174
Cobalt Strike C2 | 170
PANDA C2 | 157
BurpSuite | 107
Hak5 Cloud C2 | 94
Mythic C2 | 91
Supershell C2 | 68
Havoc C2 | 43
XMRig Monero Cryptominer | 43
Sectop RAT | 39
XtremeRAT Trojan | 22
Unam Web Panel | 18
AsyncRAT | 16
ShadowPad | 16
RedGuard C2 | 14
DarkComet Trojan | 13
Mozi Botnet | 13
Quasar RAT | 13
NanoCore RAT Trojan | 11
Brute Ratel C4 | 5
Gh0st RAT Trojan | 5
DcRAT | 3
Villain C2 | 3
Caldera C2 | 2
Covenant C2 | 2
Hookbot | 2
MobSF | 2
NimPlant C2 | 2
Orcus RAT Trojan | 2
Remcos RAT | 2
Vshell C2 | 2
Ares RAT C2 | 1
NetBus Trojan | 1
Pantegana C2 | 1
njRAT Trojan | 1

Top Malware Campaigns & Threat Groups

Campaign / Family | Indicators | Types | Sources
files_hosted_on_discord | 3007 | sha256 | sophos
all | 2407 | ip | c2-tracker
phishing | 1186 | ip, md5, domain, url | tweetfeed
malware-MyKings-v2 | 537 | ip, sha1, domain, url | sophos
Metasploit Framework C2 | 535 | ip | c2-tracker
malware-MyKings | 526 | ip, sha1, domain | sophos
Sliver C2 | 474 | ip | c2-tracker
mal-fakealert | 287 | ip, sha1, md5, domain, url | sophos
Viper C2 | 250 | ip | c2-tracker
GoPhish | 174 | ip | c2-tracker
Cobalt Strike C2 | 170 | ip | c2-tracker
PANDA C2 | 157 | ip | c2-tracker
scam | 137 | sha256, domain, url | tweetfeed
maldrivers_release_2 | 130 | sha256, sha1, url | sophos
malware-Raticate | 125 | ip, sha256, domain | sophos
malware-MyKings-domains | 123 | domain | sophos
BurpSuite | 107 | ip | c2-tracker
Hak5 Cloud C2 | 94 | ip | c2-tracker
Mythic C2 | 91 | ip | c2-tracker
Supershell C2 | 68 | ip | c2-tracker
malware-raticate-cloudeye | 66 | ip, sha256, domain, url | sophos
C2 | 66 | ip, md5, domain, url | tweetfeed
repository-backdoor-IOCs | 66 | sha256, md5, domain, url | sophos
Havoc C2 | 43 | ip | c2-tracker
XMRig Monero Cryptominer | 43 | ip | c2-tracker
Sectop RAT | 39 | ip | c2-tracker
ransomware_memento | 37 | ip, sha256, domain, url | sophos
The Return of PhantomRaven: Detecting Three New Waves of npm Supply Chain Attack | 32 | ip, domain, url, email | endorlabs
papercut-nday-indicators-of-compromise | 31 | ip, sha256, md5, domain, url | sophos
LummaStealer | 27 | domain, url | tweetfeed
XtremeRAT Trojan | 22 | ip | c2-tracker
ransomware_atomsilo | 22 | ip, sha256, domain, url | sophos
stealer | 21 | ip, md5, domain, url | tweetfeed
APT | 20 | ip, sha256, md5, domain, url | tweetfeed
Unam Web Panel | 18 | ip | c2-tracker
RAT | 18 | ip, url | tweetfeed
raccoonstealer | 17 | ip, sha256, domain, url | sophos
AsyncRAT | 16 | ip | c2-tracker
ShadowPad | 16 | ip | c2-tracker
npm is serving malware to 134,000 developers, and the maintainer can’t stop it | 15 | ip, sha256, domain, email | endorlabs
RedGuard C2 | 14 | ip | c2-tracker
Njrat | 14 | ip, domain, url | tweetfeed
ransomware | 14 | ip, sha256, md5, domain, url | tweetfeed
DarkComet Trojan | 13 | ip | c2-tracker
Mozi Botnet | 13 | ip | c2-tracker
Quasar RAT | 13 | ip | c2-tracker
SANDWORM_MODE: Dissecting a Multi-Stage npm Supply Chain Attack | 12 | sha256, domain, url, email | endorlabs
Supply Chain Attack targeting Cline installs OpenClaw | 12 | sha256, sha1, domain, url, email | endorlabs
NanoCore RAT Trojan | 11 | ip | c2-tracker
smishing campaign targeting Indian customers 2023-04 | 11 | sha256, domain, url | sophos
CVE-2025-12543: Host Header Validation Bypass in Undertow | 10 | domain, url, email | endorlabs
CVE-2026-25896: Entity Encoding Bypass in fast-xml-parser | 9 | sha1, domain, url | endorlabs
CanisterWorm: Malicious npm Packages Deploy Self-Propagating Supply Chain Worm | 9 | domain, url | endorlabs
usb worm with global reach | 8 | ip, sha256, url | sophos
Lokibot | 8 | ip, domain, url | tweetfeed
CVE-2026-27959: Userinfo Host Header Injection in Koa | 8 | domain, url, email | endorlabs
NanoCore | 7 | ip, domain, url | tweetfeed
malware | 6 | ip, md5, domain, url | tweetfeed
n8mare on auth street: supply chain attack targets n8n ecosystem | 6 | sha256, domain | endorlabs
Brute Ratel C4 | 5 | ip | c2-tracker
Gh0st RAT Trojan | 5 | ip | c2-tracker
NetSupport | 5 | ip, md5 | tweetfeed
CVE-2025-68428: Critical Path Traversal in jsPDF | 5 | domain, url | endorlabs
gootloader_cats_iocs | 4 | sha256 | sophos
opendir | 4 | domain, url | tweetfeed
DcRAT | 3 | ip | c2-tracker
Villain C2 | 3 | ip | c2-tracker
fleeceware-chatbot-apps | 3 | sha256, url | sophos
Caldera C2 | 2 | ip | c2-tracker
Covenant C2 | 2 | ip | c2-tracker
Hookbot | 2 | ip | c2-tracker
MobSF | 2 | ip | c2-tracker
NimPlant C2 | 2 | ip | c2-tracker
Orcus RAT Trojan | 2 | ip | c2-tracker
Remcos RAT | 2 | ip | c2-tracker
Vshell C2 | 2 | ip | c2-tracker
NetSupportRAT | 2 | ip, md5 | tweetfeed
Xworm | 2 | domain, url | tweetfeed
Malicious 'Pyronut' Package Backdoors Telegram Bots with Remote Code Exe | 2 | domain | endorlabs
Ares RAT C2 | 1 | ip | c2-tracker
NetBus Trojan | 1 | ip | c2-tracker
Pantegana C2 | 1 | ip | c2-tracker
njRAT Trojan | 1 | ip | c2-tracker
npm Account Takeovers are a Growing Malware Trend | 1 | email | endorlabs

Blue Team Usage Guide

Threat Hunting Queries

Use these indicator types in your SIEM/EDR:

  • IP addresses: Match against firewall logs, DNS queries, proxy logs
  • File hashes: Scan endpoints via EDR, match in sandbox reports
  • Domains: DNS monitoring, proxy blocklists, certificate transparency
  • URLs: Web proxy logs, email gateway logs
  • Email addresses: Email security gateway sender reputation

Integration Patterns

# Export all IP-type indicators to a blocklist file (example; this selects every IP in the feed,
# not only C2 Tracker entries, so apply the Confidence Assessment below before blocking)
curl -sf https://blacktemple.net/iocs.json | jq -r '.indicators[] | select(.type=="ip") | .value' > c2-blocklist.txt

# Extract hashes for EDR scan
curl -sf https://blacktemple.net/iocs.json | jq -r '.indicators[] | select(.type=="sha256") | .value' > hash-watchlist.txt

# Filter multi-source (high confidence) indicators only
curl -sf https://blacktemple.net/iocs.json | jq '[.indicators[] | select(.sources | length > 1)]'

Confidence Assessment

  • High: Indicators reported by 3+ independent sources
  • Medium: Indicators from 2 sources, or from vendor-verified feeds (ESET, Talos, Sophos)
  • Low: Single-source community indicators (TweetFeed) — use for watchlist, not blocking

YARA Rule Generation

For hash-based indicators, generate YARA rules:

import "hash"

rule BlackTemple_IoC_Hashes {
    meta:
        description = "Auto-generated from blacktemple.net IoC feed"
        date = "2026-03-24"
    condition:
        // Replace with one hash.sha256(0, filesize) == "<sha256>" clause per
        // SHA-256 indicator from iocs.json, joined with "or" (requires the hash module import above)
        false
}
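The following is an added example, not part of the blacktemple.net pipeline: it applies the Confidence Assessment tiers above to records from iocs.json, emits a blocklist only for indicators at or above a chosen tier, and renders the YARA rule with real hash-module conditions instead of the placeholder. The iocs.json layout (indicators[] with type, value and a sources list) is assumed from the jq one-liners in this digest, the vendor feed identifiers eset/talos/sophos are assumed, and the sample records are constructed.

```python
"""Score blacktemple.net IoC records by the digest's confidence tiers and build
artifacts from them. The iocs.json layout (indicators[].type/.value/.sources) is
assumed from this digest's jq examples; the sample records below are constructed."""
import json

# Feeds the digest treats as vendor-verified (medium confidence even when single-source).
# The lowercase identifiers are an assumption about how the feed names its sources.
VENDOR_VERIFIED = {"eset", "talos", "sophos"}

# Constructed sample in the assumed iocs.json shape (documentation addresses, not real IoCs).
SAMPLE_JSON = json.dumps({"indicators": [
    {"type": "ip", "value": "192.0.2.10", "sources": ["c2-tracker", "tweetfeed", "sophos"]},
    {"type": "ip", "value": "198.51.100.7", "sources": ["tweetfeed"]},
    {"type": "sha256", "value": "a" * 64, "sources": ["sophos"]},
    {"type": "sha256", "value": "b" * 64, "sources": ["tweetfeed", "oalabs"]},
    {"type": "domain", "value": "example.invalid", "sources": ["tweetfeed"]},
]})


def confidence(sources: list[str]) -> str:
    """Digest tiers: 3+ sources high; 2 sources or any vendor-verified feed medium; else low."""
    names = {s.lower() for s in sources}
    if len(names) >= 3:
        return "high"
    if len(names) == 2 or names & VENDOR_VERIFIED:
        return "medium"
    return "low"


def blocklist(raw: str, ioc_type: str, min_tier: str = "medium") -> list[str]:
    """Values of one indicator type at or above min_tier (low-tier entries stay on a watchlist)."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return sorted(i["value"] for i in json.loads(raw)["indicators"]
                  if i["type"] == ioc_type and rank[confidence(i["sources"])] >= rank[min_tier])


def yara_rule(raw: str, name: str = "BlackTemple_IoC_Hashes", date: str = "2026-03-24") -> str:
    """Render a YARA rule whose condition matches any SHA-256 indicator via the hash module."""
    hashes = blocklist(raw, "sha256", "low")  # a hash match is exact, so every tier is included
    if not hashes:
        return ""
    clauses = " or\n        ".join(f'hash.sha256(0, filesize) == "{h}"' for h in hashes)
    return (f'import "hash"\n\nrule {name} {{\n    meta:\n'
            f'        description = "Auto-generated from blacktemple.net IoC feed"\n'
            f'        date = "{date}"\n    condition:\n        {clauses}\n}}\n')


if __name__ == "__main__":
    print("\n".join(blocklist(SAMPLE_JSON, "ip")))  # only the three-source IP qualifies
    print(yara_rule(SAMPLE_JSON))
```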

Data Freshness

This digest is regenerated every Sunday. For the latest raw data, use the JSON API:

  • Full feed: https://blacktemple.net/iocs.json
  • Web interface: https://blacktemple.net/malware-ioc

Auto-generated by the blacktemple.net IoC pipeline. Sources are credited above. All data is sourced from open-source, freely redistributable threat intelligence feeds.
