Malware IoC Reference — Auto-Generated Feed Digest
Last updated: 2026-03-29 | Total indicators: 17,293 | Sources: 9
This document is auto-generated weekly from 9 open-source threat intelligence feeds. It provides a structured reference for blue team operations, threat hunting, and incident response.
Feed Sources
| Source | Provider | License | Indicators |
|---|---|---|---|
| C2 Tracker | montysecurity | MIT | 2,407 |
| ESET Malware IoC | ESET | BSD-2-Clause | 4,972 |
| PRODAFT IoC | PRODAFT | MIT | 0 |
| Cisco Talos IoC | Cisco Talos | Apache-2.0 | 653 |
| Sophos IoC | Sophos | Permissive | 4,437 |
| Unit 42 IoC | Palo Alto Networks | MIT | 0 |
| OALabs IoC | OALabs | Permissive | 0 |
| TweetFeed | TweetFeed | MIT | 4,717 |
| Endor Labs Advisories | Endor Labs | Proprietary (blog) | 109 |
Indicator Breakdown
Percentages are relative to the 17,293 headline total. The per-type counts below sum to 34,586, so they are not disjoint shares and do not add up to 100%.
| Type | Count | % of 17,293 total |
|---|---|---|
| SHA-256 Hashes | 12,220 | 70.7% |
| IP Addresses | 5,808 | 33.6% |
| MD5 Hashes | 5,280 | 30.5% |
| URLs | 5,160 | 29.8% |
| Domains | 4,754 | 27.5% |
| SHA-1 Hashes | 1,326 | 7.7% |
| Email Addresses | 38 | 0.2% |
Multi-source indicators (seen by 2+ feeds): 2. Cross-feed overlap in this digest is therefore negligible: at most two indicators can reach the 3+ source High tier defined under Confidence Assessment below, so in practice confidence has to come from feed provenance rather than corroboration.
C2 Infrastructure by Framework
Known command & control server IPs, grouped by offensive framework. The `all` row is C2 Tracker's combined total (2,407 IPs), not a framework. Several entries (BurpSuite, GoPhish, MobSF, Caldera, Covenant) are legitimate red-team or application-security tooling; an IP listed under them most likely indicates an internet-exposed instance rather than confirmed malicious use, so treat those rows as watchlist entries rather than block entries.
| Framework | Active IPs |
|---|---|
| all | 2407 |
| Metasploit Framework C2 | 535 |
| Sliver C2 | 474 |
| Viper C2 | 250 |
| GoPhish | 174 |
| Cobalt Strike C2 | 170 |
| PANDA C2 | 157 |
| BurpSuite | 107 |
| Hak5 Cloud C2 | 94 |
| Mythic C2 | 91 |
| Supershell C2 | 68 |
| Havoc C2 | 43 |
| XMRig Monero Cryptominer | 43 |
| Sectop RAT | 39 |
| XtremeRAT Trojan | 22 |
| Unam Web Panel | 18 |
| AsyncRAT | 16 |
| ShadowPad | 16 |
| RedGuard C2 | 14 |
| DarkComet Trojan | 13 |
| Mozi Botnet | 13 |
| Quasar RAT | 13 |
| NanoCore RAT Trojan | 11 |
| Brute Ratel C4 | 5 |
| Gh0st RAT Trojan | 5 |
| DcRAT | 3 |
| Villain C2 | 3 |
| Caldera C2 | 2 |
| Covenant C2 | 2 |
| Hookbot | 2 |
| MobSF | 2 |
| NimPlant C2 | 2 |
| Orcus RAT Trojan | 2 |
| Remcos RAT | 2 |
| Vshell C2 | 2 |
| Ares RAT C2 | 1 |
| NetBus Trojan | 1 |
| Pantegana C2 | 1 |
| njRAT Trojan | 1 |
Top Malware Campaigns & Threat Groups
Names are taken verbatim from each feed, so the same family can appear under more than one label (LummaStealer from TweetFeed and lummastealer from ESET; asyncrat here and AsyncRAT in the C2 table), and the `all` row is again C2 Tracker's aggregate. Entries such as `2025/10` are Talos month buckets (YYYY/MM), not single campaigns, so their indicators mix unrelated families.
| Campaign / Family | Indicators | Types | Sources |
|---|---|---|---|
| files_hosted_on_discord | 3007 | sha256 | sophos |
| all | 2407 | ip | c2-tracker |
| phishing | 925 | ip, md5, domain, url | tweetfeed |
| groundbait | 596 | sha256, md5 | eset |
| malware-MyKings-v2 | 537 | ip, sha1, domain, url | sophos |
| Metasploit Framework C2 | 535 | ip | c2-tracker |
| malware-MyKings | 526 | ip, sha1, domain | sophos |
| Sliver C2 | 474 | ip | c2-tracker |
| mal-fakealert | 287 | ip, sha1, md5, domain, url | sophos |
| bandook | 272 | sha256, md5 | eset |
| Viper C2 | 250 | ip | c2-tracker |
| evilnum | 244 | sha256, md5 | eset |
| gamaredon | 214 | sha256, md5 | eset |
| machete | 204 | sha256, md5 | eset |
| scam | 195 | sha256, domain, url | tweetfeed |
| invisimole | 188 | sha256, md5 | eset |
| GoPhish | 174 | ip | c2-tracker |
| 2025/10 | 174 | ip, sha256, sha1, md5, domain, url, email | talos |
| Cobalt Strike C2 | 170 | ip | c2-tracker |
| badiis | 164 | sha256, md5 | eset |
| greyenergy | 164 | sha256, md5 | eset |
| PANDA C2 | 157 | ip | c2-tracker |
| dark_iot | 156 | sha256, md5 | eset |
| 2026/02 | 146 | ip, sha256, domain, url | talos |
| gelsemium | 138 | sha256, md5 | eset |
| 2025/09 | 131 | sha256, domain, url | talos |
| 2026/01 | 130 | ip, sha256, domain, url | talos |
| maldrivers_release_2 | 130 | sha256, sha1, url | sophos |
| malware-Raticate | 125 | ip, sha256, domain | sophos |
| malware-MyKings-domains | 123 | domain | sophos |
| muddywater | 122 | sha256, md5 | eset |
| nukesped_lazarus | 116 | md5 | eset |
| donot | 114 | sha256, md5 | eset |
| 2026/03 | 109 | ip, sha256, domain, url | talos |
| king_tut | 108 | sha256, md5 | eset |
| BurpSuite | 107 | ip | c2-tracker |
| evasive_panda | 96 | sha256, md5 | eset |
| janeleiro | 96 | sha256, md5 | eset |
| Hak5 Cloud C2 | 94 | ip | c2-tracker |
| mikroceen | 94 | sha256, md5 | eset |
| Mythic C2 | 91 | ip | c2-tracker |
| deceptivedevelopment | 82 | sha256, md5 | eset |
| ace_cryptor | 74 | sha256, md5 | eset |
| Supershell C2 | 68 | ip | c2-tracker |
| longnosedgoblin | 68 | sha256, md5 | eset |
| malware-raticate-cloudeye | 66 | ip, sha256, domain, url | sophos |
| repository-backdoor-IOCs | 66 | sha256, md5, domain, url | sophos |
| edr_killers | 64 | sha256, md5 | eset, talos |
| attor | 64 | sha256, md5 | eset |
| blacklotus | 62 | sha256, md5 | eset |
| especter | 62 | sha256, md5 | eset |
| asylum_ambuscade | 58 | sha256, md5 | eset |
| moustachedbouncer | 58 | sha256, md5 | eset |
| famoussparrow | 56 | sha256, md5 | eset |
| moose | 56 | sha256, md5 | eset |
| C2 | 53 | ip, md5, domain, url | tweetfeed |
| PlushDaemon | 46 | sha256, md5 | eset |
| exchange_exploitation | 46 | sha256, md5 | eset |
| GhostRedirector | 44 | sha256, md5 | eset |
| asyncrat | 44 | sha256, md5 | eset |
| backdoordiplomacy | 44 | sha256, md5 | eset |
| deprimon | 44 | sha256, md5 | eset |
| mustang_panda | 44 | sha256, md5 | eset |
| Havoc C2 | 43 | ip | c2-tracker |
| XMRig Monero Cryptominer | 43 | ip | c2-tracker |
| cosmicbeetle | 42 | sha256, md5 | eset |
| kasidet | 42 | sha256, md5 | eset |
| mozi | 42 | sha256, md5 | eset |
| Sectop RAT | 39 | ip | c2-tracker |
| hamkombat | 38 | sha256, md5 | eset |
| mirrorface | 38 | sha256, md5 | eset |
| ransomware_memento | 37 | ip, sha256, domain, url | sophos |
| 2025/11 | 37 | sha256, domain, url | talos |
| dukes | 36 | sha256, md5 | eset |
| 2025/12 | 32 | sha256, ip, domain, url | eset, talos |
| The Return of PhantomRaven: Detecting Three New Waves of npm Supply Chain Attack | 32 | ip, domain, url, email | endorlabs |
| papercut-nday-indicators-of-compromise | 31 | ip, sha256, md5, domain, url | sophos |
| ballisticbobcat | 30 | sha256, md5 | eset |
| aridspy | 30 | sha256, md5 | eset |
| mispadu | 30 | sha256, md5 | eset |
| LummaStealer | 27 | domain, url | tweetfeed |
| amavaldo | 26 | sha256, md5 | eset |
| blackwood | 26 | sha256, md5 | eset |
| dnsbirthday | 26 | sha256, md5 | eset |
| lummastealer | 26 | sha256, md5 | eset |
| modiloader | 26 | sha256, md5 | eset |
| malware | 25 | ip, md5, domain, url | tweetfeed |
| stealer | 24 | ip, md5, domain, url | tweetfeed |
| goldenjackal | 24 | sha256, md5 | eset |
| grandoreiro | 24 | sha256, md5 | eset |
| XtremeRAT Trojan | 22 | ip | c2-tracker |
| ransomware_atomsilo | 22 | ip, sha256, domain, url | sophos |
| guildma | 20 | sha256, md5 | eset |
| hybridpetya | 20 | sha256, md5 | eset |
| kobalos | 20 | sha256, md5 | eset |
| Unam Web Panel | 18 | ip | c2-tracker |
| ceranakeeper | 18 | sha256, md5 | eset |
| embargo | 18 | sha256, md5 | eset |
| emotet | 18 | sha256, md5 | eset |
| fishmonger | 18 | sha256, md5 | eset |
Blue Team Usage Guide
Threat Hunting Queries
Use these indicator types in your SIEM/EDR:
- IP addresses: Match against firewall and NetFlow logs, DNS answer (A/AAAA) records, proxy logs
- File hashes: Scan endpoints via EDR, match in sandbox reports
- Domains: DNS monitoring, proxy blocklists, certificate transparency
- URLs: Web proxy logs, email gateway logs
- Email addresses: Email security gateway sender reputation
Integration Patterns
# Extract every IP indicator into a blocklist (example). This pulls all IP
# indicators, including low-confidence TweetFeed ones, not just C2 Tracker
# entries, so review before enforcing. In scripts, set -o pipefail so a failed
# download does not silently produce an empty blocklist.
curl -sf https://blacktemple.net/iocs.json | jq -r '.indicators[] | select(.type=="ip") | .value' | sort -u > ip-blocklist.txt
# Extract SHA-256 hashes for an EDR watchlist
curl -sf https://blacktemple.net/iocs.json | jq -r '.indicators[] | select(.type=="sha256") | .value' | sort -u > hash-watchlist.txt
# Keep only multi-source (higher confidence) indicators
curl -sf https://blacktemple.net/iocs.json | jq '[.indicators[] | select(.sources | length > 1)]' > multi-source.json
Confidence Assessment
- High: Indicators reported by 3+ independent sources
- Medium: Indicators from 2 sources, or from vendor-verified feeds (ESET, Talos, Sophos)
- Low: Single-source community indicators (TweetFeed) and any feed not named above: use for watchlist, not blocking
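As an added example (not the blacktemple.net pipeline's own code), the Python script below ties the three sections above together: it loads feed records in the schema the jq one-liners assume (`indicators[]` with `type`, `value` and `sources`), assigns each indicator the tier defined under Confidence Assessment, normalises values, and runs them over constructed DNS, proxy and firewall log lines as the Threat Hunting Queries list suggests. The feed records, the log lines and the source labels (taken to match the Sources column of the campaign table) are constructed assumptions for the example, not real indicators.

```python
"""Match IoC feed records against log lines and rank hits by confidence tier."""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Feeds the Confidence Assessment calls vendor-verified. Source labels are an
# assumption: they are taken to match the "Sources" column of the campaign table.
VENDOR_FEEDS = {"eset", "talos", "sophos"}

# Constructed sample feed in the schema the jq one-liners assume
# (.indicators[] with .type, .value, .sources). Values are RFC 5737/2606
# documentation addresses and names, not real indicators.
SAMPLE_FEED = json.dumps({"indicators": [
    {"type": "ip", "value": "203.0.113.10", "sources": ["c2-tracker", "eset", "talos"]},
    {"type": "domain", "value": "Update.Example.net", "sources": ["eset", "sophos"]},
    {"type": "domain", "value": "login-portal.example.org", "sources": ["tweetfeed"]},
    {"type": "url", "value": "http://cdn.example.com/pkg.zip/", "sources": ["sophos"]},
    {"type": "ip", "value": "198.51.100.7", "sources": ["tweetfeed"]},
    {"type": "ip", "value": "not-an-ip", "sources": ["tweetfeed"]},
]})


def confidence(sources):
    """Tier per the Confidence Assessment: 3+ sources High; 2, or any vendor feed, Medium; else Low."""
    uniq = set(sources)
    if len(uniq) >= 3:
        return "high"
    if len(uniq) == 2 or uniq & VENDOR_FEEDS:
        return "medium"
    return "low"


def load_indicators(raw_json):
    """Index (type, normalised value) -> tier. Malformed IPs are skipped, not matched on."""
    index = {}
    for rec in json.loads(raw_json)["indicators"]:
        typ, value = rec["type"], rec["value"].strip()
        if typ in ("domain", "url"):
            value = value.lower().rstrip("/.")
        elif typ == "ip":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                continue
        index[(typ, value)] = confidence(rec["sources"])
    return index


# Constructed log lines: BIND-style query log, squid-style proxy log, firewall log.
SAMPLE_LOGS = [
    "29-Mar-2026 10:01:02.417 queries: client 10.0.0.5#53211: query: update.example.net IN A +",
    "1774778462.123   41 10.0.0.6 TCP_MISS/200 1024 GET http://cdn.example.com/pkg.zip - HIER_DIRECT/192.0.2.1 application/zip",
    "29-Mar-2026 10:03:10 fw: SRC=10.0.0.7 DST=203.0.113.10 PROTO=TCP DPT=443 ACTION=ALLOW",
    "29-Mar-2026 10:04:00.002 queries: client 10.0.0.8#40000: query: www.example.com IN A +",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"']+")
QNAME = re.compile(r"query: ([\w.-]+) IN ")


def candidates(line):
    """(type, value) pairs a log line could match: IPs, URLs, URL hosts, DNS query names."""
    for ip in IPV4.findall(line):
        yield ("ip", ip)
    for url in URL.findall(line):
        url = url.lower().rstrip("/.")
        yield ("url", url)
        host = urlsplit(url).hostname
        if host:
            yield ("domain", host)
    for qname in QNAME.findall(line):
        yield ("domain", qname.lower().rstrip("."))


def hunt(raw_feed, lines):
    """Return [(line_no, type, value, tier)] for every match, highest tier first."""
    index = load_indicators(raw_feed)
    rank = {"high": 0, "medium": 1, "low": 2}
    hits = []
    for no, line in enumerate(lines, 1):
        for key in sorted(set(candidates(line))):
            if key in index:
                hits.append((no, key[0], key[1], index[key]))
    return sorted(hits, key=lambda h: (rank[h[3]], h[0]))


if __name__ == "__main__":
    for no, typ, value, tier in hunt(SAMPLE_FEED, SAMPLE_LOGS):
        print(f"line {no}: {tier:<6} {typ:<6} {value}")
```

On the constructed input the firewall line matching the three-source IP is reported first as high, the DNS and proxy hits from vendor feeds as medium, and the single-source TweetFeed entries never fire because no log line touches them. Normalising case and trailing slashes before indexing matters in practice: feeds mix `Example.net` with `example.net` and `.../pkg.zip` with `.../pkg.zip/`, and a naive string compare silently misses those.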
YARA Rule Generation
For hash-based indicators, generate YARA rules. Note that the YARA hash module must read and hash the whole file for every scanned object, so for the 12,000+ SHA-256 values in this feed an EDR hash watchlist or hash-set lookup is far cheaper; use the YARA form where YARA is what you have. The skeleton below compiles as-is (the placeholder condition never matches) and shows the clause shape to emit per hash:
import "hash"

rule BlackTemple_IoC_Hashes {
    meta:
        description = "Auto-generated from blacktemple.net IoC feed"
        date = "2026-03-29"
    condition:
        // Replace with one clause per hash from iocs.json, ORed together:
        //   hash.sha256(0, filesize) == "<sha256 from iocs.json>" or ...
        false
}
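The following generator is an added example and not the pipeline's own code; it turns a hash list (such as the output of the jq SHA-256 extraction above) into the rule shape shown in the skeleton. The hash values in the block are constructed placeholders, not real indicators, and the chunk size and numbered rule-name suffix are design choices of this example.

```python
"""Generate YARA hash-match rules from SHA-256 indicators, chunked and validated."""
import re
from datetime import date

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

# Constructed placeholders, not real indicators. Includes an upper-case entry,
# a duplicate, a truncated hash and a non-hash to exercise the filtering.
SAMPLE_HASHES = [
    "a" * 64,
    "B" * 64,
    "0123456789abcdef" * 4,
    "a" * 64,
    "c" * 63,
    "not-a-hash",
]


def clean_hashes(hashes):
    """Lower-case, de-duplicate and keep only well-formed SHA-256 hex strings."""
    return sorted({h.strip().lower() for h in hashes if SHA256_HEX.match(h.strip().lower())})


def yara_from_hashes(hashes, rule_name="BlackTemple_IoC_Hashes", when=None, chunk=500):
    """Return YARA source with one rule per `chunk` hashes.

    Each condition ORs hash.sha256(0, filesize) comparisons; the hash module is
    imported once at the top of the file. Malformed entries are dropped rather
    than emitted, because a single bad literal makes the whole file fail to
    compile. Chunking keeps each rule's condition bounded and lets a match
    report which chunk fired.
    """
    clean = clean_hashes(hashes)
    if not clean:
        raise ValueError("no well-formed SHA-256 hashes supplied")
    when = when or date.today().isoformat()
    parts = ['import "hash"', ""]
    for n, start in enumerate(range(0, len(clean), chunk)):
        group = clean[start:start + chunk]
        cond = " or\n        ".join(f'hash.sha256(0, filesize) == "{h}"' for h in group)
        parts.append(
            f"rule {rule_name}_{n:03d} {{\n"
            f"    meta:\n"
            f'        description = "Auto-generated from blacktemple.net IoC feed"\n'
            f'        date = "{when}"\n'
            f"        indicator_count = {len(group)}\n"
            f"    condition:\n"
            f"        {cond}\n"
            f"}}\n"
        )
    return "\n".join(parts)


if __name__ == "__main__":
    print(yara_from_hashes(SAMPLE_HASHES, when="2026-03-29", chunk=2))
```

Save the output to a `.yar` file and scan with `yara -r rules.yar <path>`; the `hash` module depends on OpenSSL, so confirm your yara build includes it before relying on the rule. Feeding the generator the raw feed without validation is the usual failure mode: one stray MD5 or a hash with a trailing space in the condition and none of the rules load.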
Data Freshness
This digest is regenerated every Sunday. For the latest raw data, use the JSON API:
- Full feed: https://blacktemple.net/iocs.json
- Web interface: https://blacktemple.net/malware-ioc
Auto-generated by the blacktemple.net IoC pipeline. Sources and their licenses are credited in the Feed Sources table above. Most feeds are open-source and freely redistributable; the Endor Labs entries are listed as proprietary blog content, so check that source's terms before redistributing them.
