TweetFeed
TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community on Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes.
:heart: Support the project
If you like the project, please consider:
- Giving it a star :star:
- Inviting me for a coffee :coffee:
:page_facing_up: Data collected
<div align="center"> <h3>Feeds</h3> <table> <thead> </thead> <tbody> <tr> <th colspan=4>2026-03-24 21:19:25 (UTC)</th> </tr> <tr> <th>Today</th> <th>Last 7 days</th> <th>Last 30 days</th> <th>Last 365 days</th> </tr> <tr> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/today.csv">Today</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/week.csv">Week</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/month.csv">Month</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/year.csv">Year</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv">raw</a>)</td> </tr> </tbody> </table> </div> <div align="center"> <h3>Output example</h3> <table> <thead> <tr> <th><sub>Date (UTC)</sub></th> <th><sub>SourceUser</sub></th> <th><sub>Type</sub></th> <th><sub>Value</sub></th> <th><sub>Tags</sub></th> <th><sub>Tweet</sub></th> </tr> </thead> <tbody> <tr> <td><sub>2021-08-14 02:26:32</sub></td> <td><sub>phishunt_io</sub></td> <td><sub>url</sub></td> <td><sub>https://netflix.us2.cards/</sub></td> <td><sub>#phishing #scam</sub></td> <td><sub>https://twitter.com/phishunt_io/status/1426369619422502917</sub></td> </tr> <tr> <td><sub>2021-08-17 12:15:00</sub></td> <td><sub>TheDFIRReport</sub></td> <td><sub>ip</sub></td> <td><sub>185.56.76.94</sub></td> <td><sub>#Trickbot</sub></td> <td><sub>https://twitter.com/TheDFIRReport/status/1427604874053578756</sub></td> </tr> </tbody> </table> </div>:bar_chart: Some statistics
<div align="center"> <h3>Types</h3>| Type | Today | Week | Month | Year | | :--- | :---: | :---: | :---: | :---: | | :link: URLs | 114 | 626 | 2192 | 68667 | | :globe_with_meridians: Domains | 88 | 447 | 1643 | 44139 | | :triangular_flag_on_post: IPs | 27 | 178 | 594 | 22985 | | :1234: SHA256 | 2 | 10 | 56 | 1573 | | :1234: MD5 | 7 | 34 | 214 | 3729 |
</div><div align="center"> <h3>Tags</h3>
| Tag | Today | Week | Month | Year | | :--- | :---: | :---: | :---: | :---: | | #phishing | 50 | 200 | 745 | 56890 | | #scam | 0 | 14 | 103 | 8911 | | #opendir | 6 | 14 | 67 | 785 | | #malware | 0 | 30 | 92 | 7612 | | #maldoc | 0 | 0 | 0 | 0 | | #ransomware | 1 | 6 | 38 | 1057 | | #banker | 0 | 0 | 0 | 6 | | #AgentTesla | 0 | 0 | 1 | 200 | | #Alienbot | 0 | 0 | 0 | 0 | | #AsyncRAT | 0 | 26 | 44 | 2087 | | #Batloader | 0 | 0 | 0 | 0 | | #BazarLoader | 0 | 0 | 0 | 0 | | #CobaltStrike | 0 | 24 | 29 | 9131 | | #Dcrat | 0 | 0 | 3 | 355 | | #Emotet | 0 | 0 | 0 | 0 | | #Formbook | 0 | 0 | 47 | 577 | | #GootLoader | 0 | 0 | 0 | 0 | | #GuLoader | 0 | 0 | 0 | 46 | | #IcedID | 0 | 0 | 0 | 0 | | #Lazarus | 0 | 3 | 11 | 156 | | #Lokibot | 0 | 0 | 0 | 153 | | #log4j | 0 | 0 | 0 | 4 | | #Log4shell | 0 | 0 | 0 | 0 | | #Njrat | 2 | 16 | 28 | 918 | | #Qakbot | 0 | 0 | 0 | 910 | | #Raccoon | 0 | 0 | 0 | 3 | | #RedLine | 0 | 4 | 4 | 138 | | #Remcos | 0 | 5 | 16 | 2648 | | #RaspberryRobin | 0 | 0 | 0 | 0 | | #Spring4Shell | 0 | 0 | 0 | 0 | | #SocGolish | 0 | 0 | 0 | 7 | | #Ursnif | 0 | 0 | 0 | 0 |
</div><div align="center"> <h3>Top Reporters (today)</h3>
| Number | User | IOCs | | :--- | :---: | :---: | | #1 | skocherhan | 144 | | #2 | Metemcyber | 24 | | #3 | urldna_bot | 20 | | #4 | SarlackLab | 20 | | #5 | PhishStats | 8 | | #6 | @Phish_Destroy | 6 | | #7 | @CarlyGriggs13 | 4 | | #8 | @urldna_bot | 2 | | #9 | ShadowOpCode | 3 | | #10 | suyog41 | 2 |
</div>

:question: How does it work?
TweetFeed searches for tweets that contain certain tags or that were posted by certain infosec people.
Tags being searched
(not case sensitive)
- #phishing
- #scam
- #opendir
- #malware
- #maldoc
- #ransomware
- #banker
- #AgentTesla
- #Alienbot
- #AsyncRAT
- #BazarLoader
- #Batloader
- #CobaltStrike
- #Dcrat
- #Emotet
- #Formbook
- #GootLoader
- #GuLoader
- #IcedID
- #Lazarus
- #Lokibot
- #log4j
- #Log4shell
- #Njrat
- #Qakbot
- #Raccoon
- #RedLine
- #Remcos
- #RaspberryRobin
- #Spring4Shell
- #SocGholish
- #Ursnif
Also search Tweets posted by
(these are trusted folks that sometimes don't use tags)
<big><pre> TweetFeed list </pre></big>
:mag: Hunting IOCs via Microsoft Defender
1. Search SHA256 hashes with yearly tweets feed
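// Hunt: SHA256 hashes from the TweetFeed yearly list vs. the last 30 days of
// process, file and image-load events in Microsoft Defender advanced hunting.
// The feed is collected from tweets and served as-is, so treat every hit as a
// lead to triage (open the linked Tweet), not as a confirmed detection.
let MaxAge = ago(30d); // how far back to look in device telemetry
let SHA256_whitelist = pack_array(
    'XXX' // Placeholder: replace with SHA256 hashes you have verified as benign.
);
// materialize() caches the parsed feed so the three joins below reuse one result.
let TweetFeed = materialize (
    // Each CSV line is read as a single string, then split into fields.
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    // Field order per the feed's output example:
    // 0 Date, 1 SourceUser, 2 Type, 3 Value, 4 Tags, 5 Tweet.
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    // The joins below are exact, case-sensitive string matches, so normalise the
    // feed value to lower case. NOTE(review): assumes the Device* tables store
    // lower-case hex digests - confirm in your tenant.
    | extend SHA256 = tolower(tostring(report[3]))
    // A blank value would otherwise join to every event that carries no hash.
    | where isnotempty(SHA256)
    // Case-insensitive allowlist check, so entries may be pasted in either case.
    | where SHA256 !in~ (SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet
);
// join without kind= is innerunique: one feed row is kept per hash, so a hash
// tweeted several times shows a single Tag/Tweet next to each matching event.
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet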
<br>
2. Search IP addresses with monthly tweets feed
// Hunt: IP addresses from the TweetFeed monthly list vs. the last 30 days of
// DeviceNetworkEvents in Microsoft Defender advanced hunting.
// The feed is collected from tweets and served as-is; IP addresses in
// particular get reassigned and shared, so treat a hit as a lead to triage.
let MaxAge = ago(30d); // how far back to look in device telemetry
let IPaddress_whitelist = pack_array(
    'XXX' // Placeholder: replace with IP addresses you have verified as benign.
);
let FeedIPs = materialize (
    // Each CSV line is read as a single string, then split into fields.
    externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"]
    with (format = "txt")
    | extend report = parse_csv(report)
    // Field order per the feed's output example:
    // 0 Date, 1 SourceUser, 2 Type, 3 Value, 4 Tags, 5 Tweet.
    | where tostring(report[2]) == 'ip'
    | project RemoteIP = tostring(report[3]),
              Tag      = tostring(report[4]),
              Tweet    = tostring(report[5])
    | where RemoteIP !in(IPaddress_whitelist)
    // Drops private-range addresses. ipv4_is_private() yields null for anything
    // that is not a valid IPv4 string, so such rows are dropped here as well.
    // NOTE(review): if the feed ever carries IPv6 indicators they would be
    // filtered out silently - verify against the feed contents.
    | where not(ipv4_is_private(RemoteIP))
);
// Exact string match on RemoteIP; join without kind= is innerunique, so one
// feed row is kept per address.
FeedIPs
| join (
    DeviceNetworkEvents
    | where Timestamp > MaxAge
) on RemoteIP
| project Timestamp, DeviceName, RemoteIP, Tag, Tweet
<br>
3. Search urls and domains with weekly tweets feed
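// Hunt: URLs and domains from the TweetFeed weekly list vs. the last 30 days
// of DeviceNetworkEvents in Microsoft Defender advanced hunting.
// The feed is collected from tweets and served as-is, so treat every hit as a
// lead to triage (open the linked Tweet), not as a confirmed detection.
let MaxAge = ago(30d); // how far back to look in device telemetry
let domain_whitelist = pack_array(
    'XXX' // Placeholder: replace with URLs/domains you have verified as benign.
);
// materialize() caches the parsed feed for the join below.
let TweetFeed = materialize (
    // Each CSV line is read as a single string, then split into fields.
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    // Field order per the feed's output example:
    // 0 Date, 1 SourceUser, 2 Type, 3 Value, 4 Tags, 5 Tweet.
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    // A blank value would otherwise join to every network event that has no
    // RemoteUrl recorded and flood the result.
    | where isnotempty(RemoteUrl)
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet
);
// NOTE(review): the join is an exact, case-sensitive string match. Feed rows of
// type 'url' carry a scheme and path; if RemoteUrl in your telemetry is
// recorded in another form (host only, different case, no trailing slash)
// those indicators will not match. Check a few known values before reading an
// empty result as "nothing seen".
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteUrl
) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet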
:bust_in_silhouette: Author
<!---  --->:pushpin: Disclaimer
Please note that all the data is collected from Twitter and sorted/served here as is, on a best-effort basis.
I have tried to tune as much as po
