Spydithreatintel
Spydi ThreatIntel Feed is built on open-source threat intelligence, community-maintained blocklists, and public security research.
📢 Update: Blocklists are now served from Cloudflare R2 for faster global delivery and reduced latency. Use the download links below instead of raw GitHub URLs. Website & API coming soon!
🚀 About
Comprehensive threat intelligence blocklists aggregated from multiple OSINT sources, honeypot networks, and C2 trackers. Multi-source validation, confidence-based tiers, and CDN-aware whitelisting.
📑 Quick Links: IP Blocklists • Domain Blocklists • Sources • Credits
⚠️ License Notice: Each OSINT feed is governed by its own terms. Users must review original source documentation for specific licensing details.
🔥 IP Blocklists
Confidence-based tiers with multi-source validation
| Tier | Blocklist | Download |
|:----:|-----------|:--------:|
| 🎯 High | High Confidence (Limited ~5K) | 📥 Download |
| 🎯 High | High Confidence (Unlimited) | 📥 Download |
| ⚖️ Medium | Medium Confidence (Limited ~25K) | 📥 Download |
| ⚖️ Medium | Medium Confidence (Unlimited) | 📥 Download |
| 🔬 Low | Low Confidence (All Others) | 📥 Download |
| 📊 Research | Full Research Blocklist | 📥 Download |
| 🗄️ Archive | Permanent (Append-Only) | 📥 Download |
<details>
<summary>🔍 <strong>Confidence Scoring Details</strong></summary>

Multi-Source Validation: IPs are scored by how many independent threat intelligence sources report them.

| Tier | Threshold | Description |
|------|-----------|-------------|
| 🎯 High Limited | 5+ sources | Strictest tier - confirmed malicious across 5+ feeds |
| 🎯 High Unlimited | 3+ sources | High confidence - validated by 3+ independent sources |
| ⚖️ Medium | 2+ sources | Medium confidence - corroborated by 2 sources |
| 🔬 Low | 1 source | Single-source reports - use with caution |

Example: An IP reported by ThreatFox, Feodo Tracker, IPsum, CINS Score, and Blocklist.de would have source_count=5 → appears in High Limited.
Whitelist Protection: CDN ranges (Cloudflare, Akamai, Fastly, Tailscale) are automatically excluded to prevent false positives.
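
The scoring described above can be sketched as follows. This is an added example, not the project's own code: the feed contents, the whitelist range, the function names and the rule that each IP is placed in the strictest tier it qualifies for are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Thresholds from the tier table above, strictest first.
TIERS = [("high_limited", 5), ("high_unlimited", 3), ("medium", 2), ("low", 1)]

# Constructed sample data: documentation-range IPs, not real indicators.
SAMPLE_FEEDS = {
    "threatfox":    "198.51.100.7\n192.0.2.10\n203.0.113.5\n",
    "feodotracker": "198.51.100.7\n192.0.2.10  # inline comment\n",
    "ipsum":        "198.51.100.7\n192.0.2.10\n203.0.113.5\n",
    "cins_score":   "198.51.100.7\n192.0.2.44\nnot-an-ip\n",
    "blocklist_de": "198.51.100.7\n198.51.100.7\n192.0.2.99\n192.0.2.44\n",
}
SAMPLE_WHITELIST = ["203.0.113.0/24"]  # stand-in for a CDN range (assumption)

def parse_feed(text):
    """Return the set of valid IPs in one feed, so a feed counts once per IP."""
    ips = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not token:
            continue
        try:
            ips.add(ipaddress.ip_address(token))
        except ValueError:
            continue  # skip malformed entries instead of failing the run
    return ips

def score(feeds, whitelist_cidrs):
    """Map each non-whitelisted IP to (source_count, tier)."""
    nets = [ipaddress.ip_network(c) for c in whitelist_cidrs]
    counts = defaultdict(int)
    for text in feeds.values():
        for ip in parse_feed(text):
            counts[ip] += 1
    result = {}
    for ip, n in counts.items():
        if any(ip in net for net in nets):
            continue  # whitelist wins regardless of how many feeds list the IP
        tier = next(name for name, minimum in TIERS if n >= minimum)
        result[str(ip)] = (n, tier)
    return result

if __name__ == "__main__":
    for ip, (n, tier) in sorted(score(SAMPLE_FEEDS, SAMPLE_WHITELIST).items()):
        print(f"{ip:15} source_count={n} tier={tier}")
```
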
</details>

🌐 Domain Blocklists
Independent category processing - import any/all into Pi-hole/AdGuard
| Category | Blocklist | Download |
|:--------:|-----------|:--------:|
| 🛡️ Security | Malicious Domains | 📥 Download |
| 📧 Spam | Spam/Scam/Abuse Domains | 📥 Download |
| 📺 Privacy | Ads & Tracking Domains | 📥 Download |
| 🗄️ Archive | Permanent Domains (Append-Only) | 📥 Download |
📁 Whitelisting
Reduce false positives using these curated lists:
| Name | Purpose | Raw URL |
|------|---------|---------|
| Removed IPs | Legitimate IPs removed from blocklists | 📥 Raw |
| Whitelisted IPs | Critical infrastructure IPs (Cloudflare, Akamai, Fastly) | 📥 Raw |
| Community IPs | Community-submitted IP whitelist | 📥 Raw |
| Community Domains | Community-submitted domain whitelist | 📥 Raw |
💡 Found a false positive? Submit a Whitelist IP Request or Whitelist Domain Request — automated validation and processing via GitHub Actions.
🕵️ Tracked Threats & Source list
- Actively monitored infrastructure across 50+ threat actors:
| C2s | Malware | Botnets |
|-----|---------|---------|
| Cobalt Strike | AcidRain Stealer | 7777 |
| Metasploit Framework | Misha Stealer (AKA Grand Misha) | BlackNET |
| Covenant | Patriot Stealer | Doxerina |
| Mythic | RAXNET Bitcoin Stealer | Scarab |
| Brute Ratel C4 | Titan Stealer | 63256 |
| Posh | Collector Stealer | Kaiji |
| Sliver | Mystic Stealer | MooBot |
| Deimos | Gotham Stealer | Mozi |
| PANDA | Meduza Stealer | |
| NimPlant C2 | Quasar RAT | |
| Havoc C2 | ShadowPad | |
| Caldera | AsyncRAT | |
| Empire | DcRat | |
| Ares | BitRAT | |
| Hak5 Cloud C2 | DarkComet Trojan | |
| Pantegana | XtremeRAT Trojan | |
| Supershell | NanoCore RAT Trojan | |
| Poseidon C2 | Gh0st RAT Trojan | |
| Viper C2 | DarkTrack RAT Trojan | |
| Vshell | njRAT Trojan | |
| Villain | Remcos Pro RAT Trojan | |
| Nimplant C2 | Poison Ivy Trojan | |
| RedGuard C2 | Orcus RAT Trojan | |
| Oyster C2 | ZeroAccess Trojan | |
| byob C2 | HOOKBOT Trojan | |
| | RisePro Stealer | |
| | NetBus Trojan | |
| | Bandit Stealer | |
| | Mint Stealer | |
| | Mekotio Trojan | |
| | Gozi Trojan | |
| | Atlandida Stealer | |
| | VenomRAT | |
| | Orcus RAT | |
| | BlackDolphin | |
| | Artemis RAT | |
| | Godzilla Loader | |
| | Jinx Loader | |
| | Netpune Loader | |
| | SpyAgent | |
| | SpiceRAT | |
| | Dust RAT | |
| | Pupy RAT | |
| | Atomic Stealer | |
| | Lumma Stealer | |
| | Serpent Stealer | |
| | Axile Stealer | |
| | Vector Stealer | |
| | Z3us Stealer | |
| | Rastro Stealer | |
| | Darkeye Stealer | |
| | AgniStealer | |
| | Epsilon Stealer | |
| | Bahamut Stealer | |
| | Unam Web Panel / SilentCryptoMiner | |
| | Vidar Stealer | |
| | Kraken RAT | |
| | Bumblebee Loader | |
| | Viper RAT | |
| | Spectre Stealer | |
- Sources: Curated feeds including C2 servers, honeypot data, Mass-scanners, and OSINT feeds.

| Sources | Source URL |
|---------|------------|
| C2 IP Feed | C2_iplist.txt |
| Honeypot Master list | honeypot_iplist.txt |
| maltrail_scanners | maltrail_ips.txt |
| botvrij_eu | botvrij_eu |
| feodotracker | feodotracker |
| feodotracker_recommended | feodotracker_recommended |
| Blocklist_de_all | Blocklist_de_all |
| ThreatView_High_Confidence | ThreatView_High_Confidence |
| IPsumLevel_7 | IPsumLevel7 |
| CINS_Score | CINS_Score |
| DigitalSide | DigitalSide |
| duggytuxy | duggytuxy |
| etnetera.cz | etnetera.cz |
| emergingthreats-compromised | ET_Comp |
| greensnow.co | greensnow.co |
| Threatfox | Threatfox |
| More coming Soon! | Future Updates |
- Whitelist Coverage Matrix:

| Provider | Type | Coverage | Source Link |
|----------|------|----------|-------------|
| Cloudflare | CDN IPv4/IPv6 | Global CDN | Cloudflare IPs |
| Akamai | CDN IPv4/IPv6 | Global CDN & Shield IPs | Akamai IPs |
| Fastly | CDN IPv4/IPv6 | Global CDN | Fastly IPs |
| Tailscale | DERP & Control Panel | Relay servers and control plane | Tailscale DERP |
| Uptime Robot | IPv4 | UptimeRobot Monitoring | UptimeRobot IPs |
🙌 Acknowledgements
Gratitude to our OSINT partners. This project stands on the shoulders of these valuable resources:
- Abuse.ch - Feodo Tracker
- Botvrij.eu - Threat Intelligence
- Blocklist.de - Attack Data
- CINS Army - Threat Scoring
- DigitalSide - Italian CERT
- ...and 10+ other community maintainers
Special Thanks to MontySecurity for their C2 Tracker framework and elliotwutingfeng
Security Score
Audited on Mar 27, 2026
