📢 Update: Blocklists are now served from Cloudflare R2 for faster global delivery and reduced latency. Use the download links below instead of raw GitHub URLs. Website & API coming soon!
Comprehensive threat intelligence blocklists aggregated from multiple OSINT sources, honeypot networks, and C2 trackers. Multi-source validation, confidence-based tiers, and CDN-aware whitelisting.
⚠️ License Notice: Each OSINT feed is governed by its own terms. Users must review original source documentation for specific licensing details.
Confidence-based tiers with multi-source validation
| Tier | Blocklist | Download |
|---|---|---|
| 🎯 High | High Confidence (Limited ~5K) | 📥 Download |
| 🎯 High | High Confidence (Unlimited) | 📥 Download |
| ⚖️ Medium | Medium Confidence (Limited ~25K) | 📥 Download |
| ⚖️ Medium | Medium Confidence (Unlimited) | 📥 Download |
| 🔬 Low | Low Confidence (All Others) | 📥 Download |
| 📊 Research | Full Research Blocklist | 📥 Download |
| 🗄️ Archive | Permanent (Append-Only) | 📥 Download |
🔍 Confidence Scoring Details
Multi-Source Validation: IPs are scored by how many independent threat intelligence sources report them.
| Tier | Threshold | Description |
|---|---|---|
| 🎯 High Limited | 5+ sources | Strictest tier - confirmed malicious across 5+ feeds |
| 🎯 High Unlimited | 3+ sources | High confidence - validated by 3+ independent sources |
| ⚖️ Medium | 2+ sources | Medium confidence - corroborated by 2 sources |
| 🔬 Low | 1 source | Single-source reports - use with caution |
Example: An IP reported by ThreatFox, Feodo Tracker, IPsum, CINS Score, and Blocklist.de would have source_count=5 → appears in High Limited.
Whitelist Protection: CDN ranges (Cloudflare, Akamai, Fastly, Tailscale) are automatically excluded to prevent false positives.
Independent category processing - import any/all into Pi-hole/AdGuard
| Category | Blocklist | Download |
|---|---|---|
| 🛡️ Security | Malicious Domains | 📥 Download |
| 📧 Spam | Spam/Scam/Abuse Domains | 📥 Download |
| 📺 Privacy | Ads & Tracking Domains | 📥 Download |
| 🗄️ Archive | Permanent Domains (Append-Only) | 📥 Download |
Reduce false positives using these curated lists:
| Name | Purpose | Raw URL |
|---|---|---|
| Removed IPs | Legitimate IPs removed from blocklists | 📥 Raw |
| Whitelisted IPs | Critical infrastructure IPs (Cloudflare, Akamai, Fastly) | 📥 Raw |
- Actively monitored infrastructure across 50+ threat actors:
| C2s | Malware | Botnets |
|---|---|---|
| Cobalt Strike | AcidRain Stealer | 7777 |
| Metasploit Framework | Misha Stealer (AKA Grand Misha) | BlackNET |
| Covenant | Patriot Stealer | Doxerina |
| Mythic | RAXNET Bitcoin Stealer | Scarab |
| Brute Ratel C4 | Titan Stealer | 63256 |
| Posh | Collector Stealer | Kaiji |
| Sliver | Mystic Stealer | MooBot |
| Deimos | Gotham Stealer | Mozi |
| PANDA | Meduza Stealer | |
| NimPlant C2 | Quasar RAT | |
| Havoc C2 | ShadowPad | |
| Caldera | AsyncRAT | |
| Empire | DcRat | |
| Ares | BitRAT | |
| Hak5 Cloud C2 | DarkComet Trojan | |
| Pantegana | XtremeRAT Trojan | |
| Supershell | NanoCore RAT Trojan | |
| Poseidon C2 | Gh0st RAT Trojan | |
| Viper C2 | DarkTrack RAT Trojan | |
| Vshell | njRAT Trojan | |
| Villain | Remcos Pro RAT Trojan | |
| Nimplant C2 | Poison Ivy Trojan | |
| RedGuard C2 | Orcus RAT Trojan | |
| Oyster C2 | ZeroAccess Trojan | |
| byob C2 | HOOKBOT Trojan | |
| | RisePro Stealer | |
| | NetBus Trojan | |
| | Bandit Stealer | |
| | Mint Stealer | |
| | Mekotio Trojan | |
| | Gozi Trojan | |
| | Atlandida Stealer | |
| | VenomRAT | |
| | Orcus RAT | |
| | BlackDolphin | |
| | Artemis RAT | |
| | Godzilla Loader | |
| | Jinx Loader | |
| | Netpune Loader | |
| | SpyAgent | |
| | SpiceRAT | |
| | Dust RAT | |
| | Pupy RAT | |
| | Atomic Stealer | |
| | Lumma Stealer | |
| | Serpent Stealer | |
| | Axile Stealer | |
| | Vector Stealer | |
| | Z3us Stealer | |
| | Rastro Stealer | |
| | Darkeye Stealer | |
| | AgniStealer | |
| | Epsilon Stealer | |
| | Bahamut Stealer | |
| | Unam Web Panel / SilentCryptoMiner | |
| | Vidar Stealer | |
| | Kraken RAT | |
| | Bumblebee Loader | |
| | Viper RAT | |
| | Spectre Stealer | |
- Sources: Curated feeds including C2 servers, honeypot data, mass scanners, and OSINT feeds.
| Sources | Source URL |
|---|---|
| C2 IP Feed | C2_iplist.txt |
| Honeypot Master list | honeypot_iplist.txt |
| maltrail_scanners | maltrail_ips.txt |
| botvrij_eu | botvrij_eu |
| feodotracker | feodotracker |
| feodotracker_recommended | feodotracker_recommended |
| Blocklist_de_all | Blocklist_de_all |
| ThreatView_High_Confidence | ThreatView_High_Confidence |
| IPsumLevel_7 | IPsumLevel7 |
| CINS_Score | CINS_Score |
| DigitalSide | DigitalSide |
| duggytuxy | duggytuxy |
| etnetera.cz | etnetera.cz |
| emergingthreats-compromised | ET_Comp |
| greensnow.co | greensnow.co |
| Threatfox | Threatfox |
| More coming Soon! | Future Updates |
- Whitelist Coverage Matrix:
| Provider | Type | Coverage | Source Link |
|---|---|---|---|
| Cloudflare | CDN IPv4/IPv6 | Global CDN | Cloudflare IPs |
| Akamai | CDN IPv4/IPv6 | Global CDN & Shield IPs | Akamai IPs |
| Fastly | CDN IPv4/IPv6 | Global CDN | Fastly IPs |
| Tailscale | DERP & Control Panel | Relay servers and control plane | Tailscale DERP |
| Uptime Robot | IPv4 | UptimeRobot Monitoring | UptimeRobot IPs |
Gratitude to our OSINT partners
This project stands on the shoulders of these valuable resources:
- Abuse.ch - Feodo Tracker
- Botvrij.eu - Threat Intelligence
- Blocklist.de - Attack Data
- CINS Army - Threat Scoring
- DigitalSide - Italian CERT
- ...and 10+ other community maintainers
Special Thanks to MontySecurity for their C2 Tracker framework and elliotwutingfeng for Inversion DNSBL Blocklists.
Help us build the most reliable threat intelligence feed in the open-source community! 🚀
We welcome contributions from security researchers, network administrators, and cybersecurity enthusiasts to enhance this resource for:
- 🏠 Individuals: Strengthen personal network security with accurate blocklists
- 🏢 SMBs: Deploy cost-effective threat blocking without enterprise overhead
- 🏗️ Enterprises: Integrate scalable, production-ready threat intelligence
We're particularly interested in contributions that help us:
- 🔄 Deduplication: Eliminate redundant entries across multiple feeds
- 🎯 False Positive Reduction: Identify and remove legitimate IPs/domains incorrectly flagged
- ✅ Validation: Flag outdated indicators or confirm active threats
- 🏷️ Context Enhancement: Add threat actor attribution, geolocation tags, or threat categories
- ⚡ Automation: Suggest workflow improvements for data processing and curation
Get involved in multiple ways:
- 📝 Submit Verified IOCs - Add new threat indicators via Pull Request with source attribution
- 🐛 Report Issues - Flag duplicates, false positives, or outdated entries in GitHub Issues
- 💬 Share Feedback - Help improve enterprise/SMB integration patterns and use cases
- 📚 Documentation - Enhance guides for non-technical users and integration tutorials
- 🔧 Code Contributions - Improve processing scripts, add new data sources, or enhance automation
Every contribution helps make cybersecurity more accessible and effective for everyone! 🌐
📧 Email: spydisec@proton.me