Live IOC Feed — Indicators of Compromise
Live Indicators of Compromise (IOC) Feed
Threatstealth aggregates live indicators of compromise from 9 threat intelligence vendor feeds — malicious IP addresses, domains, file hashes, and URLs — updated every 5 minutes for active threat detection and blocking.
- IP reputation feed — malicious IPv4 and IPv6 addresses from 9 aggregated vendor intelligence sources
- Domain intelligence — phishing domains, C2 infrastructure, and malware distribution sites
- File hash feed — MD5, SHA-1, and SHA-256 hashes of known malware and suspicious executables
- URL feed — malicious URLs, phishing links, and drive-by download sources
- 5-minute update cycle — lowest-latency IOC aggregation for real-time detection and firewall blocking
IOC Feed Architecture: Aggregation, Deduplication, and Normalisation
The Threatstealth IOC aggregation pipeline ingests raw indicator data from nine source feeds on independent polling schedules ranging from one to fifteen minutes depending on feed update frequency and criticality. Indicators from all sources are processed through a deduplication engine that merges duplicate entries across feeds while preserving multi-source attribution — an IP address seen in five separate feeds carries a higher confidence score than one seen in only one. All indicators are normalised into a unified schema with standardised indicator type classifications, confidence tiers, severity ratings, and enrichment fields before entering the delivery pipeline.
- Nine-source ingestion — independent polling of commercial and open-source intelligence feeds with source-specific cadences
- Deduplication engine — cross-source merging that increases confidence scores for indicators appearing in multiple feeds
- Schema normalisation — unified indicator format with standardised type, severity, confidence, and enrichment fields
- Confidence tiering — three-tier confidence model (Low/Medium/High) based on source count and source reliability scores
- Enrichment pipeline — automatic ASN lookup, geolocation, WHOIS data, and threat actor tagging for each indicator
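A minimal version of the aggregation stage described above (normalisation into a unified schema, cross-feed deduplication with multi-source attribution, and Low/Medium/High confidence tiering from source count and source reliability), written as an added example; it is not Threatstealth's code, and the feed names, reliability weights and sample records are constructed for illustration.

```python
from dataclasses import dataclass, field
# Constructed reliability weights per source feed (0..1); the feed names are hypothetical.
SOURCE_RELIABILITY = {"feed_a": 0.9, "feed_b": 0.7, "feed_c": 0.5}

@dataclass
class Indicator:
    type: str                                   # "ipv4", "domain", "sha256" or "url"
    value: str                                  # normalised indicator value
    sources: set = field(default_factory=set)   # multi-source attribution
    first_seen: str = ""
    last_seen: str = ""

def classify(raw):
    """Normalise a raw feed value (case, whitespace, trailing dot) and infer its type."""
    v = raw.strip().lower()
    if v.startswith(("http://", "https://")):
        return "url", v
    if v.count(".") == 3 and all(p.isdigit() and int(p) <= 255 for p in v.split(".")):
        return "ipv4", v
    if len(v) == 64 and all(c in "0123456789abcdef" for c in v):
        return "sha256", v
    return "domain", v.rstrip(".")

def confidence_tier(sources):
    """Low/Medium/High from source count and the summed reliability of those sources."""
    score = sum(SOURCE_RELIABILITY.get(s, 0.3) for s in sources)
    if len(sources) >= 3 or score >= 1.5:
        return "High"
    if len(sources) == 2 or score >= 0.8:
        return "Medium"
    return "Low"

def aggregate(records):
    """Deduplicate on (type, value) across feeds, merging attribution and sighting times."""
    merged = {}
    for source, raw, ts in records:
        itype, value = classify(raw)
        ind = merged.setdefault((itype, value), Indicator(itype, value))
        ind.sources.add(source)
        ind.first_seen = min(filter(None, [ind.first_seen, ts]))
        ind.last_seen = max(ind.last_seen, ts)
    return {k: (v, confidence_tier(v.sources)) for k, v in merged.items()}

# Constructed sample feed records: (source feed, raw indicator, ISO-8601 timestamp).
SAMPLE = [
    ("feed_a", "203.0.113.10", "2024-05-01T10:00:00Z"),
    ("feed_b", "203.0.113.10", "2024-05-01T10:05:00Z"),
    ("feed_a", "EXAMPLE-PHISH.test.", "2024-05-01T10:02:00Z"),
    ("feed_c", "example-phish.test", "2024-05-01T10:09:00Z"),
    ("feed_b", "http://example-phish.test/login", "2024-05-01T10:03:00Z"),
]
```

Running `aggregate(SAMPLE)` collapses the five records into three indicators: the IP seen by two reliable feeds tiers High, the domain seen under two spellings tiers Medium, and the single-source URL tiers Low.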
IP Reputation Intelligence: Malicious Address Classification
The IP reputation component of the IOC feed covers malicious IPv4 and IPv6 addresses across multiple abuse categories: command-and-control server infrastructure, known botnet endpoints, brute-force attack sources, scanning infrastructure, and Tor exit nodes frequently used to anonymise attacks. Each IP entry includes the abuse category, confidence score, first-seen and last-seen timestamps, and source attribution. Threatstealth cross-references newly added IPs against the current WAF and EDR alert queues to surface cases where the organisation is already interacting with newly flagged malicious infrastructure, enabling retrospective investigation of historical sessions with the flagged addresses.
- C2 infrastructure — command-and-control server IP addresses used by active malware families and botnets
- Botnet endpoint coverage — known infected host IPs participating in DDoS, spam, and credential stuffing botnets
- Scanner identification — IP addresses operated by aggressive security scanners, grey-market researchers, and attackers
- Tor exit node coverage — Tor network exit node addresses frequently used to anonymise attacks and credential abuse
- Retrospective alert correlation — new IP additions matched against historical WAF and EDR alert data automatically
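The retrospective correlation step above, as an added example rather than Threatstealth's own code: a batch of newly added IP indicators is matched against historical WAF log lines and the hits are ordered for investigation by confidence tier and hit count. It assumes NCSA-style access-log lines; the log lines and the indicator batch are constructed.

```python
import re
from collections import defaultdict

# Constructed WAF-style access-log lines (client IP, timestamp, request line, HTTP status).
WAF_LOG = """\
203.0.113.10 - - [01/May/2024:09:41:12 +0000] "POST /wp-login.php HTTP/1.1" 403
198.51.100.7 - - [01/May/2024:09:42:03 +0000] "GET /index.html HTTP/1.1" 200
203.0.113.10 - - [01/May/2024:09:45:30 +0000] "POST /wp-login.php HTTP/1.1" 403
192.0.2.44 - - [01/May/2024:09:50:01 +0000] "GET /api/v1/users HTTP/1.1" 200
not a log line at all
""".splitlines()

# Constructed batch of newly added IP indicators: value -> (abuse category, confidence tier).
NEW_IPS = {"203.0.113.10": ("brute-force", "High"), "192.0.2.44": ("scanner", "Medium")}

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TIER_RANK = {"High": 0, "Medium": 1, "Low": 2}

def parse_waf_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def correlate(log_lines, new_ips):
    """Match historical log lines against newly flagged IPs.
    Returns {ip: {"category", "confidence", "hits": [(ts, request, status), ...]}}."""
    hits = defaultdict(list)
    for line in log_lines:
        rec = parse_waf_line(line)
        if rec and rec["ip"] in new_ips:          # unparseable lines are skipped
            hits[rec["ip"]].append((rec["ts"], rec["req"], int(rec["status"])))
    return {ip: {"category": new_ips[ip][0], "confidence": new_ips[ip][1], "hits": h}
            for ip, h in hits.items()}

def triage(matches):
    """Order correlated IPs for investigation: higher confidence first, then more hits."""
    return sorted(matches, key=lambda ip: (TIER_RANK[matches[ip]["confidence"]],
                                           -len(matches[ip]["hits"])))
```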
Domain Intelligence and URL Reputation Coverage
Domain and URL intelligence covers three primary threat categories: phishing domains (sites impersonating legitimate services to harvest credentials), malware distribution networks (domains and URLs delivering malicious payloads), and command-and-control infrastructure (domains used by malware families for beacon communication and tasking). Domain entries include registration age, registrar, hosting provider, associated IP addresses, and any known malware family associations. The URL feed covers specific malicious endpoints within otherwise legitimate domains — including compromised WordPress sites hosting phishing kits and legitimate file-sharing services used to distribute malware.
- Phishing domain coverage — newly registered and active phishing domains impersonating financial, cloud, and enterprise services
- Malware distribution URLs — specific URLs delivering exploit kits, drive-by downloads, and malicious document templates
- C2 domain coverage — command-and-control domains used by RATs, ransomware, and advanced persistent threat groups
- Domain registration intelligence — age, registrar, and hosting provider data to assess newly registered suspicious domains
- Compromised site tracking — legitimate domains temporarily hosting malicious content flagged for monitoring or blocking
File Hash Intelligence and Malware Family Attribution
The file hash component of the IOC feed provides MD5, SHA-1, and SHA-256 hashes for known malicious executables, document-based malware, ransomware payloads, and suspicious scripts. Each hash entry includes malware family attribution where identification has been performed through sandbox analysis or signature matching, severity classification, first-seen date, and any associated campaign tags. For SOC teams, hash-based IOC matching provides definitive malware identification when a file hash matches the feed — eliminating the ambiguity that accompanies behaviour-based detections and enabling immediate confident classification of flagged files as known-malicious.
- Ransomware payload hashes — executables and scripts associated with active ransomware families and affiliate campaigns
- RAT and backdoor coverage — remote access trojan and backdoor binary hashes across major malware families
- Document malware — malicious Office and PDF file hashes used in phishing and spear-phishing campaigns
- Malware family attribution — sandbox analysis-confirmed family labels for hash entries where identification is available
- EDR integration — direct import of hash IOCs into EDR custom indicator lists for automatic file blocking