Update: Blocklists are now served from Cloudflare R2 for faster global delivery and reduced latency. Use the download links below instead of raw GitHub URLs. Website & API coming soon!
Comprehensive threat intelligence blocklists aggregated from multiple OSINT sources, honeypot networks, and C2 trackers. Multi-source validation, confidence-based tiers, and CDN-aware whitelisting.
License Notice: Each OSINT feed is governed by its own terms. Users must review original source documentation for specific licensing details.
Confidence-based tiers with multi-source validation
| Tier | Blocklist | Download |
|---|---|---|
| High | High Confidence (Limited ~5K) | Download |
| High | High Confidence (Unlimited) | Download |
| Medium | Medium Confidence (Limited ~25K) | Download |
| Medium | Medium Confidence (Unlimited) | Download |
| Low | Low Confidence (All Others) | Download |
| Research | Full Research Blocklist | Download |
| Archive | Permanent (Append-Only) | Download |
Confidence Scoring Details
Multi-Source Validation: IPs are scored by how many independent threat intelligence sources report them.
| Tier | Threshold | Description |
|---|---|---|
| High Limited | 5+ sources | Strictest tier - confirmed malicious across 5+ feeds |
| High Unlimited | 3+ sources | High confidence - validated by 3+ independent sources |
| Medium | 2+ sources | Medium confidence - corroborated by 2 sources |
| Low | 1 source | Single-source reports - use with caution |
Example: An IP reported by ThreatFox, Feodo Tracker, IPsum, CINS Score, and Blocklist.de would have `source_count=5` → appears in High Limited.
Whitelist Protection: CDN ranges (Cloudflare, Akamai, Fastly, Tailscale) are automatically excluded to prevent false positives.
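The scoring and whitelist steps described above, sketched as an added example (not the project's own processing code). The feed contents and the whitelisted range are constructed from RFC 5737 documentation addresses, and `score_ips` is a hypothetical name. It assumes each IP is placed in the strictest tier it qualifies for and does not model the ~5K/~25K size caps.

```python
import ipaddress
from collections import defaultdict

# Thresholds from the tier table above: minimum number of independent sources.
TIERS = [("high_limited", 5), ("high_unlimited", 3), ("medium", 2), ("low", 1)]

def score_ips(feeds, whitelist_cidrs):
    """Return {ip: (source_count, tier)}, skipping whitelisted addresses.

    feeds: {source_name: iterable of lines}; a source counts once per IP
    whitelist_cidrs: CIDR strings whose addresses must never be listed
    """
    allow = [ipaddress.ip_network(c) for c in whitelist_cidrs]
    seen = defaultdict(set)  # ip -> set of source names (dedupes within a feed)
    for source, lines in feeds.items():
        for line in lines:
            entry = line.split("#", 1)[0].strip()  # drop comments and blanks
            if not entry:
                continue
            try:
                ip = ipaddress.ip_address(entry)
            except ValueError:
                continue  # malformed feed line: drop rather than guess
            if any(ip.version == net.version and ip in net for net in allow):
                continue  # whitelist wins regardless of how many feeds agree
            seen[ip].add(source)
    result = {}
    for ip, sources in seen.items():
        n = len(sources)
        tier = next(name for name, minimum in TIERS if n >= minimum)
        result[str(ip)] = (n, tier)
    return result

# Constructed sample data (documentation ranges, not real indicators).
SAMPLE_FEEDS = {
    "ThreatFox": ["192.0.2.10", "192.0.2.20", "203.0.113.7"],
    "Feodo Tracker": ["192.0.2.10", "192.0.2.20", "198.51.100.9"],
    "IPsum": ["192.0.2.10", "192.0.2.20", "192.0.2.10  # duplicate line"],
    "CINS Score": ["192.0.2.10", "198.51.100.5", "not-an-ip"],
    "Blocklist.de": ["192.0.2.10", "198.51.100.5", "203.0.113.7"],
}
SAMPLE_WHITELIST = ["203.0.113.0/24"]  # stands in for a CDN range

if __name__ == "__main__":
    scored = score_ips(SAMPLE_FEEDS, SAMPLE_WHITELIST)
    for ip, (count, tier) in sorted(scored.items()):
        print(f"{ip}\tsource_count={count}\t{tier}")
```

Counting distinct source names rather than raw lines keeps a feed that repeats an entry from inflating the score, and applying the whitelist before counting keeps shared CDN addresses out of every tier.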
Independent category processing - import any/all into Pi-hole/AdGuard
| Category | Blocklist | Download |
|---|---|---|
| Security | Malicious Domains | Download |
| Spam | Spam/Scam/Abuse Domains | Download |
| Privacy | Ads & Tracking Domains | Download |
| Archive | Permanent Domains (Append-Only) | Download |
Reduce false positives using these curated lists:
| Name | Purpose | Raw URL |
|---|---|---|
| Removed IPs | Legitimate IPs removed from blocklists | Raw |
| Whitelisted IPs | Critical infrastructure IPs (Cloudflare, Akamai, Fastly) | Raw |
| Community IPs | Community-submitted IP whitelist | Raw |
| Community Domains | Community-submitted domain whitelist | Raw |
Found a false positive? Submit a Whitelist IP Request or Whitelist Domain Request - automated validation and processing via GitHub Actions.
- Actively monitored infrastructure across 50+ threat actors:
| C2s | Malware | Botnets |
|---|---|---|
| Cobalt Strike | AcidRain Stealer | 7777 |
| Metasploit Framework | Misha Stealer (AKA Grand Misha) | BlackNET |
| Covenant | Patriot Stealer | Doxerina |
| Mythic | RAXNET Bitcoin Stealer | Scarab |
| Brute Ratel C4 | Titan Stealer | 63256 |
| Posh | Collector Stealer | Kaiji |
| Sliver | Mystic Stealer | MooBot |
| Deimos | Gotham Stealer | Mozi |
| PANDA | Meduza Stealer | |
| NimPlant C2 | Quasar RAT | |
| Havoc C2 | ShadowPad | |
| Caldera | AsyncRAT | |
| Empire | DcRat | |
| Ares | BitRAT | |
| Hak5 Cloud C2 | DarkComet Trojan | |
| Pantegana | XtremeRAT Trojan | |
| Supershell | NanoCore RAT Trojan | |
| Poseidon C2 | Gh0st RAT Trojan | |
| Viper C2 | DarkTrack RAT Trojan | |
| Vshell | njRAT Trojan | |
| Villain | Remcos Pro RAT Trojan | |
| Nimplant C2 | Poison Ivy Trojan | |
| RedGuard C2 | Orcus RAT Trojan | |
| Oyster C2 | ZeroAccess Trojan | |
| byob C2 | HOOKBOT Trojan | |
| | RisePro Stealer | |
| | NetBus Trojan | |
| | Bandit Stealer | |
| | Mint Stealer | |
| | Mekotio Trojan | |
| | Gozi Trojan | |
| | Atlandida Stealer | |
| | VenomRAT | |
| | Orcus RAT | |
| | BlackDolphin | |
| | Artemis RAT | |
| | Godzilla Loader | |
| | Jinx Loader | |
| | Netpune Loader | |
| | SpyAgent | |
| | SpiceRAT | |
| | Dust RAT | |
| | Pupy RAT | |
| | Atomic Stealer | |
| | Lumma Stealer | |
| | Serpent Stealer | |
| | Axile Stealer | |
| | Vector Stealer | |
| | Z3us Stealer | |
| | Rastro Stealer | |
| | Darkeye Stealer | |
| | AgniStealer | |
| | Epsilon Stealer | |
| | Bahamut Stealer | |
| | Unam Web Panel / SilentCryptoMiner | |
| | Vidar Stealer | |
| | Kraken RAT | |
| | Bumblebee Loader | |
| | Viper RAT | |
| | Spectre Stealer | |
- Sources: Curated feeds including C2 servers, honeypot data, mass scanners, and OSINT feeds.
| Sources | Source URL |
|---|---|
| C2 IP Feed | C2_iplist.txt |
| Honeypot Master list | honeypot_iplist.txt |
| maltrail_scanners | maltrail_ips.txt |
| botvrij_eu | botvrij_eu |
| feodotracker | feodotracker |
| feodotracker_recommended | feodotracker_recommended |
| Blocklist_de_all | Blocklist_de_all |
| ThreatView_High_Confidence | ThreatView_High_Confidence |
| IPsumLevel_7 | IPsumLevel7 |
| CINS_Score | CINS_Score |
| DigitalSide | DigitalSide |
| duggytuxy | duggytuxy |
| etnetera.cz | etnetera.cz |
| emergingthreats-compromised | ET_Comp |
| greensnow.co | greensnow.co |
| Threatfox | Threatfox |
| More coming Soon! | Future Updates |
- Whitelist Coverage Matrix:
| Provider | Type | Coverage | Source Link |
|---|---|---|---|
| Cloudflare | CDN IPv4/IPv6 | Global CDN | Cloudflare IPs |
| Akamai | CDN IPv4/IPv6 | Global CDN & Shield IPs | Akamai IPs |
| Fastly | CDN IPv4/IPv6 | Global CDN | Fastly IPs |
| Tailscale | DERP & Control Panel | Relay servers and control plane | Tailscale DERP |
| Uptime Robot | IPv4 | UptimeRobot Monitoring | UptimeRobot IPs |
Gratitude to our OSINT partners
This project stands on the shoulders of these valuable resources:
- Abuse.ch - Feodo Tracker
- Botvrij.eu - Threat Intelligence
- Blocklist.de - Attack Data
- CINS Army - Threat Scoring
- DigitalSide - Italian CERT
- ...and 10+ other community maintainers
Special Thanks to MontySecurity for their C2 Tracker framework and elliotwutingfeng for Inversion DNSBL Blocklists.
Help us build the most reliable threat intelligence feed in the open-source community!
We welcome contributions from security researchers, network administrators, and cybersecurity enthusiasts to enhance this resource for:
- Individuals: Strengthen personal network security with accurate blocklists
- SMBs: Deploy cost-effective threat blocking without enterprise overhead
- Enterprises: Integrate scalable, production-ready threat intelligence
We're particularly interested in contributions that help us:
- Deduplication: Eliminate redundant entries across multiple feeds
- False Positive Reduction: Identify and remove legitimate IPs/domains incorrectly flagged
- Validation: Flag outdated indicators or confirm active threats
- Context Enhancement: Add threat actor attribution, geolocation tags, or threat categories
- Automation: Suggest workflow improvements for data processing and curation
Get involved in multiple ways:
- Request Whitelisting - Submit a Whitelist IP or Whitelist Domain request to report false positives (automated validation & processing)
- Report Issues - Flag duplicates, false positives, or outdated entries in GitHub Issues
- Share Feedback - Help improve enterprise/SMB integration patterns and use cases
- Documentation - Enhance guides for non-technical users and integration tutorials
- Code Contributions - Improve processing scripts, add new data sources, or enhance automation
Every contribution helps make cybersecurity more accessible and effective for everyone!
Email: spydisec@proton.me