Automated Intelligence

Level-Up Your Security Stack with Enriched Threat Feeds

Monitor your cyber ecosystem

Our platform includes a comprehensive array of early detection feeds, which actively monitor domains, IPs, and URLs associated with various licensed and open-source frameworks, including C2 infrastructure.

Ingest threat-specific early detection data

Stay ahead of emerging threats and gain real-time insight into malicious campaigns targeting your organization.

Enrich alerts with risk and reputation scores

Provide context and prioritization to security alerts, enabling your team to focus on the most critical and potentially harmful incidents.

Map out active C2 servers

Monitor command and control servers in real-time, across a range of attack vectors.

Leverage a vast array of endpoints

Access a wide range of data sources and scoring systems to help you assess the trustworthiness and potential risks associated with various digital entities and online activities, including IP, domain, ASN and URL scoring.

Integrate With The World’s Leading First-Party DNS Threat Database

Use the Silent Push API to feed enriched data into your security infrastructure, allowing you to detect and respond to potential threats faster and more efficiently.

Curated Threat Feeds

Our feeds reflect an ongoing commitment to bolstering cyber defenses across the global security community. Real-time IOFA updates  provide your security teams with up-to-date insights that safeguard your digital infrastructure.

1877 Team Domains and IPs

The 1877 Team is a Kurdish hacktivist group founded in July 2021, that has claimed responsibility for large doxing campaigns, massive website defacements, DDoS attacks, and the compromise of servers and databases from governments, universities, telecommunication, defense, and IT corporations. The hacker’s primary targets lie in the Middle East, but African, Asian, and Western organizations have also been affected. The 1877 Team’s self-proclaimed goals include pressuring governments, spreading public dissent, and establishing a reputation within the cybercriminal space.

Two feeds.

7777 Botnet

IPs involved in the 7777 botnet – a 10,000 node botnet that’s used to brute-force Microsoft Azure user credentials.

Android Malware - ERMAC Domains and IPs

ERMAC is an Android banking trojan that overwrites the screen display to steal user’s credentials.

Two feeds – domains and IPs.

Android Malware - Hookbot Domains and IPs.

A malware family based on apk.ermac. It provides WebSocket communication and has RAT capabilities.

Two feeds – domains and IPs.

Android Malware - SpyNote Domains and IPs

SpyNote is spyware that logs and steals a variety of information, including key strokes, call logs, and information on installed applications.

Two feeds – domains and IPs.

APT - APT37 Domains

APT 37 has been active since 2012 and focuses on targeting organisations primarily in South Korea, both from the public and private sectors including electronics, manufacturing, aerospace, chemicals, automotive and healthcare.

APT - BlueNoroff Domains and IPs

BlueNoroff are a threat actor linked to Lazarus. Attacks are financially motivated and target mostly ATMs, banks, fin-tech, and cryptocurrency companies.

Two feeds – domains and IPs.

APT - Flax Typhoon IPs

China-linked Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.

APT - Gamaredon Apex Domains

Gamaredon is a Russian APT that has been active since 2013. The malicious group targets Ukrainian entities and its allies, and uses fast flux and wildcard DNS records to evade detection.

APT - Higaisa Domains and IPs

Higaisa is a South Korean threat actor which activity started in 2009. Targets include governments and public, and private organizations in North Korea, China, Japan, Russia, and other nations.

Two feeds – domains and IPs

APT - Kimusky Domains and IPs

Kimsuky is a North Korean APT group operating since 2012, targeting organizations in South Korea, US and Japan. This feed tracks IPs associated with the c2 infrastructure operated by the group.

Two feeds – domains and IPs.

Assorted Threat Domains and IPs

Domains and IPs used for exploits, malware distribution, phishing attacks, c2, botnets, and other underground criminal activity such as personal data sales and black business forums, among others.

Two feeds – domains and IPs.

Iced ID Domains and IPs

IcedID is a banking Trojan which first emerged in September 2017. It spreads by mail spam campaigns and often uses other malwares like Emotet to help it proliferate. IcedID uses evasive techniques like process injection and steganography and steals user financial data via both redirection attacks (installs a local proxy to redirect users to fake-cloned sites) and web injection attacks. Other than email spam, we have also observed its distribution through malvertisements on search engines. Recent variants of IcedID also have the capability to steal credentials from victims other than financial information.

Two feeds – domains and IPs.

Bazarcall Domains and IPs

Bazarcall works as a callback fraud initiated through phishing emails and potential victims are redirect to fake support pages to connect with modified versions of remote desktop tools to control their systems.

Two feeds – domains and IPs

Bulletproof Hosting Domains and IPs

This feed contains malicious domains and IPs detected in bulletproof hosting infrastructures such as Yalishanda, Eliteteam or DDoS-Guard, among others.

Two feeds – domains and IPs.

1877 Team Domains and IPs

The 1877 Team is a Kurdish hacktivist group founded in July 2021 and has claimed responsibility for large doxing campaigns, massive website defacements, DDoS attacks, and the compromise of servers and databases from governments, universities, telecommunication, defense, and IT corporations. The hacker’s primary targets lie in the Middle East, but African, Asian, and Western organizations have also been affected. The 1877 Team’s self-proclaimed goals include pressuring governments, spreading public dissent, and establishing a reputation within the cybercriminal space. Two feeds.

ACTINIUM Domains

Domains related to ACTINIUM, a Russian threat group which has been operational for almost a decade and has consistently launched attacks against organizations in Ukraine, or entities related to Ukrainian affairs.

Android Malware Domains and IPs

Domains and IPs associated with c2 infrastructure and admin panels of popular trojans associated with Android OS. Two feeds.

APT28 Domains and IPs

Domains and IPs utilized by APT 28 (also known as Fancy Bear), a Russian-based threat actor active since 2008. APT 28 has reportedly attacked infrastructures in the defense, energy, government, media, and aerospace sectors, particularly through the use of phishing campaigns and credential harvesting. Two feeds.

APT36 Domains & IPs

Domains and IPs associated with APT36 (also known as Earth Karkaddan), a Pakistani-based threat group known for targeting government and diplomatic organizations through cyber espionage, phishing, remote access trojans and social engineering. Two feeds.

Assorted Threats Domains and IPs

Various domains and IPs identified on malicious infrastructures seen across the world. The indicators on this feed include domains used for exploits, malware distribution, phishing attacks, command and control domains, botnets, personal data sales and ‘black’ business forums.

Vendor: Silent Push

Banking Malware Domains and IPs

Domains involved in deploying banking malware, such as IcedID, URSNIF, and Zusy, among others. Two feeds.

Bazarcall Domains and IPs

Covers domains and IP addresses for Bazarcall Scam which works as a callback fraud initiated through phishing emails and potential victims are redirected to fake support pages to connect with modified versions of remote desktop tools to control their systems. Silent Push worked with CISA to protect users as some of the federal employees became victims of the campaign as well. Two feeds.

CISA advisory can be seen here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a

BlueNoroff Domains and IPs

Domains and IPs associated with BlueNoroff, a threat actor linked to the North Korean Lazarus group. The attacks from this group are financially motivated, targeting ATMs, banks, fintech, and cryptocurrency platforms. Two feeds.

BulletProof Hosting Domains and IPs

Domains detected in several bulletproof hosting infrastructures such as Yalishanda, Eliteteam or DDoS-Guard, among others. Two feeds.

Clearfake Domains and IPs

ClearFake is a malicious JavaScript framework injected into compromised WordPress sites that delivers other malware using the drive-by download technique. It often spoofs download pages impersonating browser extensions and application updates similar to campaigns like Socghoulish.

Two feeds.

Cloudflare Suspected Phishing Domains

This feed contains domains that present a phishing page warning from Cloudflare.

Cobalt Strike C2 Active Domains and IPs

Domains and IPs with live Cobalt Strike beacons. Two feeds.

Covenant C2 Domains and IPs

Domains and IP addresses that are linked to Covenant – a .NET command and control framework.

GitHub – cobbr/Covenant: Covenant is a collaborative .NET C2 framework for red teamers.

ScreenConnect Exploit IPs

IP addresses involved in exploiting vulnerable ScreenConnect servers (CVE-2024-1708 and CVE-2024-1709)

Emotet Cobalt Strike IPs

Emotet Domains and IPs

Emotet is a banking trojan spread primarily through malspam from malicious documents downloading trojans.

Two feeds – domains and IPs.

Empire C2 IPs

IP addresses that are linked to Empire 4 – a post-exploitation framework that includes a pure-PowerShell Windows agents, Python 3.x Linux/OS X agents, and C# agents.

Exploit Kit Domains

Fake Trading App/Crypto Scam Domains and IPs

Domains and IPs used to propagate several scams impersonating online trading services.

Two feeds – domains and IPs.

Fastflux Domains

Domains hosted on ‘fast flux’ infrastructure – an IP-swapping technique allows threat actors to hide their malicious activities from blocklists and takedowns.

File Extensions TLD Domains

Domains registered with the new .zip or .mov top-level domains. Threat actors might exploit these common file extensions TLDs to conduct malicious attacks, so we catalog these indicators as suspicious.

GoPhish C2 Domaind and IPs

Gophish is a powerful, open-source phishing framework.

https://getgophish.com/

Havoc Framework IPs

Havoc open-source command and control (C2) framework is used as an alternative to paid options such as Cobalt Strike and Brute Ratel. This feed collects C2 servers exposed externally using the post exploitation tool.

Infostealers Domains and IPs

Domains and IPs associated with information-stealing malware – designed to harvest personal information such as cookie data, user names, and passwords. Info stealers have gained popularity among cybercriminals due to their cheap cost and availability in malware-as-a-service products. Two feeds.

Infostealer - Meduza Domains and IPs

Domains and IP addressed involved in the Meduza infostealer network.

Loader - DarkGate Domains and IPs

Domains and IPs associated with Darkgate, a sophisticated malware first observed in 2017, that was exclusively used by its author (dubbed RastaFarEye) and sold as MaaS since July 2023. The malware, which has been distributed via VBS scripts or MSI files spread by malvertising campaigns, emails containing malicious attachments or phishing sent via compromised Teams accounts. Upon infection, the malware has functions capable of stealing credential, cookies and other sensitive information stealing, and download additional payloads such cryptocurrency mining and stealing and ransomware.

Two feeds.

Malvertising Domains and IPs

Domains and IPs linked to SEO poisoning/malvertising campaigns used to propagate malware spoofing AnyDesk, Remote Desktop, OBS, TeamViewer, MSI Afterburner, Blender, Open office, Audacity, Slack, Brave Browser, among others.

Two feeds.

Malicious Infrastructure - Domains

This feed consists of multiple type of campaigns varying from phishing, financial scams, SoucGhoulish fake updates to C2 domains belonging to infostealers and spywares. These are associated with the threat actors renting malicious infrastructure often with BulletProof hosting support.

Malicious Infrastructure - Nameservers

Domains with NS records pointing at suspicious name servers – including phishing activities, C2 operations and botnets.

Meta Phishing Pages

Meta/Facebook Phishing Pages

Metasploit Pro Server IPs

The world’s most used penetration testing framework

https://github.com/rapid7/metasploit-framework

Meterpreter IPs

Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Meterpreter is deployed using in-memory DLL injection. As a result, Meterpreter resides entirely in memory and writes nothing to disk. This feed contains Meterpreter C2 server IPs with public exposure

Mythic C2 Domains and IPs

A cross-platform, post-exploit, red teaming framework – https://github.com/its-a-feature/Mythic

Two feeds.

Nanocore C2 IPs

The NanoCore remote access Trojan (RAT) was first discovered in 2013 when it was being sold in underground forums. The malware has a variety of functions such as keylogger, a password stealer which can remotely pass along data to the malware operator. It also has the ability to tamper and view footage from webcams, screen locking, downloading and theft of files, and more. The current NanoCore RAT is now being spread through malspam campaign which utilizes social engineering in which the email contains fake bank payment receipt and request for quotation.

Open Directories Containing Malware

Pegasus Version 4

Phishing - Domains

Phishing domains from several campaigns across the Internet.

Phishing - Greatness Phishing Kit

Greatness focuses on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages.

Phishing - Microsoft 365 Credential Harvesting

Ongoing phishing campaign impersonating O365 login pages to harvest credentials.

Phishing - Postal Offices and Delivery Services Domains and IPs

Phishing domains involved in postal office/delivery scams.

Two feeds.

Posh C2 IPs

PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement

https://github.com/Nettitude/PoshC2

Prolific Puma Domains and IPs

Prolific Puma provides an underground link shortening service to criminals. Infoblox states that during analysis, no legitimate content was observed being served through their shortener. For operation they use a registered domain generation algorithm (RDGA), based upon which they registered between 35k-75k domain names.

PupyRAT C2 IPs

Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint.

https://github.com/n1nj4sec/pupy

Sandworm IPs

Contains IPs related to the actor known as Sandworm or Voodoo Bear, which is using a new malware, referred to as Cyclops Blink.

Shlayer Domains and IPs

Shlayer is  a family of adware bundlers that target macOS systems.

Two feeds

Silicon Valley Bank Suspect Domains

This feed contains all recently registered domains relating to the collapse of Silicon Valley Bank. Note that not all domains listed here will be malicious.

SPOT - Malicious Traffic

IOC’s collected by our noise collector, and tagged and being malicious.

SPOT - Malware Distribution Host IPs

IPs used to distribute malware

Lumma C2 IPs and Domains

IPs used as Lumma Stealer C2 – an information stealer that was first advertised on a Russian-speaking DarkWeb forum at the end of 2022. The malware is sold as MaaS and specializes in extracting both system data and sensitive information including web browser cookies, history and extensions, two-factor authentication credentials, passwords and cryptocurrency data.

SuperShell C2 IPs

Supershell is a C2 remote control platform accessed through WEB services. By establishing a reverse SSH tunnel, a fully interactive shell can be obtained, and it supports multi-platform architecture Payload.

Suspected Evilginx Domains and IPs

Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.

Suspected Merlin C2 Domains and IPs

Merlin is a cross-platform post-exploitation Command & Control server

https://github.com/Ne0nd0g/merlin

Team TNT Domains

Scattered Spider Domains and IPs

Scattered Spider is a financially motivated threat actor that leverages sophisticated social engineering to target organizations across several industries. The threat actor usually impersonates help desk requesting a password update or reset and directing the targeted employees to a phishing page crafted to mimic the organization’s actual page. This group targets telecom, BPO, financial, insurance and entertainment industries, from which they try to extort money and most recently deploy ransomware.

Two feeds

Trojans - Downloader Domains

This feed contains IoCs associated with trojans that download and execute additional malware on compromised systems.

Trojans - DarkMe Domains

Underground Threats Domains

This feed contains several threats from tracking black markets and underground criminal activity like credit card sale domains, black business forums and sites hosting information about sale of personal data, social media account and passwords, sale of hacked financial accounts for banks and crypto wallets.

Viper C2 IPs

Viper is a RAT-based malware that was able to go undetected by almost all of today’s anti viruses, which is developed by http://neehack.com/

Web Skimmer Domains

Web skimming, also known as digital skimming, is a hacking technique that targets digital businesses by manipulating unmonitored and compromised client side web applications. Usually, these attacks are initiated by placing malicious JavaScript (JS) code strategically on payment and checkout pages of the website where unsuspecting users fill in their personal and financial details. Although commonly found on eCommerce websites, banking, finance, healthcare, tourism, and other eService platforms are also being targeted. This feed consists of domains used in these campaigns.

Worms - Raspberry Robin Domains

Feed containing domains associated with worms – malware that replicates itself to other computers. Some of the worms we track include Raspberry Robin.

Learn more about our early detection feeds

See how our platform provides real-time insights that protects organizations
from all manner of DNS-based attack vectors.