PhishPond: Offensive and Defensive Phishing Intelligence Journal


GitHub Radar: Blue team tool

0xDanielLopez/TweetFeed

TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community on Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes.

650 stars, 68 forks, pushed Apr 26, 2026


README Preview

Fetched from GitHub

<div align="center"> <h1 align="center">TweetFeed</h1> <h3 align="center">Feeds of IOCs posted by the community on Twitter</h3>

<p align="center"> <b> <a href="https://tweetfeed.live">TweetFeed.live</a>&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp; <a href="https://github.com/0xDanielLopez/TweetFeed_code">Source code</a>&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp; <a href="https://tweetfeed.live/feedback.html">Feedback</a> </b> </p>

<h6 class="info-span"> Want to integrate with OpenCTI? <a class="info-link" href="https://github.com/OpenCTI-Platform/connectors/tree/master/external-import/tweetfeed" target="_blank">Now you can!</a> </h6>

---

Image: TweetFeed.live

--- </div>

☰ Content

  • Data collected
  • Some statistics
  • How it works
  • Hunting IOCs via Microsoft Defender
  • Author
  • Disclaimer

:heart: Support the project

If you like the project, please consider:

  • Giving it a star :star:
  • Inviting me for a coffee :coffee:

:page_facing_up: Data collected

<div align="center">

<h3>Feeds</h3>

<table> <thead> </thead> <tbody> <tr> <th colspan=4>2026-04-26 20:15:11 (UTC)</th> </tr> <tr> <th>Today</th> <th>Last 7 days</th> <th>Last 30 days</th> <th>Last 365 days</th> </tr> <tr> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/today.csv">Today</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/week.csv">Week</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/month.csv">Month</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/year.csv">Year</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv">raw</a>)</td> </tr> </tbody> </table> </div>

<div align="center">

<h3>Output example</h3>

<table> <thead> <tr> <th><sub>Date (UTC)</sub></th> <th><sub>SourceUser</sub></th> <th><sub>Type</sub></th> <th><sub>Value</sub></th> <th><sub>Tags</sub></th> <th><sub>Tweet</sub></th> </tr> </thead> <tbody> <tr> <td><sub>2021-08-14 02:26:32</sub></td> <td><sub>phishunt_io</sub></td> <td><sub>url</sub></td> <td><sub>https://netflix.us2.cards/</sub></td> <td><sub>#phishing #scam</sub></td> <td><sub>https://twitter.com/phishunt_io/status/1426369619422502917</sub></td> </tr> <tr> <td><sub>2021-08-17 12:15:00</sub></td> <td><sub>TheDFIRReport</sub></td> <td><sub>ip</sub></td> <td><sub>185.56.76.94</sub></td> <td><sub>#Trickbot</sub></td> <td><sub>https://twitter.com/TheDFIRReport/status/1427604874053578756</sub></td> </tr> </tbody> </table> </div>

:bar_chart: Some statistics

<div align="center">

<h3>Types</h3>

| Type | Today | Week | Month | Year |
| :--- | :---: | :---: | :---: | :---: |
| :link: URLs | 31 | 376 | 1825 | 58955 |
| :globe_with_meridians: Domains | 26 | 258 | 1344 | 38583 |
| :triangular_flag_on_post: IPs | 7 | 149 | 742 | 20195 |
| :1234: SHA256 | 0 | 11 | 53 | 1256 |
| :1234: MD5 | 1 | 39 | 124 | 3375 |

</div>

---

<div align="center">

<h3>Tags</h3>

| Tag | Today | Week | Month | Year |
| :--- | :---: | :---: | :---: | :---: |
| #phishing | 22 | 291 | 1203 | 45773 |
| #scam | 0 | 0 | 34 | 7410 |
| #opendir | 0 | 12 | 69 | 776 |
| #malware | 3 | 51 | 157 | 4517 |
| #maldoc | 0 | 0 | 0 | 0 |
| #ransomware | 2 | 8 | 41 | 1029 |
| #banker | 0 | 0 | 0 | 6 |
| #AgentTesla | 0 | 2 | 2 | 87 |
| #Alienbot | 0 | 0 | 0 | 0 |
| #AsyncRAT | 0 | 0 | 20 | 1645 |
| #Batloader | 0 | 0 | 0 | 0 |
| #BazarLoader | 0 | 0 | 0 | 0 |
| #CobaltStrike | 0 | 0 | 4 | 7610 |
| #Dcrat | 0 | 0 | 2 | 308 |
| #Emotet | 0 | 0 | 0 | 0 |
| #Formbook | 0 | 1 | 1 | 577 |
| #GootLoader | 0 | 0 | 0 | 0 |
| #GuLoader | 0 | 0 | 0 | 38 |
| #IcedID | 0 | 0 | 0 | 0 |
| #Lazarus | 0 | 0 | 13 | 152 |
| #Lokibot | 0 | 0 | 0 | 157 |
| #log4j | 0 | 3 | 3 | 7 |
| #Log4shell | 0 | 0 | 0 | 0 |
| #Njrat | 0 | 0 | 14 | 771 |
| #Qakbot | 0 | 0 | 0 | 759 |
| #Raccoon | 0 | 1 | 1 | 4 |
| #RedLine | 0 | 0 | 0 | 123 |
| #Remcos | 0 | 5 | 20 | 2151 |
| #RaspberryRobin | 0 | 0 | 0 | 0 |
| #Spring4Shell | 0 | 0 | 0 | 0 |
| #SocGholish | 0 | 0 | 0 | 7 |
| #Ursnif | 0 | 0 | 0 | 0 |

</div>

---

<div align="center">

<h3>Top Reporters (today)</h3>

| Number | User | IOCs |
| :--- | :---: | :---: |
| #1 | K_N1kolenko | 25 |
| #2 | skocherhan | 20 |
| #3 | urldna_bot | 16 |
| #4 | Metemcyber | 16 |
| #5 | smica83 | 9 |
| #6 | @Phish_Destroy | 6 |
| #7 | @CarlyGriggs13 | 4 |
| #8 | @urldna_bot | 2 |
| #9 | PhishStats | 3 |
| #10 | masaomi346 | 2 |

</div>

:question: How it works

TweetFeed searches for tweets that contain certain tags or that are posted by certain infosec people.

Tags being searched
(not case sensitive)
- #phishing
- #scam
- #opendir
- #malware
- #maldoc
- #ransomware
- #banker
- #AgentTesla
- #Alienbot
- #AsyncRAT
- #BazarLoader
- #Batloader
- #CobaltStrike
- #Dcrat
- #Emotet
- #Formbook
- #GootLoader
- #GuLoader
- #IcedID
- #Lazarus
- #Lokibot
- #log4j
- #Log4shell
- #Njrat
- #Qakbot
- #Raccoon
- #RedLine
- #Remcos
- #RaspberryRobin
- #Spring4Shell
- #SocGholish
- #Ursnif
Also search Tweets posted by
(these are trusted folks that sometimes don't use tags)

<big><pre> **TweetFeed list** </pre></big>

:mag: Hunting IOCs via Microsoft Defender

1. Search `SHA256` hashes with `yearly` tweets feed

```kusto
// Look back 30 days in the Defender device tables.
let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
    'XXX' // Some SHA256 hash you want to whitelist.
);
// Load the yearly feed once. Each line is one CSV row:
// date, user, type, value, tags, tweet.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    | extend SHA256 = tostring(report[3])
    | where SHA256 !in(SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet
);
// Match the feed hashes against process, file and image-load events.
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet
```

<br>

2. Search `IP addresses` with `monthly` tweets feed

```kusto
// Look back 30 days in the Defender device tables.
let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
    'XXX' // Some IP address you want to whitelist.
);
// Load the monthly feed once and keep only the 'ip' rows.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in(IPaddress_whitelist)
    | where not(ipv4_is_private(RemoteIP)) // Drop private address ranges.
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet
);
// Match the feed addresses against network connections.
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteIP
) | project Timestamp, DeviceName, RemoteIP, Tag, Tweet
```

<br>

3. Search `urls` and `domains` with `weekly` tweets feed

```kusto
// Look back 30 days in the Defender device tables.
let MaxAge = ago(30d);
let domain_whitelist = pack_array(
    'XXX' // Some URL/Domain you want to whitelist.
);
// Load the weekly feed once and keep the 'url' and 'domain' rows.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet
);
// The join is an exact match on the RemoteUrl value.
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteUrl
) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet
```
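The filters these queries apply (type selection, allowlist, private-IP exclusion) can also be run offline before a feed is loaded into a hunt. The following is an added example, not part of the TweetFeed project: it assumes the six-column row order shown in the output example, and `is_valid`, `load_iocs` and the allowlist entry are hypothetical names.

```python
import csv
import ipaddress
import re
from urllib.parse import urlsplit

# Rows 1-2 come from the output example above; rows 3-6 are constructed.
SAMPLE_FEED = """\
2021-08-14 02:26:32,phishunt_io,url,https://netflix.us2.cards/,#phishing #scam,https://twitter.com/phishunt_io/status/1426369619422502917
2021-08-17 12:15:00,TheDFIRReport,ip,185.56.76.94,#Trickbot,https://twitter.com/TheDFIRReport/status/1427604874053578756
2026-01-01 00:00:00,example_user,ip,192.168.1.10,#malware,https://twitter.example/status/1
2026-01-01 00:00:01,example_user,sha256,not-a-real-hash,#malware,https://twitter.example/status/2
2026-01-01 00:00:02,example_user,domain,allowed.example,#phishing,https://twitter.example/status/3
2026-01-01 00:00:03,example_user,md5,short
"""

HEX_RE = {"sha256": re.compile(r"[0-9a-fA-F]{64}"), "md5": re.compile(r"[0-9a-fA-F]{32}")}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z][a-z0-9-]{1,62}")

def is_valid(ioc_type, value):
    """Well-formed for its declared type; IPs must also be globally routable."""
    try:
        if ioc_type in HEX_RE:
            return HEX_RE[ioc_type].fullmatch(value) is not None
        if ioc_type == "ip":
            return ipaddress.ip_address(value).is_global
        if ioc_type == "url":
            parts = urlsplit(value)
            return parts.scheme in ("http", "https") and bool(parts.hostname)
        if ioc_type == "domain":
            return DOMAIN_RE.fullmatch(value.lower()) is not None
    except ValueError:  # malformed IP address or URL
        return False
    return False  # unknown type

def load_iocs(feed_text, allowlist=frozenset()):
    """Return (accepted, rejected); accepted maps type -> sorted unique values."""
    accepted, rejected = {}, []
    for row in filter(None, csv.reader(feed_text.splitlines())):
        if len(row) != 6:
            reason = "wrong column count"
        elif row[3].strip().lower() in allowlist:
            reason = "allowlisted"
        elif not is_valid(row[2].strip().lower(), row[3].strip()):
            reason = "fails type check"
        else:
            accepted.setdefault(row[2].strip().lower(), set()).add(row[3].strip())
            continue
        rejected.append((row, reason))
    return {t: sorted(v) for t, v in accepted.items()}, rejected
```

`is_global` is stricter than the `ipv4_is_private` filter in the second query: it also rejects loopback, link-local and reserved ranges. The rejected list keeps each row with its reason so that dropped indicators can be reviewed rather than silently lost.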

:bust_in_silhouette: Author

  • **Daniel López**


:pushpin: Disclaimer

Please note that all the data is collected from Twitter and sorted/served here as is, on a best-effort basis.

I have tried to tune the searches as much as possible to collect only valuable info. However, please consider making your own analysis before taking any action related to these IOCs.

Anyway, feel free to [reach out to me](https://twitter.com/0xDanielLopez) or to provide any kind of [feedback](https://tweetfeed.live/feedback.html) regarding any contribution or suggestion.

<hr>

<b>By the community, for the community.</b>