GitHub Radar: Dual-use project
TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community at Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes. 660 stars.
<div align="center"> <h1 align="center">TweetFeed</h1> <h3 align="center">Feeds of IOCs posted by the community on Twitter/X</h3>
<p align="center"> <b> <a href="https://tweetfeed.live">TweetFeed.live</a> | <a href="https://tweetfeed.live/docs/">Docs</a> | <a href="https://tweetfeed.featurebase.app/">Feedback</a> </b> </p>
--- </div>
Everything in the dynamic blocks below (date, type counters, top tags, top reporters, output example) is regenerated by the pipeline every 15 minutes. Hand-written sections are stable.
If you like the project, please consider:
<div align="center">
<h3>CSV feeds</h3>
<table> <thead> </thead> <tbody> <tr> <th colspan=4>2026-06-12 20:00:29 (UTC)</th> </tr> <tr> <th>Today</th> <th>Last 7 days</th> <th>Last 30 days</th> <th>Last 365 days</th> </tr> <tr> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/today.csv">Today</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/week.csv">Week</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/month.csv">Month</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv">raw</a>)</td> <td>:clipboard: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/year.csv">Year</a> (<a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv">raw</a>)</td> </tr> </tbody> </table>
<h3>Other formats</h3>
<table> <thead> <tr> <th>Format</th> <th>URL</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><b>RSS 2.0</b></td> <td><a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/rss.xml">rss.xml</a></td> <td>Today's IOCs (regenerated every 15 min)</td> </tr> <tr> <td><b>MISP</b></td> <td><a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/misp/manifest.json">misp/manifest.json</a></td> <td>4 events (today / week / month / year). Add as a feed in MISP via <i>Sync Actions → Feeds → Add</i>.</td> </tr> <tr> <td><b>STIX 2.1</b></td> <td><a href="https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/stix/manifest.json">stix/manifest.json</a></td> <td>Bundles for today / week / month</td> </tr> </tbody> </table>
</div>
<div align="center">
<h3>Output example</h3>
<p><b>CSV schema</b></p>
<pre><code>date, user, type, value, tags, tweet_url</code></pre>
<sub>Live samples: <a href="https://github.com/0xDanielLopez/TweetFeed/blob/master/today.csv">today.csv</a></sub>
</div>
<div align="center">
<table> <thead> <tr> <th>Surface</th> <th>URL</th> <th>Use case</th> </tr> </thead> <tbody> <tr> <td><b>REST API</b></td> <td><a href="https://api.tweetfeed.live/v1">api.tweetfeed.live</a></td> <td>JSON, no auth, CORS enabled. <code>/v1/{today,week,month,year}[/{type}[/{tag}]]</code></td> </tr> <tr> <td><b>MCP server</b></td> <td><a href="https://mcp.tweetfeed.live">mcp.tweetfeed.live</a></td> <td>JSON-RPC 2.0 endpoint exposing 8 tools (<code>query_iocs</code>, <code>check_url</code>, <code>check_ip</code>, <code>check_hash</code>, <code>list_recent_iocs</code>, <code>get_tag_info</code>, <code>get_trending</code>, <code>enrich_ioc</code>) for Claude / AI agents</td> </tr> </tbody> </table>
See <a href="https://tweetfeed.live/agents/">tweetfeed.live/agents/</a> for the copy-paste MCP config and full tool reference.
</div>
<div align="center">
<h3>Types</h3>

| Type | Today | Week | Month | Year |
| :--- | :---: | :---: | :---: | :---: |
| :link: URLs | 74 | 1093 | 7496 | 57452 |
| :globe_with_meridians: Domains | 52 | 949 | 6561 | 40876 |
| :triangular_flag_on_post: IPs | 22 | 149 | 896 | 13938 |
| :1234: SHA256 | 24 | 137 | 539 | 1605 |
| :1234: MD5 | 9 | 57 | 158 | 2706 |

</div>
---
<div align="center">
<h3>Top 10 tags <sub>(by year activity, refreshed every 15 min)</sub></h3>
<!-- TAG_TABLE_START -->

| Tag | Today | Week | Month | Year |
| :--- | :---: | :---: | :---: | :---: |
| #phishing | 46 | 623 | 3318 | 40638 |
| #C2 | 7 | 69 | 252 | 20230 |
| #Kimsuky | 16 | 1002 | 9053 | 13000 |
| #DPRK | 16 | 1002 | 8984 | 11326 |
| #scam | 20 | 152 | 502 | 7205 |
| #CobaltStrike | 0 | 2 | 5 | 5454 |
| #malware | 4 | 75 | 312 | 3526 |
| #Interactsh | 0 | 0 | 0 | 1906 |
| #APT | 0 | 79 | 207 | 1740 |
| #Remcos | 0 | 11 | 20 | 1516 |

<!-- TAG_TABLE_END -->
The full catalog of 120 tags with per-tag landing pages and CSV exports lives at tweetfeed.live/tags/.
</div>
---
<div align="center">
<h3>Top Reporters (today)</h3>
<!-- TOP_REPORTERS_START -->

| Number | User | IOCs |
| :--- | :---: | :---: |
| #1 | KesaGataMe0 | 21 |
| #2 | urldna_bot | 20 |
| #3 | smica83 | 20 |
| #4 | bomccss | 18 |
| #5 | tdatwja | 16 |
| #6 | _IMalihi_ | 16 |
| #7 | rxerium | 12 |
| #8 | Kb4Threatlabs | 9 |
| #9 | suyog41 | 9 |
| #10 | AddressIntel | 6 |

<!-- TOP_REPORTERS_END -->
</div>
Search tweets that contain certain tags or that are posted by certain infosec people.
<!-- TAGS_LIST_START -->
#phishing, #C2, #Kimsuky, #DPRK, #scam, #CobaltStrike, #malware,
#Interactsh, #APT, #Remcos<!-- TAGS_LIST_END -->
The full list of 120 tags lives at tweetfeed.live/tags/.
<big><pre> **TweetFeed list** </pre></big>
TweetFeed publishes the same data in CSV / JSON / RSS / MISP / STIX so you can wire it into whichever SIEM, EDR, or TIP you already run. Examples below default to year.csv (1-year window); swap to month.csv / week.csv / today.csv to keep the dataset smaller.
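
Because the feed is community-sourced, it is worth validating rows before they reach a SIEM lookup. The following is an added example, not part of the TweetFeed project: it parses rows in the CSV schema shown above, normalizes each value by type, and drops malformed, internal-range and allowlisted entries. The function names, the sample rows and the output column names (`Type`, `Value`, `Tags`, `Tweet`, chosen to match the lookup fields used in the Splunk searches on this page) are assumptions.

```python
import csv, io, ipaddress, re
from urllib.parse import urlsplit

# RFC 1918, loopback and link-local: never valid as external indicators.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
HEX_LEN = {"sha256": 64, "md5": 32}
DOMAIN_RE = re.compile(
    r"^(?=.{4,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+(xn--[a-z0-9-]{1,59}|[a-z]{2,63})$")

def normalize(ioc_type, value):
    """Return the canonical form of a feed value, or None if it is malformed."""
    try:
        if ioc_type in HEX_LEN:
            value = value.lower()
            return value if re.fullmatch("[0-9a-f]{%d}" % HEX_LEN[ioc_type], value) else None
        if ioc_type == "ip":
            addr = ipaddress.ip_address(value)  # raises ValueError on junk
            return None if any(addr in net for net in INTERNAL) else str(addr)
        if ioc_type == "domain":
            value = value.lower().rstrip(".")
            return value if DOMAIN_RE.match(value) else None
        if ioc_type == "url":
            parts = urlsplit(value)  # raises ValueError on malformed hosts
            return value if parts.scheme in ("http", "https") and parts.hostname else None
    except ValueError:
        pass
    return None  # unknown type (including a header row) or malformed value

def load_feed(csv_text, allowlist=frozenset()):
    """Parse rows (date, user, type, value, tags, tweet_url); return (accepted, rejected)."""
    accepted, rejected = [], 0
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        ioc_type = row[2].strip().lower() if len(row) == 6 else ""
        value = normalize(ioc_type, row[3].strip()) if ioc_type else None
        if value is None or value in allowlist:
            rejected += 1
            continue
        accepted.append({"Type": ioc_type, "Value": value, "Tags": row[4], "Tweet": row[5]})
    return accepted, rejected

# Constructed sample rows (documentation addresses and example domains, not real IOCs).
SAMPLE = "\n".join([
    "date,user,type,value,tags,tweet_url",
    "2026-06-12 10:00:00,user_a,ip,203.0.113.10,#C2,https://x.example/1",
    "2026-06-12 10:01:00,user_a,ip,192.168.1.5,#C2,https://x.example/2",
    "2026-06-12 10:02:00,user_b,sha256," + "A1" * 32 + ",#malware,https://x.example/3",
    "2026-06-12 10:04:00,user_c,domain,login.example.net,#phishing,https://x.example/5",
    "2026-06-12 10:05:00,user_c,url,https://example.com/portal,#phishing,https://x.example/6",
])
```

Hashes are lowercased on the way in, so the log side of a join must be lowercased as well. The allowlist is an exact match on the normalized value, the same semantics as the `!in(...)` filters in the KQL queries on this page.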
<details> <summary><b>Microsoft Defender XDR / Sentinel</b> <sub>(KQL via <code>externaldata</code>)</sub></summary> <br>
1. Match `SHA256` hashes against the yearly feed

```kusto
let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
    'XXX' // Some SHA256 hash you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    | extend SHA256 = tostring(report[3])
    | where SHA256 !in(SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet
```

2. Match `IP addresses` against the monthly feed

```kusto
let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
    'XXX' // Some IP address you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in(IPaddress_whitelist)
    | where not(ipv4_is_private(RemoteIP))
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteIP
) | project Timestamp, DeviceName, RemoteIP, Tag, Tweet
```

3. Match `URLs` and `domains` against the weekly feed

```kusto
let MaxAge = ago(30d);
let domain_whitelist = pack_array(
    'XXX' // Some URL/Domain you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteUrl
) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet
```

The same KQL works in Microsoft Sentinel if you replace DeviceProcessEvents / DeviceNetworkEvents with the equivalent Sentinel tables (SecurityEvent, CommonSecurityLog, etc.).
</details>
<details> <summary><b>Splunk</b> <sub>(SPL with <code>inputlookup</code> after CSV import, or <code>rest</code> for ad-hoc fetch)</sub></summary> <br>
Schedule a recurring CSV import via the Add-on Builder or the inputs.conf REST modular input. Then:

```spl
index=firewall earliest=-30d
| join dest_ip [
    | inputlookup tweetfeed_iocs.csv
    | where Type="ip"
    | rename Value AS dest_ip
    | fields dest_ip, Tags, Tweet
  ]
| stats count by src_ip, dest_ip, Tags
```

For proxy / DNS logs vs. URLs and domains:

```spl
index=proxy sourcetype=zscaler earliest=-7d
| join url [
    | inputlookup tweetfeed_iocs.csv
    | where Type IN ("url","domain")
    | rename Value AS url
    | fields url, Tags, Tweet
  ]
| table _time, src, dest, url, Tags, Tweet
```

For process-execution hashes:
index=endpoint sourcetype=Sysmon EventCode=1 earliest=-30d
| eval hash=lower(Hashes)
| join hash [
| inputlookup tweetfeed_iocs.csv
| where Type IN ("sha256","md5")
| rename Value AS hash
|