Export IOCs
ThreatFox offers exports of indicators of compromise (IOCs) in the following formats:
Expiration of IOCs
Since 2025-05-01, we have been expiring IOCs that are older than 6 months. We do so to avoid false positives, which mostly occur on cloud-based infrastructure where assets (e.g. IP addresses) change customers quickly. Expired IOCs are not exposed through the ThreatFox API and data export. However, they are still visible and searchable through the ThreatFox UI, where they are flagged as expired.
Obtain an Auth-Key (Required)
In order to access the datasets listed below, you need to obtain an Auth-Key first. If you don't have one, you can get one for free here:
Whenever you download a dataset or file listed below, you must include the URI parameter auth-key with your Auth-Key as its value. Example curl command:
curl -i "https://threatfox-api.abuse.ch/files/exports/full.csv.zip?auth-key=YOUR-AUTH-KEY-HERE"
Daily MISP Events
You can download ThreatFox IOCs as daily MISP events. New MISP events are generated at midnight.
When using the ThreatFox MISP event feed, we recommend removing the IOC flag from IOCs in our events that are older than 6 months to avoid false positives.
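The recommendation above as an added example, not code from ThreatFox or the MISP project: it clears the flag on attributes older than 6 months in a downloaded event, including attributes nested in objects. It assumes the "IOC flag" is the MISP attribute field to_ids and that "6 months" means 180 days; the function names and the sample event are constructed for illustration.

```python
import copy
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=180)  # assumption: "6 months" approximated as 180 days


def _attributes(event):
    """Yield every attribute dict: event-level ones and those nested in objects."""
    body = event.get("Event", event)
    yield from body.get("Attribute", [])
    for obj in body.get("Object", []):
        yield from obj.get("Attribute", [])


def expire_ioc_flags(event, now=None, max_age=MAX_AGE):
    """Return (new_event, cleared_values); the input event is left unmodified."""
    now = now or datetime.now(timezone.utc)
    cutoff = (now - max_age).timestamp()
    result = copy.deepcopy(event)
    cleared = []
    for attr in _attributes(result):
        try:
            ts = int(attr["timestamp"])  # MISP stores epoch seconds as a string
        except (KeyError, TypeError, ValueError):
            continue  # no usable timestamp: leave the attribute untouched
        if attr.get("to_ids") and ts < cutoff:
            attr["to_ids"] = False  # assumption: to_ids is the "IOC flag"
            cleared.append(attr.get("value"))
    return result, cleared


def _ts(dt):
    return str(int(dt.timestamp()))


# Constructed sample event (not real ThreatFox data).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_EVENT = {"Event": {
    "info": "constructed sample event",
    "Attribute": [
        {"type": "domain", "value": "old.example", "to_ids": True,
         "timestamp": _ts(NOW - timedelta(days=300))},
        {"type": "domain", "value": "fresh.example", "to_ids": True,
         "timestamp": _ts(NOW - timedelta(days=10))}],
    "Object": [{"name": "constructed", "Attribute": [
        {"type": "ip-dst", "value": "192.0.2.10", "to_ids": True,
         "timestamp": _ts(NOW - timedelta(days=200))}]}]}}

if __name__ == "__main__":
    print("flag cleared for:", expire_ioc_flags(SAMPLE_EVENT, now=NOW)[1])
```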
Login required
In order to view this documentation, you need to log in and create an Auth-Key.
host file (domains only)
Some commercial and open source security software (such as Pi-hole) can detect access to domain names based on the host file format. For this purpose, ThreatFox offers a list of domain-based IOCs. The host file below contains the following datasets observed in the past 6 months:
- Payload delivery domains
- Botnet C2 domains
The following file is generated every 5 minutes. To achieve the best protection, we recommend fetching it every 5 minutes.
Suricata IDS Ruleset
ThreatFox provides a ruleset containing all network-based Indicators Of Compromise (IOCs) for Suricata IDS. As we believe that IOCs have an expiration date too, and to avoid false positives, we only export IOCs for the past 6 months. Please note that the ruleset has been tested with Suricata version 6.0.0. The ruleset is generated every 5 minutes. To achieve the best protection, we recommend fetching it every 5 minutes.
DNS Response Policy Zone (RPZ)
By using a DNS Response Policy Zone (RPZ), also known as a DNS firewall, you can detect the resolution of certain domain names observed in the past 6 months on your DNS resolver. ThreatFox offers the following IOCs as an RPZ dataset:
- Payload delivery domains
- Botnet C2 domains
More information about DNS RPZ can be found on dnsrpz.info. The following file is generated every 5 minutes. To achieve the best protection, we recommend fetching it every 5 minutes.
JSON files
The following data exports exist in JSON format:
CSV files
The following data exports exist in CSV format: