Threat Intelligence
Summary
As flows are ingested into the system, lookups are done on both source IP and destination IP so that their reputation is determined at the time the flow happened.
Every flow record contains an array of categories for both source and destination IP that represents what's known about the IP, if anything. An empty array simply means there was no information found about that particular IP (not that it was "good"). Additionally, not all categories indicate bad reputation; Netography compiles information about malicious hosts, hosts that might go against corporate policy, hosts that might confirm compliance to corporate policy, and hosts that indicate usage of a particular service or infrastructure. Please see Parent Categories below for more information on what categories of Threat Intelligence are available in the Fusion portal.
Usage
Netography Fusion exposes Threat Intelligence in Flow NQL using three keywords, which can be used concurrently or alone in NQL statements.
iprep
This method considers the category array from both the source and destination IP addresses.
srciprep
This method considers the category array from the source IP address.
dstiprep
This method considers the category array from the destination IP address.
All three keywords expose categories, while only srciprep and dstiprep have a count property.
count
The number of Threat Intelligence categories that the source/destination IP belongs to.
Since this property is an integer, the following operators are available: !=, <, <=, >, >=, ==.
Example:
srciprep.count > 0
categories
An array of Threat Intelligence categories that the source/destination IP belongs to.
This property is an array of strings, so in this context != means that the category is not present in the array and == means that the category is present.
Example:
dstiprep.category == malware_command_and_control && dstiprep.category != super_cdn
NQL regex is also available when including (=~) or filtering (!~) Threat Intelligence categories.
Examples:
dstiprep.categories =~ super_threat_list*
or
dstiprep.categories !~ super_non_threat_list*
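The semantics described in this section, modeled locally as an added example (not Netography's code or API): array == and != as membership tests, count as array length, and a triage that keeps "no information" separate from "known but not a threat". The Flow class, the triage policy and the sample flows are assumptions constructed for illustration; the category names come from the Parent Categories list.

```python
from dataclasses import dataclass, field

# Category names are taken from this page's category list.
C2 = "malware_command_and_control"
CDN = "super_cdn"
THREAT = "super_threat_list"
NON_THREAT = "super_non_threat_list"
LIKELY_FP = "debug_likely_false_positive"


@dataclass
class Flow:
    """Constructed stand-in for a flow record; the field layout is hypothetical."""
    srcip: str
    dstip: str
    srciprep: list = field(default_factory=list)  # source category array
    dstiprep: list = field(default_factory=list)  # destination category array


def present(categories, name):
    """Array '==' as described above: the category is in the array."""
    return name in categories


def absent(categories, name):
    """Array '!=' as described above: the category is not in the array."""
    return name not in categories


def c2_not_cdn(flow):
    """The page's example filter: dst is tagged C2 and is not tagged super_cdn."""
    return present(flow.dstiprep, C2) and absent(flow.dstiprep, CDN)


def verdict(categories):
    """Triage one side's category array (policy is an assumption of this example)."""
    if len(categories) == 0:      # what the count property would report as 0
        return "unknown"          # no information found, which is not "good"
    if present(categories, THREAT):
        # A threat hit that also sits on a benign or false-positive list
        # goes to an analyst instead of straight to an alert.
        if present(categories, NON_THREAT) or present(categories, LIKELY_FP):
            return "review"
        return "threat"
    return "informational"        # categorized, but not on the threat list


def triage(flow):
    """Return (source verdict, destination verdict, C2-not-CDN filter hit)."""
    return verdict(flow.srciprep), verdict(flow.dstiprep), c2_not_cdn(flow)


# Constructed sample flows using documentation-range addresses.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5",
         dstiprep=[C2, "super_malware", THREAT]),
    Flow("192.0.2.11", "203.0.113.6",
         dstiprep=[C2, "cdn_cloudflare", CDN, THREAT, NON_THREAT]),
    Flow("192.0.2.12", "203.0.113.7",
         dstiprep=["business_microsoft_365", "mail_microsoft_365_exchange"]),
    Flow("198.51.100.9", "192.0.2.13",
         srciprep=["neto_scanners", THREAT]),
    Flow("192.0.2.14", "203.0.113.8"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.srcip, "->", f.dstip, triage(f))
```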
Parent Categories
Alpha
alpha_blocklist_alpha
Customer specific IP blocklist alpha.
alpha_blocklist_beta
Customer specific IP blocklist beta.
Business
business_akamai
Akamai Technologies, Inc. is an American delivery company that provides content delivery network (CDN), cybersecurity, DDoS mitigation, and cloud services.
business_google
Google LLC is an American multinational corporation and technology company focusing on online advertising, search engine technology, cloud computing, computer software, quantum computing, e-commerce, consumer electronics, and artificial intelligence (AI).
business_google_service
This category aims to identify use of Google services such as Gmail, Google Maps, Google Drive, etc. It is derived from the published list of all Google IP addresses, with the Google Cloud addresses filtered out.
business_microsoft_365
Microsoft 365 is a suite of productivity software hosted online by Microsoft. It includes online versions of Exchange (Outlook.com), OneDrive, Teams, Word, Excel, PowerPoint, SharePoint, etc.
business_tencent
Tencent is a China based technology conglomerate and holding company whose subsidiaries market various Internet-related services and products, including in entertainment, artificial intelligence, and other technology.
Cdn
cdn_akamai_delivery
A major content delivery and edge computing platform that also provides DDoS mitigation.
cdn_alibaba_cdn_platform
Infrastructure identified as Alibaba CDN platform.
cdn_amazon_cloudfront
A cloud-based CDN operated by Amazon Web Services.
cdn_azure_frontdoor
A cloud-based CDN and application load balancer offered by Microsoft Azure that manages traffic between clients and origins.
cdn_azure_frontdoor_backend
IP addresses that Front Door uses to access origin resources.
cdn_azure_frontdoor_frontend
IP addresses that clients use to reach resources behind the Front Door CDN.
cdn_cloudflare
A major content delivery and edge computing platform that also provides DDoS mitigation.
cdn_fastly
Self-described as an “edge cloud platform”, Fastly provides CDN, image optimization, video and streaming, cloud security, and load balancing services.
cdn_google_cloud_cdn
As part of the Google Cloud Platform, Google’s Cloud CDN uses Google's global edge network to provide CDN and load balancing services using the same infrastructure as Google services such as Gmail, Search, and Photos.
Cloud
cloud_amazon_ec2
EC2 is the AWS cloud compute service; this category includes virtual servers in AWS as well as any AWS services which Amazon has built on EC2 servers.
cloud_amazon_route53
Amazon Route 53 is a cloud based Domain Name System (DNS) service focused on connecting user requests to infrastructure running in AWS, such as EC2 instances, load balancers, and S3 buckets. Route 53 also offers domain name registration, and integrated health checks.
cloud_amazon_s3
S3 is the AWS cloud storage service.
cloud_aws
Amazon Web Services (AWS) provides a wide array of on-demand cloud services.
cloud_azure
Microsoft Azure provides a wide array of on-demand cloud services.
cloud_azure_active_directory_serviceendpoint
IP addresses associated with Azure Active Directory Service Endpoints. These endpoints are used inside Azure virtual networks to access the Azure PaaS API.
cloud_azure_appservice
A Microsoft Azure based platform as a service (PaaS) which allows publishing Web apps running on multiple frameworks and written in different programming languages.
cloud_azure_azureactivedirectory
A cloud based identity and access management (IAM) solution offered by Microsoft; also known as Microsoft Entra ID.
cloud_azure_azurespringcloud
An open source project that aims to make it easier to use Azure services in Java Spring applications.
cloud_azure_hosting
Microsoft Azure’s cloud compute service.
cloud_azure_storage
Microsoft Azure cloud storage service.
cloud_azure_windowsvirtualdesktop
A Microsoft Azure-based system for virtualizing Windows operating systems, providing virtualized desktops and applications in the cloud using the Remote Desktop Protocol.
cloud_google_cloud_platform
Google Cloud Platform (GCP) provides a wide array of on-demand cloud services.
cloud_huawei_cloud
Huawei Cloud provides a wide array of on-demand cloud services.
cloud_linodeusercontent
Linode, by Akamai, provides a wide array of on-demand cloud services.
cloud_microsoft_365_sharepoint
A collection of enterprise content management and knowledge management tools developed by Microsoft.
Cybersecurity
cybersecurity_1password
A subscription based password management platform.
cybersecurity_cisco_umbrella
Also known as OpenDNS, this company provides a wide range of cybersecurity solutions.
cybersecurity_comodo
A security company offering website and consumer security software, as well as an enterprise endpoint detection platform.
cybersecurity_kaspersky
A Russia based company that provides a wide range of cybersecurity and anti-virus products.
cybersecurity_mcafee
A security company offering antivirus software, privacy tools, and identity protection services.
cybersecurity_palo_alto_networks
A security company that provides a wide range of cybersecurity tools and infrastructure.
cybersecurity_qualys
An Enterprise Cyber Risk & Security Platform that includes scanning services.
cybersecurity_symantec
A division of Broadcom, Symantec offers various Enterprise Security solutions.
cybersecurity_verisign
An Internet infrastructure company that operates DNS root name servers, as well as several DNS authoritative registries.
cybersecurity_whatismyip
A website that allows clients to discover their own external or public IP address.
Debug
debug_green_snow_blocklist
Newly added source that needs evaluation.
debug_likely_false_positive
For filtering. If IPs from this category appear in a malicious category, they are likely false positives.
debug_scriptzteam_bad_ips
Newly added source that needs evaluation.
debug_unevaluated
Threat intelligence from a new source that hasn't been fully vetted.
File Sharing
file_sharing_apple_icloud
A cloud storage service offered by Apple that enables users to store and sync data across devices. Synced data includes applications like mail, photos, notes, contacts, and files.
file_sharing_bittorrent_tracker
A type of server used by the BitTorrent protocol to keep track of files and file parts available on peer machines. Detecting communication with BitTorrent trackers can identify hosts with BitTorrent software installed, and help reduce false positives when detecting file transfer activity.
file_sharing_dropbox
A cloud storage service used to sync files between devices, access files via the web, and share files with other users.
file_sharing_idrive
A cloud backup service that can sync files between devices, as well as backup files, entire drives, mobile devices, and 3rd party cloud accounts.
file_sharing_mega_service
An online file transfer service that employs end-to-end encryption. Because of the service’s strong privacy features, it is a favorite of hackers and people transferring less savory data.
file_sharing_microsoft_onedrive
A cloud storage service operated by Microsoft used to sync files between devices, access files via the web, and share files with other users.
file_sharing_weiyun
Cloud storage service provided by Tencent, a major Chinese tech company that also develops WeChat and QQ.
file_sharing_wetransfer
An online file transfer service geared toward transferring very large files such as raw images and videos.
Games
games_steam
Steam is a video game digital distribution service and storefront managed by Valve.
Hosting
hosting_bulletproof
Bulletproof hosting (sometimes abbreviated as BPH) is a service provided by internet hosting companies that allow all types of activity, including illegal ones, without much restriction. BPH providers are often unresponsive to complaints and ignore requests to stop harmful activities. They are often located in countries with less strict regulations than the United States, and may be able to bribe officials or avoid regulatory action.
Mail
mail_microsoft_365_exchange
A subscription based enterprise cloud email service hosted by Microsoft.
Malware
malware_botnet
Botnet malware is typically not interested in theft of data on a particular host, but rather they aim to infect as many hosts as possible, and to force those hosts to conduct malicious activity. Some common activities performed by botnets are: DDoS, sending SPAM email, click-fraud, and brute force attacks.
malware_command_and_control
When malware is deployed to hosts that are not directly accessible from the Internet, it will typically make an outbound connection to a command and control (C2) server. This outbound connection can happen many different ways, but one of the most common methods is direct TCP/IP (including HTTP requests). This list contains IP addresses known to receive outbound malware communications.
malware_cryptominer
Cryptominer malware is specifically designed to use a device's computing power to mine cryptocurrency. The malware can be installed to run persistently, be fileless to only remain in memory, or just run malicious JavaScript in a victim’s browser.
malware_dropper
A dropper is a type of malware designed to install other malware onto a target system. This malware may run some operational security (OPSEC) checks, perform some security product evasion, download additional malware, create persistence, and possibly remove itself from the target (though some droppers remain persistent).
malware_exploit
One method of installing malware is to provide malicious input that causes a program to execute arbitrary attacker code. This could be through memory corruption and a controlled crash, by escaping a secure context to execute unintended commands, or some combination of the two. Exploits can be remote, where the attacker can directly access the target, or local, where the attacker relies on a user or client software to access exploit code.
malware_hacktool
This category describes open source or publicly available tools that are used by both white hat and black hat hackers. White hat uses include penetration testing and security research; however, the tools are just as useful for more nefarious purposes.
malware_implant
This category describes malware that is meant for sustained access to a victim computer or network. Implant malware is generally installed with persistence and executed without further user interaction when the host computer boots to maintain access. The malware is also usually coded with stealth or anti-analysis techniques, to extend the life of the compromise.
malware_malicious_proxy
This category describes malware that is specifically designed to tunnel attacker traffic through its victim host. This can be used to pivot deeper into the victim network or used by actors to conduct attacks against other networks that appear to originate from the victim network. Proxy access may also be sold to 3rd party actors for anonymous internet access.
malware_ransomware
Ransomware refers to a type of malware that aims to block access to a victim’s files until a ransom is paid. This is typically done by encrypting the files and demanding some kind of difficult to trace cryptocurrency to receive the key for decryption. There is a closely related type of attack, where victim data is exfiltrated, and the ransom is demanded in order for the attacker to not publicly leak the victim’s files. That type of attack typically does not require encrypting malware, and may be accomplished using implant malware, or operating system native tools; therefore the attack may not be covered by this threat intelligence category.
malware_shellcode
Shellcode is most commonly used in conjunction with memory corruption exploits, but the term can also sometimes describe modules or additional functionality downloaded by other malware.
malware_stealer
Stealer malware is specialized to collect and exfiltrate victim data and accounts. It looks for valuable files such as cryptocurrency wallets, collects keystrokes, dumps credentials, and steals session cookies from browsers.
malware_trojan
A Trojan horse is a type of malware that disguises itself as a legitimate program to infect a computer and perform unauthorized actions.
malware_webshell
Webshells are attacker controlled content on a legitimate website; they can consist of a simple script meant to facilitate deeper compromise, or complex malware to provide external control of malicious assets and exfiltration of stolen data. This threat intelligence category describes either serving malware for installation, or detected malware already installed.
Messaging
messaging_apple_push
A platform notification service created by Apple that enables third party application developers to send notification data to applications installed on Apple devices.
messaging_discord
An instant messaging and VoIP social platform which allows communication through voice calls, video calls, text messaging, media, and group chat.
messaging_disqus
Blog comment service that helps content creators with social integration, comment moderation, anti-spam, and translation, among other features.
messaging_google_chat
A communication service offered by Google that provides direct messaging, group conversations, tasks, and file sharing.
messaging_infobip
A cloud based customer engagement and contact center solution which integrates with many different communication channels, such as SMS, voice, Instagram, or email.
messaging_irc_servers
A decentralized communications platform that supports text-based chat, private messaging, and file sharing.
messaging_jpush
China based push notification service that performs push notifications to Android, iOS and Windows Phone apps in geographies where Google services are not allowed.
messaging_kakaotalk
South Korea based mobile messaging app with voice, instant messaging, and file sharing services.
messaging_kik
Canada based instant messaging mobile application which also provides photo, video, and sketch sharing.
messaging_messagebird
A cloud based marketing, customer support, and in-chat payments solution which integrates with many different communication channels, such as SMS, voice, WhatsApp, or email.
messaging_meta_messaging
Facebook Messenger and Instagram (owned by Meta) share a common messaging platform. This makes it possible for users on these two different platforms to chat and exchange messages.
messaging_pushover
A platform for sending push notifications via a simple web-hook, and receiving push notifications on mobile or desktop clients.
messaging_qq
Instant messaging software service and web portal from the Chinese company Tencent; provides online social games, music, shopping, microblogging, movies, and instant messaging.
messaging_rocket_chat
Open source team collaboration platform with self hosting or managed options. The platform provides live chat, social, SMS, 3rd party integrations, and encrypted messages, among other features.
messaging_samsung_push
A service from Samsung that handles push notifications for all Samsung applications.
messaging_signal
An end-to-end encrypted messaging service for chat, voice calls, video calls, voice notes, and file sharing.
messaging_sinch
Sweden based communication platform that focuses on messaging, voice, and email communication between businesses and their customers.
messaging_snapchat
American multimedia sharing, instant messaging, and video chat application that focuses on privacy features such as disappearing messages, end-to-end encryption, and password protected storage.
messaging_stream_io
Integration platform to add chat messaging, audio/video conferencing, activity feeds, and AI ChatBots into 3rd party applications.
messaging_telegram
A cloud-based, cross-platform, instant messaging service that also provides file sharing, group voice/video calling, public livestreams, and large one-to-many channels. Some features support end-to-end encryption.
messaging_threema
Switzerland based, paid, cross-platform, encrypted instant messaging app that offers voice/video calling, file & location sharing.
messaging_whatsapp
Instant messaging and VoIP application from the American owned Meta Platforms, offers voice/video calling, file sharing, location sharing, and multi-platform access.
messaging_zalo
Vietnam based instant messaging and VoIP calling application for mobile or desktop.
Neto
neto_abusech_threatfox
ThreatFox is a platform from abuse.ch and Spamhaus dedicated to sharing indicators of compromise (IOCs) associated with malware, with the infosec community, AV vendors and cyber threat intelligence providers.
neto_abusech_urlhaus
URLhaus is a platform from abuse.ch and Spamhaus dedicated to sharing malicious URLs that are being used for malware distribution.
neto_attack
A generic category for hosts observed in various types of attacks, including attacks against web, ftp, ssh, or mail servers, or supply chain attacks.
neto_beacon_tuning
Reputation List specifically for tuning beacons to reduce false positives.
neto_bitcoin_node
Bitcoin node.
neto_bl_threats
From the Black Lotus Labs fetcher. Customer specific.
neto_bots
In this context, a bot is a software application that runs automated tasks. These tasks might include malicious activity such as sending SPAM, scraping data from social media sites, generating fake reviews/clicks/social media posts, or something more benign such as a chatbot.
neto_bruteforce
Hosts observed conducting brute force attacks such as repeated login attempts.
neto_bruteforceblocker
From Black Lotus Labs.
neto_cins
3rd party threat intelligence from Cins Army; these addresses have been identified by the wider security community as malicious or having a poor reputation.
neto_compromised
Hosts that exhibit signs of compromise or hostile activity, but not enough information is known to classify them as a specific activity.
neto_dns_over_http
Identified DNS over HTTP servers.
neto_greynoise
GreyNoise. Customer specific.
neto_ipfs_gateway
An IPFS Gateway.
neto_misc
Hosts involved in mass scanning, exploitation attempts, or generally suspicious behavior.
neto_phishing
Hosts reported to be associated with fraudulent requests for money, personal information, or unwitting assistance to attackers targeting an organization.
neto_potentially_unwanted_files
Hosts serving potentially dangerous or malicious files. File types include autoit scripts or Windows DLLs which are very likely to be part of an attack, and also .txt or .json files which may or may not be benign. Because this category is populated by hosts reported in conjunction with another attack, the files should be treated as malicious until proven otherwise.
neto_scanners
Hosts observed performing various scans that aren’t identified as belonging to a legitimate scanner service.
neto_sinkholes
Also known as: DNS sinkhole, sinkhole server, internet sinkhole, or blackhole DNS. In this context, a sinkhole is a hijacked or seized DNS name which redirects malicious traffic such as malware beacons to either a non-attacker controlled server or a non-routable IP address.
neto_spamhaus_drop
3rd party threat intelligence from the Spamhaus project. This category consists of netblocks that are leased or stolen by professional spam or cyber-crime operations, and used for dissemination of malware, trojan downloaders, botnet controllers, or other kinds of malicious activity.
neto_suspicious_ssl
These addresses have SSL certificates that appear to be crafted to deceive users; for instance a self-signed certificate claiming to be a '.mil' domain.
neto_tor_exit_node
These addresses indicate traffic leaving the Tor anonymization network. This type of traffic is not inherently malicious; however, the Tor network provides a free and reliable source of anonymization that is often capitalized on by malicious actors.
Nuisance
nuisance_agafurretor_com
Adware which gets installed into web browsers and pushes questionable or potentially malicious advertisements to users.
nuisance_conduit_toolbar
An online platform that allowed web publishers to create custom toolbars, web apps, and mobile apps at no cost. The toolbar has browser hijacking functionality, and is often regarded as malware.
nuisance_lijit
Potentially used by adware, but also embedded into some websites; this ad serving domain is widely regarded as associated with PUPs.
Remote Desktop
remote_desktop_anydesk
A platform-independent remote access tool for personal computers and other devices running the host application; offers remote control, file transfer, and VPN functionality. This software is often used in technical support scams.
remote_desktop_relays_net_anydesk_com
Hosts used to relay AnyDesk remote access connections.
remote_desktop_simplehelp
Server software for Windows, Linux and macOS.
remote_desktop_teamviewer
A remote management and remote control platform for single device or enterprise access. Provides file sharing, multi-connection support, 3rd party integrations, and security features. This software is often used in technical support scams.
Scanner Service
scanner_service_censys_scanners
A paid attack surface management service that performs continuous, automated scanning to discover an organization’s internet-exposed assets.
scanner_service_internettl_org
A research project that identifies servers on the Internet. InterneTTL continuously scans every host on the Internet providing IT and security teams with real time visibility into active servers.
scanner_service_onyphe_bot
Scanning bot associated with the ONYPHE Attack Surface Management (ASM), Attack Surface Discovery (ASD) and Cyber Threat Intelligence (CTI) solution.
scanner_service_qualys_scanners
Scanners associated with the Qualys vulnerability management platform.
scanner_service_shadowserver_scanner
A free (charitably funded) vulnerability and malware discovery service, that scans the entire internet and makes reports available to requesting network owners, governments, law enforcement agencies, and others.
scanner_service_shodan
A search engine that scans the internet and provides an index of active devices, operating systems, open ports, services running, software versions, and even default passwords in some cases.
Social Media
social_media_bluesky
A US based microblogging social media service, similar to Twitter.
social_media_discourse
An open source Internet forum system. Features include threading, categorization and tagging of discussions, configurable access control, live updates, expanding link previews, infinite scrolling, and real-time notifications.
social_media_facebook
Social media and social networking platform owned by Meta Platforms.
social_media_instagram
A photo and video sharing social networking service owned by Meta Platforms.
social_media_linkedin
A business and employment-focused social media platform.
social_media_meta
A US based technology company that owns and operates Facebook, Instagram, Threads, and WhatsApp, among other products and services.
social_media_okcupid
A US based online dating and friendship service.
social_media_reddit
A US based social news aggregation, content rating, and forum social network.
social_media_tiktok
China based short-form video hosting service.
social_media_tinder
An online dating and geosocial networking application.
social_media_twitter
A US based social networking service, also known as ‘X’.
social_media_wechat
China based instant messaging, social media, and mobile payment application.
social_media_weibo
China based microblogging (short posts without titles) website.
Super
super_cdn
A collection of all CDN hosts tracked by Netography.
super_malware
A collection of all malware hosts tracked by Netography.
super_netify_adult
A collection of all adult websites tracked by Netify.
super_netify_cdn
A collection of all CDN hosts tracked by Netify.
super_netify_cybersecurity
A collection of all cybersecurity hosts tracked by Netify.
super_netify_file_sharing
A collection of all file sharing hosts tracked by Netify.
super_netify_hosting
A collection of all cloud compute hosting addresses tracked by Netify.
super_netify_messaging
A collection of all instant messaging hosts tracked by Netify.
super_netify_os_software_updates
A collection of all operating system update hosts tracked by Netify.
super_netify_remote_desktop
A collection of all remote desktop hosts tracked by Netify.
super_netify_social_media
A collection of all social media hosts tracked by Netify.
super_netify_voip
A collection of all VoIP hosts tracked by Netify.
super_netify_vpn_and_proxy
A collection of all VPN and proxy hosts tracked by Netify.
super_non_threat_list
A curated collection of hosts that Netography believes have a high likelihood of being benign or belonging to services that generate a large number of false positives.
super_threat_list
A curated collection of hosts that Netography believes have a high likelihood of being malicious or generating threat related activity.
Technology
technology_azure_dns
Public DNS service from Microsoft Azure.
technology_cloudflare_dns
A privacy and speed focused public DNS provider operated by Cloudflare.
technology_github
A developer platform that allows developers to create, store, manage and share their code using Git source control software.
technology_github_actions
GitHub Actions is a CI platform built into GitHub that helps users automate software deployment workflows. These workflows are triggered by events like pushing code or creating pull requests. GitHub Actions can access sensitive resources like source code and secrets, so users should employ strong security practices around access.
technology_google_dns
A free, global DNS resolution service offered by Google that you can use as an alternative to your current DNS provider.
technology_level3_dns
Public DNS service run by Level3 Communications, a.k.a. Lumen Technologies.
technology_monlist_enabled_ntp
NTP hosts that appear to have the 'monlist' feature enabled. These servers MAY be used in NTP reflection/amplification attacks, but are not inherently malicious themselves.
technology_nsone
Managed DNS service operated by IBM.
technology_quad9_dns
A security and privacy focused public DNS provider operated by the Swiss-based Quad9 Foundation.
technology_self_hosted_gitlab
Gitlab is a web-based comprehensive DevOps platform that includes the Git repository manager, issue tracking, continuous integration/continuous deployment pipelines, code review tools, and more. Apart from the official Gitlab.com, users can run private instances of GitLab on their own infrastructure.
Voip
voip_google_hangouts
A chat, voice, and video conferencing platform from Google which was discontinued in November of 2022. These hosts may be in use by Google Meet or Google Chat which superseded Hangouts in 2021.
voip_microsoft_365_skype
A telecommunications platform operated by Microsoft which features video and voice calling, video conferencing, instant messaging, and calls from computer to traditional telephone networks, among other features.
voip_webex
A US based web conferencing and video conferencing platform owned and operated by Cisco Systems.
voip_zoom
A popular video conferencing solution owned and operated by US based Zoom Video Communications.
Vpn And Proxy
vpn_and_proxy_cyberghostvpn
A Romania based public VPN service.
vpn_and_proxy_expressvpn
A Hong Kong based public VPN service.
vpn_and_proxy_hide_me
A Malaysia based public VPN service.
vpn_and_proxy_hma
A UK based public VPN service.
vpn_and_proxy_hola_vpn
An Israel based peer-to-peer VPN service. When a user accesses certain domains that are known to use geo-blocking, the Hola application redirects the request to go through the computers and Internet connections of other users in non-blocked areas, thereby circumventing the blocking. Non-paying users of the service share a portion of their idle upload bandwidth to be used for serving cached content.
vpn_and_proxy_hotspot_shield
A US based public VPN service.
vpn_and_proxy_nordvpn
A Lithuania based public VPN service.
vpn_and_proxy_privateinternetaccess
A US based public VPN service.
vpn_and_proxy_proton_vpn
A Switzerland based public VPN service.
vpn_and_proxy_softether
A free & open-source, cross-platform, multi-protocol VPN client and VPN server software. Supports many VPN protocols including VPN over ICMP and VPN over DNS.
vpn_and_proxy_surfshark
A Netherlands based public VPN service that also offers data leak detection, private internet search, antivirus, and a private DNS resolver.
vpn_and_proxy_tor_entry_node
The Tor network provides user anonymity by routing traffic through multiple encrypted layers across a network of relays, which obscures the origin of the connection from the destination; the intended destination of the user is also obscured from ISPs or corporate networks. A Tor entry node is the first relay in a Tor network that receives traffic from a user.
vpn_and_proxy_tunnelbear
A Canada based public VPN service.
vpn_and_proxy_zscaler
An enterprise grade zero-trust overlay network service used to replace traditional VPNs with one-to-one SSL tunnels between clients and applications.