abuse.ch 

@abuse_ch@ioc.exchange

🦊 ThreatFox Update | We're now expiring IOCs older than 6 months. IOCs don’t last forever and internet infrastructure often gets re-used, therefore we're implementing a 6-month expiry policy to reduce false positives.

As a result, expired IOCs will no longer appear in ThreatFox exports or be available via the ThreatFox APIs. Thanks for your continued support! 🙏

#ThreatFox #IOC #CyberThreatIntel

8️⃣ weeks, 2️⃣ months, or 6️⃣0️⃣ days. No matter how you count it, mandatory authentication will go live on June 30, 2025.

From this date, authentication will be required to access data via API across all our platforms. This change will help us manage heavy usage more effectively and ensure greater platform stability for everyone.

Rely on the APIs? Make sure you’re authenticated and ready well ahead of time ✅

#AuthenticateNow #SteadyPlatform #SteadySignal

Only 1️⃣ week to go!! #ExcitedMuch #CTI #ThreatIntel @pivotcon.bsky.social
💃 🤩

Who loves YARAify? We do! 💛 And now there’s even more to love with the latest cool features making threat hunting easier🕵️‍♂️. Now you can...

👉 Auto-delete files after scanning! If enabled, YARAify now deletes raw files after 7 days - while keeping scan results and metadata available. Want to keep those juicy files private? You can still disable file sharing ⛔

👉 Trigger a file rescan for a previously uploaded sample! Also accessible via the API. ✨ Bonus: Grab the Python 3 script from our GitHub repo: https://github.com/abusech/YARAify

👉 Deploy YARA rules directly via the API! ✨ And, yes, there’s a sample script on GitHub for that too!

🎥 Want a walkthrough? Jump to 11:08 in this demo to see these updates in action:
https://www.youtube.com/live/xobmSNfZ-sk

#YARAify #threathunting #threatintel #cybersecurity

📢 Reminder: We’ve introduced rate limits on excessive API queries from unauthenticated users to ensure the platforms are running smoothly for everyone. ✅👌

#AuthenticateNow – it’s quick, easy, and helps keep the platform stable for all 💪 #SteadyPlatform #SteadySignals

One ccTLD has surged to the 🔝 of our malicious ccTLDs Top20, racking up 148,868 entries! 😱 That’s a massive 83% more than .cn, now bumped to #2️⃣.

Find out which ccTLD in the latest Domain Report here👇
https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-oct-2024-mar-2025/

#ccTLD #MaliciousDomains #DomainReputation

🦊 NEW on ThreatFox: ASN information and statistics! Now when you browse a network IOC (IP, domain, or URL), you’ll get details on the associated ASN, including:

👉 ASN number
👉 ASN name
👉 Country
👉 No. of observed IOC
👉 Malware families

…and even more insights and statistics!

Make sure you’re authenticated first and check out this new feature 👉 https://threatfox.abuse.ch/browse/

Or, watch it in action here 📽️ (skip to 16:50 in the demo!)
https://www.youtube.com/live/xobmSNfZ-sk

No, should work out of the box

"RIDE OR DIE" - Can anyone label this malware? Seems to be a NodeJS executable. Tagged as #NodeLoader

Botnet C2s 🛰️
5.252.153.120:3000 🇵🇦
66.63.187.72:3000 🇺🇸
85.209.153.84:3000 🇺🇸
95.164.53.146:3000 🇩🇪

Dropping ⚙
http://62.60.226 .200/defender/file1.exe
http://62.60.226 .200/defender/build17.exe

Malware samples ☣️
https://bazaar.abuse.ch/browse/signature/NodeLoader/

ThreatFox IOCs 🦊
https://threatfox.abuse.ch/browse/tag/NodeLoader/

We’re pumped to be a Gold Sponsor 📢 at Pivotcon this year with our partner Spamhaus Technology! 🔥 This event is the REAL DEAL. It’s organized by threat analysts, for threat analysts 🤝 and offers tons of value! And there’s less than a month to wait! Let’s go! 🤩💪