Introducing ThreatFox

Published on 8th March 2021, 12:41:55 UTC

In 2018, I've launched URLhaus - a platform where security researchers and threat analysts can share malware distribution sites with the community. A year ago, in March 2020, the launch of MalwareBazaar enabled the community to share malware samples with others and hunt for such by e.g. using YARA rules. The goal of always was to make threat intelligence easy accessible for everyone - for free, and without the need of a registration on a platform. Today, I'm very excited to announce the launch of my most recent project: ThreatFox!

Screenshot of

What is ThreatFox?

ThreatFox is a community driven project where security researchers and threat analysts can share indicators of compromise (IOCs) with the infosec community. Currently, you can share domains, IP addresses, email addresses and file hashes associated with malware, botnet command&control (C&C), payload or payload delivery on ThreatFox. ThreatFox comes with a handful features:

  • You can request IOCs from the community and reward contributors with credits
  • You earn 5 credits for every IOC shared. However, you can earn up to 100 credits from others for a single IOC based on their IOC requests
  • Every IOC is associated with a malware family. For this purpose, ThreatFox relies on the malware naming scheme of Malepdia
  • Each IOC has an confidence level between 0% - 100%
  • An IOC can have an external reference (e.g. link to a whitepaper or social media posting)
  • An IOC may have a comment from the contributor
  • IOCs can be shared anonymously
  • There is an extensive API available for both, reporting and retrieving IOCs to/from ThreatFox
  • In addition, IOCs are exported in various formats such as MISP events, JSON, CSV, Suricata IDS ruleset and more

Why ThreatFox?

I love OSINT! There are many smart and talented IT-security researchers, threat analysts, CERT/CSIRT/SOC employees and IT-security enthusiast around. Some of them share parts of their analysis and indicators of compromise (IOCs) publicly, usually on github or social media like Twitter. While this is great, it is a pain at the same time: You need to invest a lot of time into searching for these IOCs and, even worse, automation is in many cases not easily possible (if not impossible).

ThreatFox is a platform where people who would like to share their indicators of compromise (IOCs) with the community can do so. For this purpose, ThreatFox offers a web UI and an API. At the same time, security researchers who would like to use that data to protect their own constituency, users or customers can easily integrate it by taking advantage of the ThreatFox API.

What's the difference to other, similar platforms?

There are already many other platforms around for sharing IOCs. Unfortunately, you need to register on all of them to share or retrieve IOCs. Exactly that is probably the biggest difference between ThreatFox and other similar platforms:

ThreatFox is a free, community driven platform for sharing indicators of compromise with the world!

Special Thanks

Blog Archive