Cyber Threat
Intelligence Feeds
Cyber Threat
Intelligence Feeds
Cyber Threat
Intelligence Feeds
Threat Feeds to Enrich your Security Platform
Threat Feeds to Enrich your Security Platform
Threat Feeds to Enrich your Security Platform
C2 Feed
This feature provides you with a unique feed of active Command and Control (C2) servers.
IOC Hunter Feed
A dedicated IOC feed enriched from trusted research, linking C2 servers to known threat actors and malware campaigns.
New Certificates
This feed updates in real time for past 24 hours. The feed is available to download in JSON or ZIP format.
Custom Feeds
Custom Feeds
Custom Feeds
Hunt provides custom feeds tailored to specific user requirements, which can be configured following a consultation with our sales team to define precise needs. Custom feeds are designed to meet unique user needs, enabling the creation of tailored queries such as listing all active HTTP/HTTPS services by IP and port in designated countries.
Sample of the feed
Sample of the feed
Sample of the feed
"ip".:18.135.30.45",
"port":4086,
"hostname":"ipso.alert-manager.co.uk",
"timestamp":"2023-11-27T10:59:02",
"scan_urli":"https://ipso.alert-manager.co.uk:4086/login",
"confidence":100,
"extra"
{
"geoip_city":"London",
"geoip_country": "United Kingdom",
"geoip_asn": "AMAZON-02",
"geoip_asn_num":16509,
"geoip_subnetwork":"18.132.0.0/14",
"domain_private_name":"alert-manager.co.uk",
"domain_type": "REGULAR"
},
"malware_namee":"Gophish"
"ip".:18.135.30.45",
"port":4086,
"hostname":"ipso.alert-manager.co.uk",
"timestamp":"2023-11-27T10:59:02",
"scan_urli":"https://ipso.alert-manager.co.uk:4086/login",
"confidence":100,
"extra"
{
"geoip_city":"London",
"geoip_country": "United Kingdom",
"geoip_asn": "AMAZON-02",
"geoip_asn_num":16509,
"geoip_subnetwork":"18.132.0.0/14",
"domain_private_name":"alert-manager.co.uk",
"domain_type": "REGULAR"
},
"malware_namee":"Gophish"
"ip".:18.135.30.45",
"port":4086,
"hostname":"ipso.alert-manager.co.uk",
"timestamp":"2023-11-27T10:59:02",
"scan_urli":"https://ipso.alert-manager.co.uk:4086/login",
"confidence":100,
"extra"
{
"geoip_city":"London",
"geoip_country": "United Kingdom",
"geoip_asn": "AMAZON-02",
"geoip_asn_num":16509,
"geoip_subnetwork":"18.132.0.0/14",
"domain_private_name":"alert-manager.co.uk",
"domain_type": "REGULAR"
},
"malware_namee":"Gophish"
faq
faq
faq
Frequently
asked questions
Frequently
asked questions
Frequently
asked questions
What does the C2 Feed provide?
The C2 Feed provides high-confidence malicious infrastructure identified through Hunt’s scanning processes. The feed is delivered as a newline-delimited JSON dataset and is accessed through an API endpoint.
Returned entries may include IP address, hostname, scan URI, port, timestamp, malware name, malware subsystem, confidence score, and additional metadata.
What does the C2 Feed provide?
The C2 Feed provides high-confidence malicious infrastructure identified through Hunt’s scanning processes. The feed is delivered as a newline-delimited JSON dataset and is accessed through an API endpoint.
Returned entries may include IP address, hostname, scan URI, port, timestamp, malware name, malware subsystem, confidence score, and additional metadata.
What does the C2 Feed provide?
The C2 Feed provides high-confidence malicious infrastructure identified through Hunt’s scanning processes. The feed is delivered as a newline-delimited JSON dataset and is accessed through an API endpoint.
Returned entries may include IP address, hostname, scan URI, port, timestamp, malware name, malware subsystem, confidence score, and additional metadata.
How is data in the C2 Feed generated?
Hunt scans the internet for malware protocols, SSL certificates, and JARM/JA4 hashes. Hosting providers that favor malicious activity are subject to additional scanning.
Custom validation logic is applied to C2 candidates, and signatures and validators are updated by the Hunt Research team to enhance accuracy and discovery.
How is data in the C2 Feed generated?
Hunt scans the internet for malware protocols, SSL certificates, and JARM/JA4 hashes. Hosting providers that favor malicious activity are subject to additional scanning.
Custom validation logic is applied to C2 candidates, and signatures and validators are updated by the Hunt Research team to enhance accuracy and discovery.
How is data in the C2 Feed generated?
Hunt scans the internet for malware protocols, SSL certificates, and JARM/JA4 hashes. Hosting providers that favor malicious activity are subject to additional scanning.
Custom validation logic is applied to C2 candidates, and signatures and validators are updated by the Hunt Research team to enhance accuracy and discovery.
What time range does the C2 Feed return?
Each request to the C2 Feed returns data from the last 7 days relative to the time the feed is requested.
The C2 Feed is updated on a daily basis and accessed through API requests.
What time range does the C2 Feed return?
Each request to the C2 Feed returns data from the last 7 days relative to the time the feed is requested.
The C2 Feed is updated on a daily basis and accessed through API requests.
What time range does the C2 Feed return?
Each request to the C2 Feed returns data from the last 7 days relative to the time the feed is requested.
The C2 Feed is updated on a daily basis and accessed through API requests.
What infrastructure types are included in the C2 Feed?
The C2 Feed includes infrastructure classified under multiple malware subsystems. These include C2, Exploit Server, Infrastructure, Management, Phishing, Red Team Tools, Redirect, Team Server, and Victim.
The malware subsystem field indicates how the infrastructure is categorized.
What infrastructure types are included in the C2 Feed?
The C2 Feed includes infrastructure classified under multiple malware subsystems. These include C2, Exploit Server, Infrastructure, Management, Phishing, Red Team Tools, Redirect, Team Server, and Victim.
The malware subsystem field indicates how the infrastructure is categorized.
What infrastructure types are included in the C2 Feed?
The C2 Feed includes infrastructure classified under multiple malware subsystems. These include C2, Exploit Server, Infrastructure, Management, Phishing, Red Team Tools, Redirect, Team Server, and Victim.
The malware subsystem field indicates how the infrastructure is categorized.
What does the IOC Hunter Feed provide?
The IOC Hunter Feed provides indicators of compromise derived from published threat research. Each entry includes the IOC value, IOC type, publication metadata, publication timestamp, and descriptive context.
When available, entries may also include associated malware names and threat actor information as provided by the source publication.
What does the IOC Hunter Feed provide?
The IOC Hunter Feed provides indicators of compromise derived from published threat research. Each entry includes the IOC value, IOC type, publication metadata, publication timestamp, and descriptive context.
When available, entries may also include associated malware names and threat actor information as provided by the source publication.
What does the IOC Hunter Feed provide?
The IOC Hunter Feed provides indicators of compromise derived from published threat research. Each entry includes the IOC value, IOC type, publication metadata, publication timestamp, and descriptive context.
When available, entries may also include associated malware names and threat actor information as provided by the source publication.
Can the IOC Hunter Feed be filtered?
Yes. The IOC Hunter Feed supports optional API query parameters, including days to limit results by publication age and publication_domain to filter results by publication apex domain.
These parameters are applied at request time when accessing the feed through the API.
Can the IOC Hunter Feed be filtered?
Yes. The IOC Hunter Feed supports optional API query parameters, including days to limit results by publication age and publication_domain to filter results by publication apex domain.
These parameters are applied at request time when accessing the feed through the API.
Can the IOC Hunter Feed be filtered?
Yes. The IOC Hunter Feed supports optional API query parameters, including days to limit results by publication age and publication_domain to filter results by publication apex domain.
These parameters are applied at request time when accessing the feed through the API.
How are the C2 Feed and IOC Hunter Feed accessed?
Both the C2 Feed and IOC Hunter Feed are accessed through API requests using an API token.
Data is returned in JSON format, with GZ-compressed JSON available for retrieval. Both feeds are updated on a daily basis.
How are the C2 Feed and IOC Hunter Feed accessed?
Both the C2 Feed and IOC Hunter Feed are accessed through API requests using an API token.
Data is returned in JSON format, with GZ-compressed JSON available for retrieval. Both feeds are updated on a daily basis.
How are the C2 Feed and IOC Hunter Feed accessed?
Both the C2 Feed and IOC Hunter Feed are accessed through API requests using an API token.
Data is returned in JSON format, with GZ-compressed JSON available for retrieval. Both feeds are updated on a daily basis.
Hunt adversary infrastructure in real time. Surface C2 servers, enrich IOCs,
and map attacker activity at scale with our unified threat hunting platform.
©2026 Hunt Intelligence, Inc.
Hunt adversary infrastructure in real time. Surface C2 servers, enrich IOCs,
and map attacker activity at scale with our unified threat hunting platform.
©2026 Hunt Intelligence, Inc.
Hunt adversary infrastructure in real time. Surface C2 servers, enrich IOCs,
and map attacker activity at scale with our unified threat hunting platform.
©2025 Hunt Intelligence, Inc.