Infoblox Threat Intel detects, curates, and publishes threat intelligence data pertaining to relevant cyber campaigns. TIG is sharing indicators of compromise (IOCs) related to threats that are of high interest to the cyber security community through this public repository. The following describes the contents of each dataset (i.e. data folder). The folders within this repository contain CSV and JSON files that are MISP compatible.
This material is being provided by Infoblox under the Creative Commons CC BY 4.0 license. This license allows you to share and adapt the material, in particular to use it for both commercial and non-commercial security purposes, provided that you give attribution to Infoblox and indicate the license. For more details, see the LICENSE file in our repo or visit https://creativecommons.org/licenses/by/4.0/
The indicators folder contains both CSV and JSON formatted files that are compatible with MISP. The contents relate to compelling cyber crime events, such as IOCs controlled by specific DNS threat actors or cyber campaigns related to major war conflicts and natural disasters.
The majority of the content is based on Infoblox internal analytics and validation analysis, though some OSINT is also included. Files contain a classification column describing the threat severity of each indicator. Indicators classified as malicious are largely confirmed threats; indicators classified as suspicious are high risk. Infoblox recommends blocking traffic from the high threat severity network indicators described in these files.
This folder contains useful information associated with malicious binaries that can help security professionals find other related software on their networks. Information includes configuration settings or encryption keys used by malware. We also provide YARA rules for specific threats. Security operations center (SOC) teams and threat researchers can run these rules retrospectively to determine whether their networks were previously targeted by the malware.
Infoblox is sharing code with the cybersecurity community in the hope of facilitating threat research, investigation, and automated detection. This includes utility code that can help researchers reproduce the results we describe and share via our publications. We normally distribute our code samples under the GNU General Public License v3.0 or later.
| Field | Description |
|---|---|
| type | The data type of the IOC. Possible values: domain, ip, url, sha256, and email. |
| indicator | The IOC itself: an analysis artifact, i.e. a piece of forensic data related to online activities. |
| classification | Descriptive label that explains the nature and threat severity of the IOC (e.g. malicious, suspicious). |
| detected_date | The date on which we detected the IOC, formatted in ISO 8601. |
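The following is an added example of consuming a file in the four-column layout above; it is not code from the Infoblox repository. It parses the CSV, rejects rows whose type is unknown or whose detected_date is not ISO 8601 (so a malformed row is reported rather than silently pushed into a blocklist), and then selects only the network indicator types (domain, ip, url) whose classification is malicious or suspicious, optionally restricted to entries detected on or after a given date for incremental feed refreshes. The sample rows are constructed and the assumption that classification values other than malicious and suspicious are not block-worthy is the example's own.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in the four-column layout described above.
# None of these values is a real indicator from the repository; the last
# row deliberately carries a malformed date to exercise the validation path.
SAMPLE_CSV = """type,indicator,classification,detected_date
domain,c2-beacon.example,malicious,2024-03-04T12:00:00+00:00
ip,192.0.2.10,suspicious,2024-03-05T08:30:00+00:00
url,http://login-verify.example/account,malicious,2024-03-05T09:15:00+00:00
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,malicious,2024-03-06T00:00:00+00:00
email,billing@invoice-notice.example,suspicious,2024-03-06T10:45:00+00:00
domain,typo-in-row.example,malicious,not-a-date
"""

VALID_TYPES = {"domain", "ip", "url", "sha256", "email"}
# Types that can be enforced at the DNS / network layer.
NETWORK_TYPES = {"domain", "ip", "url"}
# Severities described as confirmed (malicious) or high risk (suspicious).
# Assumption of this example: any other label is not treated as block-worthy.
BLOCK_CLASSIFICATIONS = {"malicious", "suspicious"}


def parse_indicators(text):
    """Parse indicator CSV text, returning (valid_rows, rejected_rows).

    A row is rejected when its type is unknown, its indicator is empty, or
    its detected_date does not parse as ISO 8601. Rejected rows are returned
    with the reason so the caller can log them instead of ignoring them.
    """
    valid, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            if row["type"] not in VALID_TYPES or not row["indicator"]:
                raise ValueError("unknown type or empty indicator")
            # Replace the string with an aware datetime for later comparison.
            row["detected_date"] = datetime.fromisoformat(row["detected_date"])
        except (KeyError, ValueError) as exc:
            rejected.append((row, str(exc)))
            continue
        valid.append(row)
    return valid, rejected


def build_blocklist(rows, since=None):
    """Group blockable network indicators by type.

    `since` is an optional ISO 8601 string; entries detected before it are
    dropped, which is how an incremental refresh of an existing feed works.
    """
    cutoff = datetime.fromisoformat(since) if since else None
    blocklist = {}
    for row in rows:
        if row["type"] not in NETWORK_TYPES:
            continue
        if row["classification"] not in BLOCK_CLASSIFICATIONS:
            continue
        if cutoff is not None and row["detected_date"] < cutoff:
            continue
        blocklist.setdefault(row["type"], []).append(row["indicator"])
    return blocklist


def count_by_classification(rows):
    """Return a {classification: count} summary of the valid rows."""
    counts = {}
    for row in rows:
        counts[row["classification"]] = counts.get(row["classification"], 0) + 1
    return counts


if __name__ == "__main__":
    valid_rows, rejected_rows = parse_indicators(SAMPLE_CSV)
    for bad_row, reason in rejected_rows:
        print(f"rejected {bad_row.get('indicator')!r}: {reason}")
    print("severity summary:", count_by_classification(valid_rows))
    for ioc_type, values in build_blocklist(valid_rows).items():
        print(f"{ioc_type}: {', '.join(values)}")
```

In practice the sha256 and email rows are still useful (for retrospective hunting in EDR or mail logs), which is why the parser keeps them and only the blocklist step filters them out.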
The indicators in this repo include those relevant to our publications on the threat environment.
"Ukraine War" Malspam Delivers Remcos RAT
Ukraine Themed Malspam Delivers Agent Tesla
Scammers First on the Scene for Türkiye's “Disaster of the Century”
The Smish is Coming from Inside the House
VexTrio DDGA Domains Spread Adware, Spyware, and Scam Web Forms
Vast Malvertising Network Hijacks Browser Settings to Spread Riskware
Emotet: A Malware Family That Keeps Going
Scams Using Fake Celebrity Endorsements Target EU Countries
French Smishing Campaign Uses Fake Social Security Portal
Don’t Dial that Number! Distribution of Phishing Lookalikes through Fake Support Calls
Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic
Decoy Dog is No Pupy (Indicators of Compromise)
Decoy Dog is No Ordinary Pupy (Whitepaper)
Suspicious DGA Domains, Discovered in DNS, Turn up in Malware Campaigns
Open Tangle Creates a Phishing Net for Consumers
Prolific Puma: Shadowy Link Shortening Service Enables Cybercrime
Your Package Can’t Be Delivered: Identifying USPS Smishing Infrastructure
Cybercrime Central: VexTrio Operates Massive Criminal Affiliate Program
RDGAs: The Next Chapter In Domain Generation Algorithms
VIGORISH VIPER: A VENOMOUS BET
NO, ELON MUSK WAS NOT IN THE U.S. PRESIDENTIAL DEBATE
DNS PREDATORS ATTACK: VIPERS AND HAWKS HIJACK SITTING DUCKS DOMAINS
A PHISHING TALE OF DOH AND DNS MX ABUSE
TELEGRAM TANGO: DANCING WITH A SCAMMER
CLOUDY WITH A CHANCE OF HIJACKING. FORGOTTEN DNS RECORDS ENABLE SCAN ACTORS
Infoblox customers can find additional detailed information about the decision criteria for a given indicator in the notes field within the Threat Intelligence Data Exchange (TIDE) database.