Free Cyber Threat Intelligence
straight from honeypots.

Malicious IPs, domains, hashes and attacker commands observed in the wild. Downloadable every hour, no API key, no signup.

Search an IOC → Browse feeds API docs

Loading… • Source: Cowrie SSH/Telnet honeypot

Malicious IPs

000000

—

Malicious domains

0000

—

File hashes (SHA256)

000

—

Attacker commands

0000

—

Quick IOC lookup

Paste an IP, domain or hash to check if it's in our feeds.

Trends & distribution

Daily new IPs — last 30 days

Attackers observed per day.

Top /8 IP ranges

By first octet, across all observed attackers.

Top malicious TLDs

Among URLs captured in attacker commands.

Feeds you can consume

🌐 IP blocklist

All attacker IPs ever seen. One IP per line, sorted. Also available per-day.

all_ip.txt Daily files

🔗 Domains & URLs

URLs extracted from attacker shell commands — typically malware drop-points.

all_domains.txt

🔐 SHA256 hashes

Hashes of payloads attackers dropped on the honeypot.

sha256.txt

⚡ Attacker commands

Unique shell commands typed on the honeypot — TTPs, C2 probes, wipers.

commands.txt

🛡️ Suricata rules

IDS rules auto-generated from today's IP blocklist. Drop-in for your sensor.

Browse rules

📝 Raw Cowrie logs (sanitised)

Full JSON event logs, with the honeypot IP masked. Great for lab replays.

Browse logs

How we collect this

Check-The-Sum runs a Cowrie SSH/Telnet honeypot: a fake shell that records every attacker session, every command typed, and every file downloaded. Every hour a Python pipeline parses the raw event log, extracts IOCs, sanitises our own IP, and publishes the feeds here as static files — no database, no API key, no friction.

We also share everything with VirusTotal and AbuseIPDB so that the wider community benefits too.

Free Cyber Threat Intelligencestraight from honeypots.

Statistics