Cyware Threat Intelligence eXchange

View all threat data objects from Team Cymru feeds

'source' = "Team Cymru"

View bot IP addresses from Team Cymru feeds

'source' = "Team Cymru" AND 'tag' = "Controller IP Address"source' = "Team Cymru" AND 'tag' = "BOT IP Address"

View all controller IP addresses from Team Cymru feeds

'source' = "Team Cymru" AND 'tag' = "Controller IP Address"

View all controller host addresses from Team Cymru feeds

'source' = "Team Cymru" AND 'tag' = "Controller Host Address"

View malware samples from Team Cymru feeds

'source' = "Team Cymru" AND 'tag' = "Malware Sample"

View threat data objects from BARS Feed

'source' = "Team Cymru" AND 'source_collection' = "BARS Feeds"

View threat data objects from Controller Feed

'source' = "Team Cymru" AND 'source_collection' = "Controller Feeds"

TC: Total Objects

Displays the total number of threat data objects received from Team Cymru in the selected time range

TC: Total Indicators

Displays the total number of indicators received from Team Cymru in the selected time range

TC: BOT IP Adresses

Displays the total number of bot IP addresses from Team Cymru in the selected time range

TC: Controller IP Addresses

Displays the total number of controller IP addresses from Team Cymru in the selected time range

TC: Controller Host Addresses

Displays the total number of controller host addresses from Team Cymru in the selected time range

TC: Malware Samples

Displays the total number of malware samples from Team Cymru in the selected time range

TC: Object Distribution by Collection

Categorizes and displays threat data objects by object type (such as identity, indicator, observable) from the Controller and BARS feeds  in the selected time range

TC: IP Address Distribution by Detection Type

Displays the number of IP addresses grouped by their detection type (such as Active Probe, Netflow) as defined by Team Cymru in the selected time range

TC: Tag Distribution

Displays the number of threat data objects grouped by Team Cymru tags in the selected time range

TC: Indicator Distribution by Category

Displays the number of indicators based on Team Cymru tags in the selected time range

TC: Ingestion Trend by Collections

Displays the number of indicators ingested in the BARS and Controller Feed collections in the selected time range

TC: Ingestion Trend by Object Type

Displays the number of threat data objects categorized by object types in the selected time range

TC: Indicator Distribution by Source Collection Over Confidence Score

Displays indicators grouped by source collection and their confidence scores in the selected time range

TC: Indicator Distribution By IOC Type over Confidence Score

Displays indicators categorized by IOC type along with their confidence scores in the selected time range

Controller Feed

Cyware Generated

This tag represents the objects received from Team Cymru Controller Feeds

BARS BOTS Feed

Cyware Generated

This tag represents the objects received from Team Cymru BARS BOTS Feeds

BARS CNC Feed

Cyware Generated

This tag represents the objects received from Team Cymru BARS CNC Feeds

BARS DDOS Feed

Cyware Generated

This tag represents the objects received from Team Cymru BARS DDOS Feeds

BOT IP Address

Cyware Generated

This tag identifies the IP addresses of a device that has been compromised and now acts as a bot for the associated botnet

Controller Host Address

Cyware Generated

This tag identifies the IOCs that are hosting botnet or command and control infrastructures

Controller IP Address

Cyware Generated

This tag identifies the IP addresses that are part of a botnet or command and control infrastructure

Malware Sample

Cyware Generated

This tag identifies a hash of a file or executable representing a unique instance of malware observed in communication with a botnet or command and control infrastructures

<malware_family_name> Sample

Cyware Generated

This tag identifies a malware sample associated with a specific malware family, providing insight into its behavior and communication patterns

Communication Type/<Protocol Name>

Cyware Generated

This tag specifies the communication protocol (for example, HTTP, TCP) used to communicate with the associated botnet or command and control infrastructure

Associated Service/Port <Port Number>

Cyware Generated

This tag specifies the associated port number used to communicate with the associated botnet or command and control infrastructure

Associated Service/Port <Port Service Name>

Cyware Generated

This tag specifies the associated port service name used to communicate with the associated botnet or command and control infrastructure

Malware/<Malware Family Name>

Cyware Generated

This tag represents the malware family associated with the threat data object

<detection-type> detection

Cyware Generated

This tag represents the detection method used by Team Cymru to identify the IP address

SSL Usage Detected

Cyware Generated

This tag specifies that SSL usage was detected during the communication to the botnet or the controller associated with the event

Controller instruction decoded

Cyware Generated

This tag specifies that controller instruction was successfully decoded during the communication of the IP address to the botnet or controller associated with the event

DDoS related activity detected

Cyware Generated

This tag specifies that DDoS-related activity was detected for the botnet or controller related to the IP address.

Non-Standard port usage detected

Cyware Generated

This tag specifies that a non-standard port was used by the associated botnet or controller

<type>-based Controller

Cyware Generated

This tag describes the type of controller (for example, HTTP-based, IRC-based) managing botnet and command and ontrol operations.

TCP-based traffic attack

Cyware Generated

This tag specified that the associated infrastructure uses an attack leveraging TCP traffic

UDP-based traffic attack

Cyware Generated

This tag specified that the associated infrastructure uses an attack leveraging UDP traffic

ICMP-based traffic attack

Cyware Generated

This tag specified that the associated infrastructure is used to n attack using ICMP packets, such as ping floods or other ICMP-related vectors.

Syn flood attack

Cyware Generated

This tag specified that the associated infrastructure uses a type of DDoS attack that exploits the TCP handshake process/SYN Floods to overwhelm the target.

HTTP/HTTPS-based resource attack

Cyware Generated

This tag specified that the associated infrastructure uses an attack that uses HTTP or HTTPS traffic to overload a target, often targeting application-level resources.

blockchain

Team Cymru - IP Insights Feeds

The blockchain tag identifies infrastructure that utilizes blockchain technologies. This tag covers a range of blockchain applications, including cryptocurrency as well as other implementations of blockchain methodologies.

bogon

Team Cymru - IP Insights Feeds

Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a Regional Internet Registry (RIR) by the Internet Assigned Numbers Authority.

cdn

Team Cymru - IP Insights Feeds

The cdn tag characterizes IP addresses associated with Content Delivery Networks (CDNs). A Content Delivery Network (CDN) is a system of distributed servers strategically positioned around the world. Its primary purpose is to deliver web content, such as images, videos, scripts, and other static Cles, to end users in a faster, and more efficient manner. CDNs are sometimes associated with serving content for multiple different customers and can be an indication of possible shared hosting environment. The cdn tag has sub-tags to represent specific CDN vendors, such as cdn77, Akamai, and more.

cloud

Team Cymru - IP Insights Feeds

IP addresses with the cloud tag represent cloud computing infrastructure, such as storage, databases, virtual machines, and other functionality. Its sub-tags may denote specific cloud providers, such as Amazon, Microsoft, Google, and more. Other sub-tags can include specific functionality of the cloud service involved and regional information if available.

controller

Team Cymru - IP Insights Feeds

The controller tag indicates a system that is providing command and control (C2) services for a botnet. There are numerous types of controllers and new families (represented as sub-tags) are added frequently.

honeypot

Team Cymru - IP Insights Feeds

The honeypot tag is used to gag IP addresses that exhibit characteristics resembling honeypots. Honeypots are specialized server systems designed to mimic vulnerabilities, intentionally luring potential attackers. Honeypots come in various types and may be associated with related sub-tags such as gaspot.

ics

Team Cymru - IP Insights Feeds

IP addresses with the ICS tag are associated with industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems. The devices found here are programmable logic controllers (PLCs), remote terminal units (RTUs), sensors, actuators, and also software that helps manage these devices, such as SCADA and human-machine interfaces (HMIs). Sub-tags exist for ICS that help identify vendors of these devices and software, such as johnson_controls and Siemens.

iot

Team Cymru - IP Insights Feeds

IP addresses tagged as IoT have been observed as publicly accessible IOT (Internet of Things) devices such as IP cameras, smart TVs, printers, and DVRs. IoT devices provide "smart" capabilities by collecting and exchanging data over the Internet or providing more accessibility to various services. IOT devices are targeted by attackers by gaining unauthorized access and infecting devices to participate in botnet operations.

malware

Team Cymru - IP Insights Feeds

The malware tag identifies an IP address where a malicious file was recently hosted. All malware samples downloaded are checked against AV signatures to confirm they are malicious. IP addresses that are on shared hosting or CDNs are excluded from this category.

messaging

Team Cymru - IP Insights Feeds

Messaging IP addresses are used to identify infrastructure for common messaging applications and networks, such as Discord, WhatsApp, and Telegram, and can include more closed messaging servers using XMPP.

mobile

Team Cymru - IP Insights Feeds

This tag identifies IP address ranges associated with Internet service providers that provide Internet connectivity via cellular networks and associated wireless technology such as 4G and 5G.

nas

Team Cymru - IP Insights Feeds

IP addresses with the nas tag signify devices referred to as network-attached storage (NAS) devices. These are commonly utilized as file servers on local networks as they make data available over a network. Sub-tags may represent vendors and device model information if identified.

openresolvers

Team Cymru - IP Insights Feeds

The open resolvers tag identifies an IP associated with a Domain Name System (DNS) service that answers any DNS query from anyone. Open resolvers are often used in DNS amplification and reflection attacks.

orb

Team Cymru - IP Insights Feeds

Operational Relay Box (ORB) networks are infrastructures employed by threat groups, including Advanced Persistent Threats (APTs), to act as proxy networks that obscure their operational activities.

ost

Team Cymru - IP Insights Feeds

This tag identifies endpoints with a known Offensive Security Tool (OST). These tools are often used by penetration testers or security teams, but in some cases also by bad actors. Included in this category are those endpoints that act like a command and control or callback server. Some examples include gophish, deimos, and cobaltstrike. If an OST indicator is suspected of malicious activity, it will appear under the controller tag.

phishing

Team Cymru - IP Insights Feeds

The phishing tag identifies a host that has been implicated in hosting a malicious phishing page.

proxy

Team Cymru - IP Insights Feeds

The tag proxy identifies IP addresses running popular proxy software. In the context of network architecture, proxies operate as intermediary servers between clients and other servers, bridging the communication between these two ends. Proxies can be used to mask the IP addresses of either the server or the client on either side, adding a layer of security/privacy. Sub-tags, if present, represent common proxy software found running, such as squid or tinyproxy.

residential

Team Cymru - IP Insights Feeds

This tag identifies IP address ranges associated with Internet service providers that provide Internet connectivity to residential homes and businesses.

risknet

Team Cymru - IP Insights Feeds

Risk networks are tagged with the risknet tag. This tag is used to identify IP addresses belonging to hosting providers that have been associated with an elevated level of suspicious and/or malicious behavior.

router

Team Cymru - IP Insights Feeds

The router tag denotes IP addresses associated with devices running publicly accessible services that identify them as router software or Crmware. Typically, these are Small Oece/Home Oece (SOHO) routers. Cybercriminals frequently target SOHO routers, aiming to capitalize on potential security weaknesses inherent in these devices. Router IP addresses can have child tags that represent vendor and device model information if available.

satellite

Team Cymru - IP Insights Feeds

IP addresses linked to satellite connectivity are identiCed with the satellite tag. These IP addresses represent Very Small Aperture Terminals (VSAT) and Satellite ISP IP addresses used by their customers.

scanner

Team Cymru - IP Insights Feeds

IP addresses tagged as a scanners have been observed scanning the Internet. This scanning activity could potentially signify the presence of compromised machines, potentially harnessed by malicious actors to identify and exploit vulnerabilities in other systems connected to the network. Some of the IP addresses tagged as a scanner may have additional sub-tags that provide more insight into the activity. For example, Shodan or Censys sub-tags may be used to tag IP addresses from known vendors that scan the Internet, or sub-tags such as ssh-scanner are used to identify scanning activity observed scanning port 22 (SSH).

shared-host

Team Cymru - IP Insights Feeds

The shared-host tag indicates IP addresses that are hosting numerous domains.

sinkhole

Team Cymru - IP Insights Feeds

This tag refers to the IP addresses engaged in DNS sinkholing of malicious domains, directing them to a controlled IP address. The sub-tag sinkhole-ns specifically identifies the name servers participating in the sinkholing process. IP addresses lacking this sub-tag represent the actual sinkhole IPs responsible for receiving the redirected traffic.

tarpit

Team Cymru - IP Insights Feeds

The tarpit tag identified IP addresses with a device that purposely delays incoming scanning connections. IP addresses tied to these devices often have a large number of open ports. This technique can be used as a defense mechanism to slow down scanning activity by exhausting the attackers' resources.

top-site

Team Cymru - IP Insights Feeds

IP addresses tagged as a top-site represent IPs that received the highest recurring web (HTTP/HTTPS) traced in the last seven days and are associated with domains that have the highest amount of passive DNS records. Top sites are currently limited to the top 40,000 IP addresses and will be expanded in future updates.

tor

Team Cymru - IP Insights Feeds

IPs tagged as Tor are identified in Tor's Consensus.

vpn

Team Cymru - IP Insights Feeds

The VPN tag is utilized to identify IP addresses associated with Virtual Private Networks (VPNs). This umbrella term encompasses an array of commercial VPN service providers, such as NordVPN, ExpressVPN, among several others, that offer consumer-facing services designed to enhance online privacy and security. In addition to commercial VPN services, the VPN tag also includes IP addresses known to be operating as VPN endpoints. These endpoints often facilitate remote access to a particular network, which can be a critical function for businesses with remote employees, ensuring secure, encrypted access to company resources from potentially unsecured locations. Sub-tags are available for specific vendors and products if identified.

team_cymru_source_confidence

The confidence score assigned to a controller IP derived from Team Cymru Controller Feeds. This is replaced with team_cymru_reputation_score in newer releases.

source_threat_score

A generic custom attribute mapped to team_cymru_reputation_score, representing the threat reputation of a given IP address.

team_cymru_reputation_score

The reputation score provided by Team Cymru for the given IP address.

indicator_went_down

The timestamp indicates when the associated controller was last seen inactive.

indicator_last_checked

The timestamp of the last successful communication between Team Cymru and the controller at the specified IP address.

indicator_first_active

The timestamp of the first observation associating the IP address with the given controller.

indicator_came_up

The timestamp of the most recent time the controller at this IP address came up or re-emerged after inactivity. This is used for tracking controllers that are not constantly active.

address_uses_ssl

Indicates whether the indicator has been observed using SSL for its communication.

Note:

address_resolves

Indicates whether DNS resolution for the associated controller was successful for the given address (IP, URL, domain)

address_active

Indicates whether the associated controller is currently operational on the specified address (IP, URL, domain)

team_cymru_insights_rating

The IP insights rating provided by Team Cymru for an IP address. Possible values: Malicious, Suspicious, No Rating.

team_cymru_ip_insights_categories

Categories assigned to an IP address based on Team Cymru IP Insights parent tags. Type: List. Possible values: blockchain, bogon, cdn, cloud, controller, honeypot, ics, iot, malware, messaging, mobile, nas, openresolvers, orb, ost, phishing, proxy, residential, risknet, router, satellite, scanner, shared-host, sinkhole, tarpit, top-site, tor, vpn.

ssl_usage_detected

Indicates whether SSL usage has been observed in communications between the indicator and associated infrastructures.

Note: This calculated based on the IP address’s own attributes extracted by breaking down the reputation key. The SSL usage may not be consistent for every communication.

non_standard_port_usage

Indicates whether non-standard port usage has been observed in communications between the indicator and associated infrastructures.

Note: Non-standard port usage may not occur for every communication.

indicator_category

Contains the category of the indicator based on Team Cymru data. Possible values: controller_ip_address, malware_sample, controller_host_address, bot_ip_address.

detection_type

Describes the detection method used by Team Cymru to identify the given IP address.

ddos_related_activity_detected

Indicates whether the given object has been involved in any DDoS-related activity.

controller_instruction_decoded

Indicates whether the controller instruction was successfully decoded during communication between the given IP address and the botnet or controller associated with the event.

controller_id

Contains the Team Cymru-defined IDs of associated botnets and controllers.

x_team_cymru_reputation_key

The reputation key assigned by Team Cymru for the given IP address, representing the key parameters used in the reputation score.

x_team_cymru_reputation_key_enumeration

A detailed breakdown of the reputation key, showing the various parameters used by Team Cymru to calculate the reputation score.