TweetFeed

Feeds of IOCs posted by the community at Twitter

TweetFeed.live   |    Source code   |    Feedback

Want to integrate with OpenCTI? Now you can!

---

---

☰ Content

• Data collected
• Some statistics
• How it works
• Hunting IOCs via Microsoft Defender
• Author
• Disclaimer

❤️ Support the project

If you like the project, please consider:

• Giving it a star ⭐
• Invite to a coffee ☕

📄 Data collected

Feeds

2025-04-14 20:06:30 (UTC)
Today	Last 7 days	Last 30 days	Last 365 days
📋 Today (raw)	📋 Week (raw)	📋 Month (raw)	📋 Year (raw)

Output example

Date (UTC)	SourceUser	Type	Value	Tags	Tweet
2021-08-14 02:26:32	phishunt_io	url	https://netflix.us2.cards/	#phishing #scam	https://twitter.com/phishunt_io/status/1426369619422502917
2021-08-17 12:15:00	TheDFIRReport	ip	185.56.76.94	#Trickbot	https://twitter.com/TheDFIRReport/status/1427604874053578756

📊 Some statistics

Types

Type	Today	Week	Month	Year
🔗 URLs	416	2410	11166	49948
🌐 Domains	290	1583	7749	35998
🚩 IPs	147	792	3266	13051
🔢 SHA256	17	75	408	1621
🔢 MD5	13	84	365	1211

---

Tags

Tag	Today	Week	Month	Year
#phishing	517	2790	14267	66590
#scam	43	320	1769	7409
#opendir	0	31	106	635
#malware	80	546	4308	18002
#maldoc	0	0	0	4
#ransomware	0	3	86	302
#banker	0	0	0	3
#AgentTesla	0	3	11	55
#Alienbot	0	0	0	0
#AsyncRAT	29	100	388	1367
#Batloader	0	0	0	0
#BazarLoader	0	0	0	0
#CobaltStrike	58	299	1495	6727
#Dcrat	2	16	52	374
#Emotet	0	0	0	0
#Formbook	0	0	7	22
#GootLoader	0	0	0	5
#GuLoader	0	0	10	16
#IcedID	0	0	0	0
#Lazarus	0	0	0	52
#Lokibot	0	0	6	237
#log4j	0	0	0	9
#Log4shell	0	0	0	0
#Njrat	4	38	205	1084
#Qakbot	2	45	121	572
#Raccoon	0	0	0	0
#RedLine	0	5	19	110
#Remcos	15	116	476	1274
#RaspberryRobin	0	0	0	0
#Spring4Shell	0	0	0	0
#SocGolish	0	0	0	7
#Ursnif	0	0	0	0

---

Top Reporters (today)

Number	User	IOCs
#1	Phish_Destroy	246
#2	drb_ra	160
#3	romonlyht	154
#4	skocherhan	110
#5	malwrhunterteam	36
#6	@Phish_Destroy	6
#7	@CarlyGriggs13	4
#8	@urldna_bot	2
#9	Metemcyber	15
#10	urldna_bot	10

❓ How it works?

Search tweets that contain certain tags or that are posted by certain infosec people.

Tags being searched

(not case sensitive)

- #phishing
- #scam
- #opendir
- #malware
- #maldoc
- #ransomware
- #banker
- #AgentTesla
- #Alienbot
- #AsyncRAT
- #BazarLoader
- #Batloader
- #CobaltStrike
- #Dcrat
- #Emotet
- #Formbook
- #GootLoader
- #GuLoader
- #IcedID
- #Lazarus
- #Lokibot
- #log4j
- #Log4shell
- #Njrat
- #Qakbot
- #Raccoon
- #RedLine
- #Remcos
- #RaspberryRobin
- #Spring4Shell
- #SocGholish
- #Ursnif

Also search Tweets posted by

(these are trusted folks that sometimes don't use tags)

TweetFeed list

🔍 Hunting IOCs via Microsoft Defender

1. Search SHA256 hashes with yearly tweets feed

let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
'XXX' // Some SHA256 hash you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    | extend SHA256 = tostring(report[3])
    | where SHA256 !in(SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet 
);
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), ( 
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet

2. Search IP addresses with monthly tweets feed

let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
'XXX' // Some IP address you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in(IPaddress_whitelist)
    | where not(ipv4_is_private(RemoteIP))
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet 
);
union (
TweetFeed
    | join (
        DeviceNetworkEvents
    | where Timestamp > MaxAge
    ) on RemoteIP
) | project Timestamp, DeviceName, RemoteIP, Tag, Tweet

3. Search urls and domains with weekly tweets feed

let MaxAge = ago(30d);
let domain_whitelist = pack_array(
'XXX' // Some URL/Domain you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet 
);
union (
TweetFeed
    | join (
        DeviceNetworkEvents
    | where Timestamp > MaxAge
    ) on RemoteUrl
) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet

👤 Author

• Daniel López

📌 Disclaimer

Please note that all the data is collected from Twitter and sorted/served here as it is on best effort.

I have tried to tune as much as possible the searches trying to collect only valuable info. However please consider making your own analysis before taking any action related to these IOCs.

Anyway feel free to reach me out or to provide any kind of feedback regarding any contribution or suggestion.

---

By the community, for the community.