Overview
This section contains Indicators of Compromise (IOCs) in JSON/CSV format.
Feeds are designed for ingestion into SIEM/EDR environments.
Available IOC Feeds
March 2026
- ZeroTrace Multi-Family MaaS Operation (Open Directory 74.0.42.25)
- Sliver C2 / ScareCrow Loader Open Directory Kit (45.94.31.220)
February 2026
- Webserver Compromise Kit 91.236.230.250
- Remcos RAT OpenDirectory Campaign (203[.]159[.]90[.]147)
- NsMiner Cryptojacker
January 2026
- Arsenal-237 New Files: full_test_enc.exe (Advanced Rust Ransomware)
- Arsenal-237 New Files: new_enc.exe (Human-Operated Rust Ransomware)
- Arsenal-237 New Files: dec_fixed.exe (Ransomware Decryptor)
- Arsenal-237 New Files: enc_c2.exe (Rust Ransomware with Tor C2)
- Arsenal-237 New Files: chromelevator.exe (Browser Credential Theft)
- Arsenal-237 New Files: nethost.dll (DLL Hijacking Persistence)
- Arsenal-237 New Files: rootkit.dll (Kernel-Mode Rootkit)
- Arsenal-237 New Files: BdApiUtil64.sys (Vulnerable Baidu Driver)
- Arsenal-237 New Files: lpe.exe (Privilege Escalation)
- Arsenal-237 New Files: killer_crowdstrike.dll (CrowdStrike-Specific Termination)
- Arsenal-237 New Files: killer.dll (BYOVD Process Termination)
- Arsenal-237: enc/dec Ransomware Family
- Arsenal-237: uac_test.exe
- Arsenal-237: FleetAgentFUD.exe
- Arsenal-237: FleetAgentAdvanced.exe
- Arsenal-237: agent_xworm_v2.exe (XWorm RAT v2.4.0)
- Arsenal-237: agent_xworm.exe (XWorm RAT v6)
- Arsenal-237: agent.exe (PoetRAT)
December 2025
November 2025
- Hybrid Loader/Stealer Ecosystem Masquerading as Sogou
- Houselet.exe - The Go-Based Loader Masquerading as PlayStation Remote Play
October 2025
Usage
- Import feeds directly into SIEM/EDR workflows.
- Use feeds for enrichment in CTI platforms.
- Adapt feeds for custom detection pipelines.
License
IOC feeds are licensed under Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0).
Free to use in your environment, but not for commercial purposes.