malware-intel
ThreatFox (abuse.ch)
An open indicator-of-compromise sharing platform from abuse.ch, cataloguing millions of IPs, domains, hashes and URLs tied to named malware. It is queried via its API with the free abuse.ch Auth-Key. Useful for putting an artifact in context: search a hash or domain and learn which malware family or campaign it has been associated with.
API key required
Why it’s useful & how it works
Uses the same free abuse.ch Auth-Key (2026). Hash and IOC lookups use JSON. Reachable both ways.
What’s inside
Millions of IOCs.
API access
POST https://threatfox-api.abuse.ch/api/v1/ with query set to search_ioc or search_hash; send the key in the Auth-Key header.
An API key is required — usually free; see the endpoints above for where to get one.
Access
Programmatic API access (a key may be required — see the API tag).