Use Bulk Data feeds


Bulk Data feeds are unenriched feeds containing domains, URLs, and nameservers that are exportable as a TXT or CSV file, or as an API endpoint.

Feeds are categorized by data type and contain information on important changes and additions across the global IPv4/6 range, which organizations can use to inform their cyber defense operations, such as lists of new nameservers or country code top-level domains (ccTLDs).

Access Bulk Data feeds

  1. Log in to your Enterprise account.

  2. Navigate to Data Export > Bulk Data Exports.

Export data with API endpoint

  1. Log in to your Enterprise account.

  2. Navigate to Data Export > Bulk Data Exports.

  3. Click the Automate Export button on the chosen feed.

  4. Select the required file type.

  5. Click the Copy API Endpoint button. The endpoint retrieves a time-limited URL (3 hours) that you can call to download the file.

  6. Click the cURL, Python, or PHP tab to copy a code sample, then call the endpoint from another security tool.

Export data as a text file

  1. From the Silent Push menu, navigate to Data Exports > Archive Exports.

  2. Choose the Card or Table view, and click Download file.

  3. Select the required file type.

  4. Click Download file.

  5. Select the required file type.
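
An added example, not Silent Push code: one way to use a downloaded text export in detection, matching resolver log rows against the feed and queuing hits for review rather than blocking, since the feeds are unenriched. It assumes the export holds one domain or IP per line; the sample feed, log rows and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample export (assumed layout: one indicator per line).
SAMPLE_FEED = "Example-New.test\nshop.example-rent.test.\n198.51.100.7\n2001:DB8::0010\n\n"

# Constructed resolver log rows: (client, queried name, answer address).
SAMPLE_LOG = [
    ("10.0.0.5", "login.example-new.test", "203.0.113.9"),
    ("10.0.0.6", "notexample-new.test", "203.0.113.10"),
    ("10.0.0.7", "cdn.example.org", "198.51.100.7"),
    ("10.0.0.8", "example-rent.test", ""),
    ("10.0.0.9", "v6.example.org", "2001:db8::10"),
]

def load_feed(text):
    """Split an export into normalized domain names and IP address objects."""
    domains, ips = set(), set()
    for raw in text.splitlines():
        item = raw.strip().lower().rstrip(".")
        if not item:
            continue
        try:
            ips.add(ipaddress.ip_address(item))  # normalizes IPv6 text forms
        except ValueError:
            domains.add(item)
    return domains, ips

def match_domain(name, domains):
    """Return the feed entry equal to `name` or a parent of it, else None."""
    labels = name.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):  # compare whole labels, never raw substrings
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def triage(log, feed_text):
    """Flag log rows that touch a feed entry; hits are queued for review."""
    domains, ips = load_feed(feed_text)
    hits = []
    for client, qname, answer in log:
        matched = match_domain(qname, domains)
        if matched is None:
            try:
                addr = ipaddress.ip_address(answer)
                matched = str(addr) if addr in ips else None
            except ValueError:
                matched = None  # empty or malformed answer field
        if matched:
            hits.append({"client": client, "query": qname, "matched": matched, "action": "review"})
    return hits
```

Matching on whole labels means a subdomain of a listed domain is flagged, while a lookalike such as `notexample-new.test` or the parent of a listed subdomain is not.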

List of Bulk Data feeds

Feed name

Description

Newly Registered Domains

A list of new domains, collected from daily ICANN zone file updates (exportable as a text file)

New ccTLD Domains

A list of new domains hosted on country code top-level domains (ccTLDs), first seen within the last 24 hours (exportable as a text file)

New Nameservers

A list of new nameservers, first seen within the last 24 hours (exportable as a text file)

New Self-Named Nameservers

A list of new self-named nameservers, first seen within the last 24 hours (exportable as a text file)

All Name Server Changes

A list of domains that have changed nameservers within the last 24 hours (exportable as JSON)

Name Server Changes to a Self-Named Name Server

Domains that have changed to a self-named nameserver within the last 24 hours (exportable as JSON)

New Mail Servers

New mail servers, seen within the last 24 hours (exportable as a text file)

Funnull CDN Domains

FUNNULL is a Chinese content delivery network (CDN) company involved in ongoing criminal campaigns, including investment scams, fake trading apps, and hosting online gambling networks. Over the past two years, Silent Push identified more than 200,000 unique hostnames being proxied through FUNNULL, with more than 95% appearing to have been created via domain generation algorithms (DGAs). A large portion of these FUNNULL-hosted domains are online gambling networks containing the logo and branding of Suncity Group, an organization accused of illegal betting and offshore operations, and allegedly supporting money laundering for Lazarus Group, according to a U.N. report. Additionally, FUNNULL’s modified Polyfill JavaScript library was recently used in a supply chain attack redirect that impacted more than 110,000 of the top websites on the internet (exportable as a CSV file)

IPFS Nodes IPv4

IPv4 addresses that have acted as IPFS nodes within the last 7 days (exportable as a text file)

IPFS Nodes IPv6

IPv6 addresses that have acted as IPFS nodes within the last 7 days (exportable as a text file)

ClickFix Weaponized WordPress Plugins - Infected IPs

IPs hosting WordPress websites running ClickFix weaponized plugins, in the past 30 days. This feed may contain legitimate IP infrastructure that was compromised by the threat actor, and is therefore provided here as bulk data feeds (BDFs) instead of IoFA feeds (exportable as a text file)

ClickFix Weaponized WordPress Plugins - Infected Domains

Domains hosting WordPress websites running ClickFix weaponized plugins, in the past 30 days. This feed may contain legitimate domain infrastructure that was compromised by the threat actor, and is therefore provided here as bulk data feeds (BDFs) instead of IoFA feeds (exportable as a text file)

AstrillVPN IPs

AstrillVPN is a VPN commonly employed by North Korean threat actors to conduct malicious actions on the internet (exportable as a CSV file)

Lazarus Test Log IPs

This feed provides a list of IPs that were discovered within the sensitive files that were acquired from the Contagious Interview infrastructure (exportable as a CSV file)

Publicly Rentable Domains

These domains allow anyone to register and rent subdomains on them. Some originate from the Public Suffix List (PSL), dynamic DNS providers, and various third-party services that facilitate subdomain leasing (exportable as a CSV file)

Smishing Threat IPs

This feed contains threat actors who abuse smishing tactics: sending malicious phishing messages over SMS text messages. This feed also contains IoFAs from Smishing Triad, a specific threat group known to target 50+ countries with smishing messages that focus on mail delivery scams, toll road scams, and certain types of other government services scams (exportable as a CSV file)

Smishing Threat Domains

This feed contains threat actors who abuse smishing tactics: sending malicious phishing messages over SMS text messages. This feed also contains IoFAs from Smishing Triad, a specific threat group known to target 50+ countries with smishing messages that focus on mail delivery scams, toll road scams, and certain types of other government services scams (exportable as a CSV file)

Smishing Threat Archive Domains

This feed contains the archive of threat actors who abuse smishing tactics: sending malicious phishing messages over SMS text messages. This feed also contains IoFAs from Smishing Triad, a specific threat group known to target 50+ countries with smishing messages that focus on mail delivery scams, toll road scams, and certain types of other government services scams (exportable as a CSV file)

Smishing Threat Archive IPs

This feed contains the archive of threat actors who abuse smishing tactics: sending malicious phishing messages over SMS text messages. This feed also contains IoFAs from Smishing Triad, a specific threat group known to target 50+ countries with smishing messages that focus on mail delivery scams, toll road scams, and certain types of other government services scams (exportable as a CSV file)

FakeUpdates - merchantServices IPs

This FakeUpdates / SocGholish cluster is named merchantServices. The actor exploits vulnerable sites and uses them to deliver the malicious code to more victims (exportable as a CSV file)

FakeUpdates - merchantServices Domains

This FakeUpdates / SocGholish cluster is named merchantServices. The actor exploits vulnerable sites and uses them to deliver the malicious code to more victims (exportable as a CSV file)