Use bulk data feeds

'Bulk Data' feeds are unenriched feeds containing domains, URLs, and nameservers that are exportable as a TXT or CSV file, or as an API endpoint.

Feeds are categorized by data type and contain information on important changes and additions across the global IPv4/6 range that organizations can use to inform their cyber defense operations, e.g. a list of new nameservers or a list of new country code top-level domains (ccTLDs).

To access Bulk Data Feeds:

  1. Log in to your Enterprise account

  2. Navigate to Data Export > Bulk Data Export

To export the data using an API endpoint:

  1. Log in to your Enterprise account

  2. Navigate to Data Export > Bulk Data Export

  3. Click the Automate Export button on your chosen feed

  4. Select the required file type

  5. Click the Copy API Endpoint button

  6. The endpoint will retrieve a time-limited URL (3h) that you can call to download the file

  7. Click on the cURL, Python or PHP tabs to copy code samples and call it from another security tool

To export the data as a text file:

  1. Log in to your Enterprise account

  2. Navigate to Data Export > Bulk Data Export

  3. Click the Automate Export button on your chosen feed

  4. Select the file type required

  5. Click the Download File button
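
An added example (not Silent Push code) of putting a downloaded text feed to work: it validates each line of the export, then matches DNS query logs against the resulting set, including subdomains of listed domains. The one-domain-per-line file layout and the `timestamp client qname qtype` log format are assumptions, and all sample data is constructed.

```python
import re

# One DNS label: letters, digits, hyphen or underscore; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def parse_feed(text):
    """Normalise a one-domain-per-line export; drop anything that is not a hostname."""
    domains = set()
    for raw in text.splitlines():
        name = raw.strip().rstrip(".").lower()
        labels = name.split(".")
        if len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels):
            domains.add(name)
    return domains

def match_queries(feed, log_lines):
    """Return (client, qname, feed_domain) for each query at or below a feed domain."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed log lines
        client, qname = parts[1], parts[2].rstrip(".").lower()
        labels = qname.split(".")
        # Walk parent suffixes so www.example.test matches example.test in the feed.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in feed:
                hits.append((client, qname, candidate))
                break
    return hits

# Constructed sample data (reserved .example/.test names, not real feed content).
SAMPLE_FEED = """parcel-track.example
ACCT-VERIFY.test.
not a domain
-bad-.example

toll-pay.example
"""
SAMPLE_DNS_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 www.parcel-track.example. A",
    "2025-01-01T10:00:01Z 10.0.0.7 intranet.corp.example A",
    "2025-01-01T10:00:02Z 10.0.0.9 acct-verify.test AAAA",
    "malformed",
]

if __name__ == "__main__":
    # Hits are triage leads: bulk feeds are unenriched, so review before blocking.
    for hit in match_queries(parse_feed(SAMPLE_FEED), SAMPLE_DNS_LOG):
        print(hit)
```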

List of Bulk Data Feeds

| Feed name | Description |
| --- | --- |
| Newly Registered Domains | A list of new domains, collected from daily ICANN zone file updates (exportable as a text file) |
| New ccTLD Domains | A list of new domains hosted on country code top-level domains (ccTLDs), first seen within the last 24 hours (exportable as a text file) |
| New Nameservers | A list of new nameservers, first seen within the last 24 hours (exportable as a text file) |
| New Self-Named Nameservers | A list of new self-named nameservers, first seen within the last 24 hours (exportable as a text file) |
| All Name Server Changes | A list of domains that have changed nameservers within the last 24 hours (exportable as a JSON file) |
| Name Server Changes to a Self-Named Name Server | Domains that have changed to a self-named nameserver within the last 24 hours (exportable as a JSON file) |
| New Mail Servers | New mail servers, seen within the last 24 hours (exportable as a text file) |
| Funnull CDN Domains | FUNNULL is a Chinese content delivery network (CDN) company involved in ongoing criminal campaigns, including investment scams, fake trading apps, and hosting online gambling networks. Over the past two years, Silent Push identified more than 200,000 unique hostnames being proxied through FUNNULL, with more than 95% appearing to have been created via domain generation algorithms (DGAs). A large portion of these FUNNULL-hosted domains are online gambling networks containing the logo and branding of Suncity Group, an organization accused of illegal betting and offshore operations, and allegedly supporting money laundering for Lazarus Group, according to a U.N. report. Additionally, FUNNULL's modified Polyfill JavaScript library was recently used in a supply chain attack redirect that impacted more than 110,000 of the top websites on the internet (exportable as a CSV file) |
| IPFS Nodes IPv4 | IPv4 addresses that have acted as IPFS nodes within the last 7 days (exportable as a text file) |
| IPFS Nodes IPv6 | IPv6 addresses that have acted as IPFS nodes within the last 7 days (exportable as a text file) |
| ClickFix Weaponized WordPress Plugins - Infected IPs | IPs hosting WordPress websites running ClickFix weaponized plugins in the past 30 days. This feed may contain legitimate IP infrastructure that was compromised by the threat actor, and is therefore provided here as a bulk data feed (BDF) instead of an IoFA feed (exportable as a text file) |
| ClickFix Weaponized WordPress Plugins - Infected Domains | Domains hosting WordPress websites running ClickFix weaponized plugins in the past 30 days. This feed may contain legitimate domain infrastructure that was compromised by the threat actor, and is therefore provided here as a bulk data feed (BDF) instead of an IoFA feed (exportable as a text file) |
| AstrillVPN IPs | AstrillVPN is a VPN commonly employed by North Korean threat actors to conduct malicious actions on the internet (exportable as a CSV file) |
| Lazarus Test Log IPs | This feed provides a list of IPs that were discovered within the sensitive files acquired from the Contagious Interview infrastructure (exportable as a CSV file) |
| Publicly Rentable Domains | These domains allow anyone to register and rent subdomains on them. Some originate from the Public Suffix List (PSL), dynamic DNS providers, and various third-party services that facilitate subdomain leasing (exportable as a CSV file) |
| Smishing Threat IPs | This feed contains IPs associated with threat actors who abuse "Smishing" tactics (sending malicious phishing messages over SMS text messages). This feed also contains IoFAs from Smishing Triad, a specific threat group known to target 50+ countries with smishing messages that focus on mail delivery scams, toll road scams, and certain types of other government services scams (exportable as a CSV file) |
| Smishing Threat Domains | This feed contains domains associated with threat actors who abuse "Smishing" tactics (sending malicious phishing messages over SMS text messages). This feed also contains IoFAs from Smishing Triad, a specific threat group known to target 50+ countries with smishing messages that focus on mail delivery scams, toll road scams, and certain types of other government services scams (exportable as a CSV file) |
| Smishing Threat Archive Domains | This feed contains the archive of domains associated with threat actors who abuse "Smishing" tactics (sending malicious phishing messages over SMS text messages). This feed also contains IoFAs from Smishing Triad, a specific threat group known to target 50+ countries with smishing messages that focus on mail delivery scams, toll road scams, and certain types of other government services scams (exportable as a CSV file) |
| Smishing Threat Archive IPs | This feed contains the archive of IPs associated with threat actors who abuse "Smishing" tactics (sending malicious phishing messages over SMS text messages). This feed also contains IoFAs from Smishing Triad, a specific threat group known to target 50+ countries with smishing messages that focus on mail delivery scams, toll road scams, and certain types of other government services scams (exportable as a CSV file) |
| FakeUpdates - merchantServices IPs | This FakeUpdates / SocGholish cluster is named merchantServices. The actor exploits vulnerable sites and uses them to deliver the malicious code to more victims (exportable as a CSV file) |
| FakeUpdates - merchantServices Domains | This FakeUpdates / SocGholish cluster is named merchantServices. The actor exploits vulnerable sites and uses them to deliver the malicious code to more victims (exportable as a CSV file) |