Threat Intelligence Feed

Blacklist Malware Threats

OPSWAT's threat intelligence feed enables developers to leverage data collected from thousands of MetaDefender Cloud community users and customers. Developers, IT administrators, and organizations can easily integrate our up-to-date malware threat intelligence data into their existing tools or solutions to effectively protect their organization against threats.

Getting Started

The data feed contains the top searched malware hash signatures, including MD5, SHA1, and SHA256. Malicious hashes have been identified on the networks of our community users within the last 24 hours. Our feed is updated daily with top searched malware to provide actionable and timely threat intelligence. It can be delivered in four different formats: JSON, CSV, RSS, and Bro.

Integration example – consume our threat intelligence feed with cURL:

# Double quotes let the shell expand ${APIKEY}; inside single quotes it would be sent literally.
curl -X GET \
  '' \
  -H "Authorization: apikey ${APIKEY}"

// Node.js, using the request package
var request = require("request");

var options = {
  method: 'GET',
  url: '',
  qs: { page: '1', type: 'json' },
  headers: {
    // The API key is read from the environment, not hard-coded
    Authorization: 'apikey ' + process.env.APIKEY
  }
};

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

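# Python, using the requests library
import os

import requests

url = ""

querystring = {"page": "1", "type": "json"}

# The API key is read from the environment, not hard-coded
headers = {'Authorization': "apikey " + os.environ["APIKEY"]}

response = requests.request("GET", url, headers=headers, params=querystring)

print(response.text)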


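# Ruby, using net/http
require 'uri'
require 'net/http'

url = URI("")

http = Net::HTTP.new(url.host, url.port)
# Enable TLS when the feed URL uses https
http.use_ssl = (url.scheme == 'https')

request = Net::HTTP::Get.new(url)
request["Authorization"] = 'apikey ' + ENV['APIKEY']

response = http.request(request)
puts response.read_body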

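// Go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
)

func main() {
	url := ""

	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Add("Authorization", "apikey "+os.Getenv("APIKEY"))

	// Check the error before touching res, which is nil on failure
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(res)
	fmt.Println(string(body))
}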

# PowerShell
$uri = ''

$headers = @{}
$headers.Add('Authorization', 'apikey ' + $env:APIKEY)

$result = Invoke-WebRequest -Uri $uri -Headers $headers -UseBasicParsing
Write-Output $result.content

Command-line Parameters:

  • API key – Your MetaDefender Cloud API key
  • Type – Data format type
  • Page (optional) – The page of the feed to be retrieved. You can get 1,000 items per page. If omitted, the first page will be retrieved.
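
Once a page of the feed has been retrieved, its MD5, SHA1 and SHA256 values can be matched against local files. The following is an added example, not OPSWAT's code: it assumes the hash strings have already been extracted from the response into a flat list (the feed's field names are not shown on this page), and `build_blocklist`, `match_stream` and the sample data are hypothetical names and constructed values.

```python
import hashlib
import io
import string

# Hex digest length -> hashlib algorithm name for the three hash types the feed carries.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set(string.hexdigits)


def build_blocklist(entries):
    """Sort raw feed hash strings into one set per algorithm, dropping malformed values."""
    blocklist = {name: set() for name in ALGO_BY_LENGTH.values()}
    rejected = []
    for raw in entries:
        value = raw.strip().lower()          # normalize case and stray whitespace
        algo = ALGO_BY_LENGTH.get(len(value))
        if algo and set(value) <= HEX:
            blocklist[algo].add(value)
        else:
            rejected.append(raw)             # keep for logging instead of failing silently
    return blocklist, rejected


def match_stream(stream, blocklist, chunk_size=1 << 20):
    """Read a binary stream once, hashing with every algorithm in use; return (algo, digest) hits."""
    hashers = {a: hashlib.new(a) for a, known in blocklist.items() if known}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return [(a, h.hexdigest()) for a, h in hashers.items()
            if h.hexdigest() in blocklist[a]]


# Constructed sample data: harmless byte strings stand in for real files and feed entries.
SAMPLE_BAD = b"constructed sample standing in for a flagged file"
SAMPLE_CLEAN = b"constructed sample that is not in the feed"
FEED_ENTRIES = [
    hashlib.sha256(SAMPLE_BAD).hexdigest().upper(),   # upper-case to exercise normalization
    hashlib.md5(b"another constructed entry").hexdigest(),
    "not-a-hash",                                     # malformed entry, should be rejected
]

if __name__ == "__main__":
    bl, bad = build_blocklist(FEED_ENTRIES)
    print("rejected:", bad)
    print("flagged:", match_stream(io.BytesIO(SAMPLE_BAD), bl))
    print("clean:  ", match_stream(io.BytesIO(SAMPLE_CLEAN), bl))
```

To check a file on disk, pass `open(path, "rb")` as the stream; the file is read in chunks, so large files are not loaded into memory.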

Our threat intelligence feed is available for all new and existing OPSWAT users and customers. Register for a new OPSWAT Portal account or log in with an existing account to obtain your MetaDefender Cloud API key, which is required to access and download the feeds. We encourage you to become a contributor to our open source community. See how other developers are consuming our Threat Intelligence Feed on GitHub at hslatman's threat resources and rshipp's threat resources pages.

For more developer options, please see the API documentation here.

Additionally, our feed can be consumed by using the CSIRT Gadgets Foundation's Collective Intelligence Framework (CIF), a cyber security threat intelligence management system.


Expanded Commercial Version

For access to hundreds of thousands of threats every day, we also offer a commercial version of our threat intelligence feed. It can easily integrate into your existing Security Information and Event Management (SIEM) system.

Leverage millions of data points from thousands of in-the-wild devices, and start consuming our threat intelligence feed to efficiently identify and block the latest malware threats.