Blocklist
Feodo Tracker offers various blocklists in different formats for different purposes. The blocklists are documented below.
Botnet C2 IP Blocklist
Dridex, Heodo (aka Emotet), TrickBot, QakBot (aka QuakBot / Qbot) and BazarLoader (aka BazarBackdoor) botnet command & control servers (C2s) usually reside on compromised servers, or on servers that have been rented and set up by the threat actor itself for the sole purpose of botnet hosting. Feodo Tracker offers a blocklist of IP addresses that are associated with such botnet C2s. It can be used to block botnet C2 traffic from infected machines towards hostile servers on the internet that are under the control of cybercriminals.
To keep the false positive rate as low as possible, an IP address will only get added to the blocklist if it responds with a valid botnet C2 response.
The Botnet C2 IP Blocklist gets generated every 5 minutes and is available in plain-text and JSON format. We recommend updating the list at least every 15 minutes (or even better, every 5 minutes) to receive the best protection against Dridex, Emotet, TrickBot, QakBot and BazarLoader.
Recommended IP blocklist
If you want to block botnet C&C IP addresses but avoid false positives, I highly recommend using the following blocklist, as it only contains active botnet C&C servers or servers that have been active in the past hours. Although false positives can happen on this blocklist, the false positive rate should be low. We also have custom formats of the blocklist available for
Botnet C2 Indicators Of Compromise (IOCs)
If you have a SIEM (Security Information and Event Management) product, you can enrich it with data from Feodo Tracker to get alerted about potential botnet C2 traffic leaving your network. Unlike the IP blocklist above, these datasets not only contain additional information on tracked botnet C2s, but also IP addresses that were acting as a botnet C2 within the past 30 days.
Download CSV Download JSON Download IPs only
In case you want to get a comprehensive list of all botnet C2s Feodo Tracker has ever seen, you may use the IoC list below. However, as IP addresses are being re-used/recycled, the false positive rate of this dataset is much higher.
Download CSV (Aggressive) Download IPs only (Aggressive)
Caution
I strongly recommend not using the aggressive version of the Botnet C2 Indicators Of Compromise (IOCs), as it will definitely cause false positives.
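Consuming the IOC dataset the way the SIEM paragraph above describes, as an added example that is not Feodo Tracker's own code: it parses a constructed CSV snippet (the column names are an assumption, since the page does not show the feed's header), keeps only C2s that are online or were last seen within 30 days (dropping the recycled-IP entries that make the aggressive set noisy), and matches constructed outbound-connection log lines on the full IP:port pair.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample feed. The column names are an assumption about the
# Feodo Tracker CSV layout; the page does not show its header.
SAMPLE_CSV = """\
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2024-03-01 08:15:00,203.0.113.10,443,online,2024-03-20,Dridex
2024-01-05 12:00:00,198.51.100.7,8080,offline,2024-01-09,TrickBot
2024-03-10 09:30:00,192.0.2.55,447,offline,2024-03-18,QakBot
"""

# Constructed outbound-connection log lines (src -> dst:port).
SAMPLE_LOGS = [
    "2024-03-21T10:02:11Z ALLOW 10.0.0.12 -> 203.0.113.10:443",
    "2024-03-21T10:03:40Z ALLOW 10.0.0.19 -> 198.51.100.7:8080",
    "2024-03-21T10:05:02Z ALLOW 10.0.0.33 -> 192.0.2.55:447",
    "2024-03-21T10:06:55Z ALLOW 10.0.0.33 -> 192.0.2.55:80",
]

NOW = datetime(2024, 3, 21, tzinfo=timezone.utc)  # fixed "now" for the sample


def load_c2s(csv_text, now, max_age_days=30):
    """Map (ip, port) -> row for C2s that are online or were last seen within
    max_age_days. max_age_days=None keeps everything (the 'aggressive' set)."""
    cutoff = now - timedelta(days=max_age_days) if max_age_days is not None else None
    c2s = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = datetime.strptime(row["last_online"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if cutoff is None or row["c2_status"] == "online" or last >= cutoff:
            c2s[(row["dst_ip"], int(row["dst_port"]))] = row
    return c2s


def match_logs(log_lines, c2s):
    """Return (line, malware family) for lines whose destination ip:port is a
    tracked C2. Both IP and port must match, as in the IDS ruleset."""
    hits = []
    for line in log_lines:
        ip, port = line.rsplit("-> ", 1)[1].rsplit(":", 1)
        if (ip, int(port)) in c2s:
            hits.append((line, c2s[(ip, int(port))]["malware"]))
    return hits


if __name__ == "__main__":
    for line, family in match_logs(SAMPLE_LOGS, load_c2s(SAMPLE_CSV, NOW)):
        print(f"ALERT possible {family} C2 traffic: {line}")
```

With the sample data, the TrickBot entry (last seen in January) is excluded from the default 30-day set and the connection to 192.0.2.55 on port 80 is not flagged, because only port 447 is tracked for that host.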
Suricata Botnet C2 IP Ruleset
The Suricata Botnet C2 IP Ruleset contains botnet C2s tracked by Feodo Tracker and can be used for both the Suricata and Snort open source IDS/IPS. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostile servers (IP address:port combination).
The ruleset gets generated every 5 minutes. We recommend updating the IDS ruleset at least every 15 minutes (or even better, every 5 minutes) to receive the best protection against Dridex, Emotet, TrickBot, QakBot and BazarLoader.
Note
As IP addresses get recycled and reused, this blocklist only contains botnet C2s that are either active or have been last seen in the past 30 days. The false positive rate for this blocklist should therefore be low.
Download IDS Ruleset (Suricata and Snort)
Download IDS Ruleset (Suricata and Snort) - tar.gz
In case you want to get a comprehensive list of all botnet C2s Feodo Tracker has ever seen, you may use the IDS ruleset below. However, as IP addresses are being re-used/recycled, the false positive rate of this dataset is much higher.
Download IDS Ruleset (Aggressive)
Download IDS Ruleset (Aggressive) - tar.gz
Caution
I strongly recommend not using the aggressive version of the Botnet C2 Indicators Of Compromise (IOCs), as it will definitely cause false positives.
Terms of Services (ToS)
By using the website of Feodo Tracker, or any of the services / datasets referenced above, you agree that:
- All datasets offered by Feodo Tracker can be used for both commercial and non-commercial purposes without any limitations (CC0)
- Any data offered by Feodo Tracker is served as is, on a best-effort basis
- abuse.ch cannot be held liable for any false positive or damage caused by the use of the website or the datasets offered above