Blocklist

Feodo Tracker offers various blocklists in different formats for different purposes. The blocklists are documented below.


Botnet C2 IP Blocklist


Dridex, Heodo (aka Emotet) and TrickBot botnet command & control servers (C&Cs) reside on compromised servers and on servers that have been rented and set up by the botnet herder for the sole purpose of botnet hosting. Feodo Tracker offers a blocklist of IP addresses associated with such botnet C&Cs that can be used to detect and block botnet C2 traffic from infected machines towards the internet. An IP address only gets added to the blocklist if it responds with a valid botnet C2 response. However, a botnet C2 may go offline later. The Botnet C2 IP Blocklist is available in the different formats documented below.

The Botnet C2 IP Blocklist gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

The CSV is useful if you want to process the IP blocklist further, e.g. loading it into your SIEM. The CSV contains the following values:

Download CSV

In addition to the CSV and the recommended IP blocklist above, there is an IPs-only list available for download below. This is handy if you want to use botnet C&Cs tracked by Feodo Tracker as a list of Indicators of Compromise (IOCs).

Download IPs only
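One way to consume the IPs-only list for detection, as an added example that is not Feodo Tracker's own code: it parses the list, refuses to refetch more often than every 5 minutes, and flags outbound connections to listed addresses. The one-IP-per-line layout with `#` comments, the `fetch` callable, the log layout and all sample addresses are assumptions constructed for this example.

```python
import ipaddress
import time

MIN_REFRESH_SECONDS = 300  # the page asks for at most one fetch every 5 minutes
# Constructed sample data (documentation address ranges, not real C2 servers).
SAMPLE_LIST = "# constructed IPs-only list\n192.0.2.10\n198.51.100.7\n\nnot-an-ip\n"
SAMPLE_LOG = [  # constructed layout: timestamp src dst dport
    "2024-01-01T10:00:00Z 10.0.0.5 192.0.2.10 443",
    "2024-01-01T10:00:02Z 10.0.0.6 203.0.113.9 443",
    "2024-01-01T10:00:03Z 10.0.0.7 198.51.100.7 8080",
]

def parse_ip_list(text):
    """One address per line; '#' comments and blank lines skipped (assumed layout)."""
    ips = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            continue  # blank, comment-only or malformed line
    return ips

class BlocklistCache:
    """Refetches only after MIN_REFRESH_SECONDS; `fetch` (hypothetical) returns the list text."""
    def __init__(self, fetch, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._ips, self._fetched_at = set(), None

    def ips(self):
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= MIN_REFRESH_SECONDS:
            fresh = parse_ip_list(self._fetch())
            self._ips = fresh or self._ips  # keep the old list on an empty download
            self._fetched_at = now
        return self._ips

def find_c2_connections(log_lines, blocklist):
    """Return (src, dst) for each log line whose destination is on the blocklist."""
    hits = []
    for line in log_lines:
        fields = line.split()
        try:
            dst = ipaddress.ip_address(fields[2])
        except (IndexError, ValueError):
            continue  # short or malformed log line
        if dst in blocklist:
            hits.append((fields[1], fields[2]))
    return hits
```

Because a listed C2 may already be offline, a hit identifies an internal host that tried to reach it, which is the machine to investigate.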

If you want to fetch a comprehensive list of all botnet C2s Feodo Tracker has ever seen (regardless of whether they have ever been seen active/online), please use the CSV provided below.

Download CSV (Aggressive)

In addition, there is an IPs-only list available for download below. This is handy if you want to use botnet C&Cs tracked by Feodo Tracker as a list of Indicators of Compromise (IOCs).

Download IPs only (Aggressive)

Suricata Botnet C2 IP Ruleset


The Suricata Botnet C2 IP Ruleset contains Dridex and Emotet/Heodo botnet command & control servers (C&Cs) tracked by Feodo Tracker and can be used with both the Suricata and Snort open source IDS/IPS. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostile servers (IP address:port combination).

The Suricata Botnet C2 IP Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

Download IDS Ruleset (Suricata and Snort)

Download IDS Ruleset (Suricata and Snort) - tar.gz

If you want to fetch a comprehensive list of all botnet C2s Feodo Tracker has ever seen (regardless of whether they have ever been seen active/online), please use the ruleset provided below.

Download IDS Ruleset (Aggressive)

Download IDS Ruleset (Aggressive) - tar.gz

Malware Hashes


Feodo Tracker publishes a list of hashes (MD5) associated with Dridex and Emotet/Heodo malware samples.

The list of Malware Hashes gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.

The CSV is useful if you want to process these malware hashes further, e.g. loading them into your SIEM. The CSV contains the following values:

Download CSV

In addition, there is a hashes-only list available for download below. This is handy if you want to use these hashes as a list of Indicators of Compromise (IOCs) and, for example, watch for them or block them on your network perimeter (such as a mail gateway or firewall) or on your client machines.

Download hashes only

Terms of Services (ToS)


By using the website of Feodo Tracker, or any of the services / datasets referenced above, you agree that: