Documentation

ThreatHash.io provides free, machine-readable threat intelligence feeds in plain text format. Every feed is a simple text file with one entry per line — no JSON to parse, no API keys to manage, no rate limits.

Base URL: https://www.threathash.io/ — All feeds are accessible via direct HTTP GET request.

Available Feeds

| Feed | Contents | Format | Status |
|---|---|---|---|
| ccServers.txt | Active C2 server IPs | IPv4, one per line | Checking... |
| torREN.txt | TOR exit relay nodes | IPv4, one per line | Checking... |
| comDomains.txt | Compromised domains | FQDN, one per line | Checking... |
| comIPs.txt | Threat actor IPs | IPv4, one per line | Checking... |
| adDomains.txt | Ad/tracker domains | FQDN, one per line | Coming Soon |
| adTrackers.txt | Cross-site trackers | FQDN, one per line | Coming Soon |
| catAdult.txt | Adult content domains | FQDN, one per line | Coming Soon |
| catGambling.txt | Gambling/betting domains | FQDN, one per line | Coming Soon |
| catSocialMedia.txt | Social media domains | FQDN, one per line | Coming Soon |

Basic Usage

Download any feed with a simple HTTP GET. No authentication required.

curl

curl -s https://www.threathash.io/ccServers.txt

wget

wget -q https://www.threathash.io/ccServers.txt -O ccServers.txt

Download all feeds at once

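#!/bin/bash
FEEDS=("ccServers.txt" "torREN.txt" "comDomains.txt" "comIPs.txt")
BASE="https://www.threathash.io"

for feed in "${FEEDS[@]}"; do
  # -f: fail on HTTP errors instead of saving an error page as feed data
  if curl -fsS "$BASE/$feed" -o "$feed"; then
    echo "Downloaded $feed ($(wc -l < "$feed") entries)"
  else
    echo "Failed to download $feed" >&2
  fi
done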

FortiGate Integration

FortiGate supports external threat feeds via the Threat Feed connector. You can point it at any ThreatHash feed URL to automatically block matching traffic.

External IP Block List

config system external-resource
  edit "ThreatHash-C2"
    set type address
    set resource "https://www.threathash.io/ccServers.txt"
    set refresh-rate 60
  next
  edit "ThreatHash-TOR"
    set type address
    set resource "https://www.threathash.io/torREN.txt"
    set refresh-rate 60
  next
end

Apply in Firewall Policy

config firewall policy
  edit 0
    set name "Block-ThreatHash-C2"
    set srcintf "any"
    set dstintf "any"
    set srcaddr "all"
    set dstaddr "ThreatHash-C2"
    set action deny
    set schedule "always"
    set service "ALL"
    set logtraffic all
  next
end

External Domain Block List

config system external-resource
  edit "ThreatHash-Domains"
    set type domain
    set resource "https://www.threathash.io/comDomains.txt"
    set refresh-rate 60
  next
end

In the GUI: Go to Security Fabric > External Connectors > Create New > Threat Feeds > IP Address and paste the feed URL. Set refresh rate to 60 minutes.

pfSense / OPNsense

Use the pfBlockerNG package to subscribe to ThreatHash feeds.

pfBlockerNG Setup

  1. Navigate to Firewall > pfBlockerNG > DNSBL > DNSBL Groups
  2. Add a new group, enter the feed URL under DNSBL Source
  3. Set header/format to Auto
  4. Set update frequency to your preference
  5. Apply and force reload

# pfBlockerNG feed URLs
https://www.threathash.io/comDomains.txt
https://www.threathash.io/ccServers.txt
https://www.threathash.io/torREN.txt

Pi-hole / AdGuard Home

ThreatHash domain feeds work as block lists in Pi-hole and AdGuard Home. IP-based feeds (C2, TOR) are not supported by DNS-level blockers — use a firewall for those.

Pi-hole

  1. Go to Settings > Blocklists
  2. Add: https://www.threathash.io/comDomains.txt
  3. Click Save and Update

AdGuard Home

  1. Go to Filters > DNS Blocklists > Add blocklist > Custom
  2. Paste the feed URL and name it
  3. Set update interval

SIEM Integration

Pull feeds into your SIEM (Splunk, Elastic, Wazuh, etc.) for enrichment and alerting.

Splunk — Scheduled Search

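index=<your_network_index>
| lookup threathash_c2.csv ip AS dest_ip OUTPUT ip AS c2_match
| where isnotnull(c2_match)
| stats count by src_ip, dest_ip

Schedule a scripted input or cron job to download feeds to your Splunk lookup directory. The feeds have no header row, so write a header line (ip in the search above) at the top of the CSV when saving it. Replace <your_network_index> with the index that holds your traffic logs; src_ip and dest_ip are assumed field names.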

Elastic / OpenSearch

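# Download feed and index as threat indicators (bash)
curl -fsS https://www.threathash.io/ccServers.txt | \
  while IFS= read -r ip; do
    ip="${ip%$'\r'}"
    # Only index well-formed IPv4 entries; blank or malformed lines would break the JSON body
    [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
    curl -s -X POST "localhost:9200/threat-intel/_doc" \
      -H "Content-Type: application/json" \
      -d "{\"ip\": \"$ip\", \"source\": \"threathash\", \"type\": \"c2\", \"timestamp\": \"$(date -Iseconds)\"}"
  done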

PowerShell

For Windows environments, use PowerShell to fetch and process feeds.

# Download all threat feeds
$feeds = @("ccServers.txt", "torREN.txt", "comDomains.txt", "comIPs.txt")
$base  = "https://www.threathash.io"

foreach ($feed in $feeds) {
    $data = Invoke-RestMethod -Uri "$base/$feed"
    # Split on LF or CRLF and drop blank lines
    $entries = $data -split "\r?\n" | Where-Object { $_.Trim() -ne "" }
    Write-Host "$feed : $($entries.Count) entries"
    $data | Out-File -FilePath ".\$feed" -Encoding UTF8
}

# Block IPs via Windows Firewall
# Keep only well-formed IPv4 entries and skip rule creation if the feed came back empty
$c2 = (Invoke-RestMethod "https://www.threathash.io/ccServers.txt") -split "\r?\n" |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
if ($c2) {
    New-NetFirewallRule -DisplayName "Block ThreatHash C2" `
        -Direction Outbound -Action Block `
        -RemoteAddress $c2
}

Python

import requests

def get_feed(name: str) -> list[str]:
    """Fetch a ThreatHash feed and return as a list of entries."""
    url = f"https://www.threathash.io/{name}"
    response = requests.get(url, timeout=30)
    response.raise_for_status()
    return [line.strip() for line in response.text.splitlines() if line.strip()]

# Usage
c2_servers = get_feed("ccServers.txt")
tor_nodes  = get_feed("torREN.txt")

print(f"C2 servers: {len(c2_servers)}")
print(f"TOR exits:  {len(tor_nodes)}")

# Check if an IP is in a threat feed
suspect = "137.184.9.29"
if suspect in c2_servers:
    print(f"ALERT: {suspect} found in C2 feed!")

Cron / Automation

Schedule automatic feed updates using cron.

# Update threat feeds every hour
# -f makes curl fail on HTTP errors instead of writing the error page into the feed file
0 * * * * /usr/bin/curl -fsS https://www.threathash.io/ccServers.txt -o /opt/threat-feeds/ccServers.txt
0 * * * * /usr/bin/curl -fsS https://www.threathash.io/torREN.txt -o /opt/threat-feeds/torREN.txt
0 * * * * /usr/bin/curl -fsS https://www.threathash.io/comDomains.txt -o /opt/threat-feeds/comDomains.txt
0 * * * * /usr/bin/curl -fsS https://www.threathash.io/comIPs.txt -o /opt/threat-feeds/comIPs.txt

For more complex automation, wrap the download in a script that logs results and sends alerts on failure.

Feed Format

All feeds follow a simple, consistent format:

  • Plain UTF-8 text file
  • One entry per line (IP address or domain)
  • No comments, no headers, no metadata
  • Blank lines may exist and should be filtered
  • IPs are IPv4 in dotted notation (e.g., 192.168.1.1)
  • Domains are bare FQDNs — no protocol, no trailing slash (e.g., example.com)

This format is compatible with virtually every firewall, SIEM, DNS blocker, and scripting language without any parsing overhead.
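One way to write the wrapper suggested under Cron / Automation: check each downloaded body against the Feed Format rules before it replaces the file a firewall or SIEM reads, so an error page, a CIDR such as 0.0.0.0/0, or one of your own addresses never reaches a block list. This is an added example, not ThreatHash code; parse_feed, safe_update, the never_block list and the 5% rejection threshold are assumptions made for illustration, and the caller fetches the body and logs or alerts on the returned reason.

```python
import ipaddress
import os
import re
import tempfile

# Bare FQDN per the Feed Format rules: dot-separated labels, no scheme, no path.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$")

def parse_feed(text, kind, never_block=()):
    """Return (valid, rejected) entries for a feed body; kind is "ip" or "domain"."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    valid, rejected = {}, []  # dict keeps feed order and drops duplicates
    for entry in (line.strip().lower() for line in text.splitlines()):
        if not entry:
            continue  # blank lines are allowed and skipped
        if kind == "ip":
            try:
                addr = ipaddress.IPv4Address(entry)  # rejects CIDR, ranges, hostnames
                ok = addr.is_global and not any(addr in net for net in protected)
            except ValueError:
                ok = False
        else:
            ok = FQDN_RE.match(entry) is not None
        if ok:
            valid[entry] = None
        else:
            rejected.append(entry)
    return list(valid), rejected

def safe_update(path, text, kind, never_block=(), max_bad_ratio=0.05):
    """Atomically replace the file at path only if the body looks like a real feed."""
    valid, rejected = parse_feed(text, kind, never_block)
    if not valid:
        return False, "no valid entries; keeping previous file"
    if len(rejected) / (len(valid) + len(rejected)) > max_bad_ratio:
        return False, f"{len(rejected)} malformed entries; keeping previous file"
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(valid) + "\n")
    os.chmod(tmp, 0o644)   # mkstemp creates the file 0600; make it readable to consumers
    os.replace(tmp, path)  # readers never see a half-written list
    return True, f"{len(valid)} entries written, {len(rejected)} dropped"

if __name__ == "__main__":
    # Constructed sample body: one good entry, a blank line, a private IP, a CIDR
    sample = "137.184.9.29\n\n10.0.0.5\n0.0.0.0/0\n"
    print(parse_feed(sample, "ip"))
```
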