CRITICAL: Malware URL Report

DESCRIPTION LAST UPDATED: 2023-12-07

DEFAULT SEVERITY LEVEL: CRITICAL

This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, it’s SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case they will often be IoT related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or in the case of a National CSIRT, your country.

Please note it is possible false positives exist in this report if benign URLs were extracted from malicious payloads by our crawler. Please let us know if that was the case.

Track malware URL callbacks on our Dashboard.

You can learn more on the report in our Malware URL Report tutorial.

Severity levels are described here.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report was enabled as part of the European Union HaDEA CEF VARIoT project.

Filename: malware_url 







Fields



    

  • 

    timestamp
    

    Timestamp of when the URL was seen (in the last 24 hours)
    

    • 

  • 

    url
    

    URL that was extracted from an observed exploitation attempt, assumed to be carrying a malware payload
    

    • 

  • 

    host
    

    Hostname of the URL location
    

    • 

  • 

    ip
    

    IP of the of the URL
    

    • 

  • 

    asn
    

    ASN where the IP resides
    

    • 

  • 

    geo
    

    Country location of the IP
    

    • 

  • 

    region
    

    Regional location of the IP in question
    

    • 

  • 

    city
    

    City location of the IP in question
    

    • 

  • 

    naics
    

    North American Industry Classification System Code
    

    • 

  • 

    sector
    

    Sector of the IP in question
    

    • 

  • 

    severity
    

    Severity level
    

    • 

  • 

    tag
    

    Array of tags associated with the URL if any. In this report typically it will be a CVE entry, for example CVE-2021-44228. This allows for better understanding of the URL context observed (ie. usage associated with a particular CVE).
    

    • 

  • 

    source
    

    Source of information, if public
    

    • 

  • 

    sha256
    

    SHA256 of associated (potentially malicious) payload, if downloaded from the URL
    

    • 

  • 

    application
    

    Application layer protocol where occurrence of the URL was observed. Examples: http, https, ssh, telnet. 
    

    • 








Sample




"timestamp","url","hostname","ip","asn","geo","region","city","naics","sector","severity","port","tag","source","sha256","application"
"2010-02-10 00:00:00",ldap://192.168.0.1/a,node01.example.com,192.168.0.1,64512,ZZ,Region,City,0,"Communications, Service Provider, and Hosting Service",critical,389,CVE-2021-44228,,38ce5b9df50b3c2cbd38ec284412f57f690991f1f5ff16a9c849de0ce1ed3bcb,http
"2010-02-10 00:00:01",ldap://192.168.0.2/a,node02.example.com,192.168.0.2,64512,ZZ,Region,City,0,"Communications, Service Provider, and Hosting Service",critical,389,CVE-2021-44228,,38ce5b9df50b3c2cbd38ec284412f57f690991f1f5ff16a9c849de0ce1ed3bcb,http
"2010-02-10 00:00:02",ldap://192.168.0.3/a,node03.example.com,192.168.0.3,64512,ZZ,Region,City,0,"Communications, Service Provider, and Hosting Service",critical,389,CVE-2021-44228,,38ce5b9df50b3c2cbd38ec284412f57f690991f1f5ff16a9c849de0ce1ed3bcb,http
















Our 131 Report Types















« Back to Network Reporting