CRITICAL: Malware URL Report

DESCRIPTION LAST UPDATED: 2024-12-02

DEFAULT SEVERITY LEVEL: CRITICAL

This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, its SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case the URLs will often be IoT-related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or, in the case of a National CSIRT, your country.

Please note it is possible false positives exist in this report if benign URLs were extracted from malicious payloads by our crawler. Please let us know if that was the case.

Track malware URL callbacks on our Dashboard.

You can learn more about the report in our Malware URL Report tutorial.

Severity levels are described here.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report was enabled as part of the European Union HaDEA CEF VARIoT project.

Filename: malware_url


Fields

  • timestamp
    Timestamp of when the URL was seen (in the last 24 hours)
  • url
    URL that was extracted from an observed exploitation attempt, assumed to be carrying a malware payload
  • host
    Hostname of the URL location
  • ip
    IP of the URL
  • asn
    ASN where the IP resides
  • geo
    Country location of the IP
  • region
    Regional location of the IP in question
  • city
    City location of the IP in question
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • severity
    Severity level
  • port
    Port number
  • tag
    Array of tags associated with the URL, if any. In this report it will typically be a CVE entry, for example CVE-2021-44228. This allows for better understanding of the context in which the URL was observed (i.e. usage associated with a particular CVE).
  • source
    Source of information, if public
  • sha256
    SHA256 of associated (potentially malicious) payload, if downloaded from the URL
  • application
    Application layer protocol where occurrence of the URL was observed. Examples: http, https, ssh, telnet.

Sample

"timestamp","url","hostname","ip","asn","geo","region","city","naics","sector","severity","port","tag","source","sha256","application"
"2010-02-10 00:00:00",ldap://192.168.0.1/a,node01.example.com,192.168.0.1,64512,ZZ,Region,City,0,"Communications, Service Provider, and Hosting Service",critical,389,CVE-2021-44228,,38ce5b9df50b3c2cbd38ec284412f57f690991f1f5ff16a9c849de0ce1ed3bcb,http
"2010-02-10 00:00:01",ldap://192.168.0.2/a,node02.example.com,192.168.0.2,64512,ZZ,Region,City,0,"Communications, Service Provider, and Hosting Service",critical,389,CVE-2021-44228,,38ce5b9df50b3c2cbd38ec284412f57f690991f1f5ff16a9c849de0ce1ed3bcb,http
"2010-02-10 00:00:02",ldap://192.168.0.3/a,node03.example.com,192.168.0.3,64512,ZZ,Region,City,0,"Communications, Service Provider, and Hosting Service",critical,389,CVE-2021-44228,,38ce5b9df50b3c2cbd38ec284412f57f690991f1f5ff16a9c849de0ce1ed3bcb,http
