Threat Intelligence Feed · STIX/TAXII IOCs · Fortgale
CTI · capability 02 · Threat Intelligence Feed

Intelligence feeds generated, not resold.

The Fortgale CTI feed is built from three converging sources: incidents handled by Fortgale's SOC and MDR services, active research on threat actors and criminal infrastructure, and continuous analysis of offensive tools (Cobalt Strike configurations and watermarks, infostealers, phishing kits, worms, APT tooling). Over 180 tools and actors are tracked; indicators are distributed via STIX/TAXII, REST API and webhook, with native integration into SIEM, EDR, firewall and IDS/IPS.

180+ tools & actors tracked
34k+ weekly IOCs
STIX 2.1 + TAXII · API · Webhook

Standards · protocols
  • STIX 2.1
  • TAXII 2.1
  • MISP
  • OpenCTI

Standards · frameworks
  • MITRE ATT&CK
  • Sigma
  • YARA
  • Snort/Suricata
The problem

Commercial feeds: aggregation, not generation.

Most CTI vendors resell feeds aggregated from third-party sources (VirusTotal, Mandiant, Recorded Future). The added value is minimal, the same feed is sold to hundreds of customers simultaneously, and IOCs arrive after the attack is public.

01 · Aggregation, not generation

Vendors resell third-party feeds · the same IOCs sold to hundreds of customers. Defensive competitive advantage: zero.

02 · Latency · post-attack arrival

IOCs enter the feeds after the attack becomes public. They confirm the incident rather than preventing it.

03 · False positives and noise

Massive feeds without context · overloaded SOC · alert fatigue · automatic blocking controls often disabled because of too much noise.

The distinction that changes everything

Aggregated feed vs generated feed.

The difference is not one of "catalogue quality" — it is one of source. A feed generated from real incidents has context, timeliness, and accuracy that an aggregated feed cannot structurally have.

Aggregated feed · commercial (industry standard)
  • Indicators purchased from third parties
  • Same feed sold to hundreds of customers
  • High latency · post-public-attack
  • Little context, high false positives
  • Opaque confidence · no clear TTL

Fortgale feed · generated (proprietary · actionable)
  • Indicators from real SOC/MDR/IR incidents
  • Active research on threat actors and infrastructure
  • Continuous tracking of 180+ tools & actors
  • Explicit confidence score · TTL for every IOC
  • Internal validation · target FP <0.5%
The method · 4 steps

From incident to active SIEM rule.

A documentable technical pipeline that carries an artefact observed in a real incident all the way to an active rule in the customer's SIEM/EDR. Every step has verifiable outputs and measurable times.

  1. From real incident to validated IOC

    Extraction from SOC, MDR and IR incidents

    Every incident handled by Fortgale's SOC, MDR and Incident Response services produces artefacts: IPs observed as C2, delivery domains, hashes of executed payloads, malicious URLs, YARA rules for analysed samples. Real indicators, not simulated in an isolated sandbox.

    European SOC 24·7 · Fortgale MDR · Incident Response · EDR telemetry
  2. From operational landscape to indicators

    Active research on threat actors and infrastructure

    The CTI team conducts proactive research: deep & dark web hunting, OSINT on criminal forums, Telegram channel monitoring, registrar tracking, ASN profiling, certificate transparency log analysis. Infrastructures are identified before being activated against customers.

    Dark web hunting · Registrar tracking · ASN profiling · Certificate transparency
  3. From sample to fingerprint

    Tool analysis · C2, malware, kits, worms, APT tooling

    Continuous analysis of Cobalt Strike (configuration parsing, watermarks, malleable profile), Sliver · Brute Ratel · Havoc · Mythic, infostealers (Lumma · RedLine · Vidar · StealC), phishing kits (Tycoon 2FA · EvilProxy · W3LL), worms (Raspberry Robin), loaders and APT group tooling.

    Cobalt Strike profiling · Sample reversing · Config tracking · YARA authoring
  4. From validated indicator to active rule

    Validation, scoring, automatic distribution

    Each indicator receives a confidence score (high / medium / low) and a TTL (time-to-live) based on the actor's typical rotation. Automatic distribution via STIX/TAXII 2.1, REST API, webhook directly into the customer's security platforms. No delays from manual pipelines.

    Confidence scoring · TTL rotation · STIX 2.1 / TAXII 2.1 · Automated distribution
Tracking categories

Five tool families · continuously tracked.

The Fortgale feed covers five main families of offensive tooling. For each, a specific tracking methodology and distinctive indicators.

Category 01

C2 framework tracking

Cobalt Strike · Sliver · Brute Ratel · Havoc · Mythic

Command & Control frameworks are the operational heart of almost every modern intrusion. Fortgale continuously tracks configurations, watermarks, certificate fingerprints, malleable profiles, and TLS signatures of the main C2 frameworks — both leaked commercial ones (Cobalt Strike, Brute Ratel) and open-source (Sliver, Havoc, Mythic).

  • Cobalt Strike config parsing: Automatic extraction of sleep_time, jitter, spawn_to, malleable HTTP profile, watermark, server certificate. Identification of leaked versions (watermark 0) and cracked builders.
  • TLS / JA3 fingerprint: Tracking of certificate thumbprints, JA3/JA3S signatures, custom CA patterns. Distinction between legitimate deployments (contracted red teams) and criminal infrastructure.
  • Sliver C2 indicators: Implant configuration, beacon timing, transport (mTLS, HTTPS, DNS, WireGuard), staging URI pattern. Sliver is growing strongly in 2024-2026 as an open-source alternative.
  • Brute Ratel C4: Commercial tooling leaked in 2022, now widely abused. Tracking of license fingerprints, profile signatures, default URI patterns.
  • Havoc · Mythic · open-source C2: Profile fingerprinting, default port patterns, certificate generation patterns, agent configuration tracking.
Category 02

Infostealer tracking

Lumma · RedLine · Vidar · StealC · Raccoon · Atomic

Infostealers are the main source of stolen credentials in criminal marketplaces and the most frequent gateway to ransomware intrusions. Fortgale tracks campaigns, C2 panels, build versions, configurations, and distribution infrastructure.

  • Lumma Stealer (LummaC2): Top infostealer of 2024-2025, MaaS distributed via Telegram. Tracking of C2 panels, build IDs, exfiltration endpoints, seller Telegram channels, payload delivery patterns.
  • RedLine · Vidar · StealC: Legacy families still active in 2025-2026. Tracking of C2 IPs, config decoders, encryption keys, mutex patterns, build ID series.
  • Atomic / macOS infostealer: AMOS, Banshee, Cthulhu; the macOS ecosystem has grown rapidly. Tracking of delivery via fake installers (Homebrew, cracked apps, Sponsored Google Ads), C2 endpoints, exfiltration patterns.
  • Delivery infrastructure: Fake CAPTCHA pages (ClickFix), SEO poisoning, malvertising via Google Ads, GitHub release abuse, YouTube description links.
  • Stolen log marketplace mapping: Tracking of Russian Market, Genesis Market (post-takedown), Telegram log channels; correlation between infostealer builds and logs for sale.
Category 03

Phishing kit tracking

Tycoon · Mamba · EvilProxy · W3LL · Caffeine · Greatness

Modern AiTM phishing kits bypass MFA, intercept session cookies, and replicate Microsoft / Google flows. Fortgale tracks kits, delivery infrastructure, admin panels, and operators.

  • Tycoon 2FA: Premier AiTM kit 2024-2026, targeting Microsoft 365 / Google Workspace. Tracking of landing page signatures, redirect chains, Cloudflare worker abuse, branded asset reuse.
  • Mamba 2FA · EvilProxy · W3LL: Direct competitors of Tycoon. Distinct fingerprints across landing structure, session hijack flow, custom JavaScript injectors.
  • Caffeine · Greatness · NakedPages: Older phishing-as-a-service kits still active. Tracking of templates, admin panel URL patterns, Telegram seller channels.
  • Delivery infrastructure: Tracking of registrars of choice (Namesilo, Reg.ru), Cloudflare tunnel patterns, compromised WordPress hosting, fresh Let's Encrypt certificate issuance.
  • EU-targeted kits: Kits with copy in native European languages (not machine translation), branded with European banks (Intesa, Unicredit, Poste, BPER, BNP, Deutsche Bank), national tax/social agencies, eID schemes.
Category 04

Worms, loaders, IAB tooling

Raspberry Robin · SystemBC · Matanbuchus · BumbleBee · IcedID

Worms, loaders, and Initial Access Broker tooling are the preferred entry vector for top ransomware groups (RansomHub, Akira, LockBit). Tracking them is equivalent to seeing an intrusion 7-30 days before it becomes ransomware.

  • Raspberry Robin: USB worm → IAB. Tracking of msiexec abuse patterns, Tor onion C2, fodhelper.exe persistence, follow-on downloaders (FakeUpdates, IcedID, BumbleBee).
  • SystemBC: SOCKS5 proxy malware. Frequent pairing with RansomHub, LockBit, Cl0p. Tracking of C2 IP rotation, configuration extraction, encryption keys.
  • Matanbuchus · BumbleBee · IcedID: MaaS loaders that distribute follow-ons (Cobalt Strike, ransomware). Tracking of packers, C2 protocol fingerprints, configuration server patterns.
  • PrivateLoader · SmokeLoader: Commodity loaders still active in 2025-2026. Tracking of affiliate IDs, C2 panels, traffic distribution.
  • FakeUpdates / SocGholish: Fake browser updates, massive entry vector. Tracking of compromised WordPress, payload URL patterns, post-exploitation persistence.
Category 05

APT tooling & state-affiliated

Tooling from state groups tracked against Europe

Tooling developed by or for state APT groups: custom backdoors, signed RATs, advanced persistence kits, lateral movement frameworks. Fortgale tracks the technical artefacts when observed in real incidents or published by the CERT/research community.

  • Russian-affiliated tooling: GoldMax, GoldFinder, SombRAT, custom RATs with language artefacts. Tracking of builder signatures, C2 protocol, persistence patterns.
  • Chinese-affiliated tooling: PlugX, ShadowPad, Korplug variants, custom DLL sideloading. Tracking of loader hashes, decryption key patterns, mutex naming.
  • Iranian-affiliated tooling: DEV-0270, MuddyWater tooling, custom PowerShell framework. Tracking of obfuscation patterns, C2 endpoints.
  • North Korean-affiliated tooling: Lazarus toolset (Manuscrypt, BeaverTail, AppleJeus), JS-based delivery, supply chain compromise via npm/PyPI.
  • EU-targeted custom tooling: Tooling developed specifically for European targets, such as BrokerLoader (Nebula Broker), and tooling from non-state operators with custom capability.
Among the most tracked

Seven tools the feed monitors continuously.

An excerpt of the 180+ tools and actors the CTI team tracks: from the most widespread C2 framework (Cobalt Strike) to the dominant infostealer of 2024-2026 (Lumma), from the most used AiTM kit in Europe (Tycoon 2FA) to the Initial Access Broker fuelling top ransomware (Raspberry Robin).

C2 Framework · 2012-active

Cobalt Strike

Cobalt Strike · commercial (leaked)
Type: Beacon C2 framework
Tracking: Config parsing · watermark · TLS fingerprint · malleable profile

The most tracked C2 framework in the world. Fortgale automatically parses Beacon configurations extracted from real samples and from internet scans (Shodan-style), tracks watermarks of leaked versions, fingerprints the TLS of team servers, and tracks malleable C2 profile patterns. Indicator turnover: 100-500 new servers tracked / week.

Watermark tracking · Malleable profile · TLS fingerprint · Top tracked
Tracking status: Top
Infostealer · 2022-active · top 2025

Lumma Stealer

Lumma Stealer · MaaS
Type: Information stealer · credentials, cookies, crypto wallets
Tracking: C2 panel · build ID · Telegram channel · delivery URL

The dominant infostealer of 2024-2026. Distributed as MaaS via Telegram, with known builders and C2 panels. Fortgale tracks C2 panel hostname rotation, build ID series, seller Telegram channels, delivery URL patterns (ClickFix, SEO poisoning, malvertising).

MaaS · Telegram-distributed · ClickFix delivery · Top stealer 2025
Tracking status: Top
Phishing kit · 2023-active

Tycoon 2FA

Tycoon 2FA · AiTM phishing kit
Type: Adversary-in-the-Middle MFA bypass · Microsoft 365 · Google
Tracking: Landing page signature · Cloudflare worker · redirect chain · session hijack

Premier AiTM kit bypassing MFA on Microsoft 365 and Google Workspace. Tracking of landing page signatures, Cloudflare worker abuse for delivery, redirect chains via legitimate services (Google, YouTube), session cookie exfiltration patterns.

AiTM · MFA bypass · M365 · Google · Cloudflare abuse · EU-targeted
Tracking status: Active
C2 Framework · 2019-active · growing

Sliver

Sliver · open-source C2 (BishopFox)
Type: Cross-platform C2 framework · Go-based
Tracking: Implant config · TLS cert · staging URI · transport pattern

Open-source alternative to Cobalt Strike growing strongly through 2024-2026 as criminal tooling. Fortgale tracks implant configuration, default certificate generation, staging URI patterns, transport (mTLS, HTTPS, DNS, WireGuard) fingerprints.

Open-source · Go-based · Growing 2025-26 · Cross-platform
Tracking status: Active
Worm / IAB · 2021-active

Raspberry Robin

Raspberry Robin · DEV-0856 / Storm-0856
Type: USB worm → Initial Access Broker
Tracking: msiexec pattern · Tor C2 · persistence keys · follow-on downloader

USB worm that evolved into a top-tier Initial Access Broker for ransomware groups. Tracking of msiexec chained with regsvr32, fodhelper.exe persistence, Tor onion C2, follow-on downloaders (FakeUpdates, IcedID, BumbleBee, Matanbuchus).

IAB pre-ransomware · USB worm · Tor C2 · Top EU 2025-26
Tracking status: Top
Loader / Proxy · 2018-active

SystemBC

SystemBC · SOCKS5 proxy malware
Type: Proxy malware · ransomware pairing
Tracking: C2 IP rotation · config extraction · encryption key · mutex

SOCKS5 proxy malware frequently paired with top ransomware groups (RansomHub, LockBit, Cl0p). Tracking of C2 IP rotation patterns, automated config extraction, encryption keys by family, mutex naming convention.

Ransomware pairing · SOCKS5 proxy · Long-running · Cross-family
Tracking status: Top
Loader · 2021-active · MaaS

Matanbuchus

Matanbuchus · MaaS loader
Type: Loader-as-a-Service · pre-ransomware
Tracking: Packer · C2 protocol · configuration server · build ID

MaaS loader distributing follow-on Cobalt Strike, ransomware, infostealers. Tracking of packer fingerprints, HTTPS C2 protocol patterns, configuration server hostnames, build ID series. Often paired with high-conversion phishing campaigns.

MaaS loader · Pre-Cobalt Strike · Phishing-delivered
Tracking status: Active
Native integrations

Plugs into the stack you already have.

The Fortgale feed is designed to fit into existing SOC team processes without requiring platform migration. Open standards (STIX 2.1 / TAXII 2.1) and native connectors for major SIEMs, EDR/XDR, firewalls, IDS/IPS.

Standards & protocols: STIX 2.1 · TAXII 2.1 · MISP · OpenCTI · JSON / CSV dump
SIEM: Splunk · Elastic Security · Microsoft Sentinel · IBM QRadar · Sumo Logic · Google Chronicle
EDR · XDR: CrowdStrike Falcon · SentinelOne Singularity · Microsoft Defender for Endpoint · Palo Alto Cortex XDR · Trend Micro Vision One · Sophos Intercept X
Firewall · NGFW: Palo Alto Networks · Fortinet FortiGate · Check Point Quantum · Cisco Secure Firewall · Sophos XGS
IDS/IPS · NDR: Suricata · Snort · Zeek (Bro) · Vectra AI · Darktrace · Cisco Stealthwatch
Delivery channel: TAXII 2.1 endpoint · REST API (OAuth2) · Webhook (Slack · Teams · Discord) · Email digest · MISP federation

Typical onboarding effort · 2-5 business days for native connectors. Custom integrations evaluated case by case.

Quality · methodology

Explicit confidence score. False positives under control.

Every indicator in the feed receives a confidence score (high / medium / low / deprecated) and a TTL (time-to-live) based on the typical rotation of the actor or infrastructure. No generic "malicious" flag without context.

High · multiple validation

Indicator validated by a real incident handled by Fortgale services (SOC/MDR/IR) or by multiple independent pieces of evidence on criminal infrastructure. Target false-positive rate <0.5%.

Medium · single source, coherent context

Indicator observed in a single source with coherent contextual evidence, or in a reliable external source not yet internally verified. Suggested for alerting/triage, not automatic blocking.

Low · candidate awaiting validation

Candidate indicator with a single overlap element, awaiting validation. Distributed separately for analysts who want early-stage visibility, not for automatic detection.

Deprecated · TTL expired, flagged

Indicator with expired TTL or invalidated by new evidence. Remains in the feed with an explicit flag to prevent accidental re-introduction and to support retro-analysis on historical logs.

The output

How the feed is delivered.

Four distribution channels, chosen based on the customer's technical stack and processes. Open standards for automatic integration, legacy formats for those without automation.

01 · Dedicated TAXII 2.1 endpoint

TAXII 2.1 endpoint with dedicated per-customer credentials, configurable polling (15-60 minutes typical). STIX 2.1 bundles with indicator, malware, threat-actor, attack-pattern, course-of-action objects.
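An added example of the polling loop a consumer would run against the dedicated TAXII 2.1 endpoint above (and against the automatic STIX/TAXII distribution of step 04 in the method section). It is not Fortgale's client code; it assumes only the standard TAXII 2.1 objects endpoint (`/collections/{id}/objects/` with `added_after`, `limit`, `more`/`next` paging and the `X-TAXII-Date-Added-Last` response header). The HTTP call is an injectable `fetch` callable, so the block runs offline against a constructed in-memory server; the API root, collection id and all indicator values are placeholders.

```python
"""Added example (not Fortgale's client): incremental polling of a TAXII 2.1
collection with envelope paging and a persisted `added_after` bookmark."""

# Media type TAXII 2.1 requires in the Accept header.
TAXII_ACCEPT = "application/taxii+json;version=2.1"


class TaxiiPoller:
    """Polls one collection's objects endpoint and returns only objects added
    since the previous poll. `fetch(url, params, headers)` must return
    (status_code, response_headers, json_body); it is injected so production
    code can pass a real HTTP client and this example can pass a fake server."""

    def __init__(self, fetch, api_root, collection_id, page_size=100):
        self.fetch = fetch
        self.url = f"{api_root}/collections/{collection_id}/objects/"
        self.page_size = page_size
        self.added_after = None  # bookmark; persist it between poll cycles

    def poll(self):
        headers = {"Accept": TAXII_ACCEPT}
        params = {"limit": self.page_size}
        if self.added_after:
            params["added_after"] = self.added_after
        objects, last_added = [], None
        while True:
            status, resp_headers, body = self.fetch(self.url, params, headers)
            if status != 200:
                raise RuntimeError(f"TAXII request failed with HTTP {status}")
            objects.extend(body.get("objects", []))
            # Servers report the date_added of the last object on every page.
            last_added = resp_headers.get("X-TAXII-Date-Added-Last", last_added)
            if not (body.get("more") and body.get("next")):
                break
            params = dict(params, next=body["next"])  # same filters, next page
        if last_added:
            self.added_after = last_added
        return objects


class FakeTaxiiServer:
    """Constructed in-memory stand-in for a TAXII 2.1 server. Records are
    (date_added, stix_object) pairs; a small page_size forces multi-page envelopes."""

    def __init__(self, records, page_size=2):
        self.records = sorted(records, key=lambda r: r[0])
        self.page_size = page_size

    def add(self, record):
        self.records.append(record)
        self.records.sort(key=lambda r: r[0])

    def fetch(self, url, params, headers):
        if headers.get("Accept") != TAXII_ACCEPT:
            return 406, {}, {}
        after = params.get("added_after")          # exclusive, as in the spec
        rows = [r for r in self.records if after is None or r[0] > after]
        start = int(params.get("next", 0))          # opaque token: here an offset
        page = rows[start:start + self.page_size]
        more = start + self.page_size < len(rows)
        body = {"more": more, "objects": [obj for _, obj in page]}
        if more:
            body["next"] = str(start + self.page_size)
        resp_headers = {}
        if page:
            resp_headers["X-TAXII-Date-Added-First"] = page[0][0]
            resp_headers["X-TAXII-Date-Added-Last"] = page[-1][0]
        return 200, resp_headers, body


def sample_records():
    """Constructed STIX 2.1 indicators with made-up values (RFC 5737 address,
    .example domains, the MD5 of the empty string as a dummy hash)."""
    def rec(n, pattern, added):
        return (added, {"type": "indicator", "spec_version": "2.1",
                        "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
                        "created": added, "modified": added, "valid_from": added,
                        "pattern": pattern, "pattern_type": "stix"})
    return [
        rec(1, "[ipv4-addr:value = '203.0.113.10']", "2025-01-10T08:00:00Z"),
        rec(2, "[domain-name:value = 'c2-one.example']", "2025-01-10T09:00:00Z"),
        rec(3, "[domain-name:value = 'c2-two.example']", "2025-01-10T10:00:00Z"),
        rec(4, "[url:value = 'https://kit.example/login']", "2025-01-11T08:00:00Z"),
        rec(5, "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']", "2025-01-11T09:00:00Z"),
    ]


if __name__ == "__main__":
    server = FakeTaxiiServer(sample_records(), page_size=2)
    poller = TaxiiPoller(server.fetch, "https://taxii.example/api1",
                         "COLLECTION-ID-PLACEHOLDER", page_size=2)
    print(len(poller.poll()), "objects on first poll, bookmark", poller.added_after)
    print(len(poller.poll()), "objects on second poll (nothing new)")
```

One caveat the bookmark design carries: `added_after` is exclusive, so if a server adds several objects with an identical `date_added` and a page boundary falls between them, the next poll can skip the rest of that group. A production client should either rewind the bookmark by a small margin and de-duplicate by object `id` and `modified`, or use the `X-TAXII-Date-Added-First` header to detect the overlap.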

02 · REST API · OAuth2

REST API with OAuth2 authentication, queries by type (IP / domain / hash / YARA / Sigma), by family, by TTL window. Complete OpenAPI 3.1 documentation for custom integration.

03 · Real-time webhook

Immediate push of high-confidence indicators as soon as produced. Delivery via HTTP webhook, native integration with Slack, Microsoft Teams, Discord. SLA < 5 minutes from validation.

04 · File dump · email digest

For legacy systems: CSV / JSON / MISP dump daily or weekly via SFTP/HTTPS. Weekly email digest for the CISO with statistical summary (volume, novel indicators, top actors, sectors hit).

Technical honesty

When activating a custom feed does not make sense.

A Custom Threat Intelligence feed only makes sense if the organisation has the technical capacity to consume it: a SIEM/EDR/firewall that supports TI integration via STIX/TAXII or API, and a SOC team with capacity to integrate and manage a new source.

Without one of those two elements, the feed only produces unused noise. In those cases, vertical sector advisories (capability 03) or a periodic Executive Briefing (capability 04) are more efficient — both consumable without technical integration.

Not sure if you need it? Let's talk. If you don't need it, Fortgale will say so.

Take to the Board

Three slides to justify the investment.

The CISO evaluates the feed technically. The Board asks about ROI, sources, integration. Fortgale prepares it · three essential slides.

01 · The investment

Cost of Custom Threat Intelligence vs generic commercial feeds · expected ROI in terms of detection rate increment and MTTR reduction.

02 · The source

Indicators produced from real incidents on Fortgale services and proactive research, not resold from aggregators shared with hundreds of other customers.

03 · The integration

Existing security stack · standard STIX/TAXII integration · typical onboarding effort 2-5 days · automatic rotation and validation.

The "3 Board slides" pack is included in feed onboarding · also available on demand.

FAQ

Frequently asked questions on the Threat Intelligence Feed.

Where do the IOCs in the Fortgale feed come from?

From three converging sources: ① real incidents handled daily by Fortgale's SOC, MDR and Incident Response services; ② active research by the CTI team on threat actors and criminal infrastructure; ③ continuous tracking of known offensive tools (Cobalt Strike, Sliver, infostealers, phishing kits, worms, APT tooling). These are internally produced indicators, not resold from aggregators shared with other customers.

How many tools and threat actors are tracked?

Over 180 offensive tools and threat actors profiled by the Fortgale CTI team. They include C2 frameworks (Cobalt Strike, Sliver, Brute Ratel, Havoc, Mythic), infostealers (Lumma, RedLine, Vidar, StealC, Raccoon, Atomic), phishing kits (Tycoon 2FA, Mamba 2FA, EvilProxy, W3LL, Caffeine), worms (Raspberry Robin), loaders (SystemBC, Matanbuchus, BumbleBee, IcedID) and tooling from state-affiliated APT groups and cybercrime.

Which formats and protocols does the feed support?

Standards: STIX 2.1 / TAXII 2.1. Channels: REST API with OAuth2, webhook (Slack, Teams, Discord), email digest, file dump (CSV, JSON, MISP). Custom Threat Intelligence integration on major MDR and SIEM platforms (Splunk, Elastic, Sentinel, QRadar, Sumo, Chronicle, CrowdStrike, SentinelOne, Defender for Endpoint, Cortex, Trend Micro Vision One).

How do confidence score and TTL work?

Every IOC has a confidence score (high/medium/low/deprecated) based on source and number of independent pieces of evidence, and a TTL (time-to-live) based on the actor's typical rotation. Example: a Cobalt Strike C2 IP validated by a real incident has high confidence and 14-30 day TTL; a malware hash has high confidence and persistent TTL; a newly registered phishing kit domain has medium confidence and 48-72 hour TTL.
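The confidence tiers and TTL semantics described in the quality section (high / medium / low / deprecated) and in the FAQ entry above, as an added example that is not Fortgale's code or feed format. It encodes each indicator as a STIX 2.1 indicator object, using the spec's standard `confidence` property (STIX 2.1 Appendix A maps a None/Low/Med/High scale to 0/15/50/85; that numeric mapping is an assumption about how a feed would encode the page's tiers), `valid_until` for the TTL and `revoked` for the deprecated flag, then applies the consumer-side policy the page recommends per tier. All indicator values are constructed (RFC 5737 test addresses, `.example` domains, a dummy hash).

```python
"""Added example (not Fortgale's code): STIX 2.1 indicators carrying a
confidence tier and TTL, and a consumer policy that maps each tier to the
action it is suited for (block / alert / enrich / retro-hunt)."""
import json
import uuid
from datetime import datetime, timedelta, timezone

# STIX 2.1 Appendix A: None/Low/Med/High -> 0/15/50/85. Tier names follow the
# page; using this scale for them is an assumption of the example.
TIER_TO_STIX = {"high": 85, "medium": 50, "low": 15}
STIX_TS = "%Y-%m-%dT%H:%M:%SZ"  # STIX timestamps are UTC with a trailing Z


def _ts(dt):
    return dt.astimezone(timezone.utc).strftime(STIX_TS)


def _parse(s):
    return datetime.strptime(s, STIX_TS).replace(tzinfo=timezone.utc)


def make_indicator(name, pattern, tier, ttl, produced_at, deprecated=False):
    """Build one STIX 2.1 indicator. `ttl` is a timedelta, or None for a
    persistent indicator (e.g. a payload hash). A deprecated indicator stays
    in the bundle but is marked `revoked: true`, matching the page's flag."""
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, name)}",
        "created": _ts(produced_at),
        "modified": _ts(produced_at),
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": _ts(produced_at),
        "confidence": TIER_TO_STIX[tier],
    }
    if ttl is not None:
        obj["valid_until"] = _ts(produced_at + ttl)
    if deprecated:
        obj["revoked"] = True
    return obj


def triage(indicator, now):
    """Consumer policy: expired or revoked indicators are kept only for matching
    against historical logs; high blocks, medium alerts, low enriches."""
    if indicator.get("revoked"):
        return "retro-hunt"
    until = indicator.get("valid_until")
    if until is not None and _parse(until) <= now:
        return "retro-hunt"
    conf = indicator.get("confidence", 0)
    if conf >= TIER_TO_STIX["high"]:
        return "block"
    if conf >= TIER_TO_STIX["medium"]:
        return "alert"
    return "enrich"


def triage_bundle(bundle, now):
    return {o["name"]: triage(o, now)
            for o in bundle["objects"] if o["type"] == "indicator"}


def build_sample_bundle(now):
    """Constructed sample mirroring the FAQ's TTL examples; every value is made up."""
    day_ago = now - timedelta(days=1)
    objs = [
        make_indicator("cs-c2-ip", "[ipv4-addr:value = '203.0.113.10']",
                       "high", timedelta(days=14), day_ago),
        make_indicator("payload-hash", "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
                       "high", None, day_ago),
        make_indicator("phish-domain-fresh", "[domain-name:value = 'login-verify.example']",
                       "medium", timedelta(hours=48), day_ago),
        make_indicator("phish-domain-stale", "[domain-name:value = 'old-kit.example']",
                       "medium", timedelta(hours=48), now - timedelta(days=5)),
        make_indicator("candidate-ip", "[ipv4-addr:value = '198.51.100.7']",
                       "low", timedelta(days=7), day_ago),
        make_indicator("retired-c2-ip", "[ipv4-addr:value = '192.0.2.44']",
                       "high", timedelta(days=30), day_ago, deprecated=True),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}


def run_demo(now_iso):
    """Build the sample bundle at a given instant and return name -> action."""
    now = _parse(now_iso)
    return triage_bundle(build_sample_bundle(now), now)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    bundle = build_sample_bundle(now)
    print(json.dumps(bundle, indent=2))
    for name, action in triage_bundle(bundle, now).items():
        print(f"{name:20s} -> {action}")
```

The point of the `retro-hunt` outcome is the one the deprecated tier makes: an expired or revoked indicator must not be re-imported into a blocklist, but it is still the right key for searching historical logs, so a consumer should route it to a separate list rather than dropping it.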

Does the feed also integrate YARA, Sigma and Snort/Suricata rules?

Yes. In addition to atomic IOCs (IPs, domains, hashes, URLs), the feed includes YARA rules for filesystem malware detection, Sigma rules for behavioural detection on SIEM, Snort/Suricata rules for IDS/IPS. All developed internally by the CTI team based on real analysed samples.

Can I receive only specific indicator types (e.g. only ransomware C2)?

Yes. The feed is filterable by category: indicator type (IP, domain, hash, URL, YARA, Sigma), malware/kit/C2 family, actor group, sector victimology, geography, minimum confidence score. Configuration done during onboarding and modifiable via console or API.

When does it NOT make sense to activate a custom TI feed?

When the organisation does not have SIEM/EDR/firewall platforms that support Custom Threat Intelligence integration, or when the security team lacks the capacity to integrate a new feed. In those cases, it is more efficient to first activate vertical sector advisories (capability 03) or a periodic Executive Briefing (capability 04), which do not require technical integration.

Start with the feed

See immediately what would land in your stack.

Request a feed sample: 7 days of real-world indicators with confidence score, TTL, and attribution. Test it in your SIEM/EDR with no commitment · evaluate false positives, coverage, integration.

Response time: < 1 business day.