Monitoring offensive infrastructure
Continuous scanning of newly registered domains, anomalous SSL certificates, open ports with known C2 fingerprints. We identify infrastructure before it is deployed in attack.
Fortgale produces its own Intelligence Feed on phishing domains, C2 servers, malware and ransomware, entirely produced and validated by the analyst team before each publication. 287 tools and actors monitored in real time.
Where other vendors resell third-party feeds (VirusTotal, Recorded Future, Mandiant), Fortgale produces original intelligence from its own analysis.
Continuous scanning of newly registered domains, anomalous SSL certificates, open ports with known C2 fingerprints. We identify infrastructure before it is deployed in attack.
Every IoC is validated by the analyst team before publication: malicious-nature verification, deduplication, confidence scoring, contextualisation with campaign or threat actor.
The feed updates in real time: every newly validated IoC is published immediately, shrinking the window between identification and defensive application.
Phishing domains, Evilginx/Modlishka/Muraena/W3LL Panel/Greatness kits, AiTM infrastructure. Real-time updates.
CobaltStrike, BruteRatel, Havoc, Sliver, Nighthawk, Metasploit servers. Watermark, beacon config, JARM fingerprint.
Lumma, RedLine, Vidar, Raccoon, MetaStealer, RisePro, Stealc, loaders (Matanbuchus, GuLoader, PrivateLoader, IcedID), RATs (AsyncRAT, Remcos, NjRAT, XWorm).
IoCs and infrastructure for LockBit, BlackCat/ALPHV, RansomHub, Cl0p, Akira, Black Basta, Play, Qilin, Medusa. Leak site monitoring.
The Feed is available in three standard formats. Compatible with the major security operations stacks.
De-facto standard format for sharing threat intelligence. Periodic pull or real-time push. OpenCTI native.
REST endpoint with token authentication. Filters by type, severity, sector, period. Ideal for custom integration into SIEM/SOAR.
CSV export for offline ingestion. MISP-compatible for organisations using the open threat-sharing platform.
Continuous scanning of newly registered domains, anomalous SSL certificates, open ports with fingerprints of known C2s to identify infrastructure before it is operationally used.
Analytical pipeline with automatic enrichment: linking domains, IPs, certificates and hashes to known campaigns. Infrastructure overlaps across groups.
Every IoC is validated by the analyst team before publication: malicious-nature verification, deduplication, confidence scoring, contextualisation.
The feed updates in real time: every newly validated IoC is published immediately, shrinking the window between identification and defensive application.
Every IoC is enriched with MITRE ATT&CK TTPs, associated threat actor, target sector, observation period. More than an IoC: a unit of intelligence.
Auto-applied to Fortgale SOC customers as Custom Threat Intelligence. For standalone customers, distributed via STIX/TAXII/REST API into their own stack.
Structured profiles of 287 tools and actors, active campaigns, vertical advisories, dark web monitoring.
Discover CTI →Deep dive on tracking CobaltStrike, BruteRatel, Havoc, Metasploit servers: watermark, config, attribution.
Discover C2 tracking →The SOC's detection rules are powered by the Feed. Every validated IoC is applied in real time.
Discover MDR →Through continuous in-house analysis of offensive infrastructure: analysis of phishing domains, known C2s (CobaltStrike, BruteRatel, Matanbuchus, Lumma), ransomware campaigns and phishing kits. Every IoC is validated pre-publication for high fidelity.
Over 34,000 per week (~18k phishing + ~16k malware/C2). Volume varies with the activity of ongoing campaigns.
287 tools and actors: C2 frameworks (CobaltStrike, BruteRatel, Sliver, Havoc, Nighthawk), infostealers (Lumma, RedLine, Vidar, Raccoon, MetaStealer, RisePro, Stealc), ransomware (LockBit, BlackCat/ALPHV, Clop, RansomHub, Akira, Black Basta, Play, Qilin), loaders (Matanbuchus, GuLoader, PrivateLoader, DBatLoader, IcedID), phishing kits (W3LL Panel, Greatness, Evilginx).
STIX/TAXII 2.1, JSON over REST API, CSV. Compatible with Microsoft Sentinel, Splunk, IBM QRadar, CrowdStrike Falcon, SentinelOne, Palo Alto, Fortinet, Check Point. Continuous updates, automatically applicable to detection rules.
Both. Component of the Fortgale SOC/MDR (auto-applied) or standalone for teams that already operate their own security platform.
Indicators come from real analysis: Operation Storming Tide (Matanbuchus 3.0, Astarion RAT, SystemBC) and Nebula Broker (BrokerLoader). Hashes, domains and C2 published in our analyses.
Read an analysis →Analysis of 800 domains of the Kali365 PhaaS platform (OAuth Device Code Flow abuse): 85.8% hosted on Cloudflare Workers.
Read the analysis →Over 100 published analyses. Attributions corroborated by third parties such as Mandiant (Google), Amazon, SentinelOne and Huntress. European SOC, 24·7·365.
Why a proprietary intelligence feed →
The Fortgale Intelligence Feed brings into your security stack the intelligence on phishing, C2, malware, ransomware and infostealers that an internal team cannot produce on its own, validated, updated in real time, ready to apply.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
The full Report (executive summary · operational IoCs · technical runbook) is restricted. Share two details and one of our analysts contacts you with access and a short technical briefing.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.