Service · Intelligence Feed · STIX/TAXII

34,000 indicators every week. Immediately applicable.

Fortgale produces its own Intelligence Feed covering phishing domains, C2 servers, malware and ransomware, entirely produced and validated by the analyst team before each publication. More than 200 entities monitored in real time.

34k+ IoCs per week
200+ entities monitored
24·7 real-time updates
Fortgale · ioc-feed.sh · live stream (sample)
10:42:18  PHISHING  login-acme[.]365-secure[.]net  VALID
10:42:09  C2 · CS  update-cdn[.]global · WM 1580103824  VALID
10:41:54  STEALER  Lumma · EU-cluster-047  VALID
10:41:32  RANSOM  LockBit · leak.lockbit[.]onion  VALID
10:41:18  PHISHING  m1cr0s0ft-verify[.]net · Evilginx  VALID
10:41:02  C2 · BR  api-status[.]xyz · BruteRatel  VALID
10:40:48  LOADER  Matanbuchus 3.0 · EU campaign  VALID
10:40:31  PHISHING  workspace-recovery[.]xyz · Greatness  VALID
Compliance: NIS2 ready · DORA · ISO 27001 · GDPR
Exchange standards: STIX/TAXII 2.1 · JSON / REST API · CSV · MISP-compatible
What sets the Feed apart

Intelligence produced, not aggregated.

Where other vendors resell third-party feeds (VirusTotal, Recorded Future, Mandiant), Fortgale produces original intelligence from its own analysis.

01 ·

Monitoring offensive infrastructure

Continuous scanning of newly registered domains, anomalous TLS certificates and open ports carrying known C2 fingerprints. We identify infrastructure before it is used in an attack.

02 ·

High-fidelity validation

Every IoC is validated by the analyst team before publication: verification that it is actually malicious, deduplication, confidence scoring, and contextualisation with the campaign or threat actor.

03 ·

Continuous updates, not in batches

The feed updates in real time: every newly validated IoC is published immediately, shrinking the window between identification and defensive application.

Proof · Feed scale

Four numbers behind the Feed.

34,000 IoCs per week, validated and published
200+ entities monitored (threat actors, malware, kits)
~18k phishing domains per week
~16k C2 and malware IoCs per week
Feed categories

Four categories · one pipeline.

Phishing kits · ~18k

Phishing & kits

Phishing domains; Evilginx, Modlishka, Muraena, W3LL Panel and Greatness kits; AiTM infrastructure. Real-time updates.

C2 · ~16k

C2 & infrastructure

CobaltStrike, BruteRatel, Havoc, Sliver, Nighthawk and Metasploit servers, with watermark, extracted beacon configuration and JARM fingerprint.

Stealer · loader

Infostealers & malware

Lumma, RedLine, Vidar, Raccoon, MetaStealer, RisePro, Stealc, loaders (Matanbuchus, GuLoader, PrivateLoader, IcedID), RATs (AsyncRAT, Remcos, NjRAT, XWorm).

Ransomware

Ransomware & leak

IoCs and infrastructure for LockBit, BlackCat/ALPHV, RansomHub, Cl0p, Akira, Black Basta, Play, Qilin, Medusa. Leak site monitoring.

Formats and integrations

Vendor-agnostic distribution.

The Feed is available in three standard formats. Compatible with the major security operations stacks.

CTI standard

STIX/TAXII 2.1

The de facto standard for sharing threat intelligence. Periodic pull from TAXII collections (poll with added_after to fetch only objects newer than the last run) or real-time push. Native OpenCTI support.

REST API

JSON · REST

REST endpoint with token authentication. Filters by type, severity, sector, period. Ideal for custom integration into SIEM/SOAR.

Bulk

CSV · MISP

CSV export for offline ingestion. MISP-compatible for organisations using the open threat-sharing platform.
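The two delivery paths above meet in practice: a consumer pulls a STIX 2.1 bundle from a TAXII collection and flattens it into CSV rows for bulk or MISP-style ingestion. The block below is an added example, not Fortgale's code or client; the bundle is constructed, and the confidence threshold and the STIX-path-to-MISP-attribute-type table are this example's own choices. It walks the indicator objects, skips retired (valid_until passed), revoked and low-confidence ones, splits composite OR patterns into atomic observables, and writes the result as CSV.

```python
"""Flatten a STIX 2.1 indicator bundle into CSV rows for bulk ingestion.

Added example, not Fortgale's code. The bundle, the confidence threshold and
the STIX-path-to-MISP-type table are this example's own assumptions.
"""
from __future__ import annotations

import csv
import io
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape a TAXII 2.1 collection returns.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--3f1c2a1e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3f1c2a1e-0000-4000-8000-000000000010",
         "created": "2024-06-01T10:42:18Z", "modified": "2024-06-01T10:42:18Z",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-acme.365-secure.net']",
         "valid_from": "2024-06-01T10:42:18Z", "confidence": 85,
         "labels": ["phishing", "evilginx"]},
        # Composite pattern: one indicator carrying two observables.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3f1c2a1e-0000-4000-8000-000000000011",
         "created": "2024-06-01T10:42:09Z", "modified": "2024-06-01T10:42:09Z",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7'] OR "
                    "[domain-name:value = 'update-cdn.global']",
         "valid_from": "2024-06-01T10:42:09Z", "confidence": 90,
         "labels": ["c2", "cobaltstrike"]},
        # Retired indicator: valid_until has already passed.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3f1c2a1e-0000-4000-8000-000000000012",
         "created": "2024-01-01T00:00:00Z", "modified": "2024-02-01T00:00:00Z",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z",
         "confidence": 70, "labels": ["stealer", "lumma"]},
        # Below the confidence threshold used here.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3f1c2a1e-0000-4000-8000-000000000013",
         "created": "2024-06-01T10:40:31Z", "modified": "2024-06-01T10:40:31Z",
         "pattern_type": "stix",
         "pattern": "[url:value = 'http://workspace-recovery.xyz/auth']",
         "valid_from": "2024-06-01T10:40:31Z", "confidence": 30,
         "labels": ["phishing", "greatness"]},
        # Non-indicator SDO: travels in the bundle but is not an IoC row.
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--3f1c2a1e-0000-4000-8000-000000000020",
         "created": "2024-06-01T10:00:00Z", "modified": "2024-06-01T10:00:00Z",
         "name": "Lumma", "is_family": True},
    ],
})

# One equality comparison inside a STIX pattern: object-path = 'value'.
# Enough for a feed of atomic IoCs; it is not a full STIX pattern grammar
# (no AND/FOLLOWEDBY semantics, no MATCHES/IN/LIKE operators).
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

# STIX object path -> MISP attribute type (this example's own mapping).
_MISP_TYPE = {
    "domain-name:value": "domain",
    "ipv4-addr:value": "ip-dst",
    "ipv6-addr:value": "ip-dst",
    "url:value": "url",
    "file:hashes.MD5": "md5",
    "file:hashes.'SHA-1'": "sha1",
    "file:hashes.'SHA-256'": "sha256",
}

FIELDS = ["misp_type", "value", "confidence", "labels", "valid_from", "indicator_id"]


def _ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_bundle(raw: str, *, min_confidence: int = 50, now: datetime | None = None) -> list[dict]:
    """Return one row per atomic observable in the bundle's active indicators."""
    now = now or datetime.now(timezone.utc)
    rows: list[dict] = []
    for obj in json.loads(raw).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and _ts(until) <= now:
            continue  # retired: keeping it blocking would only produce false positives
        # Unspecified confidence is treated as 0 and so excluded at the default threshold.
        if obj.get("confidence", 0) < min_confidence:
            continue
        for path, value in _COMPARISON.findall(obj["pattern"]):
            misp_type = _MISP_TYPE.get(path)
            if misp_type is None:
                continue  # observable type this exporter does not map
            rows.append({
                "misp_type": misp_type,
                "value": value.replace("\\'", "'"),
                "confidence": obj.get("confidence", 0),
                "labels": "|".join(obj.get("labels", [])),
                "valid_from": obj.get("valid_from", ""),
                "indicator_id": obj["id"],
            })
    return rows


def to_csv(rows: list[dict]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_bundle(SAMPLE_BUNDLE)))
```

With the defaults, the sample yields three rows (the phishing domain plus the two observables of the composite C2 indicator); the retired hash and the low-confidence URL are dropped. Keeping the indicator id on every row is what lets a later poll with the same id retire or re-score the rows already loaded.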

Native integrations
Microsoft Sentinel · Splunk ES · IBM QRadar · CrowdStrike Falcon · SentinelOne · Palo Alto XSOAR · MISP · Fortinet FortiSIEM · Check Point
How the Feed is produced

Six steps · from global scan to IoCs in the customer's stack.

01

Offensive infrastructure monitoring

Continuous scanning of newly registered domains, anomalous TLS certificates and open ports carrying known C2 fingerprints, to identify infrastructure before it is used operationally.

02

Correlation & attribution

Analytical pipeline with automatic enrichment: linking domains, IPs, certificates and hashes to known campaigns. Infrastructure overlaps across groups.
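The linking step above is a graph problem: observables are nodes, each analysed relation (domain resolved to IP, IP served certificate, host delivered sample) is an edge, and an overlap between groups is a connected cluster touching more than one campaign. The block below is an added example, not Fortgale's pipeline; all sightings are constructed on documentation address ranges, and the hub threshold is this example's own choice. It also shows the usual trap: a shared hosting IP sits under many unrelated domains and, unless pruned as a hub, glues every campaign into one cluster.

```python
"""Infrastructure pivoting: link domains, IPs, certificates and samples seen
in different campaigns and report where groups' infrastructure overlaps.

Added example, not Fortgale's pipeline. All sightings are constructed, on
documentation IP ranges; the hub threshold is this example's own choice.
"""
from __future__ import annotations

from collections import defaultdict, deque

CERT = "cert-sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
HUB_IP = "ipv4:203.0.113.250"  # constructed shared-hosting address used by many tenants

# Constructed sightings: (campaign, observable_a, observable_b), meaning the two
# observables were linked during analysis (DNS resolution, TLS certificate
# served, payload fetched from host). Observables are "type:value" strings.
SIGHTINGS = [
    ("APT-Tango", "domain:update-cdn.global", "ipv4:203.0.113.7"),
    ("APT-Tango", "ipv4:203.0.113.7", CERT),
    ("Ransom-Bravo", "domain:api-status.xyz", "ipv4:198.51.100.12"),
    ("Ransom-Bravo", "ipv4:198.51.100.12", CERT),  # same certificate reused
    ("Ransom-Bravo", "domain:api-status.xyz", "sha256:" + "cd" * 32),
    ("Stealer-Echo", "domain:m1cr0s0ft-verify.net", "ipv4:192.0.2.44"),
    ("Stealer-Echo", "domain:m1cr0s0ft-verify.net", HUB_IP),
    ("Phish-Delta", "domain:workspace-recovery.xyz", HUB_IP),
    ("Phish-Delta", "domain:login-acme.365-secure.net", HUB_IP),
    ("Loader-Foxtrot", "domain:files-sync.example", HUB_IP),
]


def build_graph(sightings, max_degree: int | None = None):
    """Undirected adjacency plus, per observable, the campaigns it was seen in."""
    adj: dict[str, set[str]] = defaultdict(set)
    campaigns: dict[str, set[str]] = defaultdict(set)
    for campaign, a, b in sightings:
        adj[a].add(b)
        adj[b].add(a)
        campaigns[a].add(campaign)
        campaigns[b].add(campaign)
    if max_degree is not None:
        # Drop hub nodes: a shared-hosting IP or CDN edge under many unrelated
        # domains would otherwise merge every campaign into one cluster.
        hubs = {n for n, nbrs in adj.items() if len(nbrs) > max_degree}
        adj = {n: nbrs - hubs for n, nbrs in adj.items() if n not in hubs}
    return dict(adj), campaigns


def connected_components(adj) -> list[list[str]]:
    seen: set[str] = set()
    comps: list[list[str]] = []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, queue = [], deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.append(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        comps.append(sorted(comp))
    return comps


def campaign_overlaps(sightings, max_degree: int | None = None):
    """[(campaign set, observables)] for each cluster touching more than one campaign."""
    adj, campaigns = build_graph(sightings, max_degree)
    out = []
    for comp in connected_components(adj):
        touched = set().union(*(campaigns[n] for n in comp))
        if len(touched) > 1:
            out.append((frozenset(touched), comp))
    return out


def shared_observables(sightings) -> dict[str, list[str]]:
    """Observables sighted directly in more than one campaign."""
    _, campaigns = build_graph(sightings)
    return {n: sorted(c) for n, c in campaigns.items() if len(c) > 1}


def pivot_path(sightings, src: str, dst: str, max_degree: int | None = None) -> list[str]:
    """Shortest chain of observables linking src to dst, or [] if unconnected."""
    adj, _ = build_graph(sightings, max_degree)
    prev: dict[str, str | None] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return []
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


if __name__ == "__main__":
    for campaigns, comp in campaign_overlaps(SIGHTINGS, max_degree=3):
        print(sorted(campaigns), comp)
```

Without the hub filter the sample reports two overlapping clusters; with max_degree=3 the shared-hosting address is pruned and only the certificate reuse between APT-Tango and Ransom-Bravo survives, with pivot_path showing the chain domain, IP, certificate, IP, domain that an analyst would document for the attribution.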

03

High-fidelity validation

Every IoC is validated by the analyst team before publication: verification that it is actually malicious, deduplication, confidence scoring, contextualisation.

04

Real-time updates

The feed updates in real time: every newly validated IoC is published immediately, shrinking the window between identification and defensive application.

05

MITRE contextualisation

Every IoC is enriched with MITRE ATT&CK TTPs, associated threat actor, target sector, observation period. More than an IoC: a unit of intelligence.

06

Automatic defensive application

Auto-applied to Fortgale SOC customers as Custom Threat Intelligence. For standalone customers, distributed via STIX/TAXII/REST API into their own stack.
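For the standalone path, "applying" the feed means matching it against the customer's own telemetry. The block below is an added example, not Fortgale's code or SOC logic; the indicator rows, the key=value log format, the log lines and the confidence threshold are constructed for the example. It refangs the published indicators, drops retired and low-confidence ones at load time, matches DNS queries by walking up the label chain (so a subdomain of a listed domain hits, but a lookalike suffix does not) and matches destination IPs exactly rather than by substring.

```python
"""Apply a validated IoC set to local telemetry: constructed DNS and
connection log lines are checked against domain and IP indicators with
parent-domain matching, exact IP matching and expiry handling.

Added example, not Fortgale's code. The indicator rows, the key=value log
format, the log lines and the confidence threshold are this example's own.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

# Constructed indicator rows, defanged the way feeds usually publish them.
INDICATORS = [
    {"type": "domain", "value": "login-acme[.]365-secure[.]net", "confidence": 85,
     "valid_until": None, "context": "Evilginx AiTM"},
    {"type": "ip-dst", "value": "203.0.113.7", "confidence": 90,
     "valid_until": None, "context": "CobaltStrike C2"},
    {"type": "domain", "value": "workspace-recovery[.]xyz", "confidence": 80,
     "valid_until": "2024-03-01T00:00:00Z", "context": "Greatness kit (retired)"},
    {"type": "domain", "value": "example[.]org", "confidence": 20,
     "valid_until": None, "context": "unconfirmed"},
]

# Constructed telemetry in a simple key=value format.
LOG_LINES = [
    "2024-06-01T10:45:02Z host=ws-017 type=dns query=cdn.login-acme.365-secure.net",
    "2024-06-01T10:45:09Z host=ws-017 type=conn dst=203.0.113.7 dport=443",
    "2024-06-01T10:46:11Z host=ws-022 type=dns query=365-secure.net.example.org",
    "2024-06-01T10:46:40Z host=ws-022 type=conn dst=203.0.113.70 dport=443",
    "2024-06-01T10:47:03Z host=ws-031 type=dns query=mail.workspace-recovery.xyz",
    "2024-06-01T10:47:20Z host=ws-031 type=dns query=www.example.org",
]


def refang(value: str) -> str:
    """Undo the usual defanging so indicators compare against raw telemetry."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


class IocIndex:
    """Domain and IP lookups built from feed rows, skipping retired and
    low-confidence indicators at load time."""

    def __init__(self, rows, *, min_confidence: int = 50, now: datetime | None = None):
        now = now or datetime.now(timezone.utc)
        self.domains: dict[str, dict] = {}
        self.ips: dict[str, dict] = {}
        for row in rows:
            if row["confidence"] < min_confidence:
                continue
            until = row.get("valid_until")
            if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
                continue  # retired indicator: a stale block only produces false positives
            value = refang(row["value"]).lower().rstrip(".")
            if row["type"] == "domain":
                self.domains[value] = row
            elif row["type"] == "ip-dst":
                # Store the canonical textual form so lookups compare like with like.
                self.ips[str(ipaddress.ip_address(value))] = row

    def match_domain(self, name: str) -> dict | None:
        """Walk up the label chain: cdn.evil.net matches evil.net, while
        evil.net.example.org (a substring, not a parent) does not."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            hit = self.domains.get(".".join(labels[i:]))
            if hit:
                return hit
        return None

    def match_ip(self, ip: str) -> dict | None:
        """Exact match on the canonical address, never a substring match."""
        try:
            return self.ips.get(str(ipaddress.ip_address(ip)))
        except ValueError:
            return None


def parse_line(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    fields = dict(token.split("=", 1) for token in rest.split() if "=" in token)
    fields["ts"] = ts
    return fields


def scan(lines, index: IocIndex) -> list[dict]:
    """One hit per log line whose queried domain or destination IP matches an active indicator."""
    hits = []
    for line in lines:
        f = parse_line(line)
        observed, row = None, None
        if f.get("type") == "dns" and f.get("query"):
            observed, row = f["query"], index.match_domain(f["query"])
        elif f.get("type") == "conn" and f.get("dst"):
            observed, row = f["dst"], index.match_ip(f["dst"])
        if row:
            hits.append({"ts": f["ts"], "host": f.get("host"), "observed": observed,
                         "indicator": refang(row["value"]), "context": row["context"]})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES, IocIndex(INDICATORS)):
        print(hit)
```

On the sample the scan raises exactly two hits, both on ws-017: the AiTM subdomain and the C2 connection. The lookalike suffix, the near-miss address 203.0.113.70, the retired Greatness domain and the low-confidence entry all stay silent, which is the behaviour to verify before wiring a feed into blocking rules rather than alerts.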

FAQ

Everything to know before requesting the Feed.

How are the IoCs in the Fortgale Feed generated?

Through continuous in-house analysis of offensive infrastructure: phishing domains, C2 frameworks (CobaltStrike, BruteRatel), loaders and infostealers (Matanbuchus, Lumma), ransomware campaigns and phishing kits. Every IoC is validated before publication for high fidelity.

How many indicators do you publish per week?

Over 34,000 per week (~18k phishing + ~16k malware/C2). Volume varies with the activity of ongoing campaigns.

Which threat actors and malware do you monitor?

Over 200 entities: C2 frameworks (CobaltStrike, BruteRatel, Sliver, Havoc, Nighthawk), infostealers (Lumma, RedLine, Vidar, Raccoon, MetaStealer, RisePro, Stealc), ransomware (LockBit, BlackCat/ALPHV, Clop, RansomHub, Akira, Black Basta, Play, Qilin), loaders (Matanbuchus, GuLoader, PrivateLoader, DBatLoader, IcedID), phishing kits (W3LL Panel, Greatness, Evilginx).

How does it integrate with security systems?

STIX/TAXII 2.1, JSON over REST API, CSV. Compatible with Microsoft Sentinel, Splunk, IBM QRadar, CrowdStrike Falcon, SentinelOne, Palo Alto, Fortinet, Check Point. Continuous updates, automatically applicable to detection rules.

Available standalone or only with the Fortgale SOC?

Both. Component of the Fortgale SOC/MDR (auto-applied) or standalone for teams that already operate their own security platform.

Feed access

34,000 indicators last week. How many did you apply?

The Fortgale Intelligence Feed brings into your security stack the intelligence on phishing, C2, malware, ransomware and infostealers that an internal team cannot produce on its own: validated, updated in real time, ready to apply.

Response time: under 1 business day.
