Feodo Tracker C2 Scraper

Pricing: from $6.00 / 1,000 results

Tap the abuse.ch Feodo Tracker blocklist for live botnet command and control servers tied to Emotet, QakBot, and Dridex. Each row carries IP address, port, online status, ASN, country, and malware family. Built for firewall blocklisting, SOC alert enrichment, and threat hunting.

Developer: ParseForge

Maintained by Community

Actor stats: 0 bookmarked, 2 total users, 1 monthly active user, last modified 3 days ago

🛡️ Feodo Tracker C2 Scraper

🚀 Pull the live abuse.ch Feodo Tracker botnet C2 blocklist in one run. Get every command-and-control server with IP, port, online status, ASN, country, and malware family, ready for blocklisting and SOC enrichment.

🕒 Last updated: 2026-06-04 · 📊 12 fields per record · Emotet, QakBot, Dridex and more · Global ASN and country coverage

Feodo Tracker is a public threat-intelligence project run by abuse.ch that tracks the command-and-control (C2) infrastructure behind major banking trojans and loaders such as Emotet, QakBot, Dridex, TrickBot, BumbleBee and Pikabot. This Actor fetches the official Feodo Tracker IP blocklist and returns one clean row per C2 server so security teams can ingest fresh indicators of compromise (IOCs) without scraping HTML.

This is a defensive, public-data threat-intelligence tool. Every record comes straight from the abuse.ch public download feed. Use it to feed firewall and SIEM blocklists, enrich alerts in a SOC, hunt for malicious infrastructure, or back research into botnet hosting patterns.

| 🎯 Target Audience | 💡 Primary Use Cases |
|---|---|
| SOC and blue-team analysts | Blocklist firewalls, proxies, and DNS |
| Threat intelligence teams | Enrich alerts with C2 context |
| Incident responders | Confirm whether an IP is a known C2 |
| Detection engineers | Build and tune IOC detections |
| Security researchers | Study botnet hosting and ASN trends |

📋 What the Feodo Tracker C2 Scraper does

  • Fetches the official abuse.ch Feodo Tracker IP blocklist (full or recommended).
  • Returns one row per C2 server with IP, port, status, ASN, country, and malware family.
  • Filters by malware family (for example Emotet or QakBot), online status, and country.
  • Caps the number of rows returned so you can pull a quick sample or the whole list.
  • Uses only the public download feed, no login, no API key, no images.

🎬 Full Demo (🚧 Coming soon)

⚙️ Input

| Field | Type | Description |
|---|---|---|
| listType | select | Which feed to fetch. full returns all tracked C2 servers, recommended returns the curated abuse.ch subset. |
| malware | text | Optional malware family filter, for example QakBot. Case-insensitive, partial match. |
| status | select | any, online, or offline. |
| country | text | Optional two-letter ISO country code, for example US. |
| maxItems | integer | Maximum rows to return. Free plan is capped at 10. |

Example input, full blocklist sample:

```json
{
  "listType": "full",
  "status": "any",
  "maxItems": 5
}
```

Example input, only online QakBot C2 servers hosted in the US:

```json
{
  "listType": "full",
  "malware": "QakBot",
  "status": "online",
  "country": "US",
  "maxItems": 50
}
```

⚠️ Good to Know: Feodo Tracker is a focused, high-signal feed. The number of active C2 servers it tracks at any moment is small and changes as botnets are taken down or new infrastructure appears, so a run may return only a handful of rows. The hostname field is null when a C2 IP has no reverse DNS (PTR) record, which is common for fresh malicious hosts.

📊 Output

Each record has the following fields:

| Field | Description |
|---|---|
| 🌐 ipAddress | C2 server IP address |
| 🔌 port | C2 communication port |
| 📡 status | online or offline |
| 🦠 malware | Malware family tied to this C2 |
| 🏷 hostname | Reverse DNS hostname, null when none exists |
| 🔢 asNumber | Autonomous System number hosting the IP |
| 🏒 asName | Autonomous System name |
| 🌍 country | Two letter ISO country code |
| 📅 firstSeen | When the C2 was first observed |
| ⏳ lastOnline | When the C2 was last seen online |
| 📋 listType | Which feed the row came from |
| 🕒 scrapedAt | When this Actor fetched the record |
| ❌ error | Null on data rows, set only when a run fails |

Three real sample records from a run on 2026-06-04:

```json
[
  {
    "ipAddress": "162.243.103.246",
    "port": 8080,
    "status": "offline",
    "malware": "Emotet",
    "hostname": null,
    "asNumber": 14061,
    "asName": "DIGITALOCEAN-ASN",
    "country": "US",
    "firstSeen": "2022-06-04 21:24:53",
    "lastOnline": "2026-03-07",
    "listType": "full",
    "scrapedAt": "2026-06-04T19:49:37.201Z",
    "error": null
  },
  {
    "ipAddress": "50.16.16.211",
    "port": 443,
    "status": "online",
    "malware": "QakBot",
    "hostname": "ec2-50-16-16-211.compute-1.amazonaws.com",
    "asNumber": 14618,
    "asName": "AMAZON-AES",
    "country": "US",
    "firstSeen": "2025-12-30 13:56:31",
    "lastOnline": "2026-03-12",
    "listType": "full",
    "scrapedAt": "2026-06-04T19:49:37.255Z",
    "error": null
  },
  {
    "ipAddress": "178.62.3.223",
    "port": 443,
    "status": "offline",
    "malware": "QakBot",
    "hostname": "box.nautadb.com",
    "asNumber": 14061,
    "asName": "DIGITALOCEAN-ASN - DigitalOcean, LLC",
    "country": "GB",
    "firstSeen": "2026-02-17 05:41:23",
    "lastOnline": "2026-02-18",
    "listType": "full",
    "scrapedAt": "2026-06-04T19:49:37.310Z",
    "error": null
  }
]
```

✨ Why choose this Actor

  • Pulls straight from the official abuse.ch Feodo Tracker download, no third-party copy.
  • Clean, flat rows that drop into a SIEM, firewall, or threat-intel platform.
  • Filter by malware family, status, and country before the data ever leaves the run.
  • No API key and no login required for this public feed.
  • Honest schema, only fields the source actually returns, no padded always-null columns.

📈 How it compares to alternatives

| Approach | Effort | Freshness | Structured output |
|---|---|---|---|
| This Actor | One run | Live feed | Yes, flat rows |
| Manual download and parse | Repeated by hand | Live feed | You build the parser |
| Copy-pasting the website table | Slow and error-prone | Stale fast | No |
| Generic web scraper on the HTML page | Brittle setup | Breaks on layout change | Needs cleanup |

🚀 How to use

  1. Sign in or create a free Apify account using this sign-up link.
  2. Open the Feodo Tracker C2 Scraper and pick the full or recommended blocklist.
  3. Optionally set a malware family, status, or country filter.
  4. Set maxItems and click Start.
  5. When the run finishes, browse the dataset or pull it through the API into your tools.

💼 Business use cases

🔥 Firewall and proxy blocklisting

Feed live C2 IPs into firewall, proxy, and DNS blocklists so endpoints cannot reach known Emotet or QakBot infrastructure.

| Need | How this helps |
|---|---|
| Block outbound C2 traffic | Push fresh IPs to perimeter controls |
| Reduce dwell time | Cut connections to active C2 early |
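One way to turn the Actor's rows into a perimeter blocklist, as an added example that is not the Actor's own code. The 30-day age cutoff, the NEVER_BLOCK ranges and the sample rows are assumptions made here; the field names come from the output table above.

```python
import ipaddress
from datetime import date, timedelta

# Constructed rows in the Actor's output schema (documentation IP ranges).
RECORDS = [
    {"ipAddress": "192.0.2.10", "port": 443, "status": "online",
     "lastOnline": "2026-06-03", "error": None},
    {"ipAddress": "192.0.2.10", "port": 995, "status": "online",
     "lastOnline": "2026-06-03", "error": None},       # same IP, second port
    {"ipAddress": "198.51.100.7", "port": 8080, "status": "offline",
     "lastOnline": "2026-03-07", "error": None},       # offline for months
    {"ipAddress": "203.0.113.5", "port": 443, "status": "offline",
     "lastOnline": "2026-05-30", "error": None},       # offline only recently
    {"ipAddress": "10.0.0.8", "port": 443, "status": "online",
     "lastOnline": "2026-06-04", "error": None},       # internal address
    {"ipAddress": None, "status": None, "lastOnline": None,
     "error": "fetch failed"},                         # failed-run row
]
# Assumption: ranges that must never reach a block rule (RFC 1918 here).
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_blocklist(records, today, max_age_days=30):
    """Unique IPs that are online now or were online within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    keep = set()
    for row in records:
        if row.get("error"):                  # set only when a run fails
            continue
        try:
            ip = ipaddress.ip_address(row.get("ipAddress"))
            last = date.fromisoformat(row.get("lastOnline") or "0001-01-01")
        except (ValueError, TypeError):       # malformed IP or date: skip row
            continue
        if any(ip in net for net in NEVER_BLOCK):
            continue
        if row.get("status") == "online" or last >= cutoff:
            keep.add(ip)
    return [str(ip) for ip in sorted(keep, key=lambda a: (a.version, int(a)))]

if __name__ == "__main__":
    print(build_blocklist(RECORDS, date(2026, 6, 4)))
```

Cloud addresses such as the EC2 and DigitalOcean hosts in the sample records can be reassigned after a C2 goes offline, so the cutoff keeps long-stale rows out of a hard block while leaving them available for hunting.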

🧭 SOC alert enrichment

When an alert fires on an outbound connection, check it against the blocklist to confirm whether the destination is a tracked C2.

| Need | How this helps |
|---|---|
| Triage faster | Match IPs to malware family instantly |
| Prioritize alerts | Online C2 hits jump the queue |

🕵️ Threat hunting

Hunt across logs for any host that ever talked to an IP on the list, even after the C2 has gone offline.

| Need | How this helps |
|---|---|
| Find missed infections | Pivot on historical C2 IPs |
| Map campaigns | Group by malware family and ASN |
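The alert enrichment and threat hunting checks described above, written out as an added example (not part of the Actor). The log line format, host names, priority labels and sample rows are constructed for illustration; only the record field names come from the page.

```python
import re

# Constructed Actor output rows (documentation IP ranges, not real indicators).
C2_ROWS = [
    {"ipAddress": "192.0.2.10", "port": 443, "status": "online", "malware": "QakBot"},
    {"ipAddress": "198.51.100.7", "port": 8080, "status": "offline", "malware": "Emotet"},
]
# Constructed outbound-connection log lines; this line format is an assumption.
LOG_LINES = [
    "2026-06-04T10:15:02Z host=ws-014 dst=192.0.2.10 dport=443",
    "2026-02-11T03:40:19Z host=srv-02 dst=198.51.100.7 dport=8080",
    "2026-06-04T10:16:44Z host=ws-021 dst=198.51.100.7 dport=22",
    "2026-06-04T10:17:00Z host=ws-021 dst=203.0.113.99 dport=443",
    "line that is not a connection record",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
RANK = {"high": 0, "medium": 1, "low": 2}

def index_c2(rows):
    """Map ipAddress -> rows, skipping failed-run rows (error set, no IP)."""
    idx = {}
    for row in rows:
        if not row.get("error") and row.get("ipAddress"):
            idx.setdefault(row["ipAddress"], []).append(row)
    return idx

def triage(line, idx):
    """Return a finding for a log line whose destination is a tracked C2, else None."""
    m = LINE_RE.match(line)
    if not m or m["dst"] not in idx:
        return None
    exact = [r for r in idx[m["dst"]] if r["port"] == int(m["dport"])]
    row = (exact or idx[m["dst"]])[0]
    if not exact:
        priority = "low"       # IP matches but port differs: weaker signal
    elif row["status"] == "online":
        priority = "high"      # live C2 on the tracked port
    else:
        priority = "medium"    # C2 now offline: historical hit to hunt on
    return {"ts": m["ts"], "host": m["host"], "dst": m["dst"],
            "malware": row["malware"], "priority": priority}

def hunt(lines, idx):
    """Triage every line; return findings with the most urgent first."""
    findings = [f for f in (triage(line, idx) for line in lines) if f]
    return sorted(findings, key=lambda f: (RANK[f["priority"]], f["ts"]))

if __name__ == "__main__":
    print(*hunt(LOG_LINES, index_c2(C2_ROWS)), sep="\n")
```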

📊 Infrastructure and ASN analysis

Study which hosting providers and countries repeatedly carry C2 servers to inform risk scoring and provider policy.

| Need | How this helps |
|---|---|
| Score hosting risk | Aggregate by asName and country |
| Brief stakeholders | Back claims with real counts |

🔌 Automating Feodo Tracker C2 Scraper

Connect runs to the rest of your stack:

  • Make and Zapier: trigger a run on a schedule and route new C2 IPs to a webhook.
  • Slack: post fresh online C2 servers to a security channel.
  • Airbyte: load the dataset into your data warehouse for trend analysis.
  • GitHub: commit periodic snapshots of the blocklist to a repo for change tracking.
  • Google Drive: archive each run for an auditable history of the feed.

🌟 Beyond business use cases

  • Research: study botnet hosting patterns, ASN abuse, and takedown timelines.
  • Personal: block known C2 IPs on a home network or personal firewall.
  • Non-profit: help small organizations without a security budget harden their perimeter.
  • Experimentation: build and test detection rules against a real IOC feed.

🤖 Ask an AI assistant

Paste a run output into your assistant of choice and ask for analysis:

Example prompt: "Group these C2 servers by malware family and country, and tell me which ASNs host the most online C2s."

❓ Frequently Asked Questions

Is this legal and safe to use? Yes. Feodo Tracker publishes this blocklist publicly for defensive use. This Actor only reads that public feed and returns it in a structured form.

Do I need an abuse.ch API key? No. The Feodo Tracker IP blocklist downloads used here are public and keyless. No login or token is required.

What is the difference between the full and recommended lists? The full list contains every C2 server Feodo Tracker is tracking. The recommended list is the curated subset abuse.ch advises for active blocking with a low false-positive risk.

Why did my run return only a few rows? Feodo Tracker is a focused, high-signal feed. The set of active C2 servers is small and shifts as botnets are taken down, so a run often returns a handful of rows rather than thousands.

Why is the hostname field sometimes null? Many C2 IPs have no reverse DNS (PTR) record, especially freshly deployed malicious hosts. When there is no hostname, the field is null rather than guessed.

What does online versus offline mean? Online means abuse.ch recently saw the C2 responding. Offline means the C2 was seen before but is not currently responding, for example after a sinkhole or takedown.

Which malware families are covered? Whatever Feodo Tracker is currently tracking, which has included Emotet, QakBot, Dridex, TrickBot, Heodo, BumbleBee, and Pikabot among others. Use the malware filter to narrow to one family.

How fresh is the data? Each run fetches the blocklist live at run time, so the data is as current as the abuse.ch feed itself.

Can I filter by country? Yes. Pass a two-letter ISO country code such as US or GB to keep only C2 servers hosted there.

How many rows can I get on the free plan? Free runs are capped at 10 rows. A paid plan raises the cap so you can pull the entire list.

Can I schedule this to run automatically? Yes. Use Apify Schedules to run it hourly or daily and route new indicators to your tools through integrations or the API.

Does this replace a full threat-intel platform? No. It is a clean source of one specific, high-quality IOC feed that complements your existing tooling rather than replacing it.

🔌 Integrate with any app

Every run stores results in an Apify dataset you can pull through the REST API, the JavaScript and Python clients, or any of the no-code integrations above. Wire the output into a SIEM, a firewall management tool, a data warehouse, or a notification channel.

💡 Pro Tip: browse the complete ParseForge collection.

🆘 Need Help? Open our contact form

⚠️ Disclaimer: This is an independent tool and is not affiliated with abuse.ch or the Feodo Tracker project. Only publicly available data is collected, and it is provided for defensive security and research purposes.