Domain Security Scanner

Pricing

from $5.00 / 1,000 websites

Scan any domain for active threats like malware hosting, phishing, botnet command-and-control, and security vendor blacklisting using multiple open threat intelligence sources in parallel. No API keys required. Designed for security teams, researchers, and sysadmins who need to do threat assessment.

Developer

Trove Vault

Maintained by Community

Actor stats

  • Bookmarked: 1
  • Total users: 2
  • Monthly active users: 1
  • Last modified: 2 days ago

Domain Security & Reputation Scanner

Scan any domain for active threats in real time — malware hosting, phishing, botnet command-and-control, and security vendor blacklisting — using multiple open threat intelligence sources in parallel. No API keys required for the core scan. Optionally add VirusTotal (90+ engines) and Google Safe Browsing for deeper coverage.

Designed for security teams, researchers, and sysadmins who need a quick, comprehensive threat assessment of any domain without signing up for paid threat intelligence platforms.


What it checks

URLHaus (abuse.ch) — active malware URLs

URLHaus is maintained by the abuse.ch community and tracks URLs currently serving malware. The actor checks for URLs on the domain that are live right now — not historical records. If a domain has active malware URLs, it is an immediate threat signal.

ThreatFox (abuse.ch) — recent IOCs (last 30 days)

ThreatFox tracks Indicators of Compromise across 50+ malware families. The actor filters to IOCs observed in the last 30 days only — giving you the current threat picture rather than years of historical data. Covers botnet C2 servers, malware payload delivery, phishing infrastructure, and more.

PhishTank — community-verified phishing

PhishTank is a free, open database of phishing URLs submitted and verified by the security community. If the domain appears in PhishTank and has been community-verified, it is actively being used to steal credentials or financial data.

Sucuri SiteCheck

Sucuri's public malware scanner checks the domain against multiple security vendor blacklists simultaneously — including Google Safe Browsing, McAfee SiteAdvisor, Yandex Safe Browsing, Norton SafeWeb, and others. It also attempts to detect malware injected into the page itself. A single Sucuri scan covers what would otherwise require querying several separate services.

DNS Blacklists — 8 lists via DNS queries (no API key)

Domain-based (5 lists):

| List | Focus |
|---|---|
| SURBL Multi | Aggregated spam URL intelligence |
| URIBL Multi | Broad-coverage spam domain list |
| MSRBL Phishing | Phishing-specific domains |
| MSRBL Botnet | Botnet C2-specific domains |
| MSRBL Combined | Combined threat list |

IP-based (3 lists):

| List | Focus |
|---|---|
| abuse.ch DNSBL | Malware and abuse IPs from abuse.ch |
| Blocklist.de | Brute-force, spam, and abuse reports |
| CI Army | Suspicious and malicious IP intelligence |

VirusTotal (optional — free API key)

Aggregates results from 90+ security engines including Avast, Kaspersky, ESET, Sophos, Bitdefender, and more. Get a free key at virustotal.com — no credit card required. The free tier supports 4 lookups per minute.

Google Safe Browsing (optional — free API key)

Google's own threat detection, used by Chrome, Firefox, and Safari to warn users about dangerous sites. Get a free key at console.cloud.google.com. The free tier supports 10,000 requests per day.


How it works

The actor runs all checks in parallel for each domain:

  1. URLHaus API → filters to url_status: online — active threats only
  2. ThreatFox API → filters to IOCs observed in the last 30 days
  3. PhishTank API → queries the community phishing database
  4. Sucuri SiteCheck API → public endpoint, no key required
  5. 5 domain DNS queries → DNSBL lookups via Node's built-in DNS resolver
  6. IP resolution + 3 IP DNS queries → resolves domain to IPs, then queries each IP against IP-based lists
  7. VirusTotal API (if key provided) → domain reputation report across 90+ engines
  8. Google Safe Browsing API (if key provided) → threat match lookup

All sources complete within seconds. A 5-second timeout per external call prevents any single unresponsive source from blocking the run. A full scan of 10 domains completes in under 30 seconds.
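
The DNSBL lookups in steps 5 and 6, sketched as an added example (not the actor's own code): it builds the query name, applies the 5-second timeout, and separates a real listing from a refusal code in 127.255.255.0/24, the range Spamhaus documents for blocked resolvers and the kind of answer the changelog describes. The zone `dnsbl.example`, the function names and the sample answers are assumptions made for illustration.

```javascript
// Added example: the zone name and sample answers are constructed, not the actor's.
const TIMEOUT_MS = 5000; // the page's 5-second limit per external call

// IP-based lists take the IPv4 octets reversed; domain-based lists take the
// domain as-is. Either way the list's zone is appended.
function dnsblQueryName(target, zone) {
  const octets = target.split('.');
  const isIPv4 = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  const label = isIPv4
    ? octets.reverse().join('.')
    : target.toLowerCase().replace(/\.$/, '');
  return `${label}.${zone}`;
}

// Turn the A records a list returned into a verdict.
function classifyDnsblAnswer(addresses) {
  if (!addresses || addresses.length === 0) return { status: 'not_listed', codes: [] };
  const loopback = addresses.filter((a) => a.startsWith('127.'));
  // A non-127/8 answer means a wildcarded or rewritten zone, not a listing.
  if (loopback.length === 0) return { status: 'invalid', codes: addresses };
  // Assumption: 127.255.255.x is a refusal/error code, as Spamhaus documents.
  const refused = loopback.filter((a) => a.startsWith('127.255.255.'));
  if (refused.length > 0) return { status: 'refused', codes: refused };
  return { status: 'listed', codes: loopback };
}

// resolve4 is injectable so the logic can be exercised without network access.
async function checkDnsbl(target, zone, resolve4) {
  if (!resolve4) {
    const dns = await import('node:dns');
    resolve4 = (name) => dns.promises.resolve4(name);
  }
  const name = dnsblQueryName(target, zone);
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('timeout')), TIMEOUT_MS);
  });
  try {
    const addresses = await Promise.race([resolve4(name), timeout]);
    return { name, ...classifyDnsblAnswer(addresses) };
  } catch (err) {
    // NXDOMAIN / no data is the normal "not listed" answer; the rest is unknown.
    const notFound = err.code === 'ENOTFOUND' || err.code === 'ENODATA';
    return { name, status: notFound ? 'not_listed' : 'error', codes: [] };
  } finally {
    clearTimeout(timer);
  }
}
```

In a scanner, `refused`, `invalid` and `error` results belong in a "could not check" bucket rather than in the blacklist hit count.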


Output fields

| Field | Description |
|---|---|
| domain | The domain scanned |
| isClean | true if no active threats detected across all sources |
| totalFlagged | Total number of threat signals detected |
| resolvedIps | IP addresses the domain resolves to |
| urlhausActive | true if active malware URLs are live right now |
| urlhausActiveCount | Number of active malware URLs |
| urlhausActiveUrls | Malware URL details (up to 10) |
| threatFoxActive | true if recent IOCs found in the last 30 days |
| threatFoxRecentCount | Number of recent IOC records |
| threatFoxIocs | IOC details (up to 5) |
| phishTankFound | true if domain is in PhishTank database |
| phishTankVerified | true if the phishing report was community-verified |
| sucuriClean | true if Sucuri found no malware or blacklisting |
| sucuriMalware | true if Sucuri detected malware |
| sucuriBlacklisted | true if any security vendor has it blacklisted |
| sucuriFlaggedBy | List of vendors that blacklisted this domain |
| domainBlacklists | Per-list DNS blacklist results |
| domainBlacklistCount | Domain-based blacklist hits |
| ipBlacklists | Per-IP, per-list DNS blacklist results |
| ipBlacklistCount | IP-based blacklist hits |
| vtMalicious | (optional) VirusTotal malicious engine count |
| vtEngines | (optional) Total VirusTotal engines scanned |
| vtCategories | (optional) Category labels from VirusTotal vendors |
| safeBrowsingFlagged | (optional) true if Google Safe Browsing flagged this domain |
| safeBrowsingThreats | (optional) Threat types from Google Safe Browsing |

How to use

  1. Add one or more domains to Domains to Scan
  2. Optionally add a VirusTotal API Key and/or Google Safe Browsing API Key for enhanced coverage
  3. Click Start — results appear within seconds
  4. Export as JSON, CSV, or Excel

Use cases

Vendor and supplier domain vetting

Before integrating with a third-party vendor, supplier, or API partner, scan their domain. A vendor domain flagged in ThreatFox or PhishTank is an immediate red flag regardless of how legitimate the business appears on the surface.

Incident response triage

When investigating a security incident, quickly check whether domains found in logs, phishing emails, or endpoint telemetry are known threats. The actor returns results from URLHaus, ThreatFox, and PhishTank in seconds — without requiring access to premium threat intelligence platforms.

Phishing email investigation

Paste the sending domain from a suspicious email into the actor. A PhishTank hit or a Sucuri blacklist result is strong confirmation that the email is malicious.

Before visiting an unfamiliar URL from a document, email, or chat message, scan the domain. If URLHaus shows active malware or Sucuri returns a blacklist flag, do not visit it.

Continuous domain monitoring

Schedule the actor against your own domain and key assets on a regular cadence. Early detection of a Sucuri blacklisting or a PhishTank submission means you can investigate a compromise or file a false-positive dispute before it impacts your users.

Malware infrastructure research

Researchers can use this actor to quickly check whether a domain is associated with known malware campaigns via ThreatFox IOC lookups, then pivot to related infrastructure using the malware family and confidence tags returned in each record.


Difference from Domain History Checker

| | Domain History Checker | Domain Security Scanner |
|---|---|---|
| Focus | Past — was this domain ever bad? | Present — is this domain bad right now? |
| Best for | Buying expired domains, SEO due diligence | Security monitoring, incident response, vendor vetting |
| URLHaus | All historical entries (online + offline) | Active URLs only |
| ThreatFox | All IOC records ever | Last 30 days only |
| RDAP / Wayback | | |
| PhishTank / Sucuri | | |
| VirusTotal / Safe Browsing | | ✓ (optional) |

For a complete picture, run both — Domain History Checker for the domain's full past, and Domain Security Scanner for its current threat status.


Frequently asked questions

What does isClean: true actually mean?

It means no flags were returned from any of the sources checked at the time of the scan. It is not a guarantee that the domain is safe — new threats appear daily and may not be indexed immediately. Use the VirusTotal integration for broader coverage across 90+ engines.

Does this actor visit the domain?

No for most checks. The actor queries threat intelligence APIs and performs DNS lookups. The Sucuri SiteCheck integration performs a lightweight public check, but the actor itself does not send HTTP requests directly to the scanned domain.

What malware families does ThreatFox cover?

ThreatFox covers 50+ malware families including Cobalt Strike, RedLineStealer, AgentTesla, Emotet, QBot, IcedID, AsyncRAT, NanoCore, njRAT, and many others. IOC types include C2 domains, payload delivery URLs, and phishing infrastructure.

How often is URLHaus updated?

URLHaus is updated continuously in real time by the abuse.ch community. New malware URLs are submitted and verified around the clock. The active malware list reflects the state at the time of the scan.

Can I use VirusTotal without an API key?

No. VirusTotal requires an API key even for the free tier. The free tier is available at virustotal.com with no credit card required and allows 4 domain lookups per minute.

Is Google Safe Browsing the same as what Chrome uses?

Yes. The same threat data that powers Chrome's "dangerous site" warnings is available via the Safe Browsing API. The free tier covers 10,000 requests per day.


  • Domain History Checker — full historical footprint: RDAP registration data, Wayback Machine history, URLHaus and ThreatFox malware/IOC records (all time), 6 DNS blacklists, and risk scoring
  • Email Domain Blacklist Checker — 15 email blacklist checks (Spamhaus, SURBL, SpamCop, Barracuda) plus SPF, DMARC, MX, and PTR validation

Changelog

2026-03-05 — v0.1.4

  • Removed Spamhaus DBL and Spamhaus ZEN — both return positive results for all domains from unauthorized datacenter IPs, causing every domain to appear flagged
  • Now checks 8 DNS blacklists (5 domain-based, 3 IP-based) — all verified to work correctly without paid authorization

2026-03-05 — v0.1.0

  • Initial release
  • URLHaus active malware check (real-time)
  • ThreatFox recent IOC check (last 30 days)
  • PhishTank community phishing database check
  • Sucuri SiteCheck multi-vendor malware and blacklist scan
  • 6 domain-based + 4 IP-based DNS blacklist checks
  • Optional VirusTotal integration (90+ security engines)
  • Optional Google Safe Browsing integration