Fed0gaT — Threat Intelligence Feed | Tağmaç - root@Tagoletta:~#

Python Tue May 26 2026

Fed0gaT is an automated threat intelligence aggregation system that collects, deduplicates, and publishes hourly feeds of malicious IPs, file hashes, and URLs from multiple open-source intelligence sources. Feeds are published to GitHub and available as plain-text for direct integration into SIEM, EDR, and firewall platforms.

Detailed Write-up

Project Overview

Fed0gaT is an open-source automated IOC (Indicators of Compromise) aggregation and publishing system built to provide the security community with free, structured threat intelligence.

The system continuously collects data from multiple open-source threat intelligence sources, normalizes and deduplicates the entries, then publishes them in three categories:

  • IP Addresses — Malicious or suspicious IPv4 addresses (C2 servers, botnet nodes, scanners)
  • File Hashes — Malware signatures across MD5, SHA1, and SHA256 formats
  • URLs — Phishing pages, malware delivery endpoints, and C2 panel addresses

Architecture

FED0GAT — DATA FLOW ARCHITECTURE

  • OSINT sources (fetched hourly): Abuse.ch / URLhaus, MalwareBazaar, ThreatFox / FeodoTracker, Open Threat Exchange, Blocklists / MISP, + more sources
  • Fed0gaT engine: Fetch & normalize → Deduplicate IOCs → Categorize by type → Write dated + latest → Update stats.json → Git commit & push
  • Scheduler: GitHub Actions cron, 0 * * * * (every hour)
  • GitHub feeds (pushed): latest-ip.txt, latest-hash.txt, latest-url.txt, stats.json, 2026-06-14-ip.txt …
  • Consumers: SIEM / Splunk, firewall blocklist, IDS / IPS, tagmachan.com/feeds, custom scripts / API

How It Works

1. Data Collection

The system is triggered by a GitHub Actions workflow running on an hourly cron schedule (0 * * * *). Each run fetches raw threat data from multiple open-source intelligence sources simultaneously.

2. Normalization & Deduplication

Collected data is processed through a pipeline that:

  • Normalizes entries across different source formats
  • Removes duplicate IOCs across all source feeds
  • Classifies each entry as IP, Hash, or URL

3. Publication

Each run produces two types of feed output and updates the statistics file:

  • latest-{type}.txt — Always current, full consolidated list
  • YYYY-MM-DD-{type}.txt — Timestamped snapshot for historical reference
  • stats.json — Running log of entry counts per run

4. Integration

All feeds are plain text with one entry per line and no headers — making them directly compatible with threat intelligence ingestion pipelines.
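
A consumer-side ingestion check for the feed format described above, as an added example (not Fed0gaT's own code): it classifies each line as IP, hash or URL, deduplicates, and drops anything malformed before it reaches a blocklist. The function names, the NEVER_BLOCK ranges and the sample lines are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> type
HEX_RE = re.compile(r"[0-9a-f]+")
# Assumption: ranges this consumer must never block, whatever a feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def classify(entry):
    """Return (kind, normalized value), or None if the line is unusable."""
    value = entry.strip()
    try:
        ip = ipaddress.IPv4Address(value)
        if any(ip in net for net in NEVER_BLOCK):
            return None  # a poisoned entry must not cut off internal hosts
        return ("ip", str(ip))
    except ValueError:
        pass  # not an IPv4 address, try the other types
    if len(value) in HASH_ALGOS and HEX_RE.fullmatch(value.lower()):
        return (HASH_ALGOS[len(value)], value.lower())
    try:
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            return ("url", value)
    except ValueError:
        pass  # malformed URL
    return None

def ingest(lines):
    """Validate and deduplicate feed lines into per-type sets."""
    accepted, rejected = {}, []
    for line in lines:
        result = classify(line)
        if result:
            accepted.setdefault(result[0], set()).add(result[1])
        elif line.strip():
            rejected.append(line.strip())
    return accepted, rejected

# Constructed sample lines, not real feed content.
SAMPLE = [
    "203.0.113.7", "203.0.113.7", "10.0.0.5",
    "AB" * 16, "ab" * 16,
    "http://malware.example/payload.bin", "<html>rate limited</html>",
]

if __name__ == "__main__":
    print(ingest(SAMPLE))
```

A non-empty rejected list is worth alerting on: an HTML error page or a truncated download should stop the update rather than replace a working blocklist.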


IOC Categories

  • IP Addresses: IPv4 format; C2 servers, botnet nodes, active scanners; ~44K avg entries / run
  • File Hashes: MD5 / SHA1 / SHA256; malware signatures, ransomware payloads, trojans & droppers; ~8K avg entries / run
  • Malicious URLs: HTTP / HTTPS; phishing pages, malware delivery, C2 panel endpoints; ~76K avg entries / run

Feed URLs

Plain text, one entry per line, no headers. Hosted via tagmachan.com with 30-minute CDN cache:

Feed             URL
IP Blocklist     https://tagmachan.com/feeds/ip.txt
Hash Feed        https://tagmachan.com/feeds/hash.txt
URL Blocklist    https://tagmachan.com/feeds/url.txt

Also available directly from GitHub (no cache):

Feed             GitHub Raw URL
Latest IPs       https://raw.githubusercontent.com/Tagoletta/Fed0gaT/main/feeds/latest-ip.txt
Latest Hashes    https://raw.githubusercontent.com/Tagoletta/Fed0gaT/main/feeds/latest-hash.txt
Latest URLs      https://raw.githubusercontent.com/Tagoletta/Fed0gaT/main/feeds/latest-url.txt
Stats JSON       https://raw.githubusercontent.com/Tagoletta/Fed0gaT/main/feeds/stats.json
