top of page
Leveraging IP Reputation Feed for Enhanced Cybersecurity

Botnet Analysis
and Reporting (BARS)

40+ malware families.

Key Features:

Provides a holistic view of adversarial campaigns.

Offers correlation across Command and Controls (C2s), victim IP addresses, malware targets, and DDoS attack instructions.

Includes geolocation and victimology information, complete campaign history of malware used, and covers tracked malware families.

Key Advantages:

In-depth analysis tracking and history of malware families that utilize unique control protocols and possibly encryption mechanisms.

Updated every 60 minutes for near-real-time global Internet visibility.

Provides fast insights into C2 and DDoS attacks without processing efforts.

Use Cases:

Cybersecurity teams in large corporations can monitor and mitigate sophisticated malware attacks targeting their network.

Government agencies can use the feed for national security purposes, tracking cyber espionage campaigns.

Financial institutions can protect their infrastructure from DDoS attacks and complex malware.

Our Botnet Analysis & Reporting Service (BARS) provides in-depth analysis, tracking, and history of 40+ malware families that utilize unique control protocols and possibly encryption mechanisms.

Our BARS cyber threat intelligence includes IP, BGP and GeoIP information related to each bot. We automatically track botnet infrastructure, and we have a team of malware analysts dedicated to investigating new malware families and/or variants. We are continually developing specialized code to track and report on new threats as they arise.

XML Files

Bot XML File

This file contains information related to hosts infected with malware (bots), including the IP, BGP and GeoIP information related to each Bot. Each infected host is also categorized with the type of malware it is infected with, including additional elements.​

Command and Control XML File

This file contains information related to command and control servers, including the type of botnet, details about the host(s) being used to control the botnet, and when available, SHA1/MD5 hashes for malware observed connecting to the botnet.

We list three different types of botnets: IRC (Internet Relay Chat), HTTP, and P2P (Peer to Peer), each with additional elements. For example, the XML entry for an IRC based botnet may include the IPs, ports, channels and passwords of multiple servers being used to control the botnet.


The DDoS file contains information related to distributed denial of service (DDoS) attacks. Each DDoS element represents a separate attack recorded by our monitoring systems. The target of each attack is provided, along with attack details, such as the location of the victim, the time of the attack, the duration, and (when available) details on the nature and strength of the attack.

Subset of Controller Feed Entries Include (as of July 2022)

  • Amadey

  • CobaltStrike

  • Emotet

  • Lokibot

  • Mirai

  • Nanocore

  • Qakbot

  • Raccoonstealer

  • Redline

  • Xorddos

Example Attack Categories

  • TCP: TCP-based traffic attack

  • UDP: UDP-based traffic attack

  • ICMP: ICMP-based traffic attack

  • SYN: TCP Syn flood attack

  • HTTP: HTTP/HTTPS-based resource attack

  • DNSamp: DNSamplification attacks (DNS recursion)

bottom of page