Analyze Wireshark packet captures to detect malicious IPs by checking against URLhaus threat intelligence from abuse.ch.

URLhaus malware URL feed — real-time threat intel from abuse.ch. $0.02/query via x402.

Check if a domain is associated with malware distribution, botnet C2, or other malicious activity by querying URLhaus and abuse.ch threat feeds. Use this to assess whether a domain is safe to visit or interact with. For checking a specific URL (not just domain), use phishing_check instead. For file-based IOC lookups, use ioc_lookup. Returns JSON with fields: malware_urls (count of active malicious URLs), threat_tags, threat_status, and a summary assessment. Read-only threat feed query, no authentication required.

Enrich an Indicator of Compromise (IOC) by auto-detecting its type (IP, domain, URL, or file hash) and querying abuse.ch threat feeds: ThreatFox for malware indicators, URLhaus for malicious URLs, and Feodo for botnet C2 servers. Use this as the primary tool for threat hunting when you have a suspicious indicator but don't know its type. For malware-specific hash lookups with file metadata, use hash_lookup instead. For domain-only threat checks, use threat_intel. Returns JSON with fields: indicator, type (auto-detected), found (boolean), threat_type, malware_family, tags, confidence, source, and references. Read-only threat feed query, no authentication required.