IOC Hunter Feed Documentation

Access our IOC Hunter feed through our API endpoint.

This document describes the JSON structure of the IOC Hunter feed, which provides threat intelligence data, including indicators of compromise (IOCs) and associated threat actor information. This feed helps enhance cyber threat analysis by integrating publication details with enriched metadata.


How to Access This Feed

  1. Open Your Terminal or Command Prompt: This is where you'll type the curl command. On Windows, you can search for "cmd" to open the Command Prompt. On macOS or Linux, you can open the Terminal.

  2. Prepare Your API Key: Before running the command, ensure you have your API key ready. This should be a string of characters you obtained when you created your API key in the previous step. Be sure that API > Access Instructions is set to Allow All. (This is set to Allow All by default)

  3. Construct the Curl Command: Type the following command, but replace <API_TOKEN_GOES_HERE> with your actual API key.

    1. curl -o ioc-hunter.json.gz 'https://api.hunt.io/v1/feeds/ioc-hunter' -H 'token: <API_TOKEN_GOES_HERE>'
      
    2. Ensure you remove <API_TOKEN_GOES_HERE> and replace it with your API key without the angle brackets.
  4. Execute the Command: After typing the command with your API key, press Enter to execute it. This sends a request to the specified URL with your API token for authentication.

  5. Review the Response: The server's response to your request will be in a file named ioc-hunter.json.gz. This contains the data you're requesting from the API—in this case, the IOC Hunter Feed.

    1. Note: Please be aware that the dataset is provided in a compressed format ioc-hunter.json.gz. For decompression, utilize a native system utility or opt for a verified external tool designed for this purpose.

Optional Query Parameters

You can customize the IOC Hunter Feed results using the following optional query parameters:

ParameterTypeDescription
daysintLimits the results to IOCs published within the last N days. Allowed values are: 1, 7, 30, 60, 90, 180, 360, and 720. Useful for narrowing down the feed to recent or extended historical data.
publication_domainstringFilters results to a specific publication apex domain (e.g., example.com). This filter is case-insensitive. Useful when analyzing IOCs from a specific trusted source.

Example Usage

curl -o ioc-hunter.json.gz \
  'https://api.hunt.io/v1/feeds/ioc-hunter?days=30&publication_domain=example.com' \
  -H 'token: <API_TOKEN_GOES_HERE>'

Returned Data

The IOC Hunter feed API returns the following fields when queried. Details on accessing the IOC Hunter feed API can be found here.

FieldTypeDescOptional
ioc_hunter_metadataarrayAn array containing one or more entries of enriched IOC data.True
publication_titlestringThe title of the publication or article from which the IOC data is derived.True
publication_namestringThe apex domain of the website or source that published the article.True
publication_urlstringThe full URL where the publication can be accessed.True
published_atfloat (Timestamp)The timestamp marking when the publication was released or captured.True
threat_actorobjectAn object containing detailed threat actor information associated with the publication.True
idintA numeric identifier for the threat actor.True
uuidstringA unique identifier for the threat actor (UUID format), as available.True
originstringThe attribution to identify the threat actor.True
synonymsarrayA detailed narrative of the threat actor’s activities, targets and motivations.True
descriptionstringA detailed narrative of the threat actor’s activities, targets and motivations.True
metaobjectContains additional contextual data such as sponsor, victims, and incidents.True
sponsorstringNation state sponsoring threat actor, where available.True
victimsarrayCountries targeted by the threat actor.True
categoryarrayThe sectors or industries that are typically targeted by threat actors.True
incidentarrayKey motivations for threat actor’s attack.True
ransomware_groupbooleanIndicates whether the threat actor is associated with ransomware activities.True
country_codestringThe country code representing the threat actor's geographical association.True
countrystringThe name of the country linked to the threat actor.True
descriptionstringShort description of the original publication or context in which the IOC was reported.True
malware_nameStringName of the malware linked to the IOC.True
{
  "value": "d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a",
  "ioc_type": "ioc_sha256",
  "publication_name": "medium.com",
  "publication_title": "Shamoon Malware. Shamoon Malware is a wiper that spread...",
  "publication_url": "https://medium.com/@cyberecht/shamoon-malware-e24823501b10",
  "published_at": "2025-02-28T18:33:00",
  "threat_actor": {
    "id": 46,
    "uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
    "name": "APT33",
    "origin": "APT33",
    "synonyms": "APT 33, Elfin, MAGNALLIUM, Refined Kitten, HOLMIUM, COBALT TRINITY, G0064, ATK35, Peach Sandstorm, TA451",
    "description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
    "meta": {
      "sponsor": "Iran (Islamic Republic of)",
      "victims": [
        "United States",
        "Saudi Arabia",
        "South Korea"
      ],
      "category": [
        "Private sector"
      ],
      "incident": [
        "Espionage"
      ]
    },
    "ransomware_group": false,
    "country_code": "IR",
    "country": "Iran",
  },
  "description": "The post discusses Shamoon malware, a wiper that targets devices on a shared network to erase operating systems. It details four waves of attacks since its emergence on August 15, 2012, primarily against Saudi organizations. Shamoon, also known as Disttrack and other aliases, is linked to the APT33 actor group and affects various Windows operating systems. The malware operates by overwriting the Master Boot Record (MBR), rendering systems inoperable. Notable victims include Saudi Aramco and Saipem, with Aramco suffering damage to 30,000 computers. The post lists several hashes associated with Shamoon's components, such as Spreader.exe and Trojan.Filerase.",
  "malware_name": "Shamoon"
}