Catalyst / admin/SAynapse-Horizon 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / SAynapse-Horizon

public

Self Hosted Cyber Threat Intelligence Hub

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
SAynapse-Horizon / Synapse-Horizon / backend / src / sources / threatfox.js 2102 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
import { makeIoc, fetchWithTimeout, ok, unconfigured, clampConfidence, SEVERITY } from '../normalize.js'

// ThreatFox (abuse.ch) — recent IOCs (C2 nodes, payload infra). Auth-Key required.
const URL = 'https://threatfox-api.abuse.ch/api/v1/'
const LIMIT = 25
const RANSOMWARE = /lockbit|alphv|blackcat|akira|rhysida|medusa|play|clop|royal|black basta/i

export const meta = { key: 'threatfox', requiresKey: true }

export function configured() {
  return Boolean(process.env.ABUSE_CH_AUTH_KEY)
}

export async function fetchSource() {
  const key = process.env.ABUSE_CH_AUTH_KEY
  if (!key) return unconfigured('Set ABUSE_CH_AUTH_KEY (free abuse.ch account) to enable ThreatFox.')

  const res = await fetchWithTimeout(URL, {
    method: 'POST',
    headers: { 'Auth-Key': key, 'Content-Type': 'application/json' },
    body: JSON.stringify({ query: 'get_iocs', days: 1 }),
  })
  const data = await res.json()
  const rows = Array.isArray(data?.data) ? data.data : []

  const iocs = rows.slice(0, LIMIT).map((r) => {
    const malware = r.malware_printable || r.malware || 'unknown malware'
    const isC2 = /botnet_cc|c2/i.test(r.threat_type || '')
    const ransomware = RANSOMWARE.test(malware)
    return makeIoc('threatfox', {
      detectedAt: r.first_seen || r.first_seen_utc,
      severity: ransomware ? SEVERITY.CRITICAL : SEVERITY.HIGH,
      category: isC2 ? 'Malware Infrastructure' : 'Malware Indicator',
      indicator: r.ioc,
      indicatorType: r.ioc_type || 'ioc',
      target: malware,
      confidence: clampConfidence(r.confidence_level, 80),
      mitre: [{ id: 'T1583.004', name: 'Acquire Infrastructure: Server' }],
      headline: isC2
        ? `Malware Infrastructure: Active ${malware} C2 node identified on ${r.ioc} by ThreatFox`
        : `Malware Indicator: ${r.ioc} associated with ${malware} reported by ThreatFox`,
      raw: r,
      stix: {
        type: 'indicator',
        pattern: `[x-ioc:value = '${r.ioc}']`,
        pattern_type: 'stix',
        labels: [isC2 ? 'command-and-control' : 'malicious-activity'],
      },
    })
  })

  return ok(iocs)
}