@pipeworx/threatfox

Connect: https://gateway.pipeworx.io/threatfox/mcp

Tools: 4

ThreatFox (abuse.ch) MCP — community IOC feed.

Tools

  • search_ioc(indicator, exact_match?)
  • recent_iocs(days?)
  • search_hash(hash)
  • search_malware(malware, limit?)

Auth

  • Platform key: gateway env PLATFORM_ABUSECH_KEY (shared with malwarebazaar).
  • BYO: ?_apiKey=<key> after registering at https://auth.abuse.ch.

Data source

https://threatfox-api.abuse.ch/api/v1/ — header Auth-Key, POST with JSON body.

Tools

  • search_ioc — Look up a specific indicator of compromise (IP, domain, URL, hash, etc.). Returns matching IOCs with malware family, confidence, threat-type, first/last seen, tags, references.
  • recent_iocs — IOCs added to ThreatFox in the last N days. Useful for daily threat-intel ingestion.
  • search_hash — IOCs associated with a file hash (md5 / sha1 / sha256).
  • search_malware — IOCs tagged to a malware family (e.g., “Cobalt Strike”, “Emotet”, “QakBot”).

Regenerated from source · build May 21, 2026