Infostealers

Find reviewed infostealer C2 infrastructure.

The Infostealers API returns reviewed C2 hosts that match the current infostealer family allowlist. Results include families, DNS status, resolved IPs, port samples, ASN context, DNS block hits, and CIRCL passive DNS counts.

GET /v1/infostealers

List hosts seen during a bounded time window. The response is paginated and sorted by latest sighting, newest first.

GET /v1/infostealers/{host}

Check one host. The host route accepts the same time-window parameters, but it always returns a single matching row or a 404.

Example request

curl --compressed \
  -H "Authorization: Bearer <api-key>" \
  "https://api.domainintelligence.uk/v1/infostealers?window_days=14&page=1&limit=100"

Query parameters

| Name | Type | Default | Notes |
| --- | --- | --- | --- |
| host | string | none | Optional list filter. Lowercased and trimmed. A trailing dot is removed. |
| window_days or windowDays | integer | 14 | Positive integer, maximum 90. Uses UTC midnight boundaries. |
| start_at or startAt | timestamp or date | none | Must be sent with end_at. Accepts RFC3339, RFC3339Nano, or YYYY-MM-DD. |
| end_at or endAt | timestamp or date | none | Must be after start_at. Custom periods are limited to 90 days. |
| page | integer | 1 | Positive page number. |
| limit | integer | 100 | Positive integer, maximum 5000. |

List response

{
  "rows": [
    {
      "feedType": "c2",
      "reviewStatus": "allow",
      "host": "example-c2.test",
      "families": ["remus_stealer"],
      "seenAt": "2026-06-19T23:29:02Z",
      "firstSeen": "2026-06-18T13:12:10Z",
      "lastSeen": "2026-06-19T23:29:02Z",
      "ports": [
        {
          "port": 443,
          "families": [
            {
              "family": "remus_stealer",
              "samples": [
                {
                  "sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                  "firstSeen": "2026-06-18T13:12:10Z",
                  "lastSeen": "2026-06-19T23:29:02Z"
                }
              ]
            }
          ]
        }
      ],
      "dnsStatus": "blocked",
      "resolvedIps": ["203.0.113.10"],
      "country": "US",
      "asn": 64500,
      "asOrg": "Example Network",
      "infraType": "hosting",
      "quad9Hits": 52,
      "circlHits": 18
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 100,
    "prev_page": 0,
    "next_page": 2,
    "has_prev": false,
    "has_next": true,
    "total_rows": 417,
    "total_pages": 5,
    "start_row": 1,
    "end_row": 100
  },
  "filters": {
    "windowDays": 14,
    "startAt": "2026-06-06T00:00:00Z",
    "endAt": "2026-06-20T00:00:00Z",
    "page": 1,
    "limit": 100
  }
}

Host lookup response

{
  "host": "example-c2.test",
  "found": true,
  "row": {
    "feedType": "c2",
    "reviewStatus": "allow",
    "host": "example-c2.test",
    "families": ["remus_stealer"],
    "seenAt": "2026-06-19T23:29:02Z",
    "ports": [],
    "resolvedIps": [],
    "quad9Hits": 0,
    "circlHits": 0
  },
  "filters": {
    "host": "example-c2.test",
    "windowDays": 14,
    "startAt": "2026-06-06T00:00:00Z",
    "endAt": "2026-06-20T00:00:00Z",
    "page": 1,
    "limit": 1
  }
}

Dataset boundaries

Results are reviewed C2 feed exports with at least one matching allowed infostealer family. The API is not a raw dump of every sighting. Port samples are grouped by host, port, family, and SHA-256.
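
Consuming the feed for detection, as an added example that is not part of this API's own documentation or client code: it follows the pagination block of the list response, flattens each row into the host, port, family, and SHA-256 grouping described above, and matches local DNS query names against feed hosts using the documented host normalisation. The fetch_page callable, the function names, and the sample pages are assumptions constructed for the example; in real use fetch_page would wrap the authenticated GET shown in the example request.

```python
# Constructed sample pages shaped like the list response (not real feed data).
SAMPLE_PAGES = {
    1: {"rows": [{"host": "example-c2.test", "ports": [{"port": 443, "families": [
            {"family": "remus_stealer", "samples": [{"sha256": "01" * 32}]}]}]}],
        "pagination": {"page": 1, "has_next": True, "next_page": 2}},
    2: {"rows": [{"host": "second-c2.test", "ports": []}],
        "pagination": {"page": 2, "has_next": False}},
}

def normalize_host(name):
    """Trim, lowercase, and drop one trailing dot, as documented for `host`."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name

def iter_rows(fetch_page, max_pages=1000):
    """Yield every row; fetch_page(n) is a hypothetical callable returning one parsed page."""
    page = 1
    for _ in range(max_pages):  # hard stop so a malformed response cannot loop forever
        body = fetch_page(page)
        yield from body.get("rows", [])
        pg = body.get("pagination", {})
        if not pg.get("has_next"):
            return
        nxt = pg.get("next_page")
        if not isinstance(nxt, int) or nxt <= page:
            raise ValueError(f"pagination did not advance past page {page}")
        page = nxt
    raise RuntimeError("max_pages reached before has_next became false")

def flatten(row):
    """One record per (host, port, family, sha256); a host-only record if ports is empty."""
    host = normalize_host(row["host"])
    out = [{"host": host, "port": p["port"], "family": f["family"], "sha256": s["sha256"]}
           for p in row.get("ports") or []
           for f in p.get("families") or []
           for s in f.get("samples") or []]
    return out or [{"host": host, "port": None, "family": None, "sha256": None}]

def match_dns_log(query_names, rows):
    """Return normalised names from local DNS logs that appear as feed hosts."""
    feed = {normalize_host(r["host"]) for r in rows}
    return sorted({normalize_host(q) for q in query_names} & feed)

if __name__ == "__main__":
    rows = list(iter_rows(SAMPLE_PAGES.__getitem__))
    for rec in (r for row in rows for r in flatten(row)):
        print(rec)
    print(match_dns_log(["Example-C2.test.", "benign.example"], rows))
```

The host-only record covers rows such as the host lookup response above, where ports is an empty array, so a host is never dropped from a blocklist or watchlist just because no port samples were returned.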