Schemas
Response fields use exact API casing.
Infostealer data fields use camelCase. Pagination fields use snake_case because they are shared with other DIAPI list endpoints.
InfostealerRow
| Field | Type | Notes |
|---|---|---|
| feedType | string | Currently c2. |
| reviewStatus | string | Reviewed status, normally allow or auto_allow. |
| host | string | Domain or IP host. |
| families | string array | Normalized family names. |
| seenAt | timestamp | Latest triage sighting in the row. |
| firstSeen | timestamp, optional | First triage sighting for the host. |
| lastSeen | timestamp, optional | Last triage sighting for the host. |
| ports | InfostealerPort array | Port-level samples grouped by family. |
| dnsStatus | string, optional | Current DNS disposition. |
| resolvedIps | string array | Resolved IP addresses known for the host. |
| country | string, optional | Country from review metadata or IPinfo ASN data. |
| asn | integer, optional | ASN number when known. |
| asOrg | string, optional | ASN organization when known. |
| infraType | string, optional | IPinfo infrastructure type when known. |
| quad9Hits | integer | 30-day DNS block count. |
| circlHits | integer | CIRCL passive DNS total count. |
Nested port sample schemas
InfostealerPort {
  "port": 443,
  "families": [InfostealerPortFamily]
}
InfostealerPortFamily {
  "family": "remus_stealer",
  "samples": [InfostealerSample]
}
InfostealerSample {
  "sha256": "0123456789abcdef...",
  "firstSeen": "2026-06-18T13:12:10Z",
  "lastSeen": "2026-06-19T23:29:02Z"
}
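As an added example (not part of the API documentation), the Python below flattens one InfostealerRow into per-sample records keyed by host, port and family, which is the shape most detection lookups need. The sample row and the names `flatten_row` and `parse_ts` are constructed for illustration, and it assumes timestamps use the ISO 8601 `Z` form shown in the schemas above.

```python
import re
from datetime import datetime

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def parse_ts(value):
    """Parse an ISO 8601 'Z' timestamp; optional (missing) values stay None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def flatten_row(row):
    """Yield one record per (host, port, family, sample) in an InfostealerRow."""
    for port in row.get("ports", []):
        for fam in port.get("families", []):
            for sample in fam.get("samples", []):
                sha = str(sample.get("sha256", "")).lower()
                if not SHA256_RE.match(sha):
                    continue  # drop truncated or malformed hashes
                yield {
                    "host": row["host"],
                    "port": port["port"],
                    "family": fam["family"],
                    "sha256": sha,
                    "firstSeen": parse_ts(sample.get("firstSeen")),
                    "lastSeen": parse_ts(sample.get("lastSeen")),
                    # Optional row-level context; None when the API omits it.
                    "asn": row.get("asn"),
                    "dnsStatus": row.get("dnsStatus"),
                }

# Constructed sample row (not real data); optional fields such as asn are omitted.
SAMPLE_ROW = {
    "feedType": "c2", "reviewStatus": "allow", "host": "c2.example.test",
    "families": ["remus_stealer"], "seenAt": "2026-06-19T23:29:02Z",
    "resolvedIps": ["192.0.2.10"], "quad9Hits": 0, "circlHits": 0,
    "ports": [{"port": 443, "families": [{"family": "remus_stealer", "samples": [
        {"sha256": "AB" * 32, "firstSeen": "2026-06-18T13:12:10Z",
         "lastSeen": "2026-06-19T23:29:02Z"},
        {"sha256": "0123456789abcdef...", "firstSeen": "2026-06-18T13:12:10Z"},
    ]}]}],
}

if __name__ == "__main__":
    for record in flatten_row(SAMPLE_ROW):
        print(record)
```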
Pagination
{
  "page": 1,
  "limit": 100,
  "prev_page": 0,
  "next_page": 2,
  "has_prev": false,
  "has_next": true,
  "total_rows": 417,
  "total_pages": 5,
  "start_row": 1,
  "end_row": 100
}