Threat-intelligence feed

MalwareBazaar Recent

Malware DistributionLast verified 2026-05-09Page fetched Wed, 20 May 2026 13:43:09 GMT

MalwareBazaar Recent is a malware distribution threat-intelligence feed tracked by WhisperGraph as a FEED_SOURCE node. The Whisper Internet Directory publishes this page so security analysts and LLM agents can link to it as a stable record for MalwareBazaar Recent.

What is MalwareBazaar Recent

MalwareBazaar Recent is the rolling-window malware-distribution feed published by abuse.ch as part of the MalwareBazaar project. It enumerates domains and URLs observed serving malware payloads — droppers, loaders, second-stage executables, and packed binaries — sourced from sandbox runs, partner submissions, and direct VirusTotal pivots. Each entry carries a sample SHA256, a malware family tag, and a first-seen timestamp; the recent view rolls older entries off so the list reflects currently-live distribution infrastructure rather than archival material. It is indexed here because MalwareBazaar is one of the most widely-cited free malware-IOC repositories in 2026 incident reports.

Feed metadata

Display name: MalwareBazaar Recent
URL slug: malwarebazaar-recent
Graph identifier: abuse-ch-malwarebazaar
Category: Malware Distribution
Refresh cadence: hourly
Source: bazaar.abuse.ch

Live graph data

FEED_SOURCE node confirmed. WhisperGraph carries this feed under the same category (Malware Distribution) as the editorial entry above. The graph identifier abuse-ch-malwarebazaar matches the live f.id property.

Indicators currently listed

Live indicator listings: not yet available. WhisperGraph's LISTED_INedge is virtual and not enumerable from the feed side — there is no query-tractable way today to fetch the IPs and hostnames listed in this feed without first visiting every candidate indicator. Indicator-anchored queries work in the opposite direction (see the Cypher snippet below) and the directory's individual IP and host pages surface their feed memberships individually. Per-feed enumeration (an indicator count and sample of representative indicators) is on the roadmap.

Cypher and MCP

Look up which threat feeds list a given IP — the indicator-anchored query that powers the threat card:

MATCH (ip:IPV4 {name: $ip})-[:LISTED_IN]->(f:FEED_SOURCE)
WHERE f.name = "MalwareBazaar Recent"
WITH f
MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.name AS feed, c.name AS category

Verify the feed's graph-side identity directly:

MATCH (f:FEED_SOURCE {name: "MalwareBazaar Recent"})
OPTIONAL MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.id AS id, f.name AS name, c.name AS category

Or query Whisper from your own LLM workflow via the Whisper MCP server.

Pivot from MalwareBazaar Recent into adjacent entities.

What is MalwareBazaar Recent

Indicators currently listed

Cypher and MCP

Look up which threat feeds list a given IP — the indicator-anchored query that powers the threat card:

MATCH (ip:IPV4 {name: $ip})-[:LISTED_IN]->(f:FEED_SOURCE) WHERE f.name = "MalwareBazaar Recent" WITH f MATCH (f)-[:BELONGS_TO]->(c:CATEGORY) RETURN f.name AS feed, c.name AS category

Verify the feed's graph-side identity directly:

MATCH (f:FEED_SOURCE {name: "MalwareBazaar Recent"}) OPTIONAL MATCH (f)-[:BELONGS_TO]->(c:CATEGORY) RETURN f.id AS id, f.name AS name, c.name AS category

Or query Whisper from your own LLM workflow via the Whisper MCP server.

MalwareBazaar Recent

What is MalwareBazaar Recent

Feed metadata

Live graph data

Indicators currently listed

Cypher and MCP

Related pages

MalwareBazaar Recent

What is MalwareBazaar Recent

Feed metadata

Live graph data

Indicators currently listed

Cypher and MCP

Related pages