abuse.ch is one of the most well-regarded specialists of malware and botnet command and controller (C&Cs) data. Its primary goal is to collect, track, and share data signals to fight the good fight against these most disruptive cybercrime tactics. And with Spamhaus working for over 25 years to improve trust and safety on the internet, recognized as the authority on IP and domain reputation data, the value in providing these datasets together, via a single source, was an obvious move. From today, abuse.ch’s URLhaus data is available as a beta version for Spamhaus Intelligence API (SIA) users, and indeed free to Developer License users - learn more in this blog post.

Get acquainted with URLhaus malware intelligence

If you’re active in the cyber threat intelligence (CTI) industry, it’s likely you’re familiar with abuse.ch, and indeed, URLhaus data. Highly regarded among security vendors and analysts, network administrators, and researchers, URLhaus provides an expansive community-driven hub for individual experts to share and consume intelligence on malicious URLs that are being used for malware distribution.

Malicious URLs form the literal link between users and a malicious payload. It is crucial for businesses and end users to understand if the link they are clicking on, or a link that has been obfuscated, is a link that leads to an attempt at malicious behavior, be it a malicious payload or a phishing website.

Critically, URLhaus data is constantly tested to identify which URLs are active, and which URLs have been taken down, meaning it remains up to date and relevant. From our abuse.ch partnership, Spamhaus has now begun to surface URLhaus data via the Spamhaus Intelligence API (SIA). Security professionals can utilize this to support the identification and exploration of malicious URLs and domains, and delve deep to understand further connections.

The URLhaus data you’ll uncover

URLhaus data via SIA will highlight, and provide details on, various internet identifiers – URLs, domains, malware families, IPv4 addresses, ASNs and hashes (SHA256 or MD5). Some of the values you’ll gain visibility of are:

  • Online/offline: with URLs frequently re-evaluated, understand if a malicious endpoint is still reachable or not.
  • Tags: community generated identifiers typically associated with every entry, tags will return details such as activity type, associated malware family, payload file type etc.
  • Payload details: including MIME type, file format, file size, file name, sha256 hash output, and malware family associated. 
  • Reporter: as you analyze, you can uncover if there are trends in the data contributed by a specific reporter, to pay particular attention to.

More information on the data can be found in our technical documentation here.

Where URLhaus data will add value via SIA

In essence, the URLhaus data via SIA will provide a comprehensive source of malware intelligence. Confirm malicious URLs and their payloads, in addition to high-confidence indicators of IP and domain reputation, all from a single source. At a high-level, the data will support with:

Threat hunting: Correlate business IT IOCs, and malicious resources used, when performing internal threat hunting activities. Observe signals related to IOCs to provide actionable proactive insight on threats. Improve prioritization on where remediation and defensive measures need to be implemented or enhanced. For more details on this use case, read here.

Automation: For organizations that have automated consumption pipelines and mature tooling, for example, those with Threat Intelligence Platforms, this data and ingestion mechanism can be configured to meet requirements for your specific and mature needs. Get reputational data on internet identifiers, and also drill down into malicious methods being used to harm users, from one API. For more details on this use case, read here.

Incident Response: Significant time can be spent on searching for details and additional context of IOCs to optimize remediation. URLhaus, IP, and domain reputation data offer a comprehensive, reliable source of information to discern how you can act more tactfully and efficiently when time is of the essence.

Pairing URLhaus with Spamhaus’ Intelligence

When using URLhaus data via SIA, you not only gain valuable malware-specific intelligence, but also rich and expansive IP and domain reputation data. Pivot between numerous, contextually-rich metadata points including exploited and exploiting IPs, botnet command and controller IPs, email traffic with poor reputation, and all domains observed by Spamhaus .

From a broad perspective, Spamhaus Intelligence API users can:

  • Enrich current threat intelligence sources
  • Establish more comprehensive insights
  • Provide confidence in investigative prioritization

Consume and/or pivot to different different data types, covering varying internet identifiers from a single, reputable source.

Access the data – for free!

The URLhaus data via SIA is released as a beta version. Why in beta? To give you an opportunity to influence ongoing product enhancements before a production-ready release. You can gain a long-term commercial license here – but to test out the data and share your feedback, sign up to the Developer License program here.

The Developer License is offered free for six months. Happy hunting!

Related Products

Spamhaus Intelligence API (SIA)

Spamhaus Intelligence API (SIA) contains context-rich metadata relating to IP and domain reputation. Integrate this data with your applications to enhance existing data feeds, or consume as an independent data source.

In this easy-to-consume format, SIA can be used for threat detection and investigation, risk scoring, customer vetting, validation and much more.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in


Using abuse.ch’s URLhaus data for manual investigations and automation with Spamhaus’ Intelligence API

6 June 2024


With our abuse.ch partnership, Spamhaus is now beginning to release abuse.ch’s data via the Spamhaus Intelligence API. This has started with URLhaus, as a beta release. Utilize the data alongside rich IP and Domain reputation metadata signals - explore how with some example use cases here.

Welcome to the Spamhaus Developer License

23 March 2021


We're aware that it can take time to find the right use case and build the right application to meet its needs. So, we've created a license to give developers access to the data without the 30-day time limit attached to a trial. The developer license runs for six-month periods.

PRESS RELEASE | Spamhaus announces release of free Intelligence API for security developers

2 December 2020


Today, Spamhaus Technology Ltd, the trusted authority on IP and domain reputation, releases its Intelligence API [BETA]. This is the first time Spamhaus has released its extensive threat intelligence via API, providing enriched data relating to IP addresses exhibiting compromised behavior.