A command-line tool for interacting with the ThreatFox API.
Part of the abuse.ch CLI toolkit - This project is part of a collection of CLI tools for interacting with abuse.ch services:
- ✅ Uses only Go standard libraries
- 📝 JSON output for easy parsing
- ⚡️ Built-in rate limiting (10 req/s)
- 🐳 Docker, Podman, and Apple container support

```bash
brew install andpalmier/tap/tfox
```

```bash
go install github.com/andpalmier/tfox@latest
```

```bash
# Pull pre-built image
docker pull ghcr.io/andpalmier/tfox:latest
# Or build locally
docker build -t tfox .
```

```bash
git clone https://github.com/andpalmier/tfox.git
cd tfox
make build
```

- Get your API key from abuse.ch Authentication Portal
- Set your API key:

  ```bash
  export ABUSECH_API_KEY="your_api_key_here"
  ```

- Query recent IOCs:

  ```bash
  tfox recent -days 3
  ```

| Command | Description |
|---|---|
| `recent` | Query recent IOCs (max 7 days) |
| `query` | Query by IOC ID, tag, malware, or label |
| `search` | Search IOCs by term or file hash |
| `list` | List malware families, types, or tags |
| `version` | Show version information |

```bash
# IOCs from last 3 days
tfox recent -days 3
# IOCs from last 7 days
tfox recent -days 7
```

```bash
# By tag
tfox query -tag Emotet -limit 10
# By malware family
tfox query -malware "Cobalt Strike" -limit 10
# Identify malware label
tfox query -label warzone -platform win
```

```bash
# Search by IOC value (wildcard)
tfox search -ioc suspicious.com
# Exact match
tfox search -ioc evil.com -exact
# Search by file hash
tfox search -hash <md5_or_sha256_hash>
```

```bash
tfox list -malware # Malware families
tfox list -types   # IOC/threat types
tfox list -tags    # Known tags
```

```bash
# Run with Docker
docker run --rm -e ABUSECH_API_KEY="your_key" ghcr.io/andpalmier/tfox recent -days 3
# Run with Podman
podman run --rm -e ABUSECH_API_KEY="your_key" ghcr.io/andpalmier/tfox recent -days 3
# Run with Apple container
container run --rm -e ABUSECH_API_KEY="your_key" ghcr.io/andpalmier/tfox recent -days 3
```

| Variable | Description |
|---|---|
| `ABUSECH_API_KEY` | Your abuse.ch API key (required) |

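
Because tfox emits JSON, a query result can be reduced to a de-duplicated set of indicators above a confidence threshold before it feeds a blocklist. The following is an added example, not code from the tfox project: it assumes tfox prints the ThreatFox API response unchanged (fields `query_status`, `data[].ioc`, `ioc_type`, `confidence_level`); `FilterIOCs` and `sampleJSON` are hypothetical names and the sample data is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleJSON is constructed for illustration; it is not real ThreatFox data.
const sampleJSON = `{"query_status":"ok","data":[
{"ioc":"bad.example","ioc_type":"domain","confidence_level":100},
{"ioc":"maybe.example","ioc_type":"domain","confidence_level":50},
{"ioc":"192.0.2.10:443","ioc_type":"ip:port","confidence_level":90},
{"ioc":"bad.example","ioc_type":"domain","confidence_level":75}]}`

// FilterIOCs returns the de-duplicated IOCs of one type with confidence >= minConf.
// Assumption: raw is the ThreatFox API response, printed unchanged by tfox.
func FilterIOCs(raw []byte, iocType string, minConf int) ([]string, error) {
	var resp struct {
		Status string          `json:"query_status"`
		Data   json.RawMessage `json:"data"`
	}
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	if resp.Status != "ok" { // a failed query may not carry an IOC list
		return nil, fmt.Errorf("query_status is %q", resp.Status)
	}
	var entries []struct {
		IOC        string `json:"ioc"`
		IOCType    string `json:"ioc_type"`
		Confidence int    `json:"confidence_level"`
	}
	if err := json.Unmarshal(resp.Data, &entries); err != nil {
		return nil, fmt.Errorf("decode data: %w", err)
	}
	seen, out := map[string]bool{}, []string{}
	for _, e := range entries {
		if e.IOCType == iocType && e.Confidence >= minConf && !seen[e.IOC] {
			seen[e.IOC] = true
			out = append(out, e.IOC)
		}
	}
	return out, nil
}

func main() {
	iocs, err := FilterIOCs([]byte(sampleJSON), "domain", 75)
	fmt.Println(iocs, err)
}
```

In practice `raw` would be the bytes read from a `tfox recent` or `tfox query` run instead of the embedded sample.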
This project is licensed under the AGPLv3 License - see the LICENSE file for details.