The known_dist() function tests your network’s ability to detect and block connections to active malware distribution sites. It uses the URLhaus API from abuse.ch, which tracks live malware distribution URLs in real time.

Data Source

This module uses the URLhaus API to fetch live malware distribution URLs:
  • URLhaus API - https://urlhaus-api.abuse.ch/v1/urls/recent/limit/200/
This test connects to LIVE malware distribution sites. URLhaus is maintained by abuse.ch and provides real-time tracking of malware distribution URLs used by threat actors.

How It Works

1

Fetch Recent Malware URLs

Queries the URLhaus API to retrieve the 200 most recent malware distribution URLs.
import requests

baseURL = "https://urlhaus-api.abuse.ch/v1/urls/recent/limit/200/"
response = requests.get(baseURL, timeout=10)
response.raise_for_status()   # fail loudly if the feed itself is unreachable or blocked
json_response = response.json()
2

Filter Active URLs

Filters the API response to include only URLs whose url_status is “online”, so the test targets infrastructure that URLhaus found alive on its last check. A URL can still go down between that check and your run.
urlsIndex = []
for entry in json_response["urls"]:
    if entry["url_status"] == "online":
        urlsIndex.append(entry["url"])
3

Random Sampling

Randomly selects up to 20 distinct URLs from the active set. random.sample draws without replacement, so no URL is probed twice, and min() keeps it from raising when fewer than 20 URLs are online.
randomUrlsIndex = random.sample(urlsIndex, min(20, len(urlsIndex)))
4

HTTP Connection Testing

Attempts an HTTP GET to each sampled URL with a 5-second timeout. Only an HTTP 200 is logged as a successful connection; any other status, and any DNS failure, refused connection or timeout, is logged as FAILED. Because requests.get reads the whole response body, a 200 means the payload bytes were actually fetched onto the test host.
for x in randomUrlsIndex:
    try:
        downloader = requests.get(x, timeout=5)
        if downloader.status_code == 200:
            verdict = "SUCCESFULL"   # the download got through
        else:
            verdict = "FAILED"
    except Exception:
        verdict = "FAILED"           # DNS, connection or timeout error
    # log the verdict with a timestamp (see Results Logging)
5

Results Logging

Logs every connection attempt with a timestamp (time.strftime("%X"), i.e. the local time format) to Malware_Results.txt. The file is opened in append mode, so repeated runs accumulate in one file.

Output Format

Results are saved to Malware_Results.txt with the following format. The verdict tokens are written exactly as shown, including the spelling SUCCESFULL, so match on them literally when parsing:
Timestamp:14:35:20 URL:http://malware-site.com/payload.exe test SUCCESFULL
Timestamp:14:35:25 URL:http://c2-server.xyz/download test FAILED
Timestamp:14:35:30 URL:https://compromised-site.org/malware test SUCCESFULL
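As an added example (not part of Somnium), here is a parser for Malware_Results.txt in the format above. It counts verdicts, de-duplicates the URLs that got through, and lists their hosts, which is what you look up in proxy, DNS and firewall logs. The sample lines are constructed from the placeholder hosts above, not real results, and the verdict tokens are matched literally because that is what the tool writes.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# One Malware_Results.txt line. The verdict token is matched literally because the tool
# writes "SUCCESFULL" (sic) and "FAILED"; the timestamp is whatever time.strftime("%X") gave.
RESULT_LINE = re.compile(
    r"^Timestamp:(?P<time>.+?) URL:(?P<url>.+?) test (?P<verdict>SUCCESFULL|FAILED)$"
)


def parse_result_line(line):
    """Return {'time', 'url', 'verdict', 'reached'} for a well-formed line, else None."""
    m = RESULT_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["reached"] = rec["verdict"] == "SUCCESFULL"  # a 200 came back: the URL was not blocked
    return rec


def summarize(lines):
    """Aggregate a results file: counts, the distinct URLs that got through, and their hosts."""
    lines = list(lines)
    records = [r for r in map(parse_result_line, lines) if r]
    counts = Counter(r["verdict"] for r in records)
    gap_urls = sorted({r["url"] for r in records if r["reached"]})
    # Hosts are what you will look up in proxy, DNS and firewall logs
    gap_hosts = sorted({urlsplit(u).hostname for u in gap_urls if urlsplit(u).hostname})
    return {
        "total": len(records),
        "reached": counts["SUCCESFULL"],
        "blocked": counts["FAILED"],
        "skipped": len(lines) - len(records),  # blank or malformed lines
        "gap_urls": gap_urls,
        "gap_hosts": gap_hosts,
    }


def summarize_file(path="Malware_Results.txt"):
    with open(path, encoding="utf-8") as fh:
        return summarize(fh)


# Constructed sample in the tool's format (not real results); the hosts are the
# placeholders from the documentation, one of them repeated to show de-duplication.
SAMPLE_LINES = [
    "Timestamp:14:35:20 URL:http://malware-site.com/payload.exe test SUCCESFULL",
    "Timestamp:14:35:25 URL:http://c2-server.xyz/download test FAILED",
    "Timestamp:14:35:30 URL:https://compromised-site.org/malware test SUCCESFULL",
    "Timestamp:14:35:35 URL:http://malware-site.com/payload.exe test SUCCESFULL",
    "",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(f"{report['reached']} of {report['total']} probes reached a live malware URL")
    for host in report["gap_hosts"]:
        print("gap:", host)
```

Run it against a real file with summarize_file(); every host in gap_hosts should have a matching block entry in your gateway or resolver logs, otherwise that layer never saw the request.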
import random
import time

import requests
from tqdm import tqdm


def known_dist():
    print('Testing LIVE malware distribution URL, THANKS TO ABUSE.CH!!!')
    urlsIndex = []
    baseURL = "https://urlhaus-api.abuse.ch/v1/urls/recent/limit/200/"
    response = requests.get(baseURL, timeout=10)
    response.raise_for_status()   # fail loudly if the feed itself is unreachable or blocked
    json_response = response.json()
    # Keep only URLs URLhaus last saw online, so the probes hit live infrastructure
    for entry in tqdm(json_response["urls"], desc="Getting samples list"):
        if entry["url_status"] == "online":
            urlsIndex.append(entry["url"])
    if not urlsIndex:
        print("URLhaus returned no online URLs, nothing to test")
        return
    # Sample without replacement: at most 20 distinct URLs, no IndexError on a short list
    randomUrlsIndex = random.sample(urlsIndex, min(20, len(urlsIndex)))
    # Append so repeated runs accumulate; the with-block closes the file on exit
    with open("Malware_Results.txt", mode="a+") as myFile:
        for x in tqdm(randomUrlsIndex, desc="Testing samples, Results saved at Malware_Results.txt"):
            try:
                downloader = requests.get(x, timeout=5)
                # Only an HTTP 200 counts as the download getting through
                verdict = "SUCCESFULL" if downloader.status_code == 200 else "FAILED"
            except Exception:
                # DNS failure, refused/reset connection or timeout: blocked, or the site is gone
                verdict = "FAILED"
            current_time = time.strftime("%X")
            myFile.write(f"Timestamp:{current_time} URL:{x} test {verdict}\n")
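The five steps above, as an added example that is not Somnium's code: the procedure split into testable functions and run offline against a constructed URLhaus-style response with a fake fetcher, plus a classifier that turns each outcome into a hint about which layer intervened (the outcome names map onto the DNS, firewall and proxy layers listed under What to Monitor). It uses urllib from the standard library instead of requests, so it depends on nothing outside Python. Assumptions: the .invalid hostnames and their scenarios are constructed; BLOCK_PAGE_MARKERS are placeholders for text from your own proxy's block page; live_fetch is the only function that touches the network and is not called in the offline run.

```python
import random
import socket
import urllib.error
import urllib.request
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for the URLhaus "recent" response (not live data). Only the two
# fields the tool reads are included, plus the API's top-level query_status.
SAMPLE_RESPONSE = {
    "query_status": "ok",
    "urls": [
        {"url": "http://dns-filtered.invalid/payload.exe", "url_status": "online"},
        {"url": "http://taken-down.invalid/old.zip", "url_status": "offline"},
        {"url": "http://proxy-denied.invalid/loader.dll", "url_status": "online"},
        {"url": "http://block-page.invalid/update.exe", "url_status": "online"},
        {"url": "http://silent-drop.invalid/stage2.bin", "url_status": "online"},
        {"url": "http://reachable.invalid/dropper.exe", "url_status": "online"},
    ],
}

# Placeholder text (assumption): replace with phrases from your own proxy's block page,
# which some gateways serve with HTTP 200 and which the tool would count as SUCCESFULL.
BLOCK_PAGE_MARKERS = (b"access denied", b"blocked by")


def online_urls(json_response):
    """Step 2: keep only URLs URLhaus last saw online."""
    if json_response.get("query_status") != "ok":
        return []
    return [e["url"] for e in json_response.get("urls", []) if e.get("url_status") == "online"]


def pick_sample(urls, n=20, rng=random):
    """Step 3 without replacement: no duplicate probes, no IndexError on a short list."""
    return rng.sample(urls, min(n, len(urls)))


def live_fetch(url, timeout=5):
    """Real probe (network): read only the first 2 KiB so the whole payload is not pulled down."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(2048)
    except urllib.error.HTTPError as err:   # non-2xx still has a status and a body
        return err.code, err.read(2048)


def classify(fetch, url, timeout=5, markers=BLOCK_PAGE_MARKERS):
    """Step 4 with a verdict that points at the layer. fetch(url, timeout) returns
    (status_code, first_body_bytes) or raises the urllib/socket error it hit."""
    try:
        status, head = fetch(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        return "http_error_%d" % err.code
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, socket.gaierror):
            return "dns_blocked"         # resolver refused or sinkholed the name (or the domain is gone)
        if isinstance(exc.reason, socket.timeout):
            return "no_response"
        return "connection_refused"      # TCP reset/refused: firewall reject or service down
    except socket.timeout:
        return "no_response"             # silently dropped packets (firewall) or a dead host
    except OSError:
        return "connection_refused"
    if status == 200:
        if any(m in head.lower() for m in markers):
            return "proxy_block_page"    # 200, but it is the gateway's page, not the payload
        return "reached"                 # the gap: payload bytes came back
    return "http_error_%d" % status      # 403/451 from a proxy, or 404 because the host moved on


def run_probe(json_response, fetch, n=20, rng=random):
    """Steps 2-4 on an already-fetched API response; pass live_fetch for a real run."""
    sample = pick_sample(online_urls(json_response), n, rng)
    return [{"url": u, "host": urlsplit(u).hostname, "outcome": classify(fetch, u)} for u in sample]


def gaps(results):
    """URLs whose payload actually came back."""
    return sorted(r["url"] for r in results if r["outcome"] == "reached")


def fake_fetch(url, timeout=5):
    """Offline stand-in: one constructed scenario per .invalid host."""
    host = urlsplit(url).hostname
    if host == "dns-filtered.invalid":
        raise urllib.error.URLError(socket.gaierror(-2, "Name or service not known"))
    if host == "silent-drop.invalid":
        raise socket.timeout("timed out")
    if host == "proxy-denied.invalid":
        return 403, b"<html>forbidden</html>"
    if host == "block-page.invalid":
        return 200, b"<html><body>Access Denied by corporate policy</body></html>"
    return 200, b"MZ\x90\x00" + bytes(60)   # looks like a PE header: the real file got through


if __name__ == "__main__":
    results = run_probe(SAMPLE_RESPONSE, fake_fetch)
    print(Counter(r["outcome"] for r in results))
    print("gaps:", gaps(results))
```

For a live run, feed run_probe the parsed JSON from the URLhaus endpoint and pass live_fetch; streaming only the first 2 KiB keeps the full payload off the test host while still leaving enough body to recognise a block page served with HTTP 200.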

What to Monitor

Web Security Gateways

Should block HTTP requests to known malware distribution domains before downloads begin.

DNS Security

DNS filtering should prevent resolution of domains hosting malware.

Firewall Application Control

Next-generation firewalls should identify and block malware downloads based on URL categories.

Endpoint Protection

Endpoint security solutions should prevent execution even if downloads complete.

URLhaus Threat Intelligence

URLhaus tracks various types of malware distribution:
  • Banking Trojans - Emotet, Dridex, TrickBot
  • Ransomware - Ryuk, Sodinokibi, Maze
  • Remote Access Trojans - njRAT, AsyncRAT, NanoCore
  • Botnets - Mirai, Gafgyt
  • Loaders - Gootloader, BazarLoader
  • Information Stealers - AgentTesla, Formbook, RedLine
URLhaus is operated by abuse.ch, a trusted source for malware threat intelligence used by security researchers and organizations worldwide.

Testing Workflow

# Run Somnium and select option 4
python main.py
# Choose: #4 Test connection to live Malware distribution Urls

# Review results
cat Malware_Results.txt

# Check your security logs
# - Web proxy block logs
# - DNS security logs
# - Firewall threat prevention logs
# - Endpoint protection alerts
SUCCESSFUL connections indicate a critical security gap: your network security controls should block every connection to known malware distribution sites. Because the verdict is based on the HTTP status alone, a gateway that serves its block page with HTTP 200 will also be logged as SUCCESFULL, so confirm each SUCCESFULL line against the proxy logs before calling it a gap. These are LIVE malware URLs that deliver real malicious payloads, and a successful request pulls the payload onto the test host. Run this test only in a controlled, isolated environment (a disposable VM with no access to production assets).

Critical Security Layers

Multiple security layers should prevent malware distribution:
1

DNS Layer

DNS security services should block domain resolution for known malware sites.
2

Network Layer

Firewall URL filtering should categorize and block malware distribution URLs.
3

Proxy Layer

Web security gateways should inspect and block malicious HTTP/HTTPS traffic.
4

Endpoint Layer

Endpoint protection should prevent execution even if malware reaches the device.

Integration with Security Tools

Validate these security controls:
  • Web Application Firewalls (WAF) - Protect your own web applications from inbound requests; they are not in the path of an outbound download, so do not expect them to block this test
  • Secure Web Gateways (SWG) - Categorize malware URLs and prevent access
  • DNS Filtering - Block DNS resolution of malware domains
  • Threat Intelligence Platforms - Correlate URLhaus data with other threat feeds
  • SIEM Systems - Generate alerts for malware distribution attempts
  • Sandbox Solutions - Detonate suspicious URLs in isolated environments
This test attempts connections to 20 random malware distribution URLs from the live feed. Some URLs may be taken offline or blocked at the infrastructure level (hosting takedown, sinkholed domain) between URLhaus's last check and your run, so a FAILED line does not by itself prove that one of your controls intervened; cross-check it against the logs listed above.
