Dark Web OSINT Verified May 16, 2026

BlackWeb

BlackWeb is a community-maintained blacklist of malicious and spam domains for network filtering and threat infrastructure identification.


Investigator Use

BlackWeb is an open-source blocklist aggregator maintained on GitHub that compiles domains associated with malware distribution, phishing, advertising networks, trackers, and other malicious or unwanted infrastructure. It functions as a curated, machine-readable threat feed intended for use in DNS filtering, firewall rules, and network security monitoring.

For OSINT investigators and threat intelligence analysts, BlackWeb provides a consolidated reference for identifying domains that have been flagged by the security community as malicious or high-risk. When investigating a phishing campaign, malware distribution network, or suspicious infrastructure, cross-referencing observed domains against the BlackWeb lists can quickly establish whether a domain is already known to the community.

The blocklist is compiled from numerous upstream sources including community threat feeds, DNS-based blocklists, and manually curated entries. This multi-source aggregation means it tends to have broader coverage than any single upstream feed, though it also inherits the false positive rates of its source data.

Investigative applications include: validating whether domains found in phishing emails or malware samples are recognized as malicious, incorporating the blocklist into a network monitoring setup to flag traffic to known bad domains, and using the list as a negative lookup — domains NOT on the list may warrant further manual investigation.

For infrastructure analysis, analysts can search the BlackWeb repository for specific domains or patterns to determine if an observed indicator has been previously documented. The GitHub hosting also means the full commit history is available, allowing investigators to determine approximately when a specific domain was first added to the list.

Limitations: BlackWeb is a community-maintained project and is not exhaustive. Novel phishing infrastructure and zero-day malware domains will not appear until reported and incorporated. The list also contains domains from multiple risk categories that may not all be relevant to a specific investigation. Always verify individual domain status with additional tools (VirusTotal, URLScan, Passive DNS) before drawing conclusions.

Document which version or commit hash of the list was used when referencing it in investigation reports.
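The cross-referencing and documentation steps described above, as an added example (not BlackWeb's own code). It assumes a locally downloaded copy of the list with one domain per line and an optional leading dot; the function names and sample domains are constructed for illustration.

```python
import hashlib
import json

def load_blocklist(text):
    """Parse list text (assumed: one domain per line, optional leading dot, '#' comments)."""
    entries = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().strip(".")
        if entry:
            entries.add(entry)
    return entries

def normalize(indicator):
    """Refang '[.]' notation, lowercase, drop the trailing root dot."""
    return indicator.strip().replace("[.]", ".").lower().rstrip(".")

def match(indicator, entries):
    """Return the list entry covering the domain (exact or parent domain), else None."""
    labels = normalize(indicator).split(".")
    for i in range(len(labels) - 1):      # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None

def cross_reference(observed, list_text, source="local copy"):
    """Build a report record: which snapshot was used and what each domain matched."""
    entries = load_blocklist(list_text)
    return {
        "list_source": source,
        "list_sha256": hashlib.sha256(list_text.encode()).hexdigest(),
        "entries": len(entries),
        "results": {d: match(d, entries) for d in observed},
    }

# Constructed sample data using reserved TLDs; not real BlackWeb content.
SAMPLE_LIST = """# constructed sample
.tracker.example
.phish-login.example
malware-cdn.test
"""
OBSERVED = ["login.phish-login[.]example", "MALWARE-CDN.test.", "intranet.example"]

if __name__ == "__main__":
    print(json.dumps(cross_reference(OBSERVED, SAMPLE_LIST), indent=2))
```

A `null` result only means the domain is absent from this snapshot, and a match still needs confirmation with the other tools named above; the `list_sha256` value pins the exact copy used alongside the commit hash in the report.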


Before You Pivot

Record Context

Capture the target, search terms, and why this source is relevant before you leave the page.

Preserve Evidence

Archive volatile pages, save screenshots, and keep timestamps for anything that may change.

Corroborate

Treat one tool as a lead source. Confirm important findings with independent sources.
