Dataset and methodology
Threat intelligence datasets generated by TroyanosYVirus from in-house telemetry and enriched public feeds.
TroyanosYVirus maintains an operational threat intelligence dataset collected since December 25, 2025. Data comes mostly from direct observation: a proprietary network of T-Pot honeypots deployed across four locations (Asia, Canada, France, Poland) that captures every connection, credential attempt, command and malware sample thrown at the sensors.
On top of that telemetry we layer verifiable public enrichments: the NIST National Vulnerability Database CVE catalog, CISA Known Exploited Vulnerabilities, abuse.ch URLhaus malicious URLs, OpenPhish Community Feed phishing domains, Tor Project exit nodes, Shodan InternetDB context and GreyNoise Community classification.
This page describes the available datasets, scope, privacy decisions and access paths. We do not publish full credentials, downloadable binaries or content that would facilitate attacks. Operational access to the raw API and datasets is reviewed case by case for defensive, academic or research purposes.
Datasets
Honeypot threat events
60M+ events directly observed by the sensors. Each event includes timestamp, honeypot type involved (cowrie, dionaea, conpot, etc.), source IP, country, ASN and derived metadata according to interaction type.
Malicious IPs
210K+ unique attacker IPs with their observed history, ASN, country, risk score, honeypot types interacted with, and Tor / GreyNoise / Shodan / ThreatFox / URLhaus enrichment.
Malware hashes
75K+ distinct SHA-256 hashes captured in situ by the honeypots, with their source IPs and first and last sightings. Hashes with an identified family or a MalwareBazaar-confirmed signature get a detail page.
SSH/Telnet credential attempts
3.4M+ credential attempts logged on SSH/Telnet honeypots. Only aggregated rankings are published (top usernames, top weak passwords); full user/password pairs are not exposed in the frontend.
Phishing domains
Domains flagged by OpenPhish and, where applicable, correlated with malicious URLs observed in URLhaus.
Malicious URLs
Active URLs with threat classification from URLhaus and proprietary enrichment of relations with observed IPs and domains.
CVE & KEV enrichment
Full NIST NVD CVE catalog with CVSS v3.1 scoring, CISA Known Exploited Vulnerabilities tagging, and where applicable links to observed malware or IPs.
IOC correlation graph
Relationship graph between IOC types with two edge classes: internal observation (own telemetry) and external enrichment (public feeds).
Access
The public frontend (this site) offers free consultation of the datasets in curated and aggregated form.
For programmatic defensive or research access to the REST API, contact the team. The API exposes search, detail and aggregation endpoints, all cached and not requiring authentication for reasonable read use.
We do not publish bulk binary downloads or full credential dumps. Malware samples are referenced by hash only; the binaries themselves have to be obtained from authorized external sources (MalwareBazaar, VirusTotal).
Time scope
Active capture from December 25, 2025 to today.
No major known ingest gaps beyond documented maintenance windows.
External enrichment is refreshed by the feed collector on cycles: URLhaus 30 min, KEV 12 h, NVD 2 h, OpenPhish 6 h, Tor 1 h, Shodan 15 min, GreyNoise daily.
Privacy and ethics
Published data refers to activity detected against our own honeypot infrastructure; we do not collect information from legitimate website visitors beyond what is described in the privacy policy.
IPs published in this dataset are source IPs of observed malicious activity, not victim IPs. Any person or organization that believes their IP was incorrectly attributed can request review via contact.
We do not publish doxxing material or personal credentials, we do not facilitate exfiltration of sensitive data, and we do not provide downloadable executable malware.