Block Vulnetix Malscan campaign infrastructure at the edge with AWS WAF: extract IPs from the free STIX 2.1 feeds and keep a WAFv2 IP set current with update-ip-set, referenced by a block rule in your web ACLs.
The feeds
Free STIX 2.1 bundles at https://vulnetix.com/malscan-stix/{ecosystem}/{dns|urls}.stix.json — ecosystems generic, npm, pypi, go, cargo, rubygems, maven, packagist and nuget. DNS carries malicious domains and IPs; URLs carries C2 and exfiltration endpoints. Refreshed every 15 minutes, each bundle ships a .sha256 sidecar, index.json manifests the set, and a DNS TXT record per ecosystem carries the live locator. Licensed AGPL-3.0 — free to use and redistribute.
Wire the feeds into AWS WAF
WAFv2 IP sets want CIDR notation (the script suffixes /32), and update-ip-set replaces the whole set under a lock token, which makes the refresh idempotent. Reference the set from a block rule in each web ACL once.
IP set refresh (cron every 15 minutes)
#!/bin/sh
curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json \
| jq -r '.objects[] | select(.type == "indicator") | .pattern' \
| grep -oP "ipv4-addr:value = '\K[^']+" | sort -u > vulnetix-ips.txt
ADDRESSES=$(sed 's|$|/32|' vulnetix-ips.txt | jq -R -s -c 'split("\n") | map(select(length > 0))')
LOCK_TOKEN=$(aws wafv2 get-ip-set --scope REGIONAL \
--name VulnetixMalscan --id $IP_SET_ID --query LockToken --output text)
aws wafv2 update-ip-set --scope REGIONAL \
--name VulnetixMalscan --id $IP_SET_ID \
--lock-token "$LOCK_TOKEN" \
--addresses "$ADDRESSES"
Verify before you ingest
curl -fsSLO https://vulnetix.com/malscan-stix/generic/dns.stix.json REMOTE=$(curl -fsSL https://vulnetix.com/malscan-stix/generic/dns.stix.json.sha256 | cut -d' ' -f1) LOCAL=$(sha256sum dns.stix.json | cut -d' ' -f1) [ "$REMOTE" = "$LOCAL" ] && echo "verified" || echo "CHECKSUM MISMATCH: do not ingest"
Where the indicators come from
Every feed entry traces to a supply-chain malware campaign Vulnetix tracks. The Malscan engine matches the same indicators against dependencies already installed on disk; the Package Firewall blocks the packages that carry them at install time.
All STIX feed integrations → · The campaigns behind the feeds →