HTTP(s) malware: download papers and files

A collection for everyone who is interested in HTTP(s) based malware analysis. This collection holds papers, PCAPs and files that will help you build a better understanding of the HTTP(s) malware landscape and of the methods used to detect HTTP(s) based malware.

Lots of good content to read.



A collection of papers which take a deep dive into HTTP(s) based malware.

How to identify malicious HTTP Requests

HTTP header heuristics for malware detection

The Ghost In The Browser: Analysis of Web-based Malware

Detecting Malware-Infected Devices Using the HTTP Header

Controlling malware HTTP communications in dynamic analysis system using search engine

Detecting Adaptive Data Exfiltration in HTTP Traffic


There is a good chance that you need HTTP(s) malware PCAPs. In the collection below, you will find resources from which you can download PCAPs of known malware samples; one example is the Loki Botnet.

Loki Botnet HTTP behavior

Loki Botnet HTTP behavior (v2)

Netresec PCAPs

Indicators of compromise

Once you have an indicator of compromise, you might want to check these communities to see whether more information is available. You can also work in reverse: use these communities to find malware, papers, reports and PCAPs.


IBM X-Force


Blacklists can be used in many ways: they can help you identify unwanted connections, and they can help you find PCAPs or environments that lead you to HTTP(s) malware. To get you started, there is a large collection of public blacklist services you can use, and we have listed them for you below.

SSL IP blacklist

Artists Against 419

ATLAS from Arbor Networks

Blackweb Project

CLEAN-MX Realtime Database

CriticalStack Intel Marketplace

CYMRU Bogon List

DShield Blocklist

FireHOL IP Lists

Google Safe Browsing API

Malc0de Database

Malware Domain Blocklist Hosts List

Malware Patrol’s Malware Block Lists

MalwareURL List


PhishTank Phish Archive

Project Honey Pot’s Directory of Malicious IPs

Risk Discovery


Shadowserver IP and URL Reports
