diff --git a/iocs.csv b/iocs.csv new file mode 100644 index 0000000..2107e8e --- /dev/null +++ b/iocs.csv @@ -0,0 +1,19 @@ +type,value,first_seen,confidence,notes +domain,github.stormbreaker.pro,2025-12-07,High,Repeatedly observed as C2 candidate in analyzed telemetry +domain,stormbreaker.pro,2025-12-07,High,Variant of primary C2 +domain,kaylees.site,2025-12-09,High,Secondary C2 / proxy domain observed +domain,pir.kaylees.site,2025-12-09,High,Relay/variant observed +domain,spple.cf,2025-12-09,Medium,Typosquat / possible phishing domain +domain,apple.cf,2025-12-09,Medium,Typosquat / impersonation risk +domain,pstack.cf,2025-12-09,High,DNS queries observed in telemetry +domain,e.zip,2025-12-09,High,Download host / payload reference observed +domain,com.apple.pro,2025-12-09,Medium,Impersonation-like domain +domain,com.apple.online,2025-12-09,Medium,Impersonation-like domain +domain,modes.ga,2025-12-09,Medium,Observed in related telemetry +domain,quikit.ru,2025-12-09,Medium,Possible typosquat +domain,cs.cf,2025-12-09,Medium,Suspicious free-TLD domain +domain,authoriz.gq,2025-12-09,Medium,Suspect domain +uuid,A124B30D-1DA8-4A28-9086-C7F485678DCB,2025-12-09,High,System-proxy/tunnel UUID observed in telemetry (high-value pivot) +process,sshd,2025-12-09,High,SSH daemon referenced in multiple artifacts — investigate SSH-related logs +process,/bin/bash,2025-12-09,High,Shell invocation / command execution patterns observed +string,"payload 10567617091775419207",2025-12-09,High,Unique payload identifier observed in artifacts \ No newline at end of file
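Review bot: the two `process` rows (`+process,sshd,2025-12-09,High,...` and `+process,/bin/bash,2025-12-09,High,...`) are generic system binaries, not indicators, and marking them High confidence in the same feed as the C2 domains means any consumer that auto-blocks or alerts on `iocs.csv` will fire on every SSH session and shell invocation. Suggest moving them (and the `uuid` and `string` rows, which are hunt pivots rather than blockable values) out of the feed or adding a column such as `action` (block / hunt / context) so the domain rows can be consumed mechanically while the rest stays as investigation context. Smaller points: several domain rows carry a High confidence while the note itself only says "candidate" or "observed in telemetry", so the confidence scale should be defined somewhere (a README or a header comment) along with the telemetry source the `first_seen` dates come from; and the file ends without a trailing newline (`\ No newline at end of file`), which some CSV tooling and line-based diff tools handle poorly.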