AI Summary
The cybersecurity threat intelligence (CTI) ecosystem lacks interoperable representation and sharing mechanisms for disinformation threats. Method: This paper introduces DISINFOX, the first open-source, interoperable framework tailored for disinformation. It formally integrates disinformation attack patterns into the CTI paradigm; models their tactics, techniques, and procedures (TTPs) using the DISARM framework; and establishes semantic mappings to the STIX 2.1 standard. A lightweight microservice architecture with RESTful APIs supports cross-organizational event modeling, exchange, and consumption. Contribution/Results: Evaluated on over 100 real-world disinformation incidents, DISINFOX demonstrates end-to-end feasibility in standardized representation, cross-platform sharing, and scalability. It achieves interoperability across heterogeneous systems and fills a critical gap in CTI by enabling structured, machine-processable modeling of cognitive-domain threats.
Abstract
A key countermeasure in cybersecurity has been the development of standardized computational protocols for modeling and sharing cyber threat intelligence (CTI) between organizations, enabling a shared understanding of threats and coordinated global responses. However, while the cybersecurity domain benefits from mature threat exchange frameworks, there has been little progress in the automatic and interoperable sharing of knowledge about disinformation campaigns. This paper proposes an open-source disinformation threat intelligence framework for sharing interoperable disinformation incidents. This approach relies on i) the modeling of disinformation incidents with the DISARM framework (MITRE ATT&CK-based TTP modeling of disinformation attacks), ii) a custom mapping to STIX2 standard representation (computational data format), and iii) an exchange architecture (called DISINFOX) capable of using the proposed mapping with a centralized platform to store and manage disinformation incidents and CTI clients which consume the gathered incidents. The microservice-based implementation validates the framework with more than 100 real-world disinformation incidents modeled, stored, shared, and consumed successfully. To the best of our knowledge, this work is the first academic and technical effort to integrate disinformation threats in the CTI ecosystem.
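The abstract describes the core idea of mapping DISARM-modeled incidents onto STIX 2.1 so that CTI clients can consume them. The following is an added illustration, not code from the paper or the DISINFOX project: it turns a constructed incident (placeholder DISARM technique and tactic ids) into a STIX 2.1 bundle using an assumed mapping (technique to `attack-pattern` with the DISARM id in `external_references`, tactic as a `kill_chain_phases` entry, incident as a `report`), and adds the consumer-side sanity check a CTI client would run before ingesting it.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample incident in DISARM terms; technique/tactic ids are placeholders, not real DISARM entries.
SAMPLE_INCIDENT = {
    "name": "Constructed coordinated narrative campaign",
    "description": "Constructed sample for illustration only; not a real incident.",
    "techniques": [
        {"id": "T0000.000", "name": "Placeholder technique A", "tactic": "TA00-placeholder"},
        {"id": "T0000.001", "name": "Placeholder technique B", "tactic": "TA01-placeholder"},
    ],
}

# STIX 2.1 identifier: <type>--<UUIDv4>
STIX_ID = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")

def _now():
    # STIX 2.1 requires millisecond precision in created/modified timestamps.
    t = datetime.now(timezone.utc)
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + f"{t.microsecond // 1000:03d}Z"

def _sdo(obj_type, **props):
    # Common properties every STIX Domain Object must carry.
    ts = _now()
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj

def technique_to_attack_pattern(t):
    # Assumed mapping: DISARM id kept as an external reference, DISARM tactic as a kill-chain phase.
    return _sdo("attack-pattern", name=t["name"],
                external_references=[{"source_name": "DISARM", "external_id": t["id"]}],
                kill_chain_phases=[{"kill_chain_name": "disarm", "phase_name": t["tactic"]}])

def incident_to_bundle(incident):
    # The incident becomes a report whose object_refs point at the attack-patterns it used.
    patterns = [technique_to_attack_pattern(t) for t in incident["techniques"]]
    report = _sdo("report", name=incident["name"], description=incident["description"],
                  report_types=["campaign"], published=_now(), object_refs=[p["id"] for p in patterns])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [report, *patterns]}

def validate_bundle(bundle):
    # Consumer-side check: required common properties, well-formed ids, and no dangling object_refs.
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        for key in ("type", "spec_version", "id", "created", "modified"):
            if key not in o:
                return False, f"{o.get('id')} missing {key}"
        if not STIX_ID.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            return False, f"malformed id {o['id']}"
        for ref in o.get("object_refs", []):
            if ref not in ids:
                return False, f"dangling reference {ref}"
    return True, "ok"

if __name__ == "__main__":
    bundle = incident_to_bundle(SAMPLE_INCIDENT)
    print(json.dumps(bundle, indent=2))
    print(validate_bundle(bundle))
```

The check rejects a bundle whose report references attack-patterns that were not shipped with it, which is the kind of partial export a receiving CTI client should refuse rather than silently ingest.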