{"id":26093,"url":"https://github.com/rootkit-io/awesome-malware-development","name":"awesome-malware-development","description":"Curated resources for malware dev, reverse engineering, and defensive security research.","projects_count":82,"last_synced_at":"2026-06-20T19:00:24.872Z","repository":{"id":37388901,"uuid":"481810301","full_name":"rootkit-io/awesome-malware-development","owner":"rootkit-io","description":"Curated resources for malware dev, reverse engineering, and defensive security research.","archived":false,"fork":false,"pushed_at":"2026-04-01T12:44:37.000Z","size":133,"stargazers_count":1738,"open_issues_count":0,"forks_count":193,"subscribers_count":26,"default_branch":"main","last_synced_at":"2026-06-04T01:02:36.433Z","etag":null,"topics":["malware","malware-development","malware-research"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rootkit-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-04-15T02:20:38.000Z","updated_at":"2026-06-02T15:03:07.000Z","dependencies_parsed_at":"2022-07-07T23:09:16.765Z","dependency_job_id":null,"html_url":"https://github.com/rootkit-io/awesome-malware-development","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/rootkit-io/awesome-malware-development","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootkit-io%2Fawesome-malware-development","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootkit-io%2Fawesome-malware-development/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/rootkit-io%2Fawesome-malware-development/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootkit-io%2Fawesome-malware-development/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rootkit-io","download_url":"https://codeload.github.com/rootkit-io/awesome-malware-development/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootkit-io%2Fawesome-malware-development/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34581934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-20T02:00:06.407Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"created_at":"2024-01-13T12:57:10.391Z","updated_at":"2026-06-20T19:00:24.873Z","primary_language":null,"list_of_lists":false,"displayable":true,"categories":["Essentials","Free books","Blogs","Articles \u0026 Writeups","Uncategorized","Books","Tools \u0026 Frameworks **(Updated 2026)**","Open-Source PoCs \u0026 Sample Projects","Modern Topics (2025–2026) **← FRESH \u0026 HIGHLY RECOMMENDED**","Talks","YouTube Channels","Courses"],"sub_categories":["C Programming","x86/x64 Assembly","Malware Development Fundamentals \u0026 Series","Uncategorized","Free Books / PDFs","Evasion \u0026 Obfuscation","Rootkits (Userland \u0026 Kernel)","Injection \u0026 Hooking 
Techniques","Specific Malware \u0026 APT Analysis","Linux Kernel \u0026 Rootkits","EDR Evasion \u0026 Modern Techniques","Rust / Nim / Go for Malware Development","UEFI Bootkits \u0026 Advanced Kernel"],"readme":"# Awesome Malware Development\n\n[![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n[![Stars](https://img.shields.io/github/stars/rootkit-io/awesome-malware-development)](https://github.com/rootkit-io/awesome-malware-development/stargazers)\n[![License](https://img.shields.io/github/license/rootkit-io/awesome-malware-development)](https://github.com/rootkit-io/awesome-malware-development/blob/main/LICENSE)\n\n**Curated collection of the best resources for malware development, rootkits, implants, evasion, and red-team tooling.**\n\n\u003e ⚠️ **Disclaimer**  \n\u003e This repository is for **educational, research, ethical hacking, and red-teaming purposes only**.  \n\u003e Any misuse may violate laws in your jurisdiction. The maintainer is not responsible for illegal activity.\n\n## Table of Contents\n\n- [Learning Path](#learning-path)\n- [Modern Topics (2025–2026)](#modern-topics-2025-2026)\n- [Essentials](#essentials)\n- [Tools \u0026 Frameworks](#tools--frameworks)\n- [Open-Source PoCs \u0026 Sample Projects](#open-source-pocs--sample-projects)\n- [Blogs](#blogs)\n- [Talks](#talks)\n- [YouTube Channels](#youtube-channels)\n- [Courses](#courses)\n- [Books](#books)\n- [Articles \u0026 Writeups](#articles--writeups)\n- [Contributing](#contributing)\n\n## Learning Path\n\n**Beginner → Advanced Roadmap**\n\n1. **Fundamentals** – C, Assembly, Windows internals  \n2. **Userland Malware** – Process injection, loaders, crypters  \n3. **Evasion** – AV/EDR bypass, obfuscation  \n4. **Kernel \u0026 Rootkits** – Drivers, hooks, DKOM  \n5. 
**Advanced** – UEFI bootkits, reflective loading, C2 implants  \n\n## Modern Topics (2025–2026) **← FRESH \u0026 HIGHLY RECOMMENDED**\n\n**The latest content the community is using right now:**\n\n### EDR Evasion \u0026 Modern Techniques\n- [Endpoint Evasion Techniques (2020–2025): The Evolution](https://windshock.github.io/en/post/2025-05-28-endpoint-security-evasion-techniques-20202025/) **(NEW 2025)**\n- [Bypassing Modern EDRs: Practical Evasion Techniques (2025 Edition)](https://medium.com/@atnoforcybersecurity/bypassing-modern-edrs-practical-evasion-techniques-2025-edition-0158fca683ed) **(NEW 2025)**\n- [EDR Evasion 101: 29 Ways Attackers Are Slipping Past Defenses](https://www.extrahop.com/resources/papers/edr-evasion-101-29-ways-attackers-are-slipping-past-defenses) **(NEW 2026)**\n- [Understanding EDR Evasion Tactics \u0026 Defense Methods](https://cymulate.com/blog/edr-bypass-part-2-techniques/) **(NEW 2026)**\n\n### Rust / Nim / Go for Malware Development\n- [Rust for Malware Development (Bishop Fox, 2025)](https://bishopfox.com/blog/rust-for-malware-development) **(NEW 2025)**\n- [NIM Malware Development — Introduction](https://medium.com/@edgarhuemac/malware-development-with-nim-introduction-bd11c49191e8) **(NEW 2025)**\n- [Rust and Go Malware: Cross-Platform Threats Evading Traditional Defenses](https://medium.com/@instatunnel/rust-and-go-malware-cross-platform-threats-evading-traditional-defenses-d7fddf127d32) **(NEW 2025)**\n\n### Linux Kernel \u0026 Rootkits\n- [Linux malware development 1: Intro to kernel hacking (2024)](https://cocomelonc.github.io/linux/2024/06/20/linux-kernel-hacking-1.html) **(NEW 2024)**\n- [Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit](https://blog.kyntra.io/Singularity-A-final-boss-linux-kernel-rootkit) **(NEW 2025)**\n\n### UEFI Bootkits \u0026 Advanced Kernel\n- [Awesome Bootkits \u0026 Rootkits Development (curated list)](https://github.com/TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development) 
**(NEW 2025)**\n- [Bootkits-Development-Starter-Pack](https://github.com/TheMalwareGuardian/Bootkits-Development-Starter-Pack) **(NEW 2025)**\n- [UEFI Bootkits and Kernel-Mode Rootkits Development](https://www.youtube.com/watch?v=oa2i7JsGOHo) **(NEW 2025)**\n\n## Essentials\n\nStrong C/C++ and x86/x64 assembly knowledge is highly recommended.\n\n### C Programming\n- [C for Everyone: Programming Fundamentals](https://www.coursera.org/learn/c-for-everyone)\n- [learn-c.org](https://www.learn-c.org/)\n- [C Cheatsheet](https://learnxinyminutes.com/docs/c/)\n\n### x86/x64 Assembly\n- [Architecture 1001: x86-64 Assembly](https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch1001_x86-64_Asm+2021_v1/about)\n- [Intro to x86 Assembly](https://opensecuritytraining.info/IntroX86.html)\n\n## Tools \u0026 Frameworks **(Updated 2026)**\n\n- [Havoc](https://github.com/HavocFramework/Havoc) **(NEW 2024–2026)** – Modern, malleable C2 framework with beautiful GUI\n- [Mythic](https://github.com/MythicAgents) – Highly modular cross-platform C2\n- [Sliver](https://github.com/BishopFox/sliver) – Cross-platform implant framework\n- [Donut](https://github.com/TheWover/donut) – Shellcode generator \u0026 loader\n- [SysWhispers](https://github.com/jthuraisamy/SysWhispers) – Syscall generator for evasion\n- [InlineWhispers](https://github.com/outflanknl/InlineWhispers) – Direct syscall evasion\n\n## Open-Source PoCs \u0026 Sample Projects\n\n- [TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development](https://github.com/TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development) **(NEW 2025)**\n- [TheMalwareGuardian/Bootkits-Development-Starter-Pack](https://github.com/TheMalwareGuardian/Bootkits-Development-Starter-Pack) **(NEW 2025)**\n- [chvancooten/maldev-for-dummies](https://github.com/chvancooten/maldev-for-dummies) **(NEW 2025)** – Beginner malware workshop\n- [cr-0w/maldev](https://github.com/cr-0w/maldev) – Malware development growth repo\n- 
[vxunderground/MalwareSourceCode](https://github.com/vxunderground/MalwareSourceCode) – Archived malware source (historical, research only)\n- [stephenfewer/ReflectiveDLLInjection](https://github.com/stephenfewer/ReflectiveDLLInjection)\n- [h0mbre/Learn-C-By-Creating-A-Rootkit](https://github.com/h0mbre/Learn-C-By-Creating-A-Rootkit)\n- [xcellerator/linux_kernel_rootkits](https://github.com/xcellerator/linux_kernel_rootkits)\n- [MatheuZSecurity/Singularity](https://github.com/MatheuZSecurity/Singularity) **(NEW 2025)** – Modern Linux kernel rootkit\n\n## Blogs\n\n- [Vitali Kremez](https://www.vkremez.com/) — Deep dive malware analysis\n- [0xPat](https://0xpat.github.io/) — Outstanding malware development series\n- [zerosum0x0](https://zerosum0x0.blogspot.com/) — deep technical posts\n- [Guitmz](https://www.guitmz.com/) — High-quality maldev content\n- [TheXcellerator](https://xcellerator.github.io/) — Amazing LKM rootkit series\n- [cocomelonc](https://cocomelonc.github.io/) **(NEW)** — Excellent Linux malware \u0026 kernel series\n- [captmeelo](https://captmeelo.com/) - Excellent writeups check this out!!!\n- [iRedTeam](https://www.ired.team/) - red team notes\n\n## Talks\n\n- [Horse Pill: A New Type of Linux Rootkit](https://www.youtube.com/watch?v=wyRRbow4-bc)\n- [LKM Rootkit Series (playlist)](https://www.youtube.com/playlist?list=PLrdeBRwgL0TrjHL0iHqRJD8Pz9t9FECHy)\n- [Creating and Countering the Next Generation of Linux Rootkits](https://www.youtube.com/watch?v=g6SKWT7sROQ)\n- [Kernel Mode Threats and Practical Defenses](https://www.youtube.com/watch?v=BBJgKuXzfwc)\n- [Alex Ionescu – Advancing the State of UEFI Bootkits](https://www.youtube.com/watch?v=dpG97TBR3Ys)\n- [BlueHat v18: Return of the kernel rootkit malware (Windows 10)](https://youtu.be/qVIxFfXpyNc)\n- [BlackAlps 2025: Level Up Your Malware – A Practical Journey Into EDR Evasion](https://www.youtube.com/watch?v=5HxV-A7VDUA) **(NEW 2025)**\n\n## YouTube Channels\n\n- [AGDC 
Services](https://www.youtube.com/channel/UCnpn999NpDMMPxZXW8sgZLA) — High-quality malware content\n- [TheSphinx](https://www.youtube.com/c/TheSphinx/) — Full RAT-from-scratch series\n- [Joey Abrams](https://www.youtube.com/channel/UCIjKM-9G9r2Og2E080Wfbvw) — Code-injection \u0026 Linux maldev\n- [w3w3w3](https://www.youtube.com/c/w3w3w3) — Solid LKM rootkit series\n\n## Courses\n\n- [RED TEAM Operator: Malware Development Essentials (Sektor7)](https://www.sektor7.net/institute/RTO-MalDev)\n- [RED TEAM Operator: Malware Development Intermediate (Sektor7)](https://www.sektor7.net/institute/RTO-MalDev2)\n- [RingZerø: Windows Kernel Rootkits](https://ringzer0.training/2019/windows-kernel-rootkits.html)\n- [CodeMachine: Windows Kernel Rootkits](https://www.codemachine.com/trainings/kerrkt.html)\n- [Maldev Academy – Malware Development Course](https://maldevacademy.com/) **(NEW 2025–2026)** — Continuously updated, 200+ modules, community favorite\n\n\n## Books\n\n- *The Art of Computer Virus Research and Defense*\n- *The Giant Black Book of Computer Viruses*\n- *Designing BSD Rootkits: An Introduction to Kernel Hacking*\n- *Rootkits and Bootkits*\n- *The Antivirus Hackers’ Handbook*\n\n### Free Books / PDFs\n- [Make your own first FUD crypter](https://www.docdroid.net/GrvkCtu/make-your-fud-crypter-pdf)\n\n## Articles \u0026 Writeups\n\n### Malware Development Fundamentals \u0026 Series\n- [Malware Development – Welcome to the Dark Side: Part 1](https://niiconsulting.com/checkmate/2018/02/malware-development-welcome-dark-side-part-1/)\n- [Art of Malware](https://danusminimus.github.io/2020/03/04/The-Art-of-Malware.html)\n- [Malware Development Part 1](https://0xpat.github.io/Malware_development_part_1/)\n- [Basic Ransomware guide](https://0x00sec.org/t/basic-ransomware-guide/28345)\n- [Master of RATs - How to create your own Tracker](https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848)\n- [Amazing article to read with some good resources (Personal 
Tale and the Road to Malware Development, Resources)](https://0x00sec.org/t/personal-tale-and-the-road-to-malware-development-resources/20369)\n- [Best series, I will say, if you wanna get into programming/malware dev: recommended series to follow, it starts with learning the programming that's needed (asm and stuff) and after that gets into maldev](https://0x00sec.org/t/programming-for-wannabes-part-i/1143)\n- [Fileless malware](https://0x00sec.org/t/fileless-malware/26973)\n- [Examining the Morris Worm Source Code](https://0x00sec.org/t/examining-the-morris-worm-source-code-malware-series-0x02/685)\n- [IoT Malware](https://0x00sec.org/t/iot-malware-droppers-mirai-and-hajime/1966)\n- [Roadmap for Malware Development and Evasion](https://cyb0rgbytes.medium.com/roadmap-for-malware-development-and-evasion-ad55d79c5bbe) **(NEW 2026)**\n\n### Rootkits (Userland \u0026 Kernel)\n- [PT_NOTE -\u003e PT_LOAD x64 ELF virus written in Assembly](https://www.guitmz.com/linux-midrashim-elf-virus/)\n- [The magic of LD_PRELOAD for Userland Rootkits (good read if you wanna get into rootkits; this blog is for userland rootkits)](https://fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland-rootkits/)\n- [(Recommended Read) if you want to create your first userland rootkit and you just know C, you can go for this blog if you wanna start into rootkit development](https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/#)\n- [Complete guide on LKM hacking](http://www.ouah.org/LKM_HACKING.html)\n- [Becoming-rat-your-system](https://devilinside.me/blogs/becoming-rat-your-system)\n- [Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit](https://blog.kyntra.io/Singularity-A-final-boss-linux-kernel-rootkit) **(NEW 2025)**\n\n### Injection \u0026 Hooking Techniques\n- [Function Hooking Part I: Hooking Shared Library Function Calls in Linux](https://www.netspi.com/blog/technical/network-penetration-testing/function-hooking-part-i-hooking-shared-library-function-calls-in-linux/)\n- 
[Inline Hooking for Programmers (Part 1: Introduction)](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html)\n- [Inline Hooking for Programmers (Part 2: Writing a Hooking Engine)](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html)\n- [PE injection for beginners](https://www.malwaretech.com/2013/11/portable-executable-injection-for.html)\n\n### Evasion \u0026 Obfuscation\n- [Understanding TRITON and the Missing Final Stage of the Attack good read.](https://threatpost.com/understanding-triton-and-the-missing-final-stage-of-the-attack/134895/)\n- [Windows Defender antivirus bypass in 2025 - part 1](https://www.hackmosphere.fr/en/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1/) **(NEW 2025)**\n\n### Specific Malware \u0026 APT Analysis\n- [DoublePulsar SMB backdoor analysis](https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html)\n- [Eset Turla Outlook backdoor report](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf)\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md)\n\n---\n\n**Made with ❤️ by the community** • **v2.0 – Full Merge + Massive 2025–2026 Expansion (April 2026)**\n\n---\n","projects_url":"https://awesome.ecosyste.ms/api/v1/lists/rootkit-io%2Fawesome-malware-development/projects"}