{"id":13622893,"url":"https://github.com/fabacab/awesome-malware","last_synced_at":"2025-04-15T10:31:48.206Z","repository":{"id":45626530,"uuid":"143768386","full_name":"fabacab/awesome-malware","owner":"fabacab","description":":computer::warning: A curated collection of awesome malware, botnets, and other post-exploitation tools.","archived":false,"fork":false,"pushed_at":"2021-03-14T18:12:07.000Z","size":27,"stargazers_count":254,"open_issues_count":1,"forks_count":33,"subscribers_count":20,"default_branch":"master","last_synced_at":"2025-04-10T09:08:46.031Z","etag":null,"topics":["awesome","awesome-list","computer-security","cybersecurity","malware","post-exploitation"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fabacab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-08-06T18:38:27.000Z","updated_at":"2025-03-29T21:09:25.000Z","dependencies_parsed_at":"2022-09-24T15:44:46.223Z","dependency_job_id":null,"html_url":"https://github.com/fabacab/awesome-malware","commit_stats":null,"previous_names":["meitar/awesome-malware"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabacab%2Fawesome-malware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabacab%2Fawesome-malware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabacab%2Fawesome-malware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fabacab%2Fawesome-malware/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/owners/fabacab","download_url":"https://codeload.github.com/fabacab/awesome-malware/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249051648,"owners_count":21204860,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome","awesome-list","computer-security","cybersecurity","malware","post-exploitation"],"created_at":"2024-08-01T21:01:25.406Z","updated_at":"2025-04-15T10:31:47.990Z","avatar_url":"https://github.com/fabacab.png","language":null,"funding_links":[],"categories":["Others","Useful Resources","Online Resources"],"sub_categories":["Security Awesome Lists","Other Lists Online"],"readme":"# Awesome Malware [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)\n\n\u003e A curated collection of awesome malware, botnets, and other post-exploitation tools.\n\n[Malware](https://en.wikipedia.org/wiki/Malware) is software intentionally designed to cause damage or provide unauthorized access to a computer, server, or computer network. While not exclusive, this list is heavily biased towards [Free Software](https://www.gnu.org/philosophy/free-sw.html) projects. For pre-exploitation TTPs, see [awesome-pentest](https://github.com/fabacab/awesome-pentest). For defenses, see [awesome-cybersecurity-blueteam](https://github.com/fabacab/awesome-cybersecurity-blueteam).\n\nYour contributions and suggestions are heartily♥ welcome. (✿◕‿◕). 
Please check the [Contributing Guidelines](CONTRIBUTING.md) for more details. This work is licensed under a [Creative Commons Attribution 4.0 International License](http://creativecommons.org/licenses/by/4.0/).\n\n\u003e :warning: :memo: **Please note** that this compilation is intended for educational and demonstration purposes only.\n\n# Contents\n\n- [Analysis and reverse engineering](#analysis-and-reverse-engineering)\n- [Banking trojans](#banking-trojans)\n- [Botnets](#botnets)\n- [Command and Control](#command-and-control)\n- [Credential Stuffing Account Checkers](#credential-stuffing-account-checkers)\n- [Data stealers](#data-stealers)\n- [Evasion](#evasion)\n- [Phishing kits](#phishing-kits)\n- [Keyloggers](#keyloggers)\n- [RAM scrapers](#ram-scrapers)\n- [Ransomware](#ransomware)\n- [Remote Administration Tools (RATs)](#remote-administration-tools-rats)\n- [Rootkits](#rootkits)\n- [Web Shells](#web-shells)\n\n# Analysis and reverse engineering\n\nSee [awesome-malware-analysis](https://github.com/rshipp/awesome-malware-analysis).\n\n- [theZoo](https://thezoo.morirt.com/) - Repository of live malwares for your own joy and pleasure, created to make the possibility of malware analysis open and available to the public.\n\n# Banking trojans\n\n\u003e :construction: TK-TODO\n\n# Botnets\n\n- [Idisagree](https://github.com/UndeadSec/Idisagree) - Control remote computers using Discord bot and Python 3.\n\n# Command and Control\n\n(Also known as *C2* and *C\u0026C*.)\n\n- [Browser Exploitation Framework (BeEF)](https://github.com/beefproject/beef) - Command and control server for delivering exploits to commandeered Web browsers.\n- [Merlin](https://github.com/Ne0nd0g/merlin) - Cross-platform post-exploitation HTTP/2 command and control server and agent written in golang.\n- [SILENTTRINITY](https://github.com/byt3bl33d3r/SILENTTRINITY) - Asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR.\n\n# Credential Stuffing Account 
Checkers\n\nAlso known as *Account Takeover (ATO)* or *account cracking*.\n\n* Black Bullet - Single-threaded account checker with captcha bypass features and Selenium WebDriver support, sold for about $30 to $50. ([Reference](https://www.recordedfuture.com/credential-stuffing-attacks/#black-bullet))\n* [Private Keeper](https://www.deival909.ru/) - Russian-language account checker and takeover tool, sold at prices starting from approximately $1 USD.\n* [SNIPR](https://snipr.gg/) - Windows toolkit for credential stuffing across Web (HTTP/S) and email (IMAP) attack surfaces with the ability to encrypt and re-sell ATO configurations, sold for about $20.\n* STORM - Flexible account checker with Cloudflare protection bypass features written in C#. ([Reference](https://www.netacea.com/blog/storm-cracker-tool))\n* [Sentry MBA](https://sentry.mba/) - Among the oldest and longest in-use account checkers, using OCR for captcha bypass but unable to pass JavaScript anti-bot challenges, sold for between $5 and $20 per configuration file. ([Reference](https://www.recordedfuture.com/credential-stuffing-attacks/#sentry-mba))\n* Woxy - Email account checker with built-in support for automating password reset and searching email content for valuable information, now cracked and available free of charge. 
([Reference](https://www.recordedfuture.com/credential-stuffing-attacks/#woxy))\n\n# Data stealers\n\n\u003e :construction: TK-TODO\n\n# Evasion\n\n- [CheckPlease](https://github.com/Arvanaghi/CheckPlease) - Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust.\n\n# Keyloggers\n\n* [TechNowLogger](https://github.com/Technowlogy-Pushpender/technowlogger) - Windows/Linux keylogger generator which sends key-logs via email with other juicy target info.\n\n# Phishing kits\n\n(Also known as *phishkits*, one word.)\n\n* [ActorExpose/PhishKits](https://github.com/ActorExpose/PhishKits) - Collection of phishing kits provided to the public to make the Internet a safer environment.\n\n# RAM scrapers\n\n\u003e :construction:\n\u003e\n\u003e See [RamScraper](https://github.com/joren485/RamScraper) for now.\n\n# Ransomware\n\n\u003e :construction: TK-TODO\n\n# Remote Administration Tools (RATs)\n\nSome [Command and Control](#command-and-control) tools also overlap with RAT software.\n\n(Also known as *Remote Access Trojan* or *post-exploitation agent*.)\n\n- [Bella](https://github.com/kdaoudieh/Bella) - Pure Python post-exploitation data mining and remote administration tool for macOS.\n- [Empire](https://www.powershellempire.com/) - Pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture.\n- [EvilOSX](https://github.com/Marten4n6/EvilOSX) - Modular RAT that uses numerous evasion and exfiltration techniques out-of-the-box.\n- [Pupy](https://github.com/n1nj4sec/pupy) - Low-footprint, cross-platform (Windows, Linux, macOS, Android) RAT featuring all-in-memory execution guideline written in Python.\n- [RedPeanut](https://github.com/b4rtik/RedPeanut) - Small RAT developed in .Net Core 2 and its agent in .Net 3.5/4.0, weaponized with several additional utilities.\n- [Slackor](https://github.com/Coalfire-Research/Slackor) - Golang implant that uses Slack as a command and control server.\n- 
[Twittor](https://github.com/PaulSec/twittor) - Stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server.\n\n# Rootkits\n\n- [Adore-NG](https://github.com/trimpsyw/adore-ng) - Rootkit adapted for the 2.6 and 3.x Linux kernels.\n- [AdoreForAndroid](https://github.com/juxing/AdoreForAndroid) - Adore rootkit ported to Android.\n- [Diamorphine](https://github.com/m0nad/Diamorphine) - LKM rootkit for Linux Kernels 2.6.x, 3.x, and 4.x.\n- [Masochist](https://github.com/squiffy/Masochist) - Framework for creating XNU based rootkits useful in OS X and iOS security research.\n- [Vector-EDK](https://github.com/hackedteam/vector-edk) - Commercial UEFI rootkit illegally sold by Hacking Team to numerous governments, leaked by hacker Phineas Phisher in 2015, and the basis of the [MosaicRegressor rootkit](https://securelist.com/mosaicregressor/98849/).\n- [vlany](https://github.com/mempodippy/vlany) - Linux `LD_PRELOAD` rootkit.\n\n# Web Shells\n\n(Also known as *webshells*, one word.)\n\n- [BlackArch Webshells Collection](https://github.com/BlackArch/webshells) - Various webshells that can be installed as a package on BlackArch Linux.\n- [DAws](https://github.com/dotcppfile/DAws) - Advanced Web shell.\n- [PHP-backdoors](https://github.com/bartblaze/PHP-backdoors) - Collection of PHP backdoors, for educational and/or testing purposes only. 
\n- [PHP Exploit Scripts](https://github.com/mattiasgeniar/php-exploit-scripts) - Collection of PHP exploit scripts (often but not necessarily always backdoors or web shells), found when investigating hacked servers.\n- [PHP WebShells collection](https://github.com/JohnTroony/php-webshells) - Repository of common PHP Web shells, somewhat dated.\n- [PhpSploit](https://github.com/nil0x42/phpsploit) - Remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server.\n- [SharPyShell](https://github.com/antonioCoco/SharPyShell) - Tiny and obfuscated ASP.NET webshell for C# web applications.\n- [SecLists Web Shells](https://github.com/danielmiessler/SecLists/tree/master/Web-Shells) - Examples of core Web shell functionality in PHP, JSP, ASP(X), ColdFusion, and more.\n- [Weevely](https://github.com/epinna/weevely3) - Extensible PHP Web shell with numerous out-of-the-box modules.\n\n# License\n\n[![CC-BY](https://mirrors.creativecommons.org/presskit/buttons/88x31/svg/by.svg)](https://creativecommons.org/licenses/by/4.0/)\n\nThis work is licensed under a [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffabacab%2Fawesome-malware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffabacab%2Fawesome-malware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffabacab%2Fawesome-malware/lists"}