Awesome Malware

A curated collection of awesome malware, botnets, and other post-exploitation tools.

Malware is software intentionally designed to cause damage or provide unauthorized access to a computer, server, or computer network. While not exclusive, this list is heavily biased towards Free Software projects. For pre-exploitation TTPs, see awesome-pentest. For defenses, see awesome-cybersecurity-blueteam.

Your contributions and suggestions are heartily♥ welcome. (✿◕‿◕). Please check the Contributing Guidelines for more details. This work is licensed under a Creative Commons Attribution 4.0 International License.

:warning: :memo: Please note that this compilation is intended for educational and demonstration purposes only.

Contents

• Analysis and reverse engineering
• Banking trojans
• Botnets
• Command and Control
• Credential Stuffing Account Checkers
• Data stealers
• Evasion
• Phishing kits
• Keyloggers
• RAM scrapers
• Ransomware
• Remote Administration Tools (RATs)
• Rootkits
• Web Shells

Analysis and reverse engineering

See awesome-malware-analysis.

• theZoo - Repository of live malwares for your own joy and pleasure, created to make the possibility of malware analysis open and available to the public.

Banking trojans

:construction: TK-TODO

Botnets

• Idisagree - Control remote computers using Discord bot and Python 3.

Command and Control

(Also known as C2 and C&C.)

• Browser Exploitation Framework (BeEF) - Command and control server for delivering exploits to commandeered Web browsers.
• Merlin - Cross-platform post-exploitation HTTP/2 command and control server and agent written in golang.
• SILENTTRINITY - Asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR.

Credential Stuffing Account Checkers

Also known as Account Takeover (ATO) or account cracking.

• Black Bullet - Single-threaded account checker with captcha bypass features and Selenium WebDriver support, sold for about $30 to $50. (Reference)
• Private Keeper - Russian language account checker and takeover tool, sold at prices starting from approximately $1 USD.
• SNIPR - Windows toolkit for credential stuffing across Web (HTTP/S) and email (IMAP) attack surfaces with the ability to encrypt and re-sell ATO configurations, sold for about $20.
• STORM - Flexible account checker with Cloudflare protection bypass features written in C#. (Reference)
• Sentry MBA - Among the oldest and longest in-use account checkers, using OCR for captcha bypass but unable to pass JavaScript anti-bot challenges, sold for between $5 and $20 per configuration file. (Reference)
• Woxy - Email account checker with built-in support for automating password reset and searching email content for valuable information, now cracked and available free of charge. (Reference)

Data stealers

:construction: TK-TODO

Evasion

• CheckPlease - Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust.

Keyloggers

• TechNowLogger - Windows/Linux keylogger generator which sends key-logs via email with other juicy target info.

Phishing kits

(Also known as phishkits, one word.)

• ActorExpose/PhishKits - Collection of phishing kits provided to the public to make the Internet a safer environment.

RAM scrapers

:construction:

See RamScraper for now.

Ransomware

:construction: TK-TODO

Remote Administration Tools (RATs)

Some Command and Control tools also overlap with RAT software.

(Also known as Remote Access Trojan or post-exploitation agent.)

• Bella - Pure Python post-exploitation data mining and remote administration tool for macOS.
• Empire - Pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture.
• EvilOSX - Modular RAT that uses numerous evasion and exfiltration techniques out-of-the-box.
• Pupy - Low-footprint, cross-platform (Windows, Linux, macOS, Android) RAT featuring all-in-memory execution guideline written in Python.
• RedPeanut - Small RAT developed in .Net Core 2 and its agent in .Net 3.5/4.0, weaponized with several additional utilities.
• Slackor - Golang implant that uses Slack as a command and control server.
• Twittor - Stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server.

Rootkits

• Adore-NG - Rootkit adapted for the 2.6 and 3.x Linux kernels.
• AdoreForAndroid - Adore rootkit ported to Android.
• Diamorphine - LKM rootkit for Linux Kernels 2.6.x, 3.x, and 4.x.
• Masochist - Framework for creating XNU based rootkits useful in OS X and iOS security research.
• Vector-EDK - Commercial UEFI rootkit illegally sold by Hacking Team to numerous governments, leaked by hacker Phineas Phisher in 2015, and the basis of the MosaicRegressor rootkit.
• vlany - Linux LD_PRELOAD rootkit.

Web Shells

(Also known as webshells, one word.)

• BlackArch Webshells Collection - Various webshells that can be installed as a package on BlackArch Linux.
• DAws - Advanced Web shell.
• PHP-backdoors - Collection of PHP backdoors, for educational and/or testing purposes only.
• PHP Exploit Scripts - Collection of PHP exploit scripts (often but not necessarily always backdoors or web shells), found when investigating hacked servers.
• PHP WebShells collection - Repository of common PHP Web shells, somewhat dated.
• PhpSploit - Remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server.
• SharPyShell - Tiny and obfuscated ASP.NET webshell for C# web applications.
• SecLists Web Shells - Examples of core Web shell functionality in PHP, JSP, ASP(X), ColdFusion, and more.
• Weevely - Extensible PHP Web shell with numerous out-of-the-box modules.

License

This work is licensed under a Creative Commons Attribution 4.0 International License.