├── .gitignore
├── .travis.yml
├── CONTRIBUTING.md
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
ab-results*
--------------------------------------------------------------------------------

/.travis.yml:
--------------------------------------------------------------------------------
language: ruby
dist: trusty
rvm:
  - 2.2
before_script:
  - gem install awesome_bot
  - wget 'https://mkcert.org/generate/' -O bundle.pem
  - wget 'http://cdp.pca.dfn.de/global-root-ca/pub/cacert/cacert.pem' -O dfn.pem
  - wget 'http://cdp.pca.dfn.de/uni-potsdam-ca/pub/cacert/cacert.pem' -O potsdam.pem
  - cat bundle.pem dfn.pem potsdam.pem > /tmp/bundle.pem
script:
  - SSL_CERT_FILE="/tmp/bundle.pem" awesome_bot README.md --allow-redirect
--------------------------------------------------------------------------------

/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contribution Guidelines

**Your pull request should have a useful title. Please carefully read everything in [Adding to this list](#adding-to-this-list).**

## Table of Contents

* [Adding to this list](#adding-to-this-list)
* [Creating your own awesome list](#creating-your-own-awesome-list)
* [Adding something to an awesome list](#adding-something-to-an-awesome-list)
* [Updating your Pull Request](#updating-your-pull-request)

## Adding to this list

Please ensure your pull request adheres to the following guidelines:

* Search previous suggestions before making a new one, as yours may be a duplicate.
* Make sure the item you are adding is useful (and, you know, awesome) before submitting.
* Make an individual pull request for each suggestion.
* Use [title-casing](http://titlecapitalization.com) (AP style).
* Use the following format: `[Item Name](link)`
* Link additions should be added to the bottom of the relevant category.
* New categories or improvements to the existing categorization are welcome.
* Check your spelling and grammar.
* Make sure your text editor is set to remove trailing whitespace.
* The pull request and commit should have a useful title.
* The body of your commit message should contain a link to the repository.

Thank you for your suggestions!

## Adding something to an awesome list

If you have something awesome to contribute to an awesome list, this is how you do it.

You'll need a [GitHub account](https://github.com/join)!

1. Access the awesome list's GitHub page. For example: https://github.com/sindresorhus/awesome
2. Click on the `readme.md` file: ![Step 2 Click on Readme.md](https://cloud.githubusercontent.com/assets/170270/9402920/53a7e3ea-480c-11e5-9d81-aecf64be55eb.png)
3. Now click on the edit icon. ![Step 3 - Click on Edit](https://cloud.githubusercontent.com/assets/170270/9402927/6506af22-480c-11e5-8c18-7ea823530099.png)
4. You can start editing the text of the file in the in-browser editor. Make sure you follow the guidelines above. You can use [GitHub Flavored Markdown](https://help.github.com/articles/github-flavored-markdown/). ![Step 4 - Edit the file](https://cloud.githubusercontent.com/assets/170270/9402932/7301c3a0-480c-11e5-81f5-7e343b71674f.png)
5. Say why you're proposing the changes, and then click on "Propose file change". ![Step 5 - Propose Changes](https://cloud.githubusercontent.com/assets/170270/9402937/7dd0652a-480c-11e5-9138-bd14244593d5.png)
6. Submit the [pull request](https://help.github.com/articles/using-pull-requests/)!

## Updating your Pull Request

Sometimes, a maintainer of this list will ask you to edit your Pull Request before it is included. This is normally due to spelling errors or because your PR didn't match the awesome-\* list guidelines.

--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Awesome Malware [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)

> A curated collection of awesome malware, botnets, and other post-exploitation tools.

[Malware](https://en.wikipedia.org/wiki/Malware) is software intentionally designed to cause damage or provide unauthorized access to a computer, server, or computer network. While not exclusive, this list is heavily biased towards [Free Software](https://www.gnu.org/philosophy/free-sw.html) projects. For pre-exploitation TTPs, see [awesome-pentest](https://github.com/fabacab/awesome-pentest). For defenses, see [awesome-cybersecurity-blueteam](https://github.com/fabacab/awesome-cybersecurity-blueteam).

Your contributions and suggestions are heartily♥ welcome. (✿◕‿◕). Please check the [Contributing Guidelines](CONTRIBUTING.md) for more details. This work is licensed under a [Creative Commons Attribution 4.0 International License](http://creativecommons.org/licenses/by/4.0/).

> :warning: :memo: **Please note** that this compilation is intended for educational and demonstration purposes only.

# Contents

- [Analysis and reverse engineering](#analysis-and-reverse-engineering)
- [Banking trojans](#banking-trojans)
- [Botnets](#botnets)
- [Command and Control](#command-and-control)
- [Credential Stuffing Account Checkers](#credential-stuffing-account-checkers)
- [Data stealers](#data-stealers)
- [Evasion](#evasion)
- [Phishing kits](#phishing-kits)
- [Keyloggers](#keyloggers)
- [RAM scrapers](#ram-scrapers)
- [Ransomware](#ransomware)
- [Remote Administration Tools (RATs)](#remote-administration-tools-rats)
- [Rootkits](#rootkits)
- [Web Shells](#web-shells)

# Analysis and reverse engineering

See [awesome-malware-analysis](https://github.com/rshipp/awesome-malware-analysis).

- [theZoo](https://thezoo.morirt.com/) - Repository of live malware samples for your own joy and pleasure, created to make the possibility of malware analysis open and available to the public.

# Banking trojans

> :construction: TK-TODO

# Botnets

- [Idisagree](https://github.com/UndeadSec/Idisagree) - Control remote computers using a Discord bot and Python 3.

# Command and Control

(Also known as *C2* and *C&C*.)

- [Browser Exploitation Framework (BeEF)](https://github.com/beefproject/beef) - Command and control server for delivering exploits to commandeered Web browsers.
- [Merlin](https://github.com/Ne0nd0g/merlin) - Cross-platform post-exploitation HTTP/2 command and control server and agent written in Go.
- [SILENTTRINITY](https://github.com/byt3bl33d3r/SILENTTRINITY) - Asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR.

# Credential Stuffing Account Checkers

Also known as *Account Takeover (ATO)* or *account cracking*.

* Black Bullet - Single-threaded account checker with captcha bypass features and Selenium WebDriver support, sold for about $30 to $50. ([Reference](https://www.recordedfuture.com/credential-stuffing-attacks/#black-bullet))
* [Private Keeper](https://www.deival909.ru/) - Russian-language account checker and takeover tool, sold at prices starting from approximately $1 USD.
* [SNIPR](https://snipr.gg/) - Windows toolkit for credential stuffing across Web (HTTP/S) and email (IMAP) attack surfaces with the ability to encrypt and re-sell ATO configurations, sold for about $20.
* STORM - Flexible account checker with Cloudflare protection bypass features written in C#. ([Reference](https://www.netacea.com/blog/storm-cracker-tool))
* [Sentry MBA](https://sentry.mba/) - Among the oldest and longest in-use account checkers, using OCR for captcha bypass but unable to pass JavaScript anti-bot challenges, sold for between $5 and $20 per configuration file. ([Reference](https://www.recordedfuture.com/credential-stuffing-attacks/#sentry-mba))
* Woxy - Email account checker with built-in support for automating password resets and searching email content for valuable information, now cracked and available free of charge. ([Reference](https://www.recordedfuture.com/credential-stuffing-attacks/#woxy))

# Data stealers

> :construction: TK-TODO

# Evasion

- [CheckPlease](https://github.com/Arvanaghi/CheckPlease) - Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust.

# Keyloggers

* [TechNowLogger](https://github.com/Technowlogy-Pushpender/technowlogger) - Windows/Linux keylogger generator which sends key logs via email along with other juicy target info.

# Phishing kits

(Also known as *phishkits*, one word.)

* [ActorExpose/PhishKits](https://github.com/ActorExpose/PhishKits) - Collection of phishing kits provided to the public to make the Internet a safer environment.

# RAM scrapers

> :construction:
>
> See [RamScraper](https://github.com/joren485/RamScraper) for now.

# Ransomware

> :construction: TK-TODO

# Remote Administration Tools (RATs)

Some [Command and Control](#command-and-control) tools also overlap with RAT software.

(Also known as *Remote Access Trojan* or *post-exploitation agent*.)

- [Bella](https://github.com/kdaoudieh/Bella) - Pure Python post-exploitation data mining and remote administration tool for macOS.
- [Empire](https://www.powershellempire.com/) - Pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture.
- [EvilOSX](https://github.com/Marten4n6/EvilOSX) - Modular RAT that uses numerous evasion and exfiltration techniques out-of-the-box.
- [Pupy](https://github.com/n1nj4sec/pupy) - Low-footprint, cross-platform (Windows, Linux, macOS, Android) RAT following an all-in-memory execution guideline, written in Python.
- [RedPeanut](https://github.com/b4rtik/RedPeanut) - Small RAT developed in .Net Core 2 with its agent in .Net 3.5/4.0, weaponized with several additional utilities.
- [Slackor](https://github.com/Coalfire-Research/Slackor) - Go implant that uses Slack as a command and control server.
- [Twittor](https://github.com/PaulSec/twittor) - Stealthy Python-based backdoor that uses Twitter (Direct Messages) as a command and control server.

# Rootkits

- [Adore-NG](https://github.com/trimpsyw/adore-ng) - Rootkit adapted for the 2.6 and 3.x Linux kernels.
- [AdoreForAndroid](https://github.com/juxing/AdoreForAndroid) - Adore rootkit ported to Android.
- [Diamorphine](https://github.com/m0nad/Diamorphine) - LKM rootkit for Linux kernels 2.6.x, 3.x, and 4.x.
- [Masochist](https://github.com/squiffy/Masochist) - Framework for creating XNU-based rootkits useful in OS X and iOS security research.
- [Vector-EDK](https://github.com/hackedteam/vector-edk) - Commercial UEFI rootkit illegally sold by Hacking Team to numerous governments, leaked by hacker Phineas Phisher in 2015, and the basis of the [MosaicRegressor rootkit](https://securelist.com/mosaicregressor/98849/).
- [vlany](https://github.com/mempodippy/vlany) - Linux `LD_PRELOAD` rootkit.

# Web Shells

(Also known as *webshells*, one word.)

- [BlackArch Webshells Collection](https://github.com/BlackArch/webshells) - Various webshells that can be installed as a package on BlackArch Linux.
- [DAws](https://github.com/dotcppfile/DAws) - Advanced Web shell.
- [PHP-backdoors](https://github.com/bartblaze/PHP-backdoors) - Collection of PHP backdoors, for educational and/or testing purposes only.
- [PHP Exploit Scripts](https://github.com/mattiasgeniar/php-exploit-scripts) - Collection of PHP exploit scripts (often, but not necessarily always, backdoors or web shells), found when investigating hacked servers.
- [PHP WebShells collection](https://github.com/JohnTroony/php-webshells) - Repository of common PHP Web shells, somewhat dated.
- [PhpSploit](https://github.com/nil0x42/phpsploit) - Remote control framework, aiming to provide a stealthy interactive shell-like connection over HTTP between client and web server.
- [SharPyShell](https://github.com/antonioCoco/SharPyShell) - Tiny and obfuscated ASP.NET webshell for C# web applications.
- [SecLists Web Shells](https://github.com/danielmiessler/SecLists/tree/master/Web-Shells) - Examples of core Web shell functionality in PHP, JSP, ASP(X), ColdFusion, and more.
- [Weevely](https://github.com/epinna/weevely3) - Extensible PHP Web shell with numerous out-of-the-box modules.

# License

[![CC-BY](https://mirrors.creativecommons.org/presskit/buttons/88x31/svg/by.svg)](https://creativecommons.org/licenses/by/4.0/)

This work is licensed under a [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0/).
--------------------------------------------------------------------------------