Skip to main content
ClaudeWave
Skill15.5k repo starsupdated 12d ago

analyzing-malware-family-relationships-with-malpedia

# ClaudeWave: Analyzing Malware Family Relationships with Malpedia This skill enables security analysts to query the Malpedia API, which catalogs over 2,600 malware families with their aliases, YARA detection rules, threat actor associations, and relationships. Use it when investigating security incidents requiring malware classification, building threat hunting queries, extracting detection rules, or understanding how malware variants and threat groups connect across your security monitoring ecosystem.

View sourceRepository: Anthropic-Cybersecurity-Skills
Install in Claude Code
Copy
git clone --depth 1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills /tmp/analyzing-malware-family-relationships-with-malpedia && cp -r /tmp/analyzing-malware-family-relationships-with-malpedia/skills/analyzing-malware-family-relationships-with-malpedia ~/.claude/skills/analyzing-malware-family-relationships-with-malpedia
Then start a new Claude Code session; the skill loads automatically.
Definition

SKILL.md

# Analyzing Malware Family Relationships with Malpedia

## Overview

Malpedia is a collaborative platform maintained by Fraunhofer FKIE that catalogs malware families with their aliases, YARA rules, threat actor associations, and reference reports. With over 2,600 malware families documented, it serves as the definitive resource for understanding malware lineages, tracking variant evolution, and linking malware to specific threat groups. This skill covers querying the Malpedia API, mapping malware family relationships, extracting YARA rules for detection, and building intelligence on malware ecosystems used by adversaries.


## When to Use

- When investigating security incidents that require analyzing malware family relationships with malpedia
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.9+ with `requests`, `yara-python`, `stix2` libraries
- Malpedia API key (register at https://malpedia.caad.fkie.fraunhofer.de/)
- Understanding of malware classification and naming conventions
- Familiarity with YARA rule syntax for detection
- Access to malware samples for validation (optional)

## Key Concepts

### Malpedia Data Model

Malpedia organizes malware into Families (e.g., "win.cobalt_strike"), each containing: aliases (vendor-specific names like "Beacon", "CobaltStrike"), YARA rules (community and vendor-contributed), actor associations (threat groups using the family), reference reports (CTI reports documenting the family), and sample hashes (representative samples for each variant).

### Malware Family Naming

Malpedia uses the format `platform.family_name` (e.g., `win.emotet`, `elf.mirai`, `apk.flubot`). Platforms include win (Windows), elf (Linux), apk (Android), osx (macOS), and py (Python). This standardized naming resolves the "many names" problem where different vendors assign different names to the same malware.

### Family Relationships

Malware families have relationships including: parent-child (code reuse, forks), loader-payload (Emotet loads TrickBot loads Ryuk), shared authorship (same threat actor develops multiple tools), and infrastructure sharing (common C2 frameworks).

## Workflow

### Step 1: Query Malpedia API for Malware Families

```python
import requests
import json
from collections import defaultdict

class MalpediaClient:
    BASE_URL = "https://malpedia.caad.fkie.fraunhofer.de/api"

    def __init__(self, api_key):
        self.headers = {"Authorization": f"apitoken {api_key}"}

    def get_family_list(self):
        """Get list of all malware families."""
        resp = requests.get(f"{self.BASE_URL}/list/families",
                           headers=self.headers, timeout=30)
        if resp.status_code == 200:
            families = resp.json()
            print(f"[+] Malpedia: {len(families)} malware families")
            return families
        return {}

    def get_family_info(self, family_name):
        """Get detailed information about a malware family."""
        resp = requests.get(f"{self.BASE_URL}/get/family/{family_name}",
                           headers=self.headers, timeout=30)
        if resp.status_code == 200:
            info = resp.json()
            print(f"[+] Family: {family_name}")
            print(f"    Aliases: {info.get('alt_names', [])}")
            print(f"    Actors: {[a.get('value', '') for a in info.get('attribution', [])]}")
            print(f"    URLs: {len(info.get('urls', []))} references")
            return info
        print(f"[-] Family not found: {family_name}")
        return None

    def get_family_yara(self, family_name):
        """Get YARA rules for a malware family."""
        resp = requests.get(f"{self.BASE_URL}/get/yara/{family_name}",
                           headers=self.headers, timeout=30)
        if resp.status_code == 200:
            rules = resp.json()
            rule_count = sum(len(v) for v in rules.values()) if isinstance(rules, dict) else 0
            print(f"[+] YARA rules for {family_name}: {rule_count} rules")
            return rules
        return {}

    def get_actor_families(self, actor_name):
        """Get malware families associated with a threat actor."""
        resp = requests.get(f"{self.BASE_URL}/get/actor/{actor_name}",
                           headers=self.headers, timeout=30)
        if resp.status_code == 200:
            data = resp.json()
            families = data.get("families", {})
            print(f"[+] {actor_name}: {len(families)} malware families")
            return data
        return {}

    def search_families(self, keyword):
        """Search families by keyword."""
        all_families = self.get_family_list()
        matches = {
            name: info for name, info in all_families.items()
            if keyword.lower() in name.lower()
            or keyword.lower() in str(info.get("alt_names", [])).lower()
        }
        print(f"[+] Search '{keyword}': {len(matches)} matches")
        return matches

client = MalpediaClient("YOUR_MALPEDIA_API_KEY")
families = client.get_family_list()
emotet_info = client.get_family_info("win.emotet")
```

### Step 2: Map Malware Family Relationships

```python
class MalwareFamilyMapper:
    def __init__(self, malpedia_client):
        self.client = malpedia_client
        self.relationship_graph = defaultdict(list)

    def map_actor_ecosystem(self, actor_name):
        """Map the malware ecosystem used by a threat actor."""
        actor_data = self.client.get_actor_families(actor_name)
        families = actor_data.get("families", {})

        ecosystem = {
            "actor": actor_name,
            "families": [],
            "family_count": len(families),
        }

        for family_name in families:
            info = self.client.get_family_info(family_name)
            if info:
                ecosyst
More from this repository
Improve existing skillSkill
Add new skillSkill
acquiring-disk-image-with-dd-and-dcflddSkill

Create forensically sound bit-for-bit disk images using dd and dcfldd

analyzing-active-directory-acl-abuseSkill

Detect dangerous ACL misconfigurations in Active Directory using ldap3

analyzing-android-malware-with-apktoolSkill

Perform static analysis of Android APK malware samples using apktool

analyzing-api-gateway-access-logsSkill

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect

analyzing-apt-group-with-mitre-navigatorSkill

Analyze advanced persistent threat (APT) group techniques using MITRE

analyzing-azure-activity-logs-for-threatsSkill

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query