skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md
使用 Malpedia 平台和 API 研究恶意软件家族关系、追踪变体演化、将家族关联到威胁行为者,并整合 YARA 规则用于跨恶意软件谱系的检测。
Malpedia 是由弗劳恩霍夫 FKIE 维护的协作平台,收录了恶意软件家族的别名、YARA 规则、威胁行为者关联和参考报告。收录超过 2,600 个恶意软件家族,是了解恶意软件谱系、追踪变体演化以及将恶意软件关联到特定威胁组织的权威资源。本技能涵盖查询 Malpedia API、映射恶意软件家族关系、提取 YARA 规则用于检测,以及构建对手所用恶意软件生态系统的情报。
依赖:requests、yara-python、stix2 库。

Malpedia 将恶意软件组织为家族(如"win.cobalt_strike"),每个家族包含:别名(厂商特定名称,如"Beacon"、"CobaltStrike")、YARA 规则(社区和厂商贡献)、行为者关联(使用该家族的威胁组织)、参考报告(记录该家族的 CTI 报告)和样本哈希(每个变体的代表性样本)。
Malpedia 使用 平台.家族名称 格式(如 win.emotet、elf.mirai、apk.flubot)。平台包括 win(Windows)、elf(Linux)、apk(Android)、osx(macOS)和 py(Python)。这种标准化命名解决了不同厂商对同一恶意软件使用不同名称的"多名问题"。
恶意软件家族之间存在以下关系:父子关系(代码复用、分叉)、加载器-载荷关系(Emotet 加载 TrickBot 加载 Ryuk)、共同作者关系(同一威胁行为者开发多种工具)以及基础设施共享(共同 C2 框架)。
import json
import os
from collections import defaultdict
from urllib.parse import quote

import requests
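class MalpediaClient:
    """Thin wrapper over the Malpedia REST API.

    Every public method performs one HTTP GET against ``BASE_URL`` carrying
    the ``apitoken`` Authorization header and returns the decoded JSON body,
    or an empty value (``{}`` / ``None``) when the server does not answer
    HTTP 200. Family and actor identifiers are percent-encoded before they
    are placed in the URL path, so a caller-supplied string such as
    ``"../list/families"`` or ``"win.emotet?x=y"`` cannot steer the request
    to a different endpoint.
    """

    BASE_URL = "https://malpedia.caad.fkie.fraunhofer.de/api"

    def __init__(self, api_key):
        # Malpedia expects "apitoken <key>", not the more common "Bearer <key>".
        # The key is only ever sent in this header, never in a URL or log line.
        self.headers = {"Authorization": f"apitoken {api_key}"}

    @staticmethod
    def _segment(value):
        """Percent-encode one URL path segment; ``/``, ``?`` and ``#`` included."""
        return quote(str(value), safe="")

    def _get(self, *segments):
        """GET ``BASE_URL/<segments...>`` and return the parsed JSON body.

        Returns ``None`` for any non-200 status (and prints the status) so
        callers keep the original "empty on failure" contract while an expired
        key (401) or rate limit is not silently mistaken for an unknown family.
        """
        url = "/".join([self.BASE_URL, *(self._segment(s) for s in segments)])
        resp = requests.get(url, headers=self.headers, timeout=30)
        if resp.status_code != 200:
            print(f"[-] Malpedia API returned {resp.status_code} for {url}")
            return None
        return resp.json()

    def get_family_list(self):
        """Return the full family catalogue (``{family_id: record}``), or {} on failure."""
        families = self._get("list", "families")
        if families is None:
            return {}
        print(f"[+] Malpedia: {len(families)} malware families")
        return families

    def get_family_info(self, family_name):
        """Return the detail record for one family id (e.g. "win.emotet"), or None."""
        info = self._get("get", "family", family_name)
        if info is None:
            print(f"[-] Family not found: {family_name}")
            return None
        print(f"[+] Family: {family_name}")
        print(f" Aliases: {info.get('alt_names', [])}")
        print(f" Actors: {[a.get('value', '') for a in info.get('attribution', [])]}")
        print(f" URLs: {len(info.get('urls', []))} references")
        return info

    def get_family_yara(self, family_name):
        """Return the YARA rule payload for a family, or {} on failure.

        The rest of this file treats the payload as a mapping keyed by source
        whose values are either a list of rule texts or a single rule string;
        the printed count follows that reading (a string counts as one rule,
        not as its character length).
        """
        rules = self._get("get", "yara", family_name)
        if rules is None:
            return {}
        count = 0
        if isinstance(rules, dict):
            for value in rules.values():
                if isinstance(value, str):
                    count += 1
                elif hasattr(value, "__len__"):
                    count += len(value)
        print(f"[+] YARA rules for {family_name}: {count} rules")
        return rules

    def get_actor_families(self, actor_name):
        """Return the actor record (including its ``families`` mapping), or {} on failure."""
        data = self._get("get", "actor", actor_name)
        if data is None:
            return {}
        print(f"[+] {actor_name}: {len(data.get('families', {}))} malware families")
        return data

    def search_families(self, keyword):
        """Case-insensitive substring search over family ids and their alias lists.

        Downloads the whole catalogue on every call; cache ``get_family_list``
        yourself if you search repeatedly.
        """
        needle = keyword.lower()
        matches = {}
        for name, info in self.get_family_list().items():
            aliases = str(info.get("alt_names", [])).lower()
            if needle in name.lower() or needle in aliases:
                matches[name] = info
        print(f"[+] Search '{keyword}': {len(matches)} matches")
        return matches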
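# Read the token from the environment instead of committing it to this file.
# The placeholder is kept only so the examples below still execute (and fail
# with a non-200 status) when MALPEDIA_API_KEY is unset.
client = MalpediaClient(os.environ.get("MALPEDIA_API_KEY", "YOUR_MALPEDIA_API_KEY"))
families = client.get_family_list()
emotet_info = client.get_family_info("win.emotet")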
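class MalwareFamilyMapper:
    """Derive actor-centric views (ecosystem, shared tooling, delivery chains)
    from a MalpediaClient-like object.

    ``malpedia_client`` must provide ``get_actor_families(actor)`` and
    ``get_family_info(family)`` returning dicts (or ``{}`` / ``None`` on
    failure), as MalpediaClient does.
    """

    # Hand-curated loader/payload relationships used by
    # build_loader_payload_chain. NOTE: this table is NOT fetched from Malpedia;
    # it is static analyst knowledge embedded in the skill and will drift from
    # reality. Cite Malpedia references, not this dict, when attributing a chain.
    KNOWN_CHAINS = {
        "win.emotet": {"loaders": ["email/macro"], "payloads": ["win.trickbot", "win.qakbot", "win.cobalt_strike"]},
        "win.trickbot": {"loaders": ["win.emotet"], "payloads": ["win.ryuk", "win.conti", "win.cobalt_strike"]},
        "win.qakbot": {"loaders": ["email/macro", "win.emotet"], "payloads": ["win.cobalt_strike", "win.blackbasta"]},
        "win.cobalt_strike": {"loaders": ["win.emotet", "win.trickbot", "win.qakbot"], "payloads": ["ransomware"]},
    }

    def __init__(self, malpedia_client):
        self.client = malpedia_client
        # Not written by any method in this class; kept for callers that
        # may already read it.
        self.relationship_graph = defaultdict(list)

    def map_actor_ecosystem(self, actor_name):
        """Collect every family Malpedia attributes to ``actor_name``.

        Returns ``{"actor", "families": [...], "family_count"}``; each family
        entry carries its aliases, a 200-character description excerpt, the
        actors Malpedia attributes it to (including ``actor_name`` itself),
        and its reference count. Families whose detail lookup fails are
        skipped but still counted in ``family_count``.
        """
        actor_data = self.client.get_actor_families(actor_name) or {}
        families = actor_data.get("families", {}) or {}
        ecosystem = {
            "actor": actor_name,
            "families": [],
            "family_count": len(families),
        }
        for family_name in families:
            info = self.client.get_family_info(family_name)
            if not info:
                continue
            # The `or` fallbacks also cover fields that are present but null,
            # which would otherwise break the [:200] slice and len() below.
            ecosystem["families"].append({
                "name": family_name,
                "aliases": info.get("alt_names") or [],
                "description": (info.get("description") or "")[:200],
                "shared_actors": [
                    a.get("value", "") for a in (info.get("attribution") or [])
                ],
                "reference_count": len(info.get("urls") or []),
            })
        print(f"\n=== {actor_name} 恶意软件生态系统 ===")
        for fam in ecosystem["families"]:
            others = [a for a in fam["shared_actors"] if a != actor_name]
            print(f" {fam['name']}")
            print(f" 别名: {fam['aliases'][:5]}")
            if others:
                print(f" 同时被以下使用: {others}")
        return ecosystem

    def find_shared_tooling(self, actor_names):
        """Return families attributed to more than one of ``actor_names``.

        The result maps ``"A <-> B"`` (input order, each unordered pair once)
        to the sorted family ids both actors share; pairs with no overlap are
        omitted. Shared tooling is a weak attribution signal on its own —
        commodity families such as Cobalt Strike show up for most actors.
        """
        actors = list(actor_names)
        families_by_actor = {}
        for actor in actors:
            data = self.client.get_actor_families(actor) or {}
            # iterating the mapping yields its keys; also tolerates a list
            families_by_actor[actor] = set(data.get("families", {}) or {})
        shared = {}
        for i, first in enumerate(actors):
            for second in actors[i + 1:]:
                common = families_by_actor[first] & families_by_actor[second]
                if common:
                    shared[f"{first} <-> {second}"] = sorted(common)
        print(f"\n=== 共享工具分析 ===")
        for pair, fams in shared.items():
            print(f" {pair}: {len(fams)} 个共享家族")
            for fam in fams[:5]:
                print(f" - {fam}")
        return shared

    def build_loader_payload_chain(self, family_name):
        """Return the curated loader/payload chain for ``family_name``.

        The Malpedia lookup only confirms the family exists and supplies its
        description; the chain itself comes from ``KNOWN_CHAINS`` and is empty
        for families not in that table. Returns {} when the lookup fails.
        """
        info = self.client.get_family_info(family_name)
        if not info:
            return {}
        entry = self.KNOWN_CHAINS.get(family_name, {})
        return {
            "family": family_name,
            "description": info.get("description", ""),
            # copies, so callers can extend them without mutating KNOWN_CHAINS
            "known_loaders": list(entry.get("loaders", [])),
            "known_payloads": list(entry.get("payloads", [])),
        }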
# Example run. These execute at import time and every call below hits the
# Malpedia API through `client`; the delivery chain comes from the static
# table inside build_loader_payload_chain, not from Malpedia data.
mapper = MalwareFamilyMapper(client)
ecosystem = mapper.map_actor_ecosystem("Wizard Spider")
shared = mapper.find_shared_tooling(["Wizard Spider", "FIN7", "Lazarus Group"])
chain = mapper.build_loader_payload_chain("win.emotet")
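def compile_yara_ruleset(client, family_names, output_file="malware_yara_rules.yar"):
    """Concatenate the Malpedia YARA rules for several families into one file.

    Despite the name, nothing is compiled here: the rule texts returned by
    ``client.get_family_yara`` are written verbatim, each preceded by a
    ``// Source: <source> - Family: <family>`` comment, and the list of those
    annotated rule strings is returned. Payload values that are a list are
    emitted one rule per element; a plain string is emitted as one rule;
    anything else is skipped.

    Validate the output with yara-python (``yara.compile(filepath=...)``)
    before deploying it: rules from different sources or families can collide
    on rule name, and the texts are third-party content that this function
    does not inspect. The file is overwritten on every call.

    Returns:
        list[str]: the annotated rule strings, in the order written.
    """
    all_rules = []
    for family in family_names:
        yara_data = client.get_family_yara(family)
        if not isinstance(yara_data, dict):
            continue
        for source, rules in yara_data.items():
            if isinstance(rules, str):
                rules = [rules]
            elif not isinstance(rules, list):
                continue
            for rule in rules:
                all_rules.append(f"// Source: {source} - Family: {family}\n{rule}")
    # explicit encoding: rule texts may contain non-ASCII metadata strings
    with open(output_file, "w", encoding="utf-8") as f:
        f.write(f"// Malpedia YARA Rules - {len(all_rules)} rules\n")
        f.write(f"// Families: {', '.join(family_names)}\n\n")
        for rule in all_rules:
            f.write(rule + "\n\n")
    print(f"[+] 已编译 {len(all_rules)} 条 YARA 规则到 {output_file}")
    return all_rules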
# Writes malware_yara_rules.yar in the current directory; the output is a raw
# concatenation and should be checked with yara-python before use.
compile_yara_ruleset(client, ["win.emotet", "win.trickbot", "win.cobalt_strike"])