Awesome malware development
Curated resources for malware dev, reverse engineering, and defensive security research.
**Curated collection of the best resources for malware development, rootkits, implants, evasion, and red-team tooling.** The project is distributed under the MIT License license, first published in 2022. It has gained significant community traction with 1,762 stars and 194 forks on GitHub. Key topics include: malware, malware-development, malware-research.
Awesome Malware Development
Curated collection of the best resources for malware development, rootkits, implants, evasion, and red-team tooling.
⚠️ Disclaimer
This repository is for educational, research, ethical hacking, and red-teaming purposes only.
Any misuse may violate laws in your jurisdiction. The maintainer is not responsible for illegal activity.
Table of Contents
- Learning Path
- Modern Topics (2025–2026)
- Essentials
- Tools & Frameworks
- Open-Source PoCs & Sample Projects
- Blogs
- Talks
- YouTube Channels
- Courses
- Books
- Articles & Writeups
- Contributing
Learning Path
Beginner → Advanced Roadmap
- Fundamentals – C, Assembly, Windows internals
- Userland Malware – Process injection, loaders, crypters
- Evasion – AV/EDR bypass, obfuscation
- Kernel & Rootkits – Drivers, hooks, DKOM
- Advanced – UEFI bootkits, reflective loading, C2 implants
Modern Topics (2025–2026) ← FRESH & HIGHLY RECOMMENDED
The latest content the community is using right now:
EDR Evasion & Modern Techniques
- Endpoint Evasion Techniques (2020–2025): The Evolution (NEW 2025)
- Bypassing Modern EDRs: Practical Evasion Techniques (2025 Edition) (NEW 2025)
- EDR Evasion 101: 29 Ways Attackers Are Slipping Past Defenses (NEW 2026)
- Understanding EDR Evasion Tactics & Defense Methods (NEW 2026)
Rust / Nim / Go for Malware Development
- Rust for Malware Development (Bishop Fox, 2025) (NEW 2025)
- NIM Malware Development — Introduction (NEW 2025)
- Rust and Go Malware: Cross-Platform Threats Evading Traditional Defenses (NEW 2025)
Linux Kernel & Rootkits
- Linux malware development 1: Intro to kernel hacking (2024) (NEW 2024)
- Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit (NEW 2025)
UEFI Bootkits & Advanced Kernel
- Awesome Bootkits & Rootkits Development (curated list) (NEW 2025)
- Bootkits-Development-Starter-Pack (NEW 2025)
- UEFI Bootkits and Kernel-Mode Rootkits Development (NEW 2025)
Essentials
Strong C/C++ and x86/x64 assembly knowledge is highly recommended.
C Programming
x86/x64 Assembly
Tools & Frameworks (Updated 2026)
- Havoc (NEW 2024–2026) – Modern, malleable C2 framework with beautiful GUI
- Mythic – Highly modular cross-platform C2
- Sliver – Cross-platform implant framework
- Donut – Shellcode generator & loader
- SysWhispers – Syscall generator for evasion
- InlineWhispers – Direct syscall evasion
Open-Source PoCs & Sample Projects
- TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development (NEW 2025)
- TheMalwareGuardian/Bootkits-Development-Starter-Pack (NEW 2025)
- chvancooten/maldev-for-dummies (NEW 2025) – Beginner malware workshop
- cr-0w/maldev – Malware development growth repo
- vxunderground/MalwareSourceCode – Archived malware source (historical, research only)
- stephenfewer/ReflectiveDLLInjection
- h0mbre/Learn-C-By-Creating-A-Rootkit
- xcellerator/linux_kernel_rootkits
- MatheuZSecurity/Singularity (NEW 2025) – Modern Linux kernel rootkit
Blogs
- Vitali Kremez — Deep dive malware analysis
- 0xPat — Outstanding malware development series
- zerosum0x0 — deep technical posts
- Guitmz — High-quality maldev content
- TheXcellerator — Amazing LKM rootkit series
- cocomelonc (NEW) — Excellent Linux malware & kernel series
- captmeelo - Excellent writeups check this out!!!
- iRedTeam - red team notes
Talks
- Horse Pill: A New Type of Linux Rootkit
- LKM Rootkit Series (playlist)
- Creating and Countering the Next Generation of Linux Rootkits
- Kernel Mode Threats and Practical Defenses
- Alex Ionescu – Advancing the State of UEFI Bootkits
- BlueHat v18: Return of the kernel rootkit malware (Windows 10)
- BlackAlps 2025: Level Up Your Malware – A Practical Journey Into EDR Evasion (NEW 2025)
YouTube Channels
- AGDC Services — High-quality malware content
- TheSphinx — Full RAT-from-scratch series
- Joey Abrams — Code-injection & Linux maldev
- w3w3w3 — Solid LKM rootkit series
Courses
- RED TEAM Operator: Malware Development Essentials (Sektor7)
- RED TEAM Operator: Malware Development Intermediate (Sektor7)
- RingZerø: Windows Kernel Rootkits
- CodeMachine: Windows Kernel Rootkits
- Maldev Academy – Malware Development Course (NEW 2025–2026) — Continuously updated, 200+ modules, community favorite
Books
- The Art of Computer Virus Research and Defense
- The Giant Black Book of Computer Viruses
- Designing BSD Rootkits: An Introduction to Kernel Hacking
- Rootkits and Bootkits
- The Antivirus Hackers’ Handbook
Free Books / PDFs
Articles & Writeups
Malware Development Fundamentals & Series
- Malware Development – Welcome to the Dark Side: Part 1
- Art of Malware
- Malware Development Part 1
- Basic Ransomware guide
- Master of RATs - How to create your own Tracker
- Amazing article to read with some good resources (Personal Tale and the Road to Malware Development, Resources)
- Best series i will say if you wanna get into programming/malware dev recommended series to follow it will start with learn programming thats needed asm and stuff after that getting into maldev
- Filess malware
- Examining the Morris Worm Source Code
- IOT Malware
- Roadmap for Malware Development and Evasion (NEW 2026)
Rootkits (Userland & Kernel)
- PT_NOTE -> PT_LOAD x64 ELF virus written in Assembly
- The magic of LD_PRELOAD for Userland Rootkits (good read if you wanna get into rootkits this blog is for userland rootkits)
- (Recommended Read) if you want to creat your first userland rootkit and you just know C you can go for this blog if you wanna start into rootkit development
- Complete guide on LKM hacking
- Becoming-rat-your-system
- Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit (NEW 2025)
Injection & Hooking Techniques
- Function Hooking Part I: Hooking Shared Library Function Calls in Linux
- Inline Hooking for Programmers (Part 1: Introduction)
- Inline Hooking for Programmers (Part 2: Writing a Hooking Engine)
- PE injection for beginners
Evasion & Obfuscation
- Understanding TRITON and the Missing Final Stage of the Attack good read.
- Windows Defender antivirus bypass in 2025 - part 1 (NEW 2025)
Specific Malware & APT Analysis
Contributing
See CONTRIBUTING.md
Made with ❤️ by the community • v2.0 – Full Merge + Massive 2025–2026 Expansion (April 2026)
Contributors
Showing top 1 contributor by commit count.
Related Repositories
StevenBlack/hosts
🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.
hagezi/dns-blocklists
DNS-Blocklists: For a better internet - keep the internet clean!
vxunderground/MalwareSourceCode
Collection of malware source code for a variety of platforms in an array of different programming languages.
vitalysim/Awesome-Hacking-Resources
A collection of hacking / penetration testing resources to make you better!
wifiphisher/wifiphisher
The Rogue Access Point Framework
mytechnotalent/Reverse-Engineering
A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit/64-bit ARM, 8-bit AVR and 32-bit RISC-V architectures.