_____         .__                                  _____                  __ ________  .__        
    /     \ _____  |  |__  _  _______ _______   ____   /     \  __ __  _______/  |\______ \ |__| ____  
   /  \ /  \\__  \ |  |\ \/ \/ /\__  \\_  __ \_/ __ \ /  \ /  \|  |  \/  ___/\   __\    |  \|  |/ __ \ 
  /    Y    \/ __ \|  |_\     /  / __ \|  | \/\  ___//    Y    \  |  /\___ \  |  | |    `   \  \  ___/ 
  \____|__  (____  /____/\/\_/  (____  /__|    \___  >____|__  /____//____  > |__|/_______  /__|\___  >
          \/     \/                  \/            \/        \/           \/              \/        \/ 

MalwareMustDie! :: malwaremustdie.org

[ Wiki ] [ Blog ] [ Tweets ] [ Codes ] [ Archive ] [ Old Site ]

[ News ] [ Video ] [ Linux Malware DB ] [ Why MMD? ] [ SendSample ]

About MalwareMustDie

MalwareMustDie (MMD) is a prominent nonprofit whitehat security research group that emerged in August 2012, standing as a collective force against the proliferation of malware on the internet. The organization comprises a collaborative effort of IT professionals and dedicated security researchers, united by a shared mission to combat and mitigate the impact of various forms of malicious software.

Inception and Objectives

MalwareMustDie was founded with the primary objective of reducing and preventing malware infections across the internet. This collaborative workgroup serves as a medium for IT professionals and security researchers to pool their expertise and resources, forming a cohesive workflow to address the evolving challenges posed by cyber threats.

Malware Analysis

At the core of MalwareMustDie's activities is a rigorous and systematic approach to malware analysis. The group actively engages in the examination and dissection of various forms of malware, aiming to unravel their functionalities, propagation methods, and potential vulnerabilities.

The findings derived from these analyses are crucial for enhancing the collective understanding of cyber threats within the security community. MalwareMustDie meticulously documents its research, sharing insights through its dedicated malware analysis blog. This resource serves as a valuable repository of knowledge, aiding both security professionals and the wider community in staying informed about emerging threats.

Infrastructure Dismantling

MalwareMustDie distinguishes itself by not merely stopping at analysis but actively participating in operations to dismantle malicious infrastructure. This involves identifying and disrupting the networks, servers, and systems that underpin the operations of various cyber threats. By taking direct action against these elements, the group contributes to mitigating the impact of malware campaigns and hindering the activities of threat actors.

Advocacy and Information Sharing

In addition to its hands-on approach, MalwareMustDie plays a vital role in advocacy and information sharing within the cybersecurity space. The group communicates general information about malware trends and advocates for improved detection mechanisms, particularly emphasizing the realm of Linux malware. This proactive stance contributes to raising awareness within the industry and encourages collaborative efforts to fortify cyber defenses.

Notable Discoveries and Threat Disclosures

MalwareMustDie has earned acclaim for its role in discovering and disclosing various internet threats. The group's track record includes identifying and announcing the presence of significant malware strains, botnets, and state-sponsored attacks.

Other notable malware threats and botnets that were first discovered and disclosed by MalwareMustDie include Prison Locker, Mayhem (Linux botnet), Kelihos botnet v2, ZeusVM, Darkleech botnet, LuaBot, NyaDrop, and various others.

Vulnerability Analysis

Beyond malware analysis, MalwareMustDie actively engages in the analysis of client vector threats' vulnerabilities. This includes researching and reporting on vulnerabilities present in software and devices. For instance, the group conducted reverse engineering on a proof of concept for a backdoor case (CVE-2016-6564) affecting a brand of Android phone devices, ultimately found to impact a staggering 2 billion devices.

Social Media Presence and Community Engagement

MalwareMustDie maintains an active presence on social media platforms, particularly Twitter and Reddit. Through these channels, the group shares real-time updates, ongoing research, and insights into new Linux malware threats. This commitment to transparent communication fosters a sense of community within the cybersecurity space, encouraging collaboration and knowledge exchange.

Ongoing Research and Threat Monitoring

The dedication of MalwareMustDie to its mission is evident in its ongoing research efforts. The group continues to post new Linux malware research, keeping the community informed about emerging threats and evolving tactics employed by cybercriminals. This commitment to continuous learning and adaptation is crucial in the ever-changing landscape of cybersecurity.

Future Directions and Challenges

As the cybersecurity landscape evolves, MalwareMustDie faces the ongoing challenge of staying ahead of emerging threats. The group's future directions may involve further collaboration with industry partners, law enforcement agencies, and the cybersecurity community to collectively strengthen defenses against cyber threats.


MalwareMustDie stands as a testament to the power of collaborative efforts in the fight against cyber threats. Its multifaceted approach, encompassing malware analysis, infrastructure dismantling, advocacy, and information sharing, positions the group as a proactive force within the cybersecurity community. By actively contributing to threat intelligence and taking direct action against malicious infrastructure, MalwareMustDie plays a crucial role in mitigating the impact of malware on the internet. Through its ongoing research and community engagement, the group remains a valuable asset in the collective endeavor to create a more secure digital landscape.

To summarize about MalwareMustDie:

Key aspects of MalwareMustDie's activities include:

Their dedication to reducing the impact of malware is evident in their multifaceted approach, from detailed analyses and information sharing to direct action against malicious infrastructure. The group's work contributes to the broader cybersecurity community by enhancing awareness, promoting collaboration, and actively countering cyber threats.

While the organization is recognized for its collective efforts, individual authors or leaders are not prominently mentioned in the provided information. MalwareMustDie continues to actively contribute to the field of cybersecurity by sharing research, analysis, and threat intelligence.

More about us

We aim to establish good relationships vertically with authorities, and horizontally with fellow researchers and security entities, so that cooperation can be enlisted in dismantling domains that host malware and its infection components on the internet.

Our analysis and reports can be viewed in our media, i.e. our blog. In every post we share not only analysis information but also research materials for education in malware analysis; to increase the malware detection ratio, we always upload our malware samples to VirusTotal after the analysis and the necessary precautions are done. We also share the methods we use for research in our shared code repository on GitHub, or its archive on Google Code, which contains tools, code and tips, and we share our research drafts, guides and security awareness through our Twitter account. You can reach our other shared information on media sites by using the menu links at the top of this page.

Some of our recent achievements can be viewed in the internet news, with the earliest news listed in the next section, and in this link you can review the background of why we started our workgroup.

We often use the term "crusade", which is taken from medieval terminology, but please don't get us wrong: it is the term we use for when a member is online and contributing his "rest or private" time to researching and analyzing a new threat or a malicious scheme. It is unrelated to the crusade era, even though we like to use many images of it. The research itself is conducted by the member(s) in their free time after daily work and is not related to their professional obligations; it is their contribution to our MalwareMustDie workgroup research, for the purpose of public awareness.

All research materials collected are evaluated and checked for credibility and quality before being posted on our sites as analysis research, passed as a report to the authorities, or published in the publication media mentioned above. We often encourage people in information security to interact with our security experts in malware analysis and infection handling by providing Q/A assistance via Twitter. All of the research information that we share is bound by our legal disclaimer.

Reports, news and mentions during establishment period

We collected the news about us from our earliest establishment period; it can be viewed in the list below.
Many thanks to the fellow researchers, news media and friends for kindly mentioning our work.

News: Die Malware Crusaders kämpfen gegen Schadsoftware. Hacker gegen Malware "Nachts nehmen wir Malware-Seiten hoch"
News (mentioned): The rise of the white hats
News: Second Version of Hlux/Kelihos Botnet Getting Smaller, MalwareMustDie disagrees with the figures..
News: Malware Must Die : Opération « Tango Down » sur des sites russes malveillants
News (mentioned): Kelihos Relying on CBL Blacklists to Evaluate New Bots
News: CookieBomb Attacks Compromise Legitimate Sites
News (mentioned/quoted): Exclusive: Ongoing malware attack targeting Apache hijacks 20,000 sites
Report: Deactivation of severe .RU malware infector domains (collaboration w/CERT-GIB friends)
Report: The shutdown of Malware Domains served by Malicious DNS
Report: Guide to decode Blackhole infected sites released
Mentioned: Octopi Managed Services: "About Malware Must Die"
Mentioned: Cisco Blog: New Fake UPS Malware Email Campaign
Mentioned: Eromang - Boeing-job.com Campaign and Adobe Flash 0days
Mentioned: Sam Bowne's CNIT 126: Practical Malware Analysis
Mentioned in Talos/VRT/Snort: The 0-day That Wasn't: Dissecting A Highly Obfuscated PDF Attack
Mentioned: Kahu Security - Clever Redirect to Impact EK
Mentioned: Contagio - Blackhole 2 exploit kit (partial pack) and ZeroAccess
Mentioned: E-Hacking News: Spam Tweets : "My aunt joined and is making 2k .."
Mentioned: 0x109 - Evading AV signatures, BHEK2 way
Mentioned: A Guide of confirming a hacked legit service by Blackhole Exploit Kit
Reference: Botnets.fr - Getting more personal and deeper into Cridex with parfeit credential stealer
Mentioned: Cyren - Analysis Drive-by-Malware - Eine Analyse (Eleven-securityblog.de)
Mentioned: DNS-BH Sinkhole - Big Update: 211 Serenity Exploit Kit, Malspam, Malicious Domains

Plenty more of the MalwareMustDie workgroup's work has been mentioned in internet media and security research reports since then.
Please search "MalwareMustDie" keyword in your favorite search engine for the "recent" news results.


If you are looking for our assistance, please do not hesitate to send a direct message to our Twitter account @malwaremustdie.
Or please leave a comment on our research/analysis blog, under the specific post you would like us to elaborate on or explain.

Your contact will be followed by handler(s) accordingly. Until then..stay safe!