Dual-Framework Cyber Threat Intelligence Platform
Paste suspicious code. Get instant AI-powered threat intelligence in under 20 seconds, mapped to MITRE ATT&CK and MITRE ATLAS.
DarkDecoder is the only free tool that combines two official cyber threat frameworks (MITRE ATT&CK for traditional malware and MITRE ATLAS for AI/ML adversarial threats) in a single platform.
Security analysts waste hours manually cross-referencing malicious code against threat databases. DarkDecoder does it in 20 seconds: paste code and get a full breakdown, including a danger score, technique mappings, IOCs, kill chain, remediation steps, and exportable reports.
- Deobfuscates base64, hex, eval chains, string concatenation
- Classifies malware type: Ransomware, Keylogger, Reverse Shell, Cryptominer, Webshell, and more
- Danger score 1-10 with full justification
- Maps to MITRE ATT&CK T-codes (T1059, T1547, T1486, etc.)
- Extracts IOCs: IPs, domains, URLs, file paths, registry keys, mutexes
- Plain English summary for non-technical stakeholders
- Actionable remediation steps
- Detects prompt injection attacks targeting LLM-based systems
- Identifies jailbreak and safety guardrail bypass techniques
- Flags training data poisoning and backdoor injection samples
- Catches model extraction and membership inference queries
- Maps directly to MITRE ATLAS AML.TXXXX codes, the official AI adversarial threat framework
- Full 10-phase ATT&CK kill chain visualization
- Weaponization score + stealth rating (1-10)
- Privilege escalation level: None → Local → Admin → Domain Admin → SYSTEM/Root
- Detection difficulty rating + CVSS vector string generation
- Named APT group / threat actor similarity matching
- Full attack narrative from an adversary perspective
| Feature | Details |
|---|---|
| File Upload | .py .js .php .ps1 .sh .bat .rb .go .cs .vbs (up to 200 MB) |
| Report Export | PDF · JSON · TXT, one click for all modules |
| Attack Timeline | Step-by-step progression with MITRE technique IDs |
| Session History | All scans logged with timestamps in sidebar |
| Hash Analysis | SHA256 + MD5 computed on every submission |
| Built-in Samples | Pre-loaded demo payloads for instant testing |
| Zero Cost | Runs entirely on Groq's free tier, no credit card |
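An added example, not DarkDecoder's own code, of the pre-analysis steps the feature list and table describe: merge concatenated string fragments, peel base64 and `\x`-hex layers, extract IOCs from every uncovered layer, and compute SHA256 and MD5 over the submission as received. The sample input, regexes and function names are constructed for illustration and are not the project's.

```python
import base64
import binascii
import hashlib
import re
# Constructed sample (not real malware); 203.0.113.0/24 is a documentation address range.
_B64_URL = base64.b64encode(b"http://203.0.113.7/update.txt").decode()
SAMPLE = (f"$u = '{_B64_URL[:20]}' + '{_B64_URL[20:]}'\n"
          "Set-ItemProperty 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Updater -Value $u\n")
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")  # 'a' + "b"
_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
_HEX = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s'\"<>]+"),
    "registry": re.compile(r"HK(?:LM|CU|CR|U|CC)\\[^\s'\"]+"),
}

def join_concats(text: str) -> str:
    """Merge 'a' + 'b' into 'ab' repeatedly until nothing changes."""
    while True:
        new = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), text)
        if new == text:
            return new
        text = new

def decode_layers(text: str, max_depth: int = 5) -> list[str]:
    """Return the joined input followed by every base64 or \\x-hex layer it hides."""
    layers = [join_concats(text)]
    frontier = list(layers)
    for _ in range(max_depth):
        found = []
        for chunk in frontier:
            for m in _B64.finditer(chunk):
                try:
                    found.append(join_concats(base64.b64decode(m.group(0), validate=True).decode()))
                except (binascii.Error, UnicodeDecodeError):
                    pass  # not real base64, or binary output: skip this blob
            for m in _HEX.finditer(chunk):
                found.append(bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"))
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers

def analyze(text: str) -> dict:
    """Hash the submission as received, then deobfuscate it and pull IOCs from every layer."""
    raw, layers = text.encode("utf-8"), decode_layers(text)
    iocs = {k: {hit for layer in layers for hit in p.findall(layer)} for k, p in IOC_PATTERNS.items()}
    return {"sha256": hashlib.sha256(raw).hexdigest(), "md5": hashlib.md5(raw).hexdigest(),
            "layers": layers, "iocs": iocs}
```

`analyze(SAMPLE)` returns the hashes, both layers (the joined script and the decoded URL) and the IOC sets; the URL and IP are only visible because extraction runs over the decoded layer, not just the surface text.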
| Component | Technology |
|---|---|
| AI Engine | Groq API (Llama 3.3 70B Versatile) |
| Threat Framework 1 | MITRE ATT&CK v14 |
| Threat Framework 2 | MITRE ATLAS (AI/ML adversarial threats) |
| Backend | Python 3.10+ |
| Frontend | Streamlit |
| PDF Generation | fpdf2 |
| Environment | python-dotenv |
```bash
# 1. Clone
git clone https://github.com/Pyhroff/darkdecoder
cd darkdecoder
# 2. Install dependencies
pip install -r requirements.txt
# 3. Add your free Groq API key
cp .env.example .env
# Open .env and set: GROQ_API_KEY=your_key_here
# 4. Run
streamlit run app.py
```

Get a free Groq API key at console.groq.com: no credit card, 14,400 requests/day on the free tier.
| Module | Sample Payloads |
|---|---|
| Malware Scanner | PowerShell Dropper · Python Reverse Shell · JS Cryptominer · PHP Webshell · Ransomware Stub |
| AI Threat Analyzer | Prompt Injection · Data Poisoning · Model Extraction · Jailbreak Attempt |
| Red Team Intel | Privilege Escalation · Lateral Movement · Defense Evasion · C2 Beacon |
| Feature | DarkDecoder | VirusTotal | Traditional SIEMs |
|---|---|---|---|
| MITRE ATT&CK mapping | β | Partial | β (paid) |
| MITRE ATLAS (AI threats) | β | β | β |
| Red team kill chain | β | β | β |
| Free tier | β | β | β |
| Self-hostable | β | β | β |
| Explains WHY | β | β | β |
```text
darkdecoder/
├── app.py                # Main Streamlit UI
├── analyzer.py           # MITRE ATT&CK malware scanner
├── ai_analyzer.py        # MITRE ATLAS AI threat detector
├── redteam_analyzer.py   # Red team kill chain analyzer
├── report_generator.py   # PDF report generation
├── requirements.txt
├── .env.example
└── .gitignore
```
MIT License: free to use, modify, and deploy.
DarkDecoder: because malware doesn't explain itself.