Give your AI assistant the ability to triage malware.
Beta. Anubis is in active development. The six core tools work and are tested, but expect rough edges, breaking changes, and new features in upcoming releases. Feedback and issues are welcome.
Anubis is a Model Context Protocol (MCP) server that exposes a malware analyst's toolkit to any MCP-compatible AI client — Claude Desktop, Cursor, or the MCP Inspector. Drop a suspicious binary into your samples directory and ask your assistant "is this file malicious, and what does it do?" Anubis lets the AI call the right static-analysis tools and synthesize the findings into a readable triage report.
Built for SOC analysts, malware researchers, and detection engineers who want LLM-assisted triage without uploading samples to a third-party service. Everything runs locally.
Triaging a suspicious file means running the same handful of tools every time — hash it, check VirusTotal, pull strings, scan with YARA, inspect imports, glance at the disassembly — then mentally stitching the results together. It's repetitive, and it's exactly the kind of multi-tool synthesis LLMs are good at.
Anubis turns that workflow into a conversation. The analyst asks a question; the AI decides which tools to call, calls them, and explains what it found. The analyst stays in control of the verdict — Anubis just removes the busywork of running six tools by hand and correlating their output.
Three design commitments:
- Local-first. Samples never leave your machine. The only outbound call is an optional VirusTotal hash lookup — never an upload.
- Static only. Anubis reads, parses, hashes, and disassembles. It never executes a sample.
- Sandboxed. Every tool is locked to a single samples directory. Path traversal and symlink escapes are rejected.
Six static-analysis tools, exposed as MCP functions:
| Tool | What it does |
|---|---|
| inspect_file | Size, SHA-256, format detection (PE / ELF / Mach-O), import hash for PE |
| extract_strings | Surfaces suspicious strings only — URLs, IPs, registry keys, file paths, Win32 APIs |
| run_yara | Scans against a bundled, custom-authored YARA ruleset |
| check_hash | VirusTotal reputation lookup by SHA-256 — hash only, no upload |
| pe_imports | Lists imported DLLs/functions, flags injection and evasion APIs |
| disassemble_function | radare2 disassembly of any named function or address |
Ships with a curated detection ruleset of original YARA rules — no external rule downloads required to get started.
Tested against a live Linux ELF sample from MalwareBazaar (SHA-256 f29525ef…d932). The full triage took under a minute.
Identify the file — inspect_file reports a 4.5 MB statically-linked ELF. `file` confirms a Go BuildID: this is a Go-compiled binary.
Check reputation — check_hash returns the VirusTotal verdict:
```text
malicious: 14 / 75 engines
tags: elf, persistence, detect-debug-environment
```
Pull the strings — extract_strings surfaces the malware's own internals:
```text
Botnet/Methods
http://%s/bins.sh
http://%s/config.dat
Connecting to CNC...
Connected to CNC!
GET /config.dat HTTP/1.1
Loaded %d proxies for TLSPlusBypass
/etc/rc.local
/root/.bashrc
```
Read together, these describe a Go-compiled DDoS/proxy botnet: a hardcoded Botnet package, C2 endpoints for fetching payloads (/bins.sh) and config (/config.dat), a TLS-bypass proxy feature, and persistence via shell rc files.
Scan with YARA — Anubis's bundled ruleset fires on six independent indicators:
```text
Anubis_Go_Compiled_Binary
Anubis_Linux_Botnet_C2_Strings
Anubis_Browser_UserAgent_Impersonation
Anubis_Linux_Persistence_Paths
Anubis_Suspicious_Stripped_Static_ELF
Anubis_TLS_Proxy_Bypass
```
The detail worth noting: 61 of 75 commercial AV engines, and the widely-used signature-base ruleset, returned zero matches on this sample. Go-compiled malware is a known blind spot for traditional signatures — Go statically links its entire runtime, producing multi-megabyte binaries with no byte patterns in common with the C-compiled Mirai variants most rules target.
Anubis's rules close that gap by detecting behavioral string indicators (C2 messages, persistence paths, proxy-bypass features) and the Go-compilation fingerprint itself — and, just as importantly, they don't fire on traits the sample doesn't have (no cryptominer, reverse-shell, or packing rules triggered). Selective detection, not pattern-spraying.
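As an added illustration of the static steps in the walkthrough (this is example code, not Anubis's own implementation), the block below does format detection by magic bytes, SHA-256, a Go-compilation fingerprint, suspicious-string extraction, and a few toy rules that follow the same multiple-indicators-before-firing policy as the bundled ruleset. The regexes, marker strings, rule names and entropy threshold are this example's assumptions, and the byte blob it runs on is constructed from the strings quoted above; it is not the MalwareBazaar file.

```python
"""Added example, not code from the Anubis project: a stdlib-only sketch of the
static steps above (format detection, SHA-256, Go fingerprint, suspicious-string
extraction, multi-indicator rules) run over a constructed byte blob that mimics
the strings the MalwareBazaar sample produced. Regexes, markers, thresholds and
rule names are this example's assumptions, not Anubis's implementation."""
import hashlib
import math
import re
from collections import Counter

# Magic bytes for the three formats inspect_file distinguishes (assumed list).
MAGICS = {
    b"MZ": "PE",
    b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xce": "Mach-O", b"\xfe\xed\xfa\xcf": "Mach-O",
    b"\xce\xfa\xed\xfe": "Mach-O", b"\xcf\xfa\xed\xfe": "Mach-O",
}

def detect_format(data: bytes) -> str:
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_go_binary(data: bytes) -> bool:
    # Go embeds a build ID string and runtime symbol names; either is a strong
    # compiler fingerprint (heuristic assumed here, not Anubis's rule text).
    return any(m in data for m in (b"Go build ID:", b"go.buildid", b"runtime.gopanic"))

# Printable-ASCII runs of six or more bytes, the usual strings(1) behaviour.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Only these categories are surfaced; everything else is dropped as noise.
SUSPICIOUS = {
    "url": re.compile(rb"https?://[\w%./?=&:-]+"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(rb"HK(?:LM|CU|EY_[A-Z_]+)\\[\w\\]+"),
    "unix_path": re.compile(rb"/(?:etc|root|tmp|var|home|dev)/[\w./-]+"),
    "win32_api": re.compile(rb"\b(?:VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|IsDebuggerPresent)\b"),
    "c2_message": re.compile(rb"Connect(?:ing|ed) to CNC|bins\.sh|config\.dat"),
}

def extract_suspicious_strings(data: bytes) -> dict:
    hits = {cat: set() for cat in SUSPICIOUS}
    for run in _ASCII_RUN.findall(data):
        for cat, pat in SUSPICIOUS.items():
            for m in pat.findall(run):
                hits[cat].add(m.decode("ascii"))
    return {cat: sorted(v) for cat, v in hits.items() if v}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for uniform content, up to 8.0 for random/packed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Toy rules in the spirit of the bundled ruleset: each needs more than one
# indicator before it fires, which is what keeps false positives down.
RULES = {
    "go_compiled": lambda s, d: is_go_binary(d),
    "linux_botnet_c2_strings": lambda s, d: len(s.get("c2_message", [])) >= 2,
    "linux_persistence_paths": lambda s, d: len(
        {"/etc/rc.local", "/root/.bashrc", "/etc/crontab"} & set(s.get("unix_path", []))) >= 2,
    "high_entropy": lambda s, d: shannon_entropy(d) > 7.2,
}

def triage(data: bytes) -> dict:
    strings = extract_suspicious_strings(data)
    return {
        "sha256": sha256_hex(data),
        "format": detect_format(data),
        "go_compiled": is_go_binary(data),
        "strings": strings,
        "rules": [name for name, fn in RULES.items() if fn(strings, data)],
    }

# Constructed stand-in for the sample: an ELF64 e_ident followed by the strings
# quoted in the walkthrough. It is not the real MalwareBazaar file.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b'Go build ID: "abc123/xyz789"\x00'
    + b"Botnet/Methods\x00http://%s/bins.sh\x00http://%s/config.dat\x00"
    + b"Connecting to CNC...\x00Connected to CNC!\x00GET /config.dat HTTP/1.1\x00"
    + b"Loaded %d proxies for TLSPlusBypass\x00/etc/rc.local\x00/root/.bashrc\x00"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it directly to see the triage dictionary for the constructed sample: the three behavioural rules fire, the entropy rule stays quiet on plain-text strings, and the `ipv4`, `registry` and `win32_api` categories are absent because nothing matched them, which is the "selective detection" property the text describes.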
Requirements: Linux (tested on Kali, Debian, Fedora) · Python 3.10+ · uv · radare2 · a free VirusTotal API key (optional, only needed for check_hash)
```bash
# 1. System dependency
sudo apt install -y radare2

# 2. Clone and install
git clone https://github.com/Jeesun-38/anubis.git
cd anubis
uv venv
source .venv/bin/activate
uv pip install -r requirements.txt

# 3. Create your samples directory
mkdir -p ~/anubis-samples

# 4. Point Anubis at it (the bundled ruleset is used automatically)
export ANUBIS_SAMPLES_DIR="$HOME/anubis-samples"
export ANUBIS_YARA_DIR="$PWD/rules"
export VT_API_KEY="your_virustotal_api_key" # optional

# 5. Test it with the MCP Inspector
npx @modelcontextprotocol/inspector uv run server.py
```

The Inspector opens in your browser. Connect, list tools, drop a file into ~/anubis-samples/, and call inspect_file against it.
Add Anubis to your claude_desktop_config.json:
```json
{
  "mcpServers": {
    "anubis": {
      "command": "uv",
      "args": ["--directory", "/absolute/path/to/anubis", "run", "server.py"],
      "env": {
        "ANUBIS_SAMPLES_DIR": "/home/youruser/anubis-samples",
        "ANUBIS_YARA_DIR": "/absolute/path/to/anubis/rules",
        "VT_API_KEY": "your_key"
      }
    }
  }
}
```

Restart Claude Desktop, drop a sample into your samples directory, and ask it to analyze the file.
All configuration is via environment variables:
| Variable | Default | Purpose |
|---|---|---|
| ANUBIS_SAMPLES_DIR | ~/anubis-samples | Sandbox root — only files beneath this path can be analyzed |
| ANUBIS_YARA_DIR | ~/anubis-rules | Directory containing default.yar |
| ANUBIS_MAX_FILE_SIZE | 524288000 (500 MB) | Maximum analyzable file size |
| VT_API_KEY | (unset) | VirusTotal API v3 key; check_hash is disabled without it |
Anubis ships with rules/default.yar — a set of original, MIT-licensed YARA rules focused on areas where traditional rulesets are weak, especially Linux and Go-compiled malware:
| Rule | Targets |
|---|---|
| Anubis_Go_Compiled_Binary | Go-compilation fingerprint (BuildID, runtime symbols) |
| Anubis_Linux_Botnet_C2_Strings | CNC connection messages, payload/config endpoints |
| Anubis_Browser_UserAgent_Impersonation | Multiple hardcoded browser User-Agents |
| Anubis_Reverse_Shell_Patterns | /dev/tcp/, bash -i, nc -e, named-pipe shells |
| Anubis_Cryptominer_Indicators | Stratum URLs, miner names, mining pools |
| Anubis_Linux_Persistence_Paths | Multiple persistence locations in one binary |
| Anubis_Suspicious_Stripped_Static_ELF | Statically-linked, stripped ELF droppers |
| Anubis_TLS_Proxy_Bypass | Proxy-pool / TLS-inspection evasion features |
| Anubis_Embedded_Base64_ELF | Base64-encoded ELF payloads (f0VMR…) |
| Anubis_High_Entropy_File | Packed / encrypted / compressed content |
Most rules require multiple indicators before firing, to keep false positives low. To extend coverage, drop additional .yar files into your ANUBIS_YARA_DIR or merge in a third-party set such as signature-base (mind its separate license).
- Path sandboxing — every file-taking tool resolves input with `os.path.realpath()` and rejects anything outside `ANUBIS_SAMPLES_DIR`. `../` traversal and symlink escapes are blocked.
- No execution — Anubis performs static analysis only. It never runs a sample.
- No uploads — the only network call is an optional VirusTotal hash lookup. Sample bytes never leave the machine.
- Run live malware in a VM — analyze real samples inside a disposable VM with no egress to your host or sensitive systems. Anubis won't execute them, but treat samples as radioactive regardless.
- Not a network service — Anubis speaks MCP over local stdio. It has no authentication or rate limiting and is not built to be exposed over a network.
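The path-sandboxing rule above, written out as an added example (not Anubis's own code) so the traversal and symlink cases can be exercised against a throwaway directory. The function names, the exception type and the test layout are this example's assumptions; the mechanism is the one the note describes: canonicalise with `os.path.realpath()` and refuse anything that does not land under the sandbox root.

```python
"""Added example, not code from the Anubis project: a realpath-based sandbox
check in the spirit of the security note above. Names are assumptions."""
import os
import tempfile


class SandboxViolation(ValueError):
    """Raised for any input that does not resolve to a regular file under the root."""


def resolve_in_sandbox(user_path: str, sandbox_root: str) -> str:
    """Return the canonical path of user_path if it lies inside sandbox_root.

    Both sides go through os.path.realpath(), which follows symlinks and
    collapses '..' segments, so a link inside the sandbox that points outside
    resolves to its real target and is rejected like any other outside path.
    """
    root = os.path.realpath(sandbox_root)
    # Relative input is interpreted relative to the sandbox, never to the CWD.
    # os.path.join() drops root when user_path is absolute, which is intended.
    candidate = os.path.realpath(os.path.join(root, user_path))
    # commonpath() rather than startswith(): "/x/samples" must not accept
    # "/x/samples2/file", which a plain prefix check would let through.
    if os.path.commonpath([root, candidate]) != root:
        raise SandboxViolation(f"{user_path!r} resolves outside the samples directory")
    if not os.path.isfile(candidate):
        raise SandboxViolation(f"{user_path!r} is not a regular file in the samples directory")
    return candidate


def demo_sandbox() -> dict:
    """Build a constructed layout and record which inputs are accepted or rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "samples")
        os.makedirs(os.path.join(root, "sub"))
        secret = os.path.join(tmp, "secret.txt")  # lives outside the sandbox
        with open(secret, "w") as fh:
            fh.write("not for the analyst\n")
        with open(os.path.join(root, "sample.bin"), "wb") as fh:
            fh.write(b"\x7fELF")
        # A symlink placed inside the sandbox that points at the outside file.
        os.symlink(secret, os.path.join(root, "link_out"))

        cases = {
            "in_sandbox": "sample.bin",
            "dot_dot_traversal": "../secret.txt",
            "deep_traversal": "sub/../../secret.txt",
            "symlink_escape": "link_out",
            "absolute_outside": secret,
            "sibling_prefix": os.path.join(tmp, "samples2", "x.bin"),
        }
        for name, path in cases.items():
            try:
                resolve_in_sandbox(path, root)
                results[name] = "accepted"
            except SandboxViolation:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo_sandbox().items():
        print(f"{name:20s} {verdict}")
```

Only `sample.bin` is accepted; the `..` forms, the symlink, the absolute outside path and the sibling-directory prefix are all rejected. The sibling case is the one a naive `startswith()` check gets wrong, which is why the example uses `os.path.commonpath()`.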
Anubis is beta. Planned for upcoming releases:
- `detect_go_malware` — recover Go package paths from stripped binaries and flag malicious package names
- `extract_iocs` — return structured IOCs (IPs, domains, hashes) instead of raw strings
- `elf_sections`/`pe_sections` — per-section entropy analysis
- Capa integration for capability detection
- Expanded Linux/ELF rule coverage
- Docker image for one-command setup
Licensed under the MIT License. The bundled YARA ruleset is original work, also MIT-licensed.
Built on the open-source work of:
- Model Context Protocol — the open AI-tool integration standard
- radare2 · LIEF · yara-python
- MalwareBazaar — free malware samples for research
