ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.
Switch branches/tags
Nothing to show
Clone or download
Latest commit f2e9f5d Sep 28, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
core MalShare HTTPS. Sep 28, 2018
data v1.0.0 initial commit. Sep 14, 2018
res v1.0.0 initial commit. Sep 14, 2018
tmp v1.0.0 initial commit. Sep 14, 2018
LICENSE Create LICENSE Mar 4, 2018 v1.0.0 initial commit. Sep 14, 2018 v1.0.0 initial commit. Sep 14, 2018 Readme update. Sep 14, 2018
requirements.txt v1.0.0 initial commit. Sep 14, 2018 v1.0.0 initial commit. Sep 14, 2018


ph0neutria malware crawler


ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.

This project was inspired by Ragpicker (, formerly known as "Malware Crawler"). However, ph0neutria aims to:

  • Limit the scope of crawling to only frequently updated and reliable sources.
  • Maximise the effectiveness of individual indicators.
  • Offer a single, reliable and well organised storage mechanism.
  • Not do work that can instead be done by Viper.

What does the name mean? "Phoneutria nigriventer" is commonly known as the Brazillian Wandering Spider:


As of version 1.0.0 all sources are created as 'plugins', found in the plugin sub-directory of the core scripts folder. Default sources are:

  • CleanMX (requires approved user-agent).
  • Cymon, which includes: trackers, Bambenek C2 feed, Cyber Crime Tracker, Malc0de, URLVir and VX Vault.
  • Hybrid Analysis (requires vetted API key).
  • OTX.
  • Shodan, using the Malware Hunter search facility.
  • URLhaus.

Each plugin has parameters that must be completed prior to operation. You'll find these at the top of each plugin file.

VirusTotal is a core component of ph0neutria that cannot be disabled. IP lists are fed into it to discover URL's that are known for the IP's. If you have a standard 5 request/minute API key then I'd encourage being conservative with what you feed it. You can do this by:

  • Reducing the number of Cymon feeds.
  • Reducing your OTX subscription count.
  • Setting the Hybrid Analysis SCORE_MIN parameter to 100.



Version Notes

  • 0.6.0: Tor proxying requires pysocks (pip install pysocks) and at least version 2.10.0 of python requests for SOCKS proxy support.
  • 0.9.0: OSINT functionality pulled from Phage Malware Tracker (private project) - requires VirusTotal API key. More robust retrieval of wild files. Local URL and hash caching (reduces API load).
  • 0.9.1: Updated to use V3 Viper API. No longer compatiable with V2.
  • 1.0.0: Major update. Pull from Safari Guide malware pipeline. Plugin architecture. Python 3.0.


The following script will install ph0neutria along with Viper and Tor:

chmod +x  
sudo ./  

Simple as that!


Configure additional ClamAV signatures:

cd /tmp  
git clone  
cd clamav-unofficial-sigs  
cp /usr/local/bin  
chmod 755 /usr/local/bin/  
mkdir /etc/clamav-unofficial-sigs  
cp config/* /etc/clamav-unofficial-sigs  
cd /etc/clamav-unofficial-sigs

Rename os..conf to os.conf, for example:

mv os.ubuntu.conf os.conf  

Modify configuration files:

  • master.conf: search for "Enabled Databases" and enable/disable desired sources.
  • user.conf: uncomment the required lines for sources you have enabled and complete them. user.conf overrides master.conf. You must uncomment user_configuration_complete="yes" once you've completed setup for the following commands to succeed.

For more configuration info see:

mkdir /var/log/clamav-unofficial-sigs --install-cron --install-logrotate --install-man  
cd /tmp/clamav-unofficial-sigs  
cp systemd/\* /etc/systemd  
cd ..  
rm -rf clamav-unofficial-sigs*  

It'll take a while to pull down the new signatures - during which time ClamAV may not be available.


Take precautions when piecing together your malware zoo:

Ensure Tor is started:

service tor restart

Start the Viper API and web interface:

cd /opt/viper  
sudo -H -u spider python3 viper-web

Take note of the admin password that is created when Viper is started. Use this to log into http://<viper IP\>:<viper port>/admin (default: and retrieve the API token from the Tokens page.

The main Viper web interface will be available at http://<viper IP>:<viper port> (default:

  • Complete the config file at: /opt/ph0neutria/core/config/settings.conf
  • Complete the parameters at the top of each plugin. If you wish to disable the plugin, set DISABLED = True: /opt/ph0neutria/core/plugins/*.py

Start ph0neutria:

cd /opt/ph0neutria  
sudo -H -u spider pytho3n

You can press Ctrl+C at any time to kill the run. You are free to run it again as soon as you'd like - you can't end up with database duplicates.

To run this daily, create a script in /etc/cron.daily with the following:

cd /opt/ph0neutria && sudo -H -u spider python3*

Tags and Notes


  • Date stamp.
  • Sample domain.
  • Host ASN.
  • Host country.

{1)({2}) via {3}

  • Sample URL.
  • Host IP address.
  • URL source.

The original name of the file forms the identifying name within Viper.