MalwareConfig - archive & analysis

This domain hosted MalwareConfig.com, an open configuration-extraction service operated by Kevin Breen between 2014 and 2019. At its peak the service indexed 25,473 malware configs across families like njRat, DarkComet, Xtreme RAT, adWind, Dridex, NanoCore, and Pony.

The original service is no longer running. This archive preserves what it was, links to the projects that filled the gap, and runs an occasional technical writeup on the same kinds of questions the service answered: how do these families store their config, and how do you extract it without running the sample?

The historical subdomains have their own pages: aptnotes, viper, dridex.

writeups

2026-06-02 APT reports in the post-APTNotes era: how the open-source threat-intel archive ecosystem works in 2026 apt · threat-intel · archives · aptnotes · malpedia
2026-05-16 What I miss about the 2010s malware analysis web editorial · history · tooling
2026-05-06 Modern stealer config formats: how Lumma, Atomic, and DanaBot store their C2 data config-extraction · stealers · lumma · atomic · danabot
2026-04-27 What I use instead of malwareconfig.com (notes from the new operator) config-extraction · tooling · sandboxes · archive