What inspired the creation of MalwareGallery.com, and how has the site’s mission or scope evolved since you launched?
The inspiration for Malware Gallery comes directly from my personal history, going back more than 20 years. I grew up within what was then called the “Trojan Scene,” a community that evolved on dedicated IRC servers, bulletin boards, and forums where people exchanged projects and ideas related to malware development. Many of the principles established during that period remain relevant today, even if they are no longer referred to in the same way, and they continue to shape the modern malware landscape.
Back then, several independent websites already existed to catalog new malware families. Their releases and updates were highlighted and documented on specialized underground platforms, two well-known examples being the infamous Progenic site and MegaSecurity.
Malware Gallery was created with a similar purpose: to serve as a reference point for malware families from this period. However, it was designed to offer a more modern and user-friendly browsing experience. As a tribute to its heritage, the site also includes the original MegaSecurity database in the Archives section, with the approval of MegaSecurity’s founder.
Initially, Malware Gallery was simply a platform showcasing malware families, primarily Remote Access Trojans, which have had a lasting impact on the field. Much like the earlier platforms I mentioned, it served mainly as a reference point. However, it quickly evolved into something more complete, incorporating detailed documentation of malware features and techniques. To make these concepts more tangible, the site now also provides code snippets illustrating how such techniques were implemented in practice.
The project is not only a digital museum but also a growing reference for both cybersecurity professionals and students. It provides a way to learn new techniques, recognize patterns, and ultimately improve responses to emerging threats.
How do you decide which malware families, releases, techniques, or code snippets to include in the collection, and what is your sourcing process?
Over the past 20 years, I have collected thousands of malware families. For the digital museum section of Malware Gallery, the focus is deliberately limited to malware developed between the late 90s and 2010. This period is often considered the “golden age of malware,” a time when many authors created malware primarily for learning, experimentation, and sharing knowledge, rather than for profit or large-scale destruction. While financial or destructive motives certainly existed, they were less dominant compared to today.
Within this historical scope, Malware Gallery highlights the most impactful families, with a particular focus on Remote Access Trojans (RATs) and related hacking tools. To be included, a malware family must typically have featured a builder (the tool used to generate the malware) and/or a command-and-control component with a graphical interface. These graphical interfaces were especially significant, as they made malware more accessible to a wider range of users, including less technical actors often referred to as “script kiddies.”
Code snippets, on the other hand, follow a different approach. They are not tied to a specific era but are selected for their technical value. Some illustrate historical concepts from the golden age, while others demonstrate techniques that remain highly relevant in today’s malware landscape. This combination allows the platform to bridge past and present, offering both historical perspective and practical insights for modern cybersecurity learning.
What measures do you take to ensure accuracy and trustworthiness of the technical information (e.g. techniques, APIs, authors, releases) provided on MalwareGallery?
Currently, Malware Gallery does not accept public contributions, so all code snippets and technical content are created and documented by me. This ensures that the information is accurate and consistent.
When public contributions are eventually enabled, I plan to implement a robust validation process to maintain trustworthiness. This will include verifying code authorship, confirming that code snippets function as intended, and ensuring that any malware families submitted meet the historical period and specific inclusion criteria established for the platform. These measures will help maintain both technical accuracy and the integrity of the collection.
How do you balance making malware research and information accessible to security researchers and students, while preventing misuse or abuse of the data hosted?
In truth, it is impossible to completely prevent misuse or abuse of information shared online. My approach is guided by the principle that knowledge itself is inherently more valuable than the risks of potential misuse. Hiding knowledge to prevent its use for harmful purposes is, in my view, counterproductive. Those with malicious intent will find ways to achieve their goals; it is only a matter of time and effort.
This reality has become even more true with the arrival of LLMs. Today, even individuals with limited technical expertise can generate harmful code capable of creating functional malware, ranging from the most basic crypto miners and ransomware to data stealers, without needing deep programming knowledge. In this context, restricting access to knowledge would primarily restrict those who could use it for good: cybersecurity professionals, students, and curious minds.
By making information accessible, Malware Gallery empowers users to understand how malware works, recognize malicious patterns, and develop effective defenses. In essence, transparency and education increase resilience and reduce vulnerability, equipping the “good actors” in cybersecurity with the tools and awareness they need to respond to threats effectively. Knowledge, when shared responsibly, becomes a force for protection rather than exploitation.
It is important to understand that, despite any amount of effort or security mechanisms, any software can be misused. Open source software and libraries can be used or modified for malicious purposes, code snippets can be repurposed with harmful intent, and even operating system documentation can serve as a blueprint for creating malware. The potential for misuse exists in virtually all technical resources.
What future features or expansions are you planning (for example interactive analysis, community contributions, or integration with threat intelligence tools)?
Malware Gallery is still in its early stages, as development is primarily done during my personal time. As such, the roadmap is shaped by the time I can dedicate to the project. In the near term, the priority is to continue filling gaps in the malware families and releases sections by documenting additional impactful malware families. Following this, I plan to progressively expand the library of techniques and code snippets. Once a solid foundation is established, the platform will be opened to public contributions to accelerate content growth and community engagement.
Regarding more advanced features, such as interactive analysis and integration with threat intelligence tools, these possibilities are not excluded. One idea under consideration is the implementation of a file scanner that could identify techniques in unknown or untrusted binaries, highlighting potential harmful or unexpected actions. This approach would be somewhat similar to the work we have done on the Unprotect Project (unprotect.it) with Thomas Roccia, which focused specifically on malware evasion techniques.