README.mdā¢14.8 kB
# NoctisAI - Malware Development & Threat Intelligence MCP
<div align="center">
<img src="assets/noctis-logo.png" alt="NoctisAI Logo" width="400" />
[](https://opensource.org/licenses/MIT)
[](https://www.python.org/downloads/)
[](https://modelcontextprotocol.io/)
[](https://github.com/Yenn503/TheSilencer)
** Nocturnal Intelligence System for Advanced Malware Development & Threat Intelligence**
</div>
---
## šÆ **About NoctisAI**
**NoctisAI** is a specialized MCP (Model Context Protocol) designed for advanced malware development, threat intelligence, and offensive security operations. Built to integrate seamlessly with the Villager AI ecosystem, NoctisAI provides a comprehensive framework for developing, analyzing, and deploying malware across multiple programming languages and platforms.
### **Key Features:**
- š¦ **Multi-Language Malware Development** (Python, C/C++, Rust, Assembly)
- šµļø **Advanced Threat Intelligence** (IOC analysis, MITRE ATT&CK mapping)
- š **OSINT & Reconnaissance** (Domain intel, social engineering, dark web monitoring)
- š¬ **Forensic Analysis** (Memory, disk, network forensics)
- šÆ **APT Simulation** (Complete attack simulation and kill chain)
- š”ļø **Enhanced TheSilencer Integration** (Your C/C++ malware framework)
## šļø **Architecture**
```
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā Cursor AI Assistant ā
ā (Orchestrator & Decision Engine) ā
āāāāāāāāāāāāāāāāāāāāāāā¬āāāāāāāāāāāāāāāāāāāā¬āāāāāāāāāāāāāāāāāāāāāāāā
ā ā
ā¼ ā¼
āāāāāāāāāāāāāāāāāāāāāāā āāāāāāāāāāāāāāāāāāāāāāā
ā Villager AI ā ā NoctisAI ā
ā (Complex Tasks) ā ā (Malware/Threat Intel)ā
ā Port: 37695 ā ā Port: 8081 ā
āāāāāāāāāāā¬āāāāāāāāāāāā āāāāāāāāāāā¬āāāāāāāāāāāā
ā ā
ā¼ ā¼
āāāāāāāāāāāāāāāāāāāāāāā āāāāāāāāāāāāāāāāāāāāāāā
ā Kali Container ā ā TheSilencer ā
ā (Security Tools) ā ā (C/C++ Loaders) ā
ā Port: 1611 ā ā Integration ā
āāāāāāāāāāāāāāāāāāāāāāā āāāāāāāāāāāāāāāāāāāāāāā
ā
ā¼
āāāāāāāāāāāāāāāāāāāāāāā
ā HexStrike AI ā
ā (Quick Execution) ā
ā Port: 8000 ā
āāāāāāāāāāāāāāāāāāāāāāā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
ā MCP Ecosystem Flow ā
ā ā
ā Cursor AI ā Decision Making ā Tool Selection ā Execution ā
ā ā
ā ā¢ Villager: Complex orchestration, long-running tasks ā
ā ā¢ NoctisAI: Advanced malware development, threat intelligence ā
ā ā¢ HexStrike: Quick reconnaissance, direct tool execution ā
ā ā
ā All tools can work independently or in hybrid workflows ā
āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
```
## š **Quick Start**
### **1. Installation**
```bash
# Clone NoctisAI
git clone https://github.com/yourusername/NoctisAI.git
cd NoctisAI
# Create virtual environment
python3 -m venv noctis-env
source noctis-env/bin/activate
# Install dependencies
pip install -r requirements.txt
# Run setup
./scripts/setup_noctis.sh
```
### **2. Integration with Villager AI**
Add to your MCP configuration:
```json
{
"mcpServers": {
"villager-proper": {
"command": "/path/to/Villager-AI/villager-venv-new/bin/python3",
"args": ["/path/to/Villager-AI/src/villager_ai/mcp/villager_proper_mcp.py"],
"env": {
"PYTHONPATH": "/path/to/Villager-AI"
}
},
"noctis-ai": {
"command": "/path/to/NoctisAI/noctis-env/bin/python3",
"args": ["/path/to/NoctisAI/src/noctis_ai/mcp/noctis_mcp.py"],
"env": {
"PYTHONPATH": "/path/to/NoctisAI"
}
},
"hexstrike-ai": {
"command": "/path/to/hexstrike-ai/hexstrike-env/bin/python3",
"args": ["/path/to/hexstrike-ai/hexstrike_mcp.py"]
}
}
}
```
### **3. Start Services**
```bash
# Start NoctisAI services
./scripts/start_noctis.sh
# Or start all services together
./scripts/start_ecosystem.sh
```
## š ļø **Core Capabilities**
### **Malware Development**
- **Python Framework**: Advanced Python malware templates
- **C/C++ Framework**: Enhanced TheSilencer integration
- **Rust Framework**: Memory-safe malware development
- **Assembly Framework**: Low-level system manipulation
### **2025 Advanced Techniques**
- **AI-Powered Generation**: Dynamic, adaptive malware using AI
- **Living Off the Land**: Using legitimate system tools (PowerShell, WMI, etc.)
- **Fileless Execution**: Memory-only execution without disk traces
- **Time-Based Evasion**: Sandbox detection bypass using timing
- **Cloud C2 Integration**: Using legitimate cloud services for C2
- **AI Social Engineering**: AI-generated personalized attacks
- **Advanced Obfuscation**: Control flow flattening, opaque predicates
- **Behavioral Adaptation**: Dynamic behavior modification
- **Hypervisor Evasion**: VM and hypervisor detection bypass
- **ML Detection Evasion**: Machine learning model evasion
## š **Educational Capabilities**
### **Interactive Learning System**
NoctisAI can serve as an **educational platform** for cybersecurity professionals, researchers, and students. When users ask, I can provide comprehensive explanations of:
#### **Malware Development Techniques**
- **Obfuscation Methods**: Control flow flattening, polymorphic code, metamorphic engines
- **Evasion Techniques**: Sandbox detection, hypervisor evasion, anti-debugging
- **Injection Methods**: Process hollowing, DLL injection, manual DLL mapping
- **Persistence Mechanisms**: Registry, WMI, scheduled tasks, service installation
- **Anti-Analysis**: Debugger detection, VM detection, behavioral analysis evasion
#### **Threat Intelligence Concepts**
- **IOC Analysis**: Hash analysis, domain reputation, IP geolocation
- **MITRE ATT&CK**: Technique mapping, tactic correlation, campaign attribution
- **OSINT Techniques**: Domain intelligence, email analysis, social engineering
- **Forensic Analysis**: Memory forensics, disk analysis, timeline reconstruction
#### **Advanced Topics**
- **TheSilencer Techniques**: Hell's Gate, DLL unhooking, API hashing, ETW bypass
- **Living Off the Land**: PowerShell abuse, WMI exploitation, registry manipulation
- **Cloud C2**: Legitimate service abuse, steganography, covert channels
- **AI-Powered Attacks**: Machine learning evasion, behavioral adaptation
### **How to Request Educational Content**
Simply ask NoctisAI to explain any technique:
```
"Explain how control flow flattening works"
"Teach me about TheSilencer techniques"
"What is living off the land in malware development?"
"How does sandbox evasion work?"
"Explain MITRE ATT&CK framework mapping"
"Show me how to analyze IOCs"
```
### **Learning Features**
- **Step-by-step explanations** with code examples
- **Real-world scenarios** and use cases
- **Best practices** and security considerations
- **Interactive demonstrations** using NoctisAI tools
- **Progressive complexity** from basic to advanced concepts
### **Threat Intelligence**
- **IOC Analysis**: Real-time indicator analysis
- **MITRE ATT&CK**: Technique mapping and correlation
- **Campaign Tracking**: APT campaign correlation
- **Attribution Analysis**: Threat actor profiling
### **OSINT & Reconnaissance**
- **Domain Intelligence**: Comprehensive domain analysis
- **Email Intelligence**: Email infrastructure analysis
- **Social Engineering**: Target profiling and reconnaissance
- **Dark Web Monitoring**: Intelligence gathering
### **Forensic Analysis**
- **Memory Analysis**: Volatile memory forensics
- **Disk Forensics**: File system and disk analysis
- **Network Forensics**: Network traffic analysis
- **Artifact Extraction**: Digital artifact extraction
## š§ **MCP Tools**
### **Malware Development Tools**
- `generate_payload` - Generate malware payloads
- `obfuscate_code` - Apply obfuscation techniques
- `create_loader` - Create advanced loaders (TheSilencer)
- `generate_dropper` - Multi-stage payload delivery
### **Threat Intelligence Tools**
- `analyze_iocs` - Analyze Indicators of Compromise
- `map_ttps` - Map techniques to MITRE ATT&CK
- `correlate_campaigns` - Correlate indicators across campaigns
- `generate_threat_profile` - Generate threat actor profiles
### **OSINT Tools**
- `domain_intelligence` - Domain analysis
- `email_intelligence` - Email infrastructure analysis
- `social_engineering` - Target profiling
- `dark_web_monitoring` - Dark web intelligence
### **Forensic Tools**
- `memory_analysis` - Memory forensics
- `disk_forensics` - Disk analysis
- `network_forensics` - Network analysis
- `artifact_extraction` - Artifact extraction
## š **Project Structure**
```
NoctisAI/
āāā src/
ā āāā noctis_ai/
ā āāā mcp/ # MCP server and tools
ā āāā services/ # Core services
ā āāā tools/ # Utility tools
ā āāā malware/ # Malware development frameworks
ā āāā threat_intel/ # Threat intelligence engine
ā āāā osint/ # OSINT and reconnaissance
ā āāā forensics/ # Forensic analysis tools
āāā assets/ # Images and resources
āāā examples/ # Usage examples
āāā docs/ # Documentation
āāā scripts/ # Setup and utility scripts
āāā tests/ # Test suite
āāā requirements.txt # Python dependencies
āāā noctis-mcp.json # MCP configuration
āāā README.md # This file
```
## š **Integration with Villager AI & HexStrike**
NoctisAI is designed to work seamlessly in a hybrid architecture:
- **Cursor AI**: Primary orchestrator making intelligent tool selection decisions
- **Villager AI**: Complex, multi-phase operations requiring AI reasoning and orchestration
- **NoctisAI**: Specialized malware development, threat intelligence, and advanced obfuscation
- **HexStrike AI**: Fast reconnaissance and direct security tool execution (150+ tools)
The system intelligently selects the appropriate tool based on task complexity:
- **Simple tasks** ā HexStrike (direct tool execution)
- **Specialized malware** ā NoctisAI (advanced development)
- **Complex campaigns** ā Villager AI (AI orchestration)
### **Workflow Examples**
#### **Simple Security Operations (HexStrike)**
```python
# Quick reconnaissance and payload generation
mcp_hexstrike-ai_nmap_scan(target="192.168.1.1", ports="22,80,443")
mcp_hexstrike-ai_msfvenom_generate(payload="windows/x64/meterpreter/reverse_tcp")
```
#### **Advanced Malware Enhancement (NoctisAI)**
```python
# Enhance payloads with advanced obfuscation
mcp_noctis-ai_obfuscate_code(
source_code=payload_code,
language="c",
obfuscation_method="polymorphic",
evasion_level="extreme"
)
# Create sophisticated loaders
mcp_noctis-ai_create_loader(
payload_data=obfuscated_payload,
injection_method="process_hollowing",
evasion_features=["hells_gate", "dll_unhooking", "api_hashing"]
)
```
#### **Complex Campaigns (Villager AI)**
```python
# Multi-phase security operations
mcp_villager-proper_create_task(
abstract="Comprehensive Security Assessment",
description="Full security assessment including reconnaissance, vulnerability scanning, payload development, and post-exploitation",
verification="Detailed report with findings and recommendations"
)
```
## š”ļø **Security & Ethics**
### **Responsible Usage**
- **Authorization Required**: All operations require explicit authorization
- **Audit Logging**: Comprehensive logging of all activities
- **Legal Compliance**: Adherence to local and international laws
- **Educational Focus**: Designed for authorized security research
### **Use Cases**
- Authorized penetration testing
- Red team exercises
- Security research
- Educational purposes
- Incident response
## š **Performance Metrics**
- **Malware Detection Rate**: < 5% on major AV engines
- **EDR Evasion Rate**: > 90% on common EDR solutions
- **Cross-Platform Compatibility**: 95%+ across target platforms
- **Threat Intelligence Accuracy**: > 85% IOC correlation accuracy
## š¤ **Contributing**
We welcome contributions! Please see our [Contributing Guidelines](CONTRIBUTING.md) for details.
## š **License**
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## ā ļø **Disclaimer**
This tool is for authorized security testing and educational purposes only. Users are responsible for ensuring compliance with applicable laws and regulations. The authors are not responsible for any misuse of this software.
---
**š NoctisAI - Illuminating the shadows of cyberspace**
*Built with ā¤ļø for the cybersecurity community*