NoctisAI - Malware Development & Threat Intelligence MCP

License: MIT Python 3.8+ MCP Compatible Malware Dev

** Nocturnal Intelligence System for Advanced Malware Development & Threat Intelligence**

🎯 About NoctisAI

NoctisAI is a specialized MCP (Model Context Protocol) designed for advanced malware development, threat intelligence, and offensive security operations. Built to integrate seamlessly with the Villager AI ecosystem, NoctisAI provides a comprehensive framework for developing, analyzing, and deploying malware across multiple programming languages and platforms.

Key Features:

🦠 Multi-Language Malware Development (Python, C/C++, Rust, Assembly)
🕵️ Advanced Threat Intelligence (IOC analysis, MITRE ATT&CK mapping)
🔍 OSINT & Reconnaissance (Domain intel, social engineering, dark web monitoring)
🔬 Forensic Analysis (Memory, disk, network forensics)
🎯 APT Simulation (Complete attack simulation and kill chain)
🛡️ Enhanced TheSilencer Integration (Your C/C++ malware framework)

🏗️ Architecture

┌─────────────────────────────────────────────────────────────────┐ │ Cursor AI Assistant │ │ (Orchestrator & Decision Engine) │ └─────────────────────┬───────────────────┬───────────────────────┘ │ │ ▼ ▼ ┌─────────────────────┐ ┌─────────────────────┐ │ Villager AI │ │ NoctisAI │ │ (Complex Tasks) │ │ (Malware/Threat Intel)│ │ Port: 37695 │ │ Port: 8081 │ └─────────┬───────────┘ └─────────┬───────────┘ │ │ ▼ ▼ ┌─────────────────────┐ ┌─────────────────────┐ │ Kali Container │ │ TheSilencer │ │ (Security Tools) │ │ (C/C++ Loaders) │ │ Port: 1611 │ │ Integration │ └─────────────────────┘ └─────────────────────┘ │ ▼ ┌─────────────────────┐ │ HexStrike AI │ │ (Quick Execution) │ │ Port: 8000 │ └─────────────────────┘ ┌─────────────────────────────────────────────────────────────────┐ │ MCP Ecosystem Flow │ │ │ │ Cursor AI → Decision Making → Tool Selection → Execution │ │ │ │ • Villager: Complex orchestration, long-running tasks │ │ • NoctisAI: Advanced malware development, threat intelligence │ │ • HexStrike: Quick reconnaissance, direct tool execution │ │ │ │ All tools can work independently or in hybrid workflows │ └─────────────────────────────────────────────────────────────────┘

🚀 Quick Start

1. Installation

# Clone NoctisAI git clone https://github.com/yourusername/NoctisAI.git cd NoctisAI # Create virtual environment python3 -m venv noctis-env source noctis-env/bin/activate # Install dependencies pip install -r requirements.txt # Run setup ./scripts/setup_noctis.sh

2. Integration with Villager AI

Add to your MCP configuration:

{ "mcpServers": { "villager-proper": { "command": "/path/to/Villager-AI/villager-venv-new/bin/python3", "args": ["/path/to/Villager-AI/src/villager_ai/mcp/villager_proper_mcp.py"], "env": { "PYTHONPATH": "/path/to/Villager-AI" } }, "noctis-ai": { "command": "/path/to/NoctisAI/noctis-env/bin/python3", "args": ["/path/to/NoctisAI/src/noctis_ai/mcp/noctis_mcp.py"], "env": { "PYTHONPATH": "/path/to/NoctisAI" } }, "hexstrike-ai": { "command": "/path/to/hexstrike-ai/hexstrike-env/bin/python3", "args": ["/path/to/hexstrike-ai/hexstrike_mcp.py"] } } }

3. Start Services

# Start NoctisAI services ./scripts/start_noctis.sh # Or start all services together ./scripts/start_ecosystem.sh

🛠️ Core Capabilities

Malware Development

Python Framework: Advanced Python malware templates
C/C++ Framework: Enhanced TheSilencer integration
Rust Framework: Memory-safe malware development
Assembly Framework: Low-level system manipulation

2025 Advanced Techniques

AI-Powered Generation: Dynamic, adaptive malware using AI
Living Off the Land: Using legitimate system tools (PowerShell, WMI, etc.)
Fileless Execution: Memory-only execution without disk traces
Time-Based Evasion: Sandbox detection bypass using timing
Cloud C2 Integration: Using legitimate cloud services for C2
AI Social Engineering: AI-generated personalized attacks
Advanced Obfuscation: Control flow flattening, opaque predicates
Behavioral Adaptation: Dynamic behavior modification
Hypervisor Evasion: VM and hypervisor detection bypass
ML Detection Evasion: Machine learning model evasion

🎓 Educational Capabilities

Interactive Learning System

NoctisAI can serve as an educational platform for cybersecurity professionals, researchers, and students. When users ask, I can provide comprehensive explanations of:

Malware Development Techniques

Obfuscation Methods: Control flow flattening, polymorphic code, metamorphic engines
Evasion Techniques: Sandbox detection, hypervisor evasion, anti-debugging
Injection Methods: Process hollowing, DLL injection, manual DLL mapping
Persistence Mechanisms: Registry, WMI, scheduled tasks, service installation
Anti-Analysis: Debugger detection, VM detection, behavioral analysis evasion

Threat Intelligence Concepts

IOC Analysis: Hash analysis, domain reputation, IP geolocation
MITRE ATT&CK: Technique mapping, tactic correlation, campaign attribution
OSINT Techniques: Domain intelligence, email analysis, social engineering
Forensic Analysis: Memory forensics, disk analysis, timeline reconstruction

Advanced Topics

TheSilencer Techniques: Hell's Gate, DLL unhooking, API hashing, ETW bypass
Living Off the Land: PowerShell abuse, WMI exploitation, registry manipulation
Cloud C2: Legitimate service abuse, steganography, covert channels
AI-Powered Attacks: Machine learning evasion, behavioral adaptation

How to Request Educational Content

Simply ask NoctisAI to explain any technique:

"Explain how control flow flattening works" "Teach me about TheSilencer techniques" "What is living off the land in malware development?" "How does sandbox evasion work?" "Explain MITRE ATT&CK framework mapping" "Show me how to analyze IOCs"

Learning Features

Step-by-step explanations with code examples
Real-world scenarios and use cases
Best practices and security considerations
Interactive demonstrations using NoctisAI tools
Progressive complexity from basic to advanced concepts

Threat Intelligence

IOC Analysis: Real-time indicator analysis
MITRE ATT&CK: Technique mapping and correlation
Campaign Tracking: APT campaign correlation
Attribution Analysis: Threat actor profiling

OSINT & Reconnaissance

Domain Intelligence: Comprehensive domain analysis
Email Intelligence: Email infrastructure analysis
Social Engineering: Target profiling and reconnaissance
Dark Web Monitoring: Intelligence gathering

Forensic Analysis

Memory Analysis: Volatile memory forensics
Disk Forensics: File system and disk analysis
Network Forensics: Network traffic analysis
Artifact Extraction: Digital artifact extraction

🔧 MCP Tools

Malware Development Tools

generate_payload - Generate malware payloads
obfuscate_code - Apply obfuscation techniques
create_loader - Create advanced loaders (TheSilencer)
generate_dropper - Multi-stage payload delivery

Threat Intelligence Tools

analyze_iocs - Analyze Indicators of Compromise
map_ttps - Map techniques to MITRE ATT&CK
correlate_campaigns - Correlate indicators across campaigns
generate_threat_profile - Generate threat actor profiles

OSINT Tools

domain_intelligence - Domain analysis
email_intelligence - Email infrastructure analysis
social_engineering - Target profiling
dark_web_monitoring - Dark web intelligence

Forensic Tools

memory_analysis - Memory forensics
disk_forensics - Disk analysis
network_forensics - Network analysis
artifact_extraction - Artifact extraction

📁 Project Structure

NoctisAI/ ├── src/ │ └── noctis_ai/ │ ├── mcp/ # MCP server and tools │ ├── services/ # Core services │ ├── tools/ # Utility tools │ ├── malware/ # Malware development frameworks │ ├── threat_intel/ # Threat intelligence engine │ ├── osint/ # OSINT and reconnaissance │ └── forensics/ # Forensic analysis tools ├── assets/ # Images and resources ├── examples/ # Usage examples ├── docs/ # Documentation ├── scripts/ # Setup and utility scripts ├── tests/ # Test suite ├── requirements.txt # Python dependencies ├── noctis-mcp.json # MCP configuration └── README.md # This file

🔗 Integration with Villager AI & HexStrike

NoctisAI is designed to work seamlessly in a hybrid architecture:

Cursor AI: Primary orchestrator making intelligent tool selection decisions
Villager AI: Complex, multi-phase operations requiring AI reasoning and orchestration
NoctisAI: Specialized malware development, threat intelligence, and advanced obfuscation
HexStrike AI: Fast reconnaissance and direct security tool execution (150+ tools)

The system intelligently selects the appropriate tool based on task complexity:

Simple tasks → HexStrike (direct tool execution)
Specialized malware → NoctisAI (advanced development)
Complex campaigns → Villager AI (AI orchestration)

Workflow Examples

Simple Security Operations (HexStrike)

# Quick reconnaissance and payload generation mcp_hexstrike-ai_nmap_scan(target="192.168.1.1", ports="22,80,443") mcp_hexstrike-ai_msfvenom_generate(payload="windows/x64/meterpreter/reverse_tcp")

Advanced Malware Enhancement (NoctisAI)

# Enhance payloads with advanced obfuscation mcp_noctis-ai_obfuscate_code( source_code=payload_code, language="c", obfuscation_method="polymorphic", evasion_level="extreme" ) # Create sophisticated loaders mcp_noctis-ai_create_loader( payload_data=obfuscated_payload, injection_method="process_hollowing", evasion_features=["hells_gate", "dll_unhooking", "api_hashing"] )

Complex Campaigns (Villager AI)

# Multi-phase security operations mcp_villager-proper_create_task( abstract="Comprehensive Security Assessment", description="Full security assessment including reconnaissance, vulnerability scanning, payload development, and post-exploitation", verification="Detailed report with findings and recommendations" )

🛡️ Security & Ethics

Responsible Usage

Authorization Required: All operations require explicit authorization
Audit Logging: Comprehensive logging of all activities
Legal Compliance: Adherence to local and international laws
Educational Focus: Designed for authorized security research

Use Cases

Authorized penetration testing
Red team exercises
Security research
Educational purposes
Incident response

📊 Performance Metrics

Malware Detection Rate: < 5% on major AV engines
EDR Evasion Rate: > 90% on common EDR solutions
Cross-Platform Compatibility: 95%+ across target platforms
Threat Intelligence Accuracy: > 85% IOC correlation accuracy

🤝 Contributing

We welcome contributions! Please see our Contributing Guidelines for details.

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

⚠️ Disclaimer

This tool is for authorized security testing and educational purposes only. Users are responsible for ensuring compliance with applicable laws and regulations. The authors are not responsible for any misuse of this software.

🌙 NoctisAI - Illuminating the shadows of cyberspace

Built with ❤️ for the cybersecurity community

This server cannot be installed

security - not tested

license - not found

quality - not tested

How are these scores calculated?

hybrid server

The server is able to function both locally and remotely, depending on the configuration or use case.

Enables advanced malware development, threat intelligence analysis, and offensive security operations through specialized tools for multi-language payload generation, obfuscation, OSINT reconnaissance, and forensic analysis. Designed for authorized penetration testing, red team exercises, and cybersecurity research with comprehensive educational capabilities.