Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company.

Released: December 31, 2025

Major improvements: Enhanced security, performance optimization, graceful shutdown, connection pooling, and comprehensive error handling. See full changelog →

DEMO: demo.malice.io

• username: malice
• password: ecilam

• ~16GB disk space
• ~4GB RAM

• Docker (v20.10+)
• Go (v1.21+) - for building from source

✨ Key Features:

• Security: Path traversal prevention, input validation, secure path handling
• Performance: Elasticsearch connection pooling (20-30% improvement)
• Reliability: Graceful shutdown, context-based cancellation, timeout protection
• Code Quality: Custom error types, structured logging, comprehensive tests
• Resource Management: Bounded concurrency (max 10 plugins), connection reuse

$ brew install maliceio/tap/malice

Usage: malice [OPTIONS] COMMAND [arg...]

Open Source Malware Analysis Framework

Version: 0.3.11

Author:
  blacktop - <https://github.com/blacktop>

Options:
  --debug, -D      Enable debug mode [$MALICE_DEBUG]
  --help, -h       show help
  --version, -v    print the version

Commands:
  scan        Scan a file
  watch        Watch a folder
  lookup    Look up a file hash
  elk        Start an ELK docker container
  plugin    List, Install or Remove Plugins
  help        Shows a list of commands or help for one command

Run 'malice COMMAND --help' for more information on a command.

$ malice scan evil.malware

NOTE: On the first run malice will download all of it's default plugins which can take a while to complete.

Malice will output the results as a markdown table that can be piped or copied into a results.md that will look great on Github see here

$ malice elk

You can open the Kibana UI and look at the scan results here: http://localhost (assuming you are using Docker for Mac)

• Type in malice as the Index name or pattern and click Create.

• Now click on the Malice Tab and behold!!!

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock malice/engine plugin update --all

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
                -v `pwd`:/malice/samples \
                --network="host" \
                -e MALICE_VT_API=$MALICE_VT_API \
                malice/engine scan SAMPLE

• Documentation
• Plugins
• Examples
• Roadmap
• Contributing
• v0.4.0 Improvements - Detailed technical improvements
• Best Practices - Go development patterns
• Release Notes - v0.4.0 changelog

I have noticed when running the new 5.0+ version of malice/elasticsearch on a linux host you need to increase the memory map areas with the following command

sudo sysctl -w vm.max_map_count=262144

Elasticsearch requires a LOT of RAM to run smoothly. You can lower it to 2GB by running the following (before running a scan):

$ docker run -d \
         -p 9200:9200 \
         --name malice-elastic \
         -e ES_JAVA_OPTS="-Xms2g -Xmx2g" \
         malice/elasticsearch

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue

See CHANGELOG.md

Apache License (Version 2.0)
Copyright (c) 2013 - 2018 blacktop