MalX

The Malware Experimentation Layer

Malicious by Design.

A research-driven offensive-security initiative focused on malware execution, adversary tradecraft, and the mechanics of real-world exploitation.

What is MalX?

MalX is an independent research effort dedicated to understanding how malicious code behaves in real environments. We study execution flow, evasion, staging, and adversarial automation — not as theory, but as hostile systems in motion.

To understand an adversary, you must think like one — and build like one.

MalX provides the structure, tooling, and research needed to explore modern offensive techniques with precision and clarity.

The MalX Ecosystem

A modular architecture for adversarial experimentation.

MalX Core

Foundational primitives for execution flow, staging, and runtime manipulation.

MalX Sandbox

A controlled environment for malware execution and behavioural experimentation.

MalX Forge

Tooling for crafting loaders, stagers, payloads, and execution chains.

MalX Archive

Research, PoCs, experiments, and adversarial studies.

MalX Labs

The GitHub organization powering the ecosystem.

PAAX

A precision adversarial fixture generator for PE structures. Produces syntactically valid binaries engineered to test loader edge cases and parser robustness.

Adversarial File‑Format Research

Exploring the boundaries of executable formats through adversarial construction, malformed‑but‑valid structures, and parser robustness testing.

PE Adversarial Fixtures

Syntactically valid PE files engineered to stress-test loader assumptions, section‑header logic, and boundary conditions.

Ghidra 12.1 PE Loader Failure

Discovery of an import‑time crash in Ghidra's PE loader triggered by extreme but syntactically valid SizeOfRawData values. Demonstrates a bounds-checking weakness in section-header handling. Documented as issue #9264.

View Issue →
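
An added example, not MalX's or Ghidra's code: an overflow-safe check of each section's raw-data range, the kind of bounds check a PE parser needs before trusting SizeOfRawData. The `build_sample` helper and its header-only buffer are constructed for illustration (not a loadable image and not the fixture from issue #9264).

```python
import struct

def build_sample(raw_size, raw_ptr=0x200, file_size=0x400):
    """Constructed header-only buffer (hypothetical helper): DOS header, COFF header, one section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points to 0x40
    # Machine, NumberOfSections=1, three zeroed fields, SizeOfOptionalHeader=0, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0002)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, remaining fields
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + coff + sect
    return image + b"\0" * (file_size - len(image))

def audit_section_bounds(data):
    """Return (section_name, problem) for every raw-data range that leaves the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or out of range")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    findings = []
    for i in range(num_sections):
        off = table + i * 40  # each section header is 40 bytes
        if off + 40 > len(data):
            findings.append((f"#{i}", "section header truncated"))
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        if raw_size == 0:
            continue  # no raw data on disk, nothing to bound
        end = raw_ptr + raw_size  # Python ints do not wrap, so the sum is exact
        if end > 0xFFFFFFFF:
            findings.append((name, "raw range wraps 32 bits"))
        elif end > len(data):
            findings.append((name, "raw data past end of file"))
    return findings

if __name__ == "__main__":
    for size in (0x200, 0x7FFFFFFF, 0xFFFFFFFF):
        print(hex(size), audit_section_bounds(build_sample(size)))
```

In a language with fixed-width integers the same check has to widen to 64 bits (or compare `raw_size > file_size - raw_ptr`) before adding, otherwise the wrapped sum passes the comparison.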

Parser Robustness Studies

Systematic evaluation of static-analysis and reverse‑engineering tools under adversarial input conditions, focusing on correctness, stability, and resilience.

IOCX Parser

Independent PE static-analysis engine used to validate structural anomalies and compare loader behaviour under adversarial conditions.

Visit IOCX →

Research Focus

MalX explores the mechanics of malicious execution through:

Security Research

ARCHITECTURE

Segmentation by Design

MalX operates within a fully isolated adversarial topology — engineered for containment, observation, and precision execution.

Ethos

Toolmaker mindset

We build the mechanisms required to study malicious behaviour - practical, minimal, and purpose-driven.

Research over presentation

Clarity matters more than aesthetics. The work leads; the visuals follow.

Precision over noise

Focused, deliberate engineering.

Malicious by design

To understand hostile systems, we model them - safely, intentionally, and in controlled environments.

Roadmap

The MalX ecosystem evolves continuously. Current areas of development include:

Responsible Use

MalX exists for research, education, and the advancement of offensive-security understanding. All tools and experiments are intended for authorized environments only.

MalX does not distribute operational malware or offensive tooling. All research artifacts are non-functional, adversarial test fixtures designed for analysis and robustness evaluation.

Misuse is not tolerated. Understanding adversaries does not require becoming one.

Get Involved

MalX is open to researchers, operators, and toolmakers who share a commitment to adversarial clarity.

ARCHITECTURE DETAIL

Adversarial Flow Architecture

A segmented, observation-first topology for studying hostile systems in motion — without exposing the host.

Host Machine

192.168.1.0/24
Operator environment
No direct access

NO DIRECT ACCESS
libvirt isolation-net
192.168.200.0/24

Ubuntu Infra VM

INetSim · Zeek · tcpdump
Simulation & observation

OS: Ubuntu 24.04

Windows VM

Controlled execution surface
Behavioral interaction

OS: Windows 11 Enterprise / Windows 10 Enterprise LTSC

Ubuntu Sandbox VM

Linux testing
Post-execution analysis

OS: Ubuntu 24.04