peekaboo by cocomelonc

Malware emulation framework for cybersecurity research

Created 4 years ago
311 stars

Top 86.4% on SourcePulse

Project Summary

This project provides a safe, open-source framework for emulating malware behavior, enabling security researchers, red teamers, and blue teamers to generate reproducible threat artifacts. It facilitates hands-on learning for improving detection engineering and operator training by simulating complex scenarios like C2 communication, persistence, and lateral movement without causing actual system damage.

How It Works

Peekaboo employs a modular architecture centered around a Python-based builder and a Flask dashboard. It allows users to construct custom malware agents from C/C++ source code templates, selecting specific modules for encryption, injection, persistence (Registry Run Keys, Winlogon, Screensaver), and data exfiltration. The framework supports multi-channel Command & Control (C2) over standard HTTP/S, GitHub, Telegram, and Discord, alongside staged exfiltration to various cloud services. Novelty lies in its integrated threat intelligence capabilities, including MITRE ATT&CK mapping with inline source code extraction and Malpedia integration using local LLM embeddings for semantic threat actor matching.

Quick Start & Requirements

To run the dashboard, execute python3 peekaboo.py dashboard or cd dashboard && python3 app.py. Key requirements include Python 3 and API keys for the integrated services (Telegram, GitHub, Azure, Angelcam, Ollama, Gemini, Malpedia); Ollama is needed only if the local LLM functionality is used.

Highlighted Details

  • MITRE ATT&CK R&D: Indexes over 200 blog posts, maps techniques to ATT&CK IDs, and automatically extracts inline source code (C, C++, Nim, assembly) with live progress updates during re-indexing.
  • Malpedia Integration: Connects to the Malpedia REST API for threat actor and malware family lookups, utilizing local LLM embeddings for semantic similarity matching against blog posts without hardcoded rules.
  • AI Assistant: Features a local RAG chatbot (Ollama/qwen3) built on the codebase and blog posts, capable of answering technical questions, with optional support for the Claude and Gemini APIs.
  • Payload Builder: Compiles payloads and stealers from source templates, offering live build log streaming within the dashboard interface.

Maintenance & Community

No specific details regarding maintainers, community channels (e.g., Discord, Slack), or project roadmap were found in the provided README.

Licensing & Compatibility

The project is released under the MIT license, which generally permits commercial use and derivative works. However, the project explicitly states it is a "Proof of Concept and is for Educational Purposes Only!!!"

Limitations & Caveats

This tool is designated as a Proof of Concept strictly for educational purposes, focusing on telemetry generation rather than destructive actions. Some planned C2 and exfiltration channels are marked as "TODO" in the documentation.

Health Check

  • Last Commit: 3 weeks ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 23 stars in the last 30 days
