Malware Analysis MCP Server

Add it to Claude Code

Run this in a terminal:

claude mcp add -e "MB_AUTH_KEY=${MB_AUTH_KEY}" malware-analysis -- npx ts-node mcp-server.ts

Required: MB_AUTH_KEY (plus 4 optional variables)
README.md

Real-time threat intelligence and malware metadata for defensive research

Malware Analysis MCP server (Cursor MCP Server)

This is a Cursor MCP (Model Context Protocol) server that queries the MalwareBazaar Community API and VirusTotal to provide real-time threat intelligence and malware sample metadata (IOCs) for authorized defensive research workflows.

Note: get_file (malware binary download) is disabled in this project. This server provides metadata/IOCs only.

What you get

  • Recent sample metadata from MalwareBazaar (get_recent)
  • Detailed metadata for a specific sha256 (get_info)
  • Samples associated with a specific tag (get_taginfo)
  • VirusTotal analysis stats summary (vt_lookup)
  • Telegram alerts (send_alert)
  • Check a local file against MalwareBazaar/VirusTotal by hashing it (check_local_file)
  • Suggested analysis blogs/resources for a malware family/signature (suggest_analysis_blogs)

Requirements

  • Windows 10+
  • Node.js (recommended LTS)
  • npm

Install

Inside the project folder:

npm install

Configure (.env)

Set these in the root .env file:

PORT=3000

# MalwareBazaar (required)
MB_AUTH_KEY=YOUR_ABUSECH_AUTH_KEY

# VirusTotal (optional - only for vt_lookup)
VT_API_KEY=YOUR_VT_KEY

# Telegram (optional - only for send_alert)
TG_BOT_TOKEN=YOUR_BOT_TOKEN
TG_CHAT_ID=YOUR_CHAT_ID

  • Where to get MB_AUTH_KEY: https://auth.abuse.ch/

Cursor MCP setup (important)

Cursor runs MCP servers from mcp.json.

For this repo, the global Cursor config file c:\Users\user\.cursor\mcp.json contains a malware-mcp entry that runs using stdio transport:

  • cmd.exe /c npx -y ts-node ${workspaceFolder}/mcp-server.ts
  • Automatically loads .env via envFile: ${workspaceFolder}/.env

After changing config

  • Restart Cursor (or reload MCP) so the new config is loaded.

Run (manual testing)

You can also run it locally:

npx ts-node mcp-server.ts

This is a stdio MCP server, so you won’t see “web server style” output—Cursor/the MCP host will communicate over the MCP protocol.

MCP Tools

help

Prints a quick usage guide listing all tools and example prompts/args.

Input

  • none

Example

Run help

get_recent

Get recent sample metadata from MalwareBazaar.

Input

  • limit (1..100, default 10)
  • selector ("100" or "time", default "100")

Example

{ "limit": 10, "selector": "100" }

get_info

Get full metadata for a specific sample.

Input

  • hash (sha256 string)

Example

{ "hash": "81ddacc1d4689616b993f34465cb372e6046c035b45a4831343bd55ed37d48ee" }

get_taginfo

Get samples associated with a specific tag.

Input

  • tag (required)
  • limit (1..1000, default 100)

Example

{ "tag": "TrickBot", "limit": 50 }

virustotal_lookup (alias: vt_lookup)

VirusTotal analysis stats summary.

Input

  • hash (sha256 string)

Example

{ "hash": "81ddacc1d4689616b993f34465cb372e6046c035b45a4831343bd55ed37d48ee" }

send_alert

Send a message via your Telegram bot.

Input

  • message (string)

Example

{ "message": "🚨 New malware sample: <sha256> ..." }

get_file (disabled)

This tool is intentionally disabled because it would involve downloading live malware binaries.

check_local_file

Compute the SHA256 of a local file (on this PC) and check whether it matches a known entry in MalwareBazaar. Optionally also performs a VirusTotal lookup by SHA256 (requires VT_API_KEY).

Input

  • path (string, required): absolute path to the file
  • vt (boolean, optional, default true): also run VirusTotal lookup

Example

{ "path": "C:\\Users\\user\\Downloads\\somefile.exe", "vt": true }

suggest_analysis_blogs

Suggests relevant analysis blogs/resources for the same malware family/signature (Malpedia / MITRE / abuse.ch / vendor writeups).
You can pass a signature name directly, or pass a hash and it will try to resolve the signature via MalwareBazaar first.

Input

  • signature (string, optional)
  • hash (string, optional; sha256 recommended)

Examples

{ "signature": "HijackLoader" }
{ "hash": "4f9669712b6cd325eba9e94faf73a7d6ac29cdb724e857f5693aebe542f64b94" }

Utility Tools (encoding/encryption/compression/analysis)

These tools run offline (no uploads) and are useful for quick data transformations and analysis.

base64_encode

{ "text": "hello" }

base64_decode

{ "base64": "aGVsbG8=" }

url_encode / url_decode

{ "text": "a+b c" }

hex_encode / hex_decode

{ "text": "hello" }

gzip_compress

Compress UTF-8 text and return base64.

{ "text": "hello" }

gzip_decompress

Decompress from base64 (gzip bytes) back to UTF-8.

{ "base64": "<gzip_base64>" }

hash_text

{ "alg": "sha256", "text": "hello" }

Tools (7)

  • get_recent: Get recent sample metadata from MalwareBazaar.
  • get_info: Get full metadata for a specific sample.
  • get_taginfo: Get samples associated with a specific tag.
  • vt_lookup: VirusTotal analysis stats summary.
  • send_alert: Send a message via your Telegram bot.
  • check_local_file: Compute the SHA256 of a local file and check it against MalwareBazaar and VirusTotal.
  • suggest_analysis_blogs: Suggest relevant analysis blogs or resources for a malware family or signature.

Environment Variables

  • PORT: Port for the server
  • MB_AUTH_KEY (required): MalwareBazaar authentication key
  • VT_API_KEY: VirusTotal API key
  • TG_BOT_TOKEN: Telegram bot token
  • TG_CHAT_ID: Telegram chat ID

Configuration

claude_desktop_config.json

{
  "mcpServers": {
    "malware-mcp": {
      "command": "npx",
      "args": ["-y", "ts-node", "mcp-server.ts"],
      "env": {
        "MB_AUTH_KEY": "YOUR_ABUSECH_AUTH_KEY",
        "VT_API_KEY": "YOUR_VT_KEY"
      }
    }
  }
}

Try it

Check the latest malware samples from MalwareBazaar.
Get detailed metadata for the file hash 81ddacc1d4689616b993f34465cb372e6046c035b45a4831343bd55ed37d48ee.
Find recent samples tagged with TrickBot.
Run a VirusTotal lookup for the file at C:\Downloads\suspicious_file.exe.
Suggest analysis blogs for the malware signature HijackLoader.

Frequently Asked Questions

What are the key features of Malware Analysis?

  • Real-time threat intelligence retrieval from MalwareBazaar.
  • VirusTotal analysis summary lookups.
  • Local file hash verification against threat databases.
  • Automated Telegram alerting for security events.
  • Offline utility tools for data transformation and hashing.

What can I use Malware Analysis for?

  • Security researchers verifying IOCs for incident response.
  • Automated monitoring of new malware samples via Telegram.
  • Quick analysis of local files for potential threats.
  • Gathering context and research write-ups for specific malware families.

How do I install Malware Analysis?

Install Malware Analysis by running: npm install

What MCP clients work with Malware Analysis?

Malware Analysis works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
