About MalChain
MalChain is an open-source, behaviour-centric malware kill-chain framework maintained by Malwarehunts. It models real-world adversary operations across the full intrusion lifecycle by abstracting attacker actions into reusable operational capabilities that stay stable even as malware tooling evolves.
Behaviour-centric
Models attacker capabilities and trust abuse, not fragile tool or hash indicators.
Full lifecycle
Six phases and 52 techniques spanning initial access through exfiltration and C2.
Detection-ready
Every technique ships runnable KQL, and 30 ship validated YARA rules.
Who maintains it
MalChain is a project by Malwarehunts — a threat-research effort focused on malware analysis, detection engineering, and threat hunting. Our goal is to help defenders reason about attacker behaviour in a structured, high-fidelity way and turn that understanding into detections they can deploy the same day.
Who it’s for
Security operations centres, detection-engineering and threat-hunting teams, incident responders, malware researchers, and red / purple teams. MalChain is platform-agnostic and applies across endpoint, network, cloud, and hybrid environments.
What’s inside
Six phases — Ingress, Activation, Anchoring, Concealment, Expansion, and Extraction — covering 52 techniques. Each technique carries a summary, detection guidance, a ready-to-run Microsoft Defender / Sentinel KQL query, a YARA rule where file or memory artifacts apply, mitigation and incident-response notes, and chain-linking to the techniques it enables next.
Contributing
Contributions are welcome — malware case studies, new or tuned detection signatures (KQL and YARA), and technical analysis. Open an issue or pull request on GitHub.
Stay in touch
Read more research and analysis at malwarehunts.com, or follow development on GitHub.