
theZoo

Python ★ 13k updated 2mo ago

A repository of LIVE malwares for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public.

A curated archive of real malware samples and source code stored in encrypted archives, with a Python command-line tool for browsing and retrieving samples safely for security research and malware analysis.

Python · SQLite · setup: easy · complexity 2/5

theZoo is a collection of real malware samples and source code gathered into one place for the purpose of security research and malware analysis. The project exists because actual malware files are difficult to obtain in a form that is safe to study, so the maintainers collected and organized them to make analysis more accessible to researchers and students.

The malware files are stored encrypted in password-protected ZIP archives. Each entry in the collection includes the encrypted archive, a password file, and checksums for verification. The repository contains both binary samples and source code, with some source code being the original leaked version and some being partially reconstructed through reverse engineering.

A Python command-line tool provides an interface for browsing and retrieving samples from a SQLite database. Running it starts an interactive console where you can search for specific malware by name or other attributes. The database search is described as free-form, and the tool includes auto-complete for malware names.

The README includes a prominent safety warning: these are live, functional malware samples. The project strongly recommends running any samples only inside a virtual machine with no network connection and without guest additions installed. Some samples are worms that will automatically attempt to spread if executed outside a controlled environment.

Submitting new samples involves running a preparation script that encrypts the file and creates the directory structure, then submitting a pull request along with a database entry. The project is licensed under GPL version 3, though the license explicitly does not apply to the malware samples themselves. The project was created by Yuval Nativ and is maintained by Shahak Shalev.

Where it fits