NoctisAI - Malware Development & Threat Intelligence MCP

<div align="center">

<img src="assets/noctis-logo.png" alt="NoctisAI Logo" width="400" />

** Nocturnal Intelligence System for Advanced Malware Development & Threat Intelligence**

</div>

---

🎯 About NoctisAI

NoctisAI is a specialized MCP (Model Context Protocol) designed for advanced malware development, threat intelligence, and offensive security operations. Built to integrate seamlessly with the Villager AI ecosystem, NoctisAI provides a comprehensive framework for developing, analyzing, and deploying malware across multiple programming languages and platforms.

Key Features:

• 🦠 Multi-Language Malware Development (Python, C/C++, Rust, Assembly)
• 🕵️ Advanced Threat Intelligence (IOC analysis, MITRE ATT&CK mapping)
• 🔍 OSINT & Reconnaissance (Domain intel, social engineering, dark web monitoring)
• 🔬 Forensic Analysis (Memory, disk, network forensics)
• 🎯 APT Simulation (Complete attack simulation and kill chain)
• 🛡️ Enhanced TheSilencer Integration (Your C/C++ malware framework)

🏗️ Architecture

┌─────────────────────────────────────────────────────────────────┐
│                        Cursor AI Assistant                      │
│                    (Orchestrator & Decision Engine)             │
└─────────────────────┬───────────────────┬───────────────────────┘
                      │                   │
                      ▼                   ▼
        ┌─────────────────────┐  ┌─────────────────────┐
        │    Villager AI      │  │     NoctisAI        │
        │   (Complex Tasks)   │  │ (Malware/Threat Intel)│
        │   Port: 37695       │  │   Port: 8081        │
        └─────────┬───────────┘  └─────────┬───────────┘
                  │                        │
                  ▼                        ▼
        ┌─────────────────────┐  ┌─────────────────────┐
        │   Kali Container    │  │   TheSilencer       │
        │   (Security Tools)  │  │   (C/C++ Loaders)   │
        │   Port: 1611        │  │   Integration       │
        └─────────────────────┘  └─────────────────────┘
                  │
                  ▼
        ┌─────────────────────┐
        │    HexStrike AI     │
        │  (Quick Execution)  │
        │   Port: 8000        │
        └─────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    MCP Ecosystem Flow                          │
│                                                                 │
│  Cursor AI → Decision Making → Tool Selection → Execution      │
│                                                                 │
│  • Villager: Complex orchestration, long-running tasks         │
│  • NoctisAI: Advanced malware development, threat intelligence │
│  • HexStrike: Quick reconnaissance, direct tool execution      │
│                                                                 │
│  All tools can work independently or in hybrid workflows       │
└─────────────────────────────────────────────────────────────────┘

🚀 Quick Start

1. Installation

# Clone NoctisAI
git clone https://github.com/Yenn503/NoctisAI.git
cd NoctisAI

# Create virtual environment
python3 -m venv noctis-env
source noctis-env/bin/activate

# Install dependencies
pip install -r requirements.txt

# Run setup
./scripts/setup_noctis.sh

2. Integration with Villager AI

Add to your MCP configuration:

{
  "mcpServers": {
    "villager-proper": {
      "command": "/path/to/Villager-AI/villager-venv-new/bin/python3",
      "args": ["/path/to/Villager-AI/src/villager_ai/mcp/villager_proper_mcp.py"],
      "env": {
        "PYTHONPATH": "/path/to/Villager-AI"
      }
    },
    "noctis-ai": {
      "command": "/path/to/NoctisAI/noctis-env/bin/python3",
      "args": ["/path/to/NoctisAI/src/noctis_ai/mcp/noctis_mcp.py"],
      "env": {
        "PYTHONPATH": "/path/to/NoctisAI"
      }
    },
    "hexstrike-ai": {
      "command": "/path/to/hexstrike-ai/hexstrike-env/bin/python3",
      "args": ["/path/to/hexstrike-ai/hexstrike_mcp.py"]
    }
  }
}

3. Start Services

# Start NoctisAI services
./scripts/start_noctis.sh

# Or start all services together
./scripts/start_ecosystem.sh

🛠️ Core Capabilities

Malware Development

• Python Framework: Advanced Python malware templates
• C/C++ Framework: Enhanced TheSilencer integration
• Rust Framework: Memory-safe malware development
• Assembly Framework: Low-level system manipulation

2025 Advanced Techniques

• AI-Powered Generation: Dynamic, adaptive malware using AI
• Living Off the Land: Using legitimate system tools (PowerShell, WMI, etc.)
• Fileless Execution: Memory-only execution without disk traces
• Time-Based Evasion: Sandbox detection bypass using timing
• Cloud C2 Integration: Using legitimate cloud services for C2
• AI Social Engineering: AI-generated personalized attacks
• Advanced Obfuscation: Control flow flattening, opaque predicates
• Behavioral Adaptation: Dynamic behavior modification
• Hypervisor Evasion: VM and hypervisor detection bypass
• ML Detection Evasion: Machine learning model evasion

🎓 Educational Capabilities

Interactive Learning System

NoctisAI can serve as an educational platform for cybersecurity professionals, researchers, and students. When users ask, I can provide comprehensive explanations of:

Malware Development Techniques

• Obfuscation Methods: Control flow flattening, polymorphic code, metamorphic engines
• Evasion Techniques: Sandbox detection, hypervisor evasion, anti-debugging
• Injection Methods: Process hollowing, DLL injection, manual DLL mapping
• Persistence Mechanisms: Registry, WMI, scheduled tasks, service installation
• Anti-Analysis: Debugger detection, VM detection, behavioral analysis evasion

Threat Intelligence Concepts

• IOC Analysis: Hash analysis, domain reputation, IP geolocation
• MITRE ATT&CK: Technique mapping, tactic correlation, campaign attribution
• OSINT Techniques: Domain intelligence, email analysis, social engineering
• Forensic Analysis: Memory forensics, disk analysis, timeline reconstruction

Advanced Topics

• TheSilencer Techniques: Hell's Gate, DLL unhooking, API hashing, ETW bypass
• Living Off the Land: PowerShell abuse, WMI exploitation, registry manipulation
• Cloud C2: Legitimate service abuse, steganography, covert channels
• AI-Powered Attacks: Machine learning evasion, behavioral adaptation

How to Request Educational Content

Simply ask NoctisAI to explain any technique:

"Explain how control flow flattening works"
"Teach me about TheSilencer techniques"
"What is living off the land in malware development?"
"How does sandbox evasion work?"
"Explain MITRE ATT&CK framework mapping"
"Show me how to analyze IOCs"

Learning Features

• Step-by-step explanations with code examples
• Real-world scenarios and use cases
• Best practices and security considerations
• Interactive demonstrations using NoctisAI tools
• Progressive complexity from basic to advanced concepts

Threat Intelligence

• IOC Analysis: Real-time indicator analysis
• MITRE ATT&CK: Technique mapping and correlation
• Campaign Tracking: APT campaign correlation
• Attribution Analysis: Threat actor profiling

OSINT & Reconnaissance

• Domain Intelligence: Comprehensive domain analysis
• Email Intelligence: Email infrastructure analysis
• Social Engineering: Target profiling and reconnaissance
• Dark Web Monitoring: Intelligence gathering

Forensic Analysis

• Memory Analysis: Volatile memory forensics
• Disk Forensics: File system and disk analysis
• Network Forensics: Network traffic analysis
• Artifact Extraction: Digital artifact extraction

🔧 MCP Tools

Malware Development Tools

• generate_payload - Generate malware payloads
• obfuscate_code - Apply obfuscation techniques
• create_loader - Create advanced loaders (TheSilencer)
• generate_dropper - Multi-stage payload delivery

Threat Intelligence Tools

• analyze_iocs - Analyze Indicators of Compromise
• map_ttps - Map techniques to MITRE ATT&CK
• correlate_campaigns - Correlate indicators across campaigns
• generate_threat_profile - Generate threat actor profiles

OSINT Tools

• domain_intelligence - Domain analysis
• email_intelligence - Email infrastructure analysis
• social_engineering - Target profiling
• dark_web_monitoring - Dark web intelligence

Forensic Tools

• memory_analysis - Memory forensics
• disk_forensics - Disk analysis
• network_forensics - Network analysis
• artifact_extraction - Artifact extraction

📁 Project Structure

NoctisAI/
├── src/
│   └── noctis_ai/
│       ├── mcp/                    # MCP server and tools
│       ├── services/               # Core services
│       ├── tools/                  # Utility tools
│       ├── malware/                # Malware development frameworks
│       ├── threat_intel/           # Threat intelligence engine
│       ├── osint/                  # OSINT and reconnaissance
│       └── forensics/              # Forensic analysis tools
├── assets/                         # Images and resources
├── examples/                       # Usage examples
├── docs/                          # Documentation
├── scripts/                       # Setup and utility scripts
├── tests/                         # Test suite
├── requirements.txt               # Python dependencies
├── noctis-mcp.json               # MCP configuration
└── README.md                     # This file

🔗 Integration with Villager AI & HexStrike

NoctisAI is designed to work seamlessly in a hybrid architecture:

• Cursor AI: Primary orchestrator making intelligent tool selection decisions
• Villager AI: Complex, multi-phase operations requiring AI reasoning and orchestration
• NoctisAI: Specialized malware development, threat intelligence, and advanced obfuscation
• HexStrike AI: Fast reconnaissance and direct security tool execution (150+ tools)

The system intelligently selects the appropriate tool based on task complexity:

• Simple tasks → HexStrike (direct tool execution)
• Specialized malware → NoctisAI (advanced development)
• Complex campaigns → Villager AI (AI orchestration)

Workflow Examples

Simple Security Operations (HexStrike)

# Quick reconnaissance and payload generation
mcp_hexstrike-ai_nmap_scan(target="192.168.1.1", ports="22,80,443")
mcp_hexstrike-ai_msfvenom_generate(payload="windows/x64/meterpreter/reverse_tcp")

Advanced Malware Enhancement (NoctisAI)

# Enhance payloads with advanced obfuscation
mcp_noctis-ai_obfuscate_code(
    source_code=payload_code,
    language="c",
    obfuscation_method="polymorphic",
    evasion_level="extreme"
)

# Create sophisticated loaders
mcp_noctis-ai_create_loader(
    payload_data=obfuscated_payload,
    injection_method="process_hollowing",
    evasion_features=["hells_gate", "dll_unhooking", "api_hashing"]
)

Complex Campaigns (Villager AI)

# Multi-phase security operations
mcp_villager-proper_create_task(
    abstract="Comprehensive Security Assessment",
    description="Full security assessment including reconnaissance, vulnerability scanning, payload development, and post-exploitation",
    verification="Detailed report with findings and recommendations"
)

🛡️ Security & Ethics

Responsible Usage

• Authorization Required: All operations require explicit authorization
• Audit Logging: Comprehensive logging of all activities
• Legal Compliance: Adherence to local and international laws
• Educational Focus: Designed for authorized security research

Use Cases

• Authorized penetration testing
• Red team exercises
• Security research
• Educational purposes
• Incident response

📊 Performance Metrics

• Malware Detection Rate: < 5% on major AV engines
• EDR Evasion Rate: > 90% on common EDR solutions
• Cross-Platform Compatibility: 95%+ across target platforms
• Threat Intelligence Accuracy: > 85% IOC correlation accuracy

🤝 Contributing

We welcome contributions! Please see our Contributing Guidelines for details.

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

⚠️ Disclaimer

This tool is for authorized security testing and educational purposes only. Users are responsible for ensuring compliance with applicable laws and regulations. The authors are not responsible for any misuse of this software.

---

🌙 NoctisAI - Illuminating the shadows of cyberspace

Built with ❤️ for the cybersecurity community