Security Talent Threat Intel is a Node.js command-line toolkit for malware triage, IOC enrichment, dark web correlation, and detection-content generation. It supports binary samples, JavaScript payloads, extracted strings, JSON logs, batch directories, and standalone IOCs such as hashes, IPs, domains, and URLs.
The platform combines:
- Static analysis
- Behavioral heuristics
- Network IOC extraction
- MITRE ATT&CK mapping
- Risk scoring
- YARA and Sigma generation
- Optional Tor-backed dark web correlation
- JSON, text-summary, and STIX 2.1 style reporting

Requirements:
- Node.js 18 or later
- npm
- Optional Tor service for onion lookups
- Optional API keys for external enrichment
Install dependencies:

```bash
npm install
```

Create a local environment file:

```ini
TOR_PROXY=socks5h://127.0.0.1:9050
TOR_TIMEOUT=30000
ABUSEIPDB_KEY=
VT_KEY=
SHODAN_KEY=
MALWAREBAZAAR_KEY=
URLSCAN_KEY=
FLARE_API_KEY=
FLARE_TENANT_ID=
FLARE_SEARCH_SIZE=5
```

The project already loads these values from `.env` through `config/default.js`.
```text
threat-intel-platform/
|-- config/
|   `-- default.js
|-- src/
|   |-- analyzers/
|   |   |-- behavioral.js
|   |   |-- detection.js
|   |   |-- mitre.js
|   |   |-- network.js
|   |   |-- risk.js
|   |   `-- static.js
|   |-- collectors/
|   |   |-- combined.js
|   |   |-- darkweb.js
|   |   `-- ioc.js
|   |-- parsers/
|   |   `-- strings.js
|   |-- reporters/
|   |   `-- json.js
|   |-- utils/
|   |   |-- crypto.js
|   |   |-- entropy.js
|   |   `-- patterns.js
|   `-- index.js
|-- package.json
`-- README.md
```

`config/default.js` controls:
- Tor proxy host, timeout, and retry settings
- Configured onion search engines
- Configured clear-web enrichment endpoints
- API key loading from environment variables
- Flare API tenant and result-size settings
- Entropy and string extraction thresholds
Main entry point:

```bash
node src/index.js [options]
```

Help:

```bash
node src/index.js --help
```

Input options:

| Option | Purpose | Example |
|---|---|---|
| `--file <path>` | Analyze a binary or generic file payload | `node src/index.js --file ./sample.bin` |
| `--hex <hex>` | Analyze hex-decoded content | `node src/index.js --hex 4D5A9000` |
| `--strings <path>` | Analyze a text file containing extracted strings | `node src/index.js --strings ./strings.txt` |
| `--logs <path>` | Analyze JSON logs or network telemetry | `node src/index.js --logs ./network.json` |
| `--code <path>` | Analyze JavaScript or decompiled source | `node src/index.js --code ./sample.js` |
| `--batch <dir>` | Analyze every file in a directory | `node src/index.js --batch ./samples` |
| `--ioc <value>` | Run IOC-only lookup for hash, IP, domain, or URL | `node src/index.js --darkweb --ioc 2156...2a0c` |

Output and enrichment options:

| Option | Purpose | Example |
|---|---|---|
| `--darkweb` | Enable OSINT and onion-source correlation | `node src/index.js --darkweb --ioc 142.11.206.73` |
| `--report <path>` | Write JSON report to a custom path | `node src/index.js --file ./sample.bin --report ./output/report.json` |
| `--output <path>` | Choose output directory | `node src/index.js --file ./sample.bin --output ./output` |
| `--gen-yara` | Export generated YARA rule | `node src/index.js --file ./sample.bin --gen-yara` |
| `--gen-sigma` | Export generated Sigma rule | `node src/index.js --file ./sample.bin --gen-sigma` |
Example commands:

```bash
node src/index.js --file ./sample.bin
node src/index.js --hex 4D5A9000
node src/index.js --strings ./strings.txt
node src/index.js --logs ./network.json
node src/index.js --code ./sample.js
node src/index.js --batch ./samples
node src/index.js --darkweb --ioc 2156c504f8b4ddc6d2760a0c989c31c93d53b85252d14095cebcadcbe3772a0c
node src/index.js --darkweb --ioc 142.11.206.73
node src/index.js --darkweb --ioc sfrclak.com
node src/index.js --darkweb --ioc https://evil.example.com/payload
node src/index.js --file ./sample.bin --report ./output/report.json
node src/index.js --file ./sample.bin --gen-yara --gen-sigma
node src/index.js --code ./sample.js --darkweb --gen-yara --gen-sigma --output ./output
```

Use `npm.cmd` on Windows PowerShell if `npm` is blocked by execution policy.

| Script | Purpose | Usage |
|---|---|---|
| `npm.cmd run cli:help` | Show CLI help | `npm.cmd run cli:help` |
| `npm.cmd run analyze:file -- <path>` | File analysis wrapper | `npm.cmd run analyze:file -- .\\sample.bin` |
| `npm.cmd run analyze:hex -- <hex>` | Hex analysis wrapper | `npm.cmd run analyze:hex -- 4D5A9000` |
| `npm.cmd run analyze:strings -- <path>` | Strings analysis wrapper | `npm.cmd run analyze:strings -- .\\strings.txt` |
| `npm.cmd run analyze:logs -- <path>` | Logs analysis wrapper | `npm.cmd run analyze:logs -- .\\network.json` |
| `npm.cmd run analyze:code -- <path>` | Code analysis wrapper | `npm.cmd run analyze:code -- .\\sample.js` |
| `npm.cmd run analyze:batch -- <dir>` | Batch analysis wrapper | `npm.cmd run analyze:batch -- .\\samples` |
| `npm.cmd run ioc:search -- --ioc <value>` | IOC-only lookup wrapper | `npm.cmd run ioc:search -- --ioc 2156...2a0c` |
| `npm.cmd run darkweb:search -- --ioc <value>` | IOC lookup with dark web flag | `npm.cmd run darkweb:search -- --ioc sfrclak.com` |
| `npm.cmd run report -- --file <path> --report <path>` | Generic reporting wrapper | `npm.cmd run report -- --file .\\sample.bin --report .\\output\\report.json` |
| `npm.cmd run generate:yara -- --file <path>` | Generate YARA output | `npm.cmd run generate:yara -- --file .\\sample.bin` |
| `npm.cmd run generate:sigma -- --file <path>` | Generate Sigma output | `npm.cmd run generate:sigma -- --file .\\sample.bin` |
`src/index.js` runs the following stages:
- Input loading
- Static analysis
- Behavioral analysis
- Network intelligence
- IOC extraction
- MITRE ATT&CK mapping
- Risk assessment
- Detection rule generation
- Optional dark web correlation
- Recommendation generation
- JSON report output
`src/collectors/combined.js` exposes a reusable orchestration flow for programmatic use.

Default output directory: `./output`

Generated files may include:
- `threat_intel_report.json`
- `generated_rule.yara`
- `generated_rule_sigma.yml`
- Timestamped JSON report from the reporter module
- Timestamped summary text report
- Timestamped STIX 2.1 bundle
- `batch_report.json` for batch mode
The dark web and clear-web backend is driven by the `darkweb` object in `config/default.js` and executed by `src/collectors/darkweb.js`.

`darkweb.engines` is a dictionary of onion search endpoints. When `--darkweb` is enabled, the backend:
- Creates a SOCKS proxy agent using `TOR_PROXY`
- Iterates over the IOC targets supplied by the user or derived from analysis
- Sends search requests to the configured onion engines through Tor
- Stops after a small number of onion attempts per target to avoid excessive delay
- Extracts:
  - direct IOC mentions
  - `.onion` links
  - short text context around matches
- Stores results in `sources_used`, `mentions_found`, and `onion_links`

In code, the relevant flow is:

```js
DarkWebCollector.search(targets)
DarkWebCollector.searchOnionEngines(target, results, agent)
```

Each onion engine is queried using a URL pattern like:

```text
<engine>/search?query=<ioc>
```

The response body is scanned for:
- the IOC string itself
- any `.onion` addresses
- nearby context snippets for reporting
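As an added example of the response scanning described above (illustrative code, not `src/collectors/darkweb.js` itself), the block below pulls direct IOC mentions with surrounding context out of a search engine's response body, collects any `.onion` addresses from the raw HTML, and merges the findings into the `sources_used` / `mentions_found` / `onion_links` structure the page names. The function names are assumptions, and the sample body, including the onion addresses in it, is a constructed placeholder.

```javascript
// Added example (not src/collectors/darkweb.js itself): scan an onion search
// engine's response body for the IOC, .onion addresses and context snippets,
// then store them under sources_used / mentions_found / onion_links.
// Function names are assumptions; the sample body is constructed.

// v2 (16 chars) and v3 (56 chars) onion hostnames use the base32 alphabet.
const ONION_RE = /\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b/gi;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Crude tag removal so snippets read as text rather than HTML.
function stripTags(html) {
  return html.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();
}

// Direct IOC mentions (with context) come from the stripped text; .onion
// addresses are taken from the raw body because they usually sit in href attributes.
function scanResponseBody(body, ioc, { context = 40, engine = 'unknown' } = {}) {
  const text = stripTags(body);
  const iocRe = new RegExp(escapeRegExp(ioc), 'gi');
  const mentions = [];
  for (const m of text.matchAll(iocRe)) {
    const start = Math.max(0, m.index - context);
    const end = Math.min(text.length, m.index + m[0].length + context);
    mentions.push({ source: engine, target: ioc, snippet: text.slice(start, end) });
  }
  const onionLinks = [...new Set([...body.matchAll(ONION_RE)].map((m) => m[0].toLowerCase()))];
  return { mentions, onion_links: onionLinks };
}

function newResults() {
  return { sources_used: [], mentions_found: [], onion_links: [] };
}

// Merge one engine's findings into the accumulated results object,
// de-duplicating sources, snippets and links.
function mergeResults(results, engine, scan) {
  if (!results.sources_used.includes(engine)) results.sources_used.push(engine);
  for (const m of scan.mentions) {
    const dup = results.mentions_found.some((x) => x.source === m.source && x.snippet === m.snippet);
    if (!dup) results.mentions_found.push(m);
  }
  for (const link of scan.onion_links) {
    if (!results.onion_links.includes(link)) results.onion_links.push(link);
  }
  return results;
}

// Constructed sample response (not a real page). The third link has a
// 20-character label, which is neither a v2 nor a v3 address and is ignored.
const SAMPLE_BODY = `<html><body>
<div class="result"><a href="http://${'a'.repeat(56)}.onion/">Paste dump</a> mentions sfrclak.com in a config</div>
<div class="result">Second hit: SFRCLAK.COM seen at <a href="http://${'b'.repeat(16)}.onion">mirror</a></div>
<div class="result">unrelated <a href="http://${'c'.repeat(20)}.onion">bad length</a></div>
</body></html>`;

const demo = mergeResults(newResults(), 'ahmia', scanResponseBody(SAMPLE_BODY, 'sfrclak.com', { engine: 'ahmia' }));
console.log(JSON.stringify(demo, null, 2));
```

The IOC is regex-escaped before matching so a domain or URL cannot be misread as a pattern, and the match is case-insensitive so `SFRCLAK.COM` counts as a mention of `sfrclak.com`.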
`darkweb.clearweb` defines the external API endpoints used for non-onion enrichment: `abuseipdb`, `urlscan`, `virustotal`, `shodan`, `malwarebazaar`, and `flare`.

These are consumed selectively by the backend:
- `searchAbuseIPDB()` for IP reputation
- `searchMalwareBazaar()` for hash-based malware sample metadata and family hints
- `searchShodan()` for IP exposure, DNS records, and resolved-host summaries
- `searchUrlscan()` for scan history and domain/URL visibility
- `searchVirusTotal()` for hash reputation
- `searchFlare()` for global event search and leak/event correlation
For each IOC target, the backend currently runs in this order:
- AbuseIPDB
- MalwareBazaar
- Shodan
- URLScan
- VirusTotal
- Flare
- Onion search engines
- Paste site lookups
- Local campaign correlation engine
This order is implemented inside `DarkWebCollector.search()`.
Clear-web sources:
- use direct HTTPS requests through `axios`
- depend on API keys where required
- skip silently when credentials are missing

Onion sources:
- use `SocksProxyAgent`
- route through `TOR_PROXY`
- depend on a working Tor listener such as `127.0.0.1:9050`
The Flare integration uses a two-step backend flow:
- Generate a temporary token from the API key
- Use that bearer token to search global events

Current implementation:

```text
POST https://api.flare.io/tokens/generate
POST https://api.flare.io/firework/v4/events/global/_search
```

Returned event metadata and highlight snippets are normalized into `mentions_found` and `correlation`.
All enrichment results are merged into a single result object with the keys `sources_used`, `mentions_found`, `leaks`, `marketplaces`, `onion_links`, `correlation`, and `enrichment`.

The top-level report also exposes the same normalized enrichment rows in `source_attribution` and `external_references`.

Runtime-oriented output is also normalized in:
- `runtime_observables.runtime_modules`
- `runtime_observables.registry_keys_opened`
- `runtime_observables.files_dropped`
- `runtime_observables.files_deleted`
- `runtime_observables.files_written`
- `runtime_observables.files_opened`
- `runtime_observables.dns_resolutions`
- `runtime_observables.ip_traffic`

`external_references` may include curated:
- Valhalla / Nextron rule links
- VirusTotal collection links
- sandbox report links such as Triage, Intezer, FileScan, Malwares.com, and MalProb.io
- public research and community analysis references

Each enrichment row can now include `source`, `target`, `type`, `confidence`, `match_percent`, `detection_ratio`, `result_url`, and `search_url`.
The backend de-duplicates repeated entries before returning the final report object.
The backend is intentionally fail-soft:
- missing API keys do not stop analysis
- Tor outages do not stop analysis
- individual source failures are ignored silently
- the final report is still generated even when enrichment sources return nothing
This design keeps the CLI usable during offline triage and partial-enrichment scenarios.
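The fail-soft behaviour above, as an added example that is not the project's own code: the loop below runs sources in the page's order, skips any source whose API key is missing, records a failure instead of throwing when a source errors or stalls, de-duplicates the resulting rows, and always returns a report. The source names match the page, but the lookup functions are constructed stand-ins that never touch the network, and the function and field names are assumptions.

```javascript
// Added example (not the project's own code): a fail-soft enrichment loop.
// Sources with a missing key are skipped, failures and timeouts are recorded
// rather than thrown, rows are de-duplicated, and a report always comes back.
// The lookups are constructed stand-ins; function and field names are assumptions.

const DEFAULT_TIMEOUT_MS = 2000;

// Each source declares which environment variable it needs (null = none).
const SOURCES = [
  {
    name: 'abuseipdb', keyVar: 'ABUSEIPDB_KEY',
    lookup: async (t) => [{ source: 'abuseipdb', target: t, type: 'ip', confidence: 90,
      result_url: `https://www.abuseipdb.com/check/${t}` }],
  },
  {
    name: 'virustotal', keyVar: 'VT_KEY',
    lookup: async () => { throw new Error('simulated HTTP 429'); }, // rate-limited stand-in
  },
  {
    name: 'shodan', keyVar: 'SHODAN_KEY',
    // Returns the same row twice to exercise de-duplication.
    lookup: async (t) => {
      const row = { source: 'shodan', target: t, type: 'ip', confidence: 60,
        result_url: `https://www.shodan.io/host/${t}` };
      return [row, { ...row }];
    },
  },
  {
    name: 'onion-search', keyVar: null,
    lookup: () => new Promise(() => {}), // never resolves: an unreachable Tor listener
  },
];

// Reject after ms milliseconds so one stalled source cannot stall the whole run.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Drop repeated rows keyed on source, target and result_url.
function dedupeRows(rows) {
  const seen = new Set();
  const out = [];
  for (const r of rows) {
    const key = `${r.source}|${r.target}|${r.result_url || ''}`;
    if (!seen.has(key)) { seen.add(key); out.push(r); }
  }
  return out;
}

// Run the sources in order; every outcome is recorded and nothing throws.
async function runEnrichment(target, env = process.env,
  { timeoutMs = DEFAULT_TIMEOUT_MS, sources = SOURCES } = {}) {
  const report = { target, sources_used: [], skipped: [], failed: [], enrichment: [] };
  for (const s of sources) {
    if (s.keyVar && !env[s.keyVar]) { report.skipped.push(s.name); continue; }
    try {
      // Promise.resolve().then(...) also catches a lookup that throws synchronously.
      const rows = await withTimeout(Promise.resolve().then(() => s.lookup(target)), timeoutMs);
      report.sources_used.push(s.name);
      report.enrichment.push(...rows);
    } catch (err) {
      report.failed.push({ source: s.name, reason: err.message });
    }
  }
  report.enrichment = dedupeRows(report.enrichment);
  return report;
}

// Demo with whatever keys are in the environment: with none set, every keyed
// source is skipped and the onion stand-in times out, yet a report still comes back.
runEnrichment('142.11.206.73', process.env, { timeoutMs: 500 })
  .then((r) => console.log(JSON.stringify(r, null, 2)));
```

Recording the skipped and failed sources in the report, rather than discarding them, is what lets an analyst tell "no hits" apart from "never queried" when reading a partial-enrichment result.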
These engines are defined in `config/default.js` and are queried through Tor when `--darkweb` is used:
`ahmia`, `onionland`, `torgle`, `amnesia`, `kaizer`, `anima`, `tornado`, `tornet`, `torland`, `findtor`, `excavator`, `onionway`, `tor66`, `oss`, `torgol`, `deep`

Clear-web and paste sources:
- AbuseIPDB
- MalwareBazaar
- Shodan
- URLScan
- VirusTotal
- Flare
- Pastebin mirror search via `psbdmp.ws`
- Ghostbin search
- Onion engines require a working Tor proxy.
- API-backed enrichment requires valid API keys.
- Flare integration uses the documented Flare token flow and then queries the Global Search endpoint.
- `FLARE_TENANT_ID` is optional. If omitted, Flare uses the API key's default tenant.
- `FLARE_SEARCH_SIZE` is capped at 10 to match the documented endpoint limit.
- If Tor or keys are unavailable, the tool still completes analysis and returns a report with empty enrichment results instead of crashing.
The following command paths were locally verified on May 5, 2026 using temporary fixtures:

| Area | Status | Notes |
|---|---|---|
| `--help` | Verified | CLI help renders correctly |
| `--file` | Verified | JSON report generated |
| `--hex` | Verified | JSON report generated |
| `--strings` | Verified | Analysis and report generated |
| `--logs` | Verified | Analysis and report generated |
| `--code` | Verified | Analysis and report generated |
| `--batch` | Verified | `batch_report.json` generated |
| `--ioc` with hash | Verified | IOC-only mode now works correctly |
| `--report` | Verified | Custom JSON path written correctly |
| `--gen-yara` | Verified | YARA file exported |
| `--gen-sigma` | Verified | Sigma file exported |
| `npm.cmd run cli:help` | Verified | Works on Windows |
| `npm.cmd run analyze:file` | Verified | Wrapper works |
| `npm.cmd run analyze:strings` | Verified | Wrapper works |
| `npm.cmd run ioc:search` | Verified | Wrapper works |
| Live MalwareBazaar results | Not live-tested | Requires network access and may optionally use MALWAREBAZAAR_KEY |
| Live VirusTotal or AbuseIPDB results | Not live-tested | Requires valid API keys and network access |
| Live Shodan results | Not live-tested | Requires valid Shodan API key and network access |
| Live Flare results | Not live-tested | Requires valid Flare API key, tenant access, and network access |
| Live onion-engine results | Not live-tested | Requires Tor access and reachable onion services |
- src/parsers/strings.js: printable string extraction with de-duplication
- src/utils/entropy.js: Shannon entropy calculation
- src/utils/crypto.js: MD5, SHA1, SHA256 hashing
- src/utils/patterns.js: regex definitions for URLs, IPs, files, registry keys, mutexes, obfuscation, persistence, and injection
- src/analyzers/static.js: file type, entropy, packing, hashes, and notable strings
- src/analyzers/behavioral.js: behavior inference from strings
- src/analyzers/network.js: domains, IPs, URLs, and C2 detection
- src/analyzers/mitre.js: ATT&CK technique mapping
- src/analyzers/risk.js: severity, impact, scoring, and recommendations
- src/analyzers/detection.js: YARA and Sigma generation
- src/collectors/ioc.js: sample IOC and campaign artifact extraction
- src/collectors/darkweb.js: IOC enrichment across APIs, onion engines, and paste sources
- src/reporters/json.js: JSON, summary text, and STIX export
- Use raw `node src/index.js ...` if you want the most predictable cross-shell behavior.
- On Windows PowerShell, prefer `npm.cmd` instead of `npm` when script-execution policy blocks `npm.ps1`.
- IOC-only mode is for reputation and correlation. Full malware classification still benefits from analyzing the actual sample with `--file` or `--code`.
