About Malware Gallery: A Journey Through Time
The Malware Gallery is a digital museum dedicated to the "Trojan Scene," a term used by the hackers and developers who were actually part of it. This unique era in malware history kicked off in the mid-1990s. As the internet went mainstream, the earliest concepts matured, and the first infamous remote access trojans (RATs) and hacktools began to spread. The scene thrived on raw creativity and passion until around 2010, when it slowly started to fade out.
Today, this platform is actively and progressively documenting, piece by piece, those fifteen years - the golden age - of early Windows hacking tools to preserve a subculture that genuinely laid the groundwork for modern cybersecurity. The legacy of those early RATs hasn't disappeared. You can still see their influence in both today's sophisticated cyber threats and the essential tools security teams use to fight them, like those relied on for penetration testing and adversary simulation - though, unfortunately, they also provided the blueprint for the cyber weapons used by modern threat actors.
The Malware Gallery serves as the perfect platform to explore this niche field. It preserves a vital piece of internet history for those who want to remember it, and offers a window into the past for those who didn't grow up during this era. Whether you are completely new to the topic, working generally in IT, or already deep in the trenches as a penetration tester, malware researcher, or reverse engineer, this collection offers a fascinating look at how it all began.
3.2.0 / Last Update: 2026-04-28
A heartfelt thank you to
For helping me fill the memory gaps and/or providing some lost media and resources.
A Brief History: The Era of the Trojan Scene
Long before malware became a lucrative industry - for both cybercriminals and cybersecurity professionals - there was a fairly small underground subculture. It was made up of hackers, programmers, and enthusiasts obsessed with building the coolest hacktools and Remote Access Trojans (RATs) in what was known as the "Trojan Scene."
On obscure mIRC channels, old-school bulletin boards, and nostalgic messaging apps like ICQ, AIM, and MSN Messenger, hobbyists and "script kiddies" spent hours discussing backdoors, evasion techniques, and malware development. The goal rarely had anything to do with financial gain. People wrote code to learn, to create, to prank their friends and classmates, to earn street cred, or simply for the thrill of it.
Unlike modern malware - which typically relies on a narrow set of functions and advanced stealth to bypass modern defenses like EDRs, XDRs, and NDRs for quiet data theft, ransomware, or espionage - the tools of that era were loud, proud, and built for the beauty of the gesture and a huge dose of fun.
That isn't to say stealth didn't exist back then. In fact, some of the evasion techniques still used today were created during this exact period. But staying invisible wasn't the primary obsession, and these programs weren't designed as surgical weapons for specific crimes. Instead, the focus was on showing off. Developers fiercely competed for prestige in underground communities, packing their RATs with flashy GUIs and a wild variety of features. They wanted to build the ultimate digital Swiss Army knife, giving anyone the power to completely own a target machine with just the click of a button.
A Timeline of Digital Mischief and Evolution
- The Wild West (1995 - 1999): The release of Windows 95 and the mainstream adoption of dial-up internet created a massive, highly vulnerable attack surface. This era saw the release of foundational tools like NetBus (1998), the Cult of the Dead Cow's infamous Back Orifice (1998), and SubSeven (1999). These programs popularized the client-server architecture of remote administration and introduced the world to the concept of unauthorized graphical access.
- The Golden Age of RATs (2000 – 2008): As the internet matured, so did the Trojan Scene. The tools became highly customizable and dangerously feature-rich. Programs like Beast (2002), ProRat (2003), Bifrost (2004), Poison Ivy (2005), and DarkComet (2008) dominated the landscape. This era also saw the standardization of "builders" (tools used to generate custom malware payloads) and "crypters" (software used to hide the payloads from early antimalware engines).
- The Shift to Professionalization (2010 and Beyond): By the end of the 2000s, the amateur, community-driven scene began to fade. The landscape became heavily commercialized. The playful and destructive Trojans of the past were rapidly replaced by organized cybercrime operations, including massive botnets and the earliest iterations of ransomware.
A Dual Legacy
The "Trojan Scene" as we knew it may have ended, but its DNA survived. The GUI-based, client-server models pioneered by teenagers and hobbyists laid the direct groundwork for the tools we see today across the entire cybersecurity spectrum.
On the malicious side, the foundational code and concepts of the late 90s and 2000s evolved into the stealthy infostealer and botnet infrastructure businesses that plague modern networks.
However, this heritage also inspired modern tools used for good. The framework of early RATs influenced the development of legitimate offensive security tools. Today, industry-standard tools like Metasploit, Cobalt Strike, Havoc and Adaptix - just to name a few - owe quite a significant architectural debt to the amateur developers of that period.
Our Mission
The Malware Gallery exists to archive, document, and contextualize this chapter of internet history. By preserving these early hacking tools - not as active threats, but as historical artifacts - we aim to educate researchers, cybersecurity professionals, history enthusiasts, and even complete outsiders about where many modern cyber threats originated and how some of the foundational concepts of offensive security were built.
This mission is a massive effort. With thousands of impactful samples to analyze and document, building this archive will naturally take time. Since I was a product of that era myself, I recall many of these tools and unwritten anecdotes firsthand, and I had the chance to know several of the most important figures in the field. Even so, there are still many gaps in the puzzle and pieces of history yet to be recovered.
Families and releases will be added progressively, piece by piece, as I find the time to research and document them, but I also rely on the collective knowledge of the community. If you have any old media, forgotten stories, or resources that could help fill in those gaps and preserve this history, please don't hesitate to reach out.
My Writings: A Malware Retrospective
In 2023, I embarked on crafting a series of articles titled "A Malware Retrospective." This series delves into the fascinating stories behind some of the most infamous malware projects from the past, featuring exclusive interviews with their original creators. If you're keen to uncover these hidden gems and explore the minds behind the malware, I invite you to follow me on Medium to ensure you don't miss any upcoming stories.
FAQ: Frequently Asked Questions
Can malware samples be downloaded or accessed?
Malware samples cannot be downloaded from this web application for obvious reasons. We are not providing access to malicious tools but rather documenting these samples. Sharing malware samples, even very old ones, is considered illegal most of the time.
Are there any exceptions to the rule against sharing malware samples?
Generally, no. However, you're welcome to contact me, and we can explore if there's a viable solution.
Do you plan to extend this concept to include new malware?
It's not ruled out. Currently, my focus is entirely on the core concept of the website, which is to showcase old malware that had a significant impact on the scene. In the future, extending the concept to include new malware is a possibility, provided it meets certain criteria. This website is akin to an art gallery; malware from the past was considered an art form, distinguished by its uniqueness. Today, samples often appear quite similar, losing some of that individual artistic expression.
I recognize myself as the creator of one of the samples referenced on the site. What should I do?
If you can prove you are the author of one of the referenced samples, I would be happy to redact any personal information that may be present. Additionally, if you wish to provide more details about your former work, I am open to incorporating them. Should you be interested in contributing to the "Malware Retrospective" series, I would be pleased to send you a set of questions to learn more about your insights.
However, since your samples have been made public, only personal information can be removed. The sample information itself, including name, version, author nickname, features, images, etc., cannot be removed.
Another Project You Might Appreciate
I'm also engaged in a project that could capture your interest, focusing this time on Malware Evasion Techniques. This project offers an extensive compilation of strategies used by malware authors to bypass and slow down defense mechanisms. Originally created by Thomas Roccia, I became part of the project's development in 2019. Today, it stands as the most comprehensive database dedicated to malware evasion techniques.
www.unprotect.it
Disclaimer
The content provided on this website — including, but not limited to, text, images, hyperlinks (embedded or explicit), code snippets, and technical descriptions — is intended strictly for educational, informational, and research purposes only. This site exists to promote cybersecurity awareness, support academic and professional research, and illustrate the mechanisms, behaviors, and techniques employed by malicious software in a controlled, responsible context. It is expressly not intended to promote, enable, or facilitate malicious activity of any kind.
While every reasonable effort has been made to ensure that the examples, demonstrations, and discussions presented here omit operationally dangerous or exploitable components, some materials may depict or describe real-world malware techniques. These are included solely to assist researchers, analysts, and students in understanding threat actor methodologies and to further legitimate defensive and forensic education.
Access to and use of this website constitutes explicit agreement to the following terms:
- No Endorsement or Guarantee: The website owner makes no representations or warranties, express or implied, regarding the accuracy, completeness, or reliability of any content. All content is provided “as is” and “as available.”
- Use at Your Own Risk: Any use of the materials — whether for research, reverse engineering, simulation, or analysis — is done solely at the user's own risk. The owner, contributors, and authors of this site shall not be held liable for any damages, loss, disruption, or liability, direct or indirect, resulting from the use, misuse, or interpretation of the content.
- Link Disclaimer: This website may contain links embedded in text, images, or code. These links are provided only for informational convenience and do not constitute an endorsement or validation of any third-party content. Visiting these links is done at your own discretion and risk. The owner disclaims any liability arising from third-party sites or their contents.
- No Authorization for Malicious Use: You are strictly prohibited from using any content or knowledge gained from this website to:
  - Develop, distribute, or deploy malware or malicious utilities.
  - Engage in unauthorized system access, compromise, or intrusion.
  - Bypass security controls or violate laws governing computer use.
- Ethical and Legal Use Only: This content is intended for qualified security professionals, academic researchers, and educators operating within the bounds of applicable laws and ethical standards. If you are uncertain whether your intended use complies with local, national, or international law, you are urged to consult legal counsel before proceeding.
- No Liability for Misuse: The website owner disclaims all responsibility and liability for any outcomes resulting from the improper, unethical, or unlawful application of the information provided. Users assume full responsibility for their actions, decisions, and consequences arising from interaction with this content.
- Due Diligence Expected: Users are expected to exercise independent judgment, critical thinking, and due diligence when engaging with any content hosted on this website.
By continuing to use or access this website, you affirm that you understand and accept the above terms, and that you will conduct yourself responsibly, ethically, and within the limits of all applicable laws.