OFFSITE.DARK

VX Underground

Overview

VX Underground (vx-underground.org) is one of the largest public malware archives and threat research repositories. It hosts samples, papers, ebooks, training material, and community collections spanning decades of malware history.

Collections include APT reports, ransomware builds, proof-of-concept exploit code, and educational texts (e.g., classic virus writing manuals for historical study). The site has survived multiple takedown attempts and has mirrors; check the current domain status.

Researchers use vx-underground for offline sample retrieval, comparing hash variants, and accessing papers not on arXiv or publisher sites. Telegram/Discord communities often announce new uploads.

Operational security: downloading known malware triggers AV/EDR. Use isolated VMs, verify hashes, and comply with local computer misuse laws.

Primary use cases

  • Retrieving samples referenced in threat intel reports
  • Malware research coursework and historical analysis
  • Locating leaked builder source for signature development
  • Archive backup when private shares disappear

Detection / defense notes

  • Network egress filtering from analysis VLANs
  • YARA sweep after any extraction from archive downloads

Related tools

  • Church of Malware: Curated malware corpus and reference library. Indexed samples, writeups, and scripture-style documentation for researchers tracing lineage and behavior.
  • Sploitus: Exploit and tool search engine. Aggregates Exploit-DB, GitHub PoCs, and Metasploit modules into one query interface.
  • YARA: Malware identification language. String/hex patterns with boolean conditions over scanned files.