
REMnux v8: 15 Years of Building a Malware Analysis Toolkit

REMnux v8 adds AI capabilities, updates the tools and the base OS, and uses a new, more resilient installer. After 15 years and eight major releases, the toolkit continues to evolve to reflect the needs of the malware analysis community.


REMnux v8 is now available. It’s a free, open source Linux toolkit with over 200 tools for analyzing malicious software. You can run it as a VM, a Docker container, or install it onto an existing system.

I released the first version of REMnux in 2010 to package the utilities I needed for teaching malware analysis and to share the toolkit with the community. Fifteen years and eight major releases later, the toolkit continues to evolve in step with malware trends and analysts’ needs. Some of the tools have faded as maintainers switched interests or jobs, while new ones appeared to address industry needs.

Preparing for AI Agents

The most notable change in REMnux v8 is the support for AI-assisted malware analysis. The new REMnux MCP server connects AI agents to the distro’s tools with practitioner guidance built in. The docs include a new “Use Artificial Intelligence” tool category that lists OpenCode as a terminal-based AI coding agent, GhidrAssistMCP for AI-assisted reverse engineering in Ghidra, and the r2ai and decai plugins for Radare2.

Even apart from the MCP server, the toolkit's documented tools and predictable command-line interfaces make it straightforward for AI agents to invoke them.

Tool Additions

Notable tool additions include YARA-X (a Rust rewrite of YARA) with YARA-Forge rules, GoReSym and Redress for Go binary analysis, Manalyze for PE inspection, and LIEF for PE/ELF/Mach-O parsing. For Python-based malware: pyinstxtractor-ng and uncompyle6; AutoIt-Ripper extracts compiled AutoIt scripts. APKiD handles Android analysis, origamindee handles PDFs, and zbar-tools decodes QR codes.
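As an added example (this is not REMnux's own code), the following Python helper does what an analyst does before reaching for the tools listed above: it sniffs a sample's container format, checks for embedded payloads that need their own tooling, and returns which of the listed tools apply. The sample inputs are constructed header fragments, not real malware; the tool names are labels for the tools above rather than exact command lines; and the Go build-info magic, PyInstaller CArchive cookie and compiled-AutoIt marker are assumed signatures drawn from those projects' file formats, not from this page.

```python
"""Route a sample to REMnux v8 tools by sniffing its format (added example)."""
import io
import struct
import zipfile

# Magic values from the respective format specifications.
MACHO_THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit BE/LE
                     b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # 64-bit BE/LE
MACHO_FAT_MAGIC = b"\xca\xfe\xba\xbe"                            # shared with Java .class
# Assumed embedded-payload markers (from the projects' own formats, not this page).
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID: ")            # Go build info / build ID
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"                  # PyInstaller CArchive cookie
AUTOIT_MARKER = b"AU3!EA06"                                      # compiled AutoIt v3 script


def is_pe(data: bytes) -> bool:
    """MZ stub plus a valid e_lfanew that points at the PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_elf(data: bytes) -> bool:
    return data[:4] == b"\x7fELF"


def is_macho(data: bytes) -> bool:
    """Thin Mach-O, or a fat binary. The fat magic collides with Java class
    files, so use the same heuristic as file(1): a fat header has a small nfat_arch."""
    if data[:4] in MACHO_THIN_MAGICS:
        return True
    if data[:4] == MACHO_FAT_MAGIC and len(data) >= 8:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        return 0 < nfat_arch <= 30
    return False


def is_pdf(data: bytes) -> bool:
    """PDF readers tolerate junk before the header, so search the first 1 KiB."""
    return b"%PDF-" in data[:1024]


def is_apk(data: bytes) -> bool:
    """An APK is a ZIP archive that carries AndroidManifest.xml."""
    if data[:2] != b"PK":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def triage(data: bytes):
    """Return (format label, list of suggested REMnux tools) for raw sample bytes."""
    if is_pe(data):
        label, tools = "pe", ["manalyze", "lief"]      # Manalyze is PE-only
    elif is_elf(data):
        label, tools = "elf", ["lief"]
    elif is_macho(data):
        label, tools = "macho", ["lief"]
    elif is_apk(data):
        return "apk", ["apkid"]
    elif is_pdf(data):
        return "pdf", ["origamindee"]
    else:
        return "unknown", []
    # Native executables may embed payloads that need their own extractors.
    if any(m in data for m in GO_MARKERS):
        label, tools = label + "+go", tools + ["goresym", "redress"]
    if PYINSTALLER_COOKIE in data:
        label, tools = label + "+pyinstaller", tools + ["pyinstxtractor-ng", "uncompyle6"]
    if AUTOIT_MARKER in data:
        label, tools = label + "+autoit", tools + ["autoit-ripper"]
    return label, tools


# Constructed inputs: just enough header for the checks above to fire.
def sample_pe(overlay: bytes = b"") -> bytes:
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr) + overlay


def sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", "dex\n035")
    return buf.getvalue()


SAMPLES = {
    "pe": sample_pe(),
    "pe_pyinstaller": sample_pe(b"\x00" * 16 + PYINSTALLER_COOKIE + b"\x00" * 24),
    "pe_autoit": sample_pe(AUTOIT_MARKER),
    "elf_go": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\xff Go buildinf:" + b"\x00" * 16,
    "macho_fat": b"\xca\xfe\xba\xbe" + struct.pack(">I", 2),
    "java_class": b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52),  # looks fat, is not
    "apk": sample_apk(),
    "pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} -> {triage(blob)}")
```

The Java-class sample is the edge case worth keeping: it starts with the same four bytes as a fat Mach-O, and a magic-only check would hand it to LIEF, so the fat branch reads the architecture count before committing. Substring matching for the Go, PyInstaller and AutoIt markers is deliberately loose; it is a routing hint, and the extractor each marker points to does the real validation.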

Behind the Scenes

Ubuntu 24.04 (Noble) replaces Ubuntu 20.04 (Focal) as the base. A new Cast-based installer from Erik Kristensen replaces remnux-cli, for more resilient setup and upgrades.

As the REMnux virtual appliance and container images grew, so did the challenge of making them available for download. Fortunately, Cloudflare accepted REMnux into Project Alexandria, its open-source support program, which now hosts the virtual appliance files. Similarly, the REMnux Docker images benefit from the Docker Open Source Program.

Acknowledgments

Corey Forman assists with tool packaging, testing, and ideation, doing the work out of the spotlight. His expertise broadens what the toolkit can offer. Having him as a collaborator inspires me to continue putting energy into the project.

Erik Kristensen designed the Cast-based installer and built the SaltStack-based provisioning architecture that has powered REMnux since v7.

In addition to the free hosting provided by Cloudflare and Docker, REMnux benefits from the generous free tiers of GitHub (source control and some file hosting), GitBook (documentation), and Canonical Launchpad (package hosting).

Thank you to the authors of the tools that comprise the REMnux toolkit. These individuals and companies have shared their time and expertise to continue moving our community forward.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.
