REMnux v8: 15 Years of Building a Malware Analysis Toolkit
REMnux v8 adds AI capabilities, updates the tools and the base OS, and uses a new, more resilient installer. After 15 years and eight major releases, the toolkit continues to evolve to reflect the needs of the malware analysis community.
REMnux v8 is now available. It’s a free, open source Linux toolkit with over 200 tools for analyzing malicious software. You can run it as a VM, a Docker container, or install it onto an existing system.
I released the first version of REMnux in 2010 to package the utilities I needed for teaching malware analysis and to share the toolkit with the community. Fifteen years and eight major releases later, the toolkit continues to evolve in step with malware trends and analysts’ needs.
Preparing for AI Agents
The most notable change in REMnux v8 is the support for AI-assisted malware analysis. The new REMnux MCP server connects AI agents to the distro’s tools with practitioner guidance built in. The toolkit’s documented tools and predictable interfaces also make it particularly useful to AI agents.
The updated documentation includes a new “Use Artificial Intelligence” tool category that lists OpenCode as a terminal-based AI coding agent, GhidrAssistMCP for AI-assisted reverse engineering in Ghidra, and the r2ai and decai plugins for Radare2. There will be more.
Tool Additions
As malware trends evolve, so do the tools that analysts require. New tools appear and some fade away. In the v8 release, I removed the tools that are no longer relevant or maintained. More excitingly, I added several new ones to the toolkit.
Notable additions include YARA-X (a Rust rewrite of YARA) with YARA-Forge rules, GoReSym and Redress for Go binary analysis, and Manalyze and LIEF for PE/ELF/MachO parsing. For Python-based malware: pyinstxtractor-ng, uncompyle6, and AutoIt-Ripper. APKiD handles Android analysis, origamindee handles PDFs, and zbar-tools decodes QR codes.
In addition to refreshing the tools available in the REMnux distro, I also refreshed the ones available as standalone Docker images. For example, PyLingual, an ML-based decompiler for Python, is now available.
Behind the Scenes
Ubuntu 24.04 (Noble) replaces Ubuntu 20.04 (Focal) as the base OS. A new Cast-based installer from Erik Kristensen replaces remnux-cli, for more resilient setup and upgrades.
As the size of the REMnux virtual appliance and containers grew, so did the challenges of making them available for download. Fortunately, Cloudflare accepted REMnux into Project Alexandria, their open-source support program, which helps host the virtual appliance files. Similarly, REMnux Docker images benefit from the Docker Open Source Program.
Acknowledgments
Corey Forman assists with tool packaging, testing, and ideation, doing the work out of the spotlight. His expertise broadens what the toolkit can offer. Having him as a collaborator inspires me to continue putting energy into the project.
Erik Kristensen designed the Cast-based installer architecture and built the SaltStack architecture that has powered REMnux since v7.
In addition to benefiting from the free hosting provided by Cloudflare and Docker, REMnux also benefits from the generous free tiers of GitHub (source control and some file hosting), GitBook (documentation), and Canonical Launchpad (package hosting).
Many thanks to the authors of the tools that comprise the REMnux toolkit. These individuals and companies have shared their time and expertise to move our community forward.