DEV Community

Alex Spinov

MalwareBazaar Has a Free API — Download and Analyze Malware Samples Programmatically

The Story

A security researcher friend asked me: where do you get malware samples for analysis without risking infection? You cannot just google 'download malware'. That is how you GET malware.

The answer: MalwareBazaar by abuse.ch — a free, open malware sample repository with an API.

What Is MalwareBazaar?

MalwareBazaar is a project by abuse.ch that collects and shares malware samples. Security researchers upload samples, tag them, and share indicators of compromise (IOCs).

It is used by antivirus companies, SOC teams, and security researchers worldwide.

The API

# Get recent malware samples
curl -s -X POST "https://mb-api.abuse.ch/api/v1/" \
  -d "query=get_recent&selector=100"

# Search by tag (e.g., Emotet)
curl -s -X POST "https://mb-api.abuse.ch/api/v1/" \
  -d "query=get_taginfo&tag=emotet"

# Search by file hash
curl -s -X POST "https://mb-api.abuse.ch/api/v1/" \
  -d "query=get_info&hash=SHA256_HASH_HERE"

# Get signature info
curl -s -X POST "https://mb-api.abuse.ch/api/v1/" \
  -d "query=get_siginfo&signature=Emotet"

No API key required.

Practical Example: Track Malware Trends

import requests
from collections import Counter

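def get_recent_malware(limit=100):
    """Return the most recent samples as a list of dicts (empty if none)."""
    r = requests.post(
        "https://mb-api.abuse.ch/api/v1/",
        data={"query": "get_recent", "selector": str(limit)},
        timeout=30,  # do not hang forever on a stalled connection
    )
    r.raise_for_status()  # surface HTTP errors instead of parsing an error page
    return r.json().get("data") or []  # "data" can be missing or null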

# Get latest 100 samples
samples = get_recent_malware(100)

# Count by signature
signatures = Counter(s.get("signature") for s in samples if s.get("signature"))
print("Top malware families (last 100 samples):")
for name, count in signatures.most_common(10):
    print(f"  {name}: {count} samples")

# Count by file type
types = Counter(s.get("file_type") for s in samples)
print("\nFile types:")
for ft, count in types.most_common(5):
    print(f"  {ft}: {count}")

Use Cases

  1. Threat intelligence — Track which malware families are most active
  2. AV testing — Download samples to test your detection rules
  3. Research — Analyze malware behavior in sandboxes
  4. IOC feeds — Import hashes into your SIEM/EDR
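
For use case 4, the following added example (not code from the original post or from abuse.ch) turns a get_recent style response into a validated, de-duplicated CSV of SHA-256 indicators for a watchlist import. It assumes the response fields `query_status`, `sha256_hash`, `signature` and `first_seen`; the function names, the CSV columns and the sample data are constructed for illustration.

```python
import csv
import io
import json
import re

SHA256_RE = re.compile(r"[0-9a-f]{64}")
FIELDS = ["indicator", "type", "family", "first_seen"]  # assumed column layout

# Constructed sample shaped like a get_recent response; the hashes are fake.
SAMPLE_RESPONSE = json.dumps({"query_status": "ok", "data": [
    {"sha256_hash": "a" * 64, "signature": "Emotet", "first_seen": "2024-01-01 10:00:00"},
    {"sha256_hash": "A" * 64, "signature": "Emotet", "first_seen": "2024-01-01 10:05:00"},
    {"sha256_hash": "b" * 64, "signature": None, "first_seen": "2024-01-01 11:00:00"},
    {"sha256_hash": "not-a-hash", "signature": "AgentTesla", "first_seen": None},
]})


def to_ioc_rows(response_text, families=None):
    """Turn an API response into validated, de-duplicated IOC rows."""
    body = json.loads(response_text)
    if body.get("query_status") != "ok":
        raise ValueError(f"API returned status {body.get('query_status')!r}")
    wanted = {f.lower() for f in families} if families else None
    seen, rows = set(), []
    for sample in body.get("data") or []:
        sha = str(sample.get("sha256_hash") or "").strip().lower()
        family = sample.get("signature") or "unknown"  # signature may be null
        if not SHA256_RE.fullmatch(sha) or sha in seen:
            continue  # malformed value or duplicate of an earlier row
        if wanted is not None and family.lower() not in wanted:
            continue  # caller asked for specific families only
        seen.add(sha)
        rows.append({"indicator": sha, "type": "sha256", "family": family,
                     "first_seen": sample.get("first_seen") or ""})
    return rows


def rows_to_csv(rows):
    """Serialize rows as CSV text for a SIEM/EDR watchlist import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(to_ioc_rows(SAMPLE_RESPONSE)))
```

Rejecting anything that is not exactly 64 hex characters keeps a malformed or truncated feed entry from becoming a watchlist row that can never match.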

The abuse.ch Ecosystem

| Service | What It Does | API Key |
|---|---|---|
| MalwareBazaar | Malware samples | Not needed |
| URLhaus | Malicious URLs | Not needed |
| ThreatFox | IOCs (IPs, domains, URLs) | Not needed |
| Feodo Tracker | Botnet C2 servers | Not needed |
| SSL Blacklist | Malicious SSL certs | Not needed |
All free. All open. All no-key.

More security APIs: Free Security APIs


Do you analyze malware samples? What sandbox or analysis tool do you use? Share your setup in the comments!

Follow me for daily free API discoveries and security tools.
