I got tired of Ctrl-F'ing PDFs for malware family names so I built a catalog

jordanricky1604-ship-it — Tue, 02 Jun 2026 17:06:16 +0000

Quick backstory. I do MSP work and a chunk of my week is triage. Something pops on an endpoint, you get a family name back from whatever tool flagged it, and now you're trying to figure out if this thing is a banker, a loader, a wiper, ransomware, whatever. Half the time the top Google hit is a vendor blog from 2019 with a popup begging you to download a whitepaper. The other half is some forum thread where the actual useful comment got deleted.

So I made a thing. It's just a static site with one page per malware family. 2,899 of them, pulled from the EMBER 2018 list (Endgame's dataset, the one a lot of ML-for-malware papers train against). Each family gets its own URL like /families/emotet.html, /families/trickbot.html and so on. Nothing fancy. No JS framework. Just HTML you can land on from a search result and read in two seconds.

Live here if you want to poke at it: https://jordanricky1604-ship-it.github.io/malware-families-catalog/

Why bother. Honestly because I kept hitting the same wall. You're on a call, the SOC analyst on the other side says "we're seeing Qakbot", and you want a one-pager you can skim while they keep talking. Not a 40 page report. Not a paywall. Just "here's what this is, here's what it usually does, here's a couple of references." That's the whole pitch.

The other annoying thing was discoverability. If I dump a CSV on HuggingFace nobody searching for a specific family name is going to find it. The CSV is one URL. But if every family is its own page with the name in the title tag and the H1, then someone Googling "what is njRAT" can actually land on it. That was the bet anyway. Still waiting to see how Google feels about it but Bing already indexed ~250 URLs which I'll take.

I also mirrored the dataset to HuggingFace (https://huggingface.co/datasets/Jordan123234/malware-families-catalog) and Kaggle (https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog) because that's where ML folks actually go looking. The GitHub Pages site is the canonical though, the other two are mirrors that point back.

A few things I learned that might save someone else time:

Generating 2,899 HTML files from a template is fine. The slow part isn't the generation, it's getting Pages to actually finish building. I had to split things or it would time out.
Sitemaps matter way more than I expected. I had the pages live for like a week before I realised Search Console wasn't picking them up because my sitemap was only listing the index. Once I generated a proper sitemap with every family URL in it the crawl rate jumped immediately.
Don't name your files with weird characters. Some of the family names in EMBER have slashes, dots, parentheses. I lowercased and stripped everything down to [a-z0-9-] and kept a mapping file. Worth it.
If you cross-link aggressively (A-Z index, related families, prev/next nav) crawlers will actually follow. If you just dump 2,899 orphan pages and pray, they sit there forever.

It's Apache 2.0 so do whatever you want with it. PRs welcome if you want to add a reference or fix a family description, there's a decent chance I got something wrong on a less common one. The build pipeline is in the repo too if you want to fork it for a different taxonomy (CVEs, threat actors, whatever).

That's it. Going back to my actual job now.

I open-sourced a Malware Families Catalog built on EMBER 2018

jordanricky1604-ship-it — Fri, 29 May 2026 23:12:14 +0000

What it is

I just released an open-source dataset that maps EMBER 2018 malware family labels to a unified, structured catalog. It's published identically on three platforms so you can pull it whichever way fits your workflow:

GitHub Pages (canonical): https://jordanricky1604-ship-it.github.io/malware-families-catalog/
HuggingFace: https://huggingface.co/datasets/Jordan123234/malware-families-catalog
Kaggle: https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog

License is Apache-2.0. The schema is identical across all three so you can swap loaders without touching the rest of your pipeline.

Why I built it

The EMBER 2018 benchmark from Elastic is one of the most widely used static-PE malware classification datasets — but the family label column is sparse and noisy, and there's no canonical companion that catalogs which families appear, how often, and what's known about them. Most projects either drop the family labels entirely (and just do benign/malicious classification) or hand-roll their own family lookup table.

I wanted a clean, honest catalog you can join against EMBER without having to do that work yourself.

A few constraints I held myself to while building it:

No fabricated facts. If a family is obscure or unattributed, the record says so. I'd rather have a null than a confident-sounding hallucination.
No manual removal instructions. This is a research dataset, not a how-to. Records describe what a family is and link out to authoritative sources where appropriate.
One schema everywhere. Same columns, same types, same row counts on HF, Kaggle, and GitHub. The README on each platform points at the others.

How to load it

From HuggingFace:

from datasets import load_dataset
ds = load_dataset("Jordan123234/malware-families-catalog")

From Kaggle (via the Kaggle CLI):

kaggle datasets download -d rickyjordan/malware-families-catalog

From GitHub Pages (raw files):

curl -O https://jordanricky1604-ship-it.github.io/malware-families-catalog/data/families.csv

What's next

I'd love feedback — especially from people who've worked with EMBER and have opinions about which family attributes are most useful for downstream classifiers. Open an issue on the GitHub repo if anything looks off.

If you find it useful, a star on the repo helps surface it for the next person searching for the same thing.