Citadel is a binary static analysis framework for payload analysis and malware research. It helps identify why implants are being detected statically by providing comprehensive PE parsing, capability detection, and similarity analysis through a modern web interface.
| Date | Blog |
|---|---|
| 15-01-2025 | Citadel: Binary Static Analysis Framework |
| 28-06-2025 | Citadel 2.0: Predicting Maliciousness |
| 26-09-2025 | Using EMBER2024 to evaluate red team implants |
Citadel addresses the frustration of static detection analysis by providing the following features:
- Remote Analysis: HTTP API to avoid copying files to VMs where Defender might interfere
- Comprehensive PE Parsing: Multiple parsers for thorough binary analysis
- Capability Detection: MITRE ATT&CK and Malware Behavior Catalog mapping
- Similarity Analysis: TLSH fuzzy hashing for sample clustering
- Modern UI: Clean dashboard for analysis results with multiple visualizations
Citadel requires the following:
- Python 3.10+
- MongoDB
- Windows VM (for the .NET agent)
install.sh will install the following:
- Python 3.10
- Radare2
- MongoDB
- Citadel
- TLSH database (from data/tlsh.tar.gz)
```
bash install.sh
```
In one pane, run:
```
uv run frontend/app.py
```
Then in another pane, run:
```
uv run worker.py
```