About
Atomdrift is an end-to-end open-source pipeline for AI-based malware detection. cleave decomposes a binary or package into capabilities mapped to MITRE ATT&CK and the Malware Behavior Catalog. azoth, an open-source model trained on that schema, classifies the result. litmus is the scanner that drives them. ELF, PE, Mach-O, Python, npm, VS Code extensions — whatever supply chains ship.
Everything is Apache 2.0. If you can't see behind the curtains, it's not security — it's theater.
News
- 2026-04-28 Release Mania: stng v1.2.1, cleave v1.2.0, litmus v1.1.0. cleave fixes a class of rayon deadlocks, parses Python pickle and MSI-embedded PE, and skips rizin on Go binaries for a real speedup; litmus gains worker-mode fleet scanning behind a hardened HTTP server; stng stops mis-flagging Kotlin as Python.
- 2026-04-21 stng v1.2.0. Preserves Telegram bot tokens, JWTs, and Swift mangled symbols that the chaos filter was dropping; cuts XOR IP false positives inside binary data tables.
- 2026-04-10 stng v1.1.8. Aho-Corasick rewrite of XOR/string classification and parallel disassembly via iced-x86; fixes a PE/XOR bug that was missing office_update-style samples.
- 2026-04-10 cleave v1.1.0. PE Authenticode chain extraction and ~100 new ELF/Mach-O fields; archive scanning raised from 1K to 100K members; V4 output schema (breaking change).
- 2026-03-26 litmus v1.0.0. First tagged release. Open-source malware classifier with TreeSHAP-explained verdicts; CPU-only, offline, no telemetry. Default model is beta and not production-ready yet.
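The stng v1.2.0 entry above mentions cutting XOR IP false positives inside binary data tables. The following is an added illustration of that class of check, not stng's own code: a single-byte-XOR scan for dotted-quad IPv4 strings with one cheap guard, namely that the decoded string must be NUL-terminated under the same key, which random table bytes almost never are. The sample buffer, the guard, and every function and type name here are constructed for this example and are not taken from the project.

```rust
// Added example (not stng's implementation): brute-force single-byte XOR
// keys, look for dotted-quad IPv4 strings, and drop candidates that are not
// NUL-terminated under the same key. Everything below is illustrative.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct XorHit {
    pub offset: usize, // offset of the first raw byte of the match
    pub key: u8,       // 0 means the string was already in cleartext
    pub text: String,
}

fn is_digit(b: u8) -> bool {
    b.is_ascii_digit()
}

/// Try to parse exactly four dotted octets (each 0..=255, no leading zeros)
/// starting at `pos` in the decoded buffer. Returns the exclusive end index.
fn parse_quad(dec: &[u8], pos: usize) -> Option<usize> {
    let mut i = pos;
    for group in 0..4 {
        if group > 0 {
            if dec.get(i) != Some(&b'.') {
                return None;
            }
            i += 1;
        }
        let start = i;
        while i < dec.len() && i - start < 3 && is_digit(dec[i]) {
            i += 1;
        }
        let digits = &dec[start..i];
        if digits.is_empty() || (digits.len() > 1 && digits[0] == b'0') {
            return None; // empty group, or "010"-style table noise
        }
        let v: u32 = std::str::from_utf8(digits).ok()?.parse().ok()?;
        if v > 255 {
            return None;
        }
    }
    // The quad must be delimited: no further digit or dot on either side.
    if i < dec.len() && (is_digit(dec[i]) || dec[i] == b'.') {
        return None;
    }
    if pos > 0 && (is_digit(dec[pos - 1]) || dec[pos - 1] == b'.') {
        return None;
    }
    Some(i)
}

/// True if the printable run starting at `from` ends in a NUL within `max`
/// bytes, i.e. the candidate looks like a C string under this key.
fn nul_terminated(dec: &[u8], from: usize, max: usize) -> bool {
    let mut i = from;
    while i < dec.len() && i - from < max {
        match dec[i] {
            0 => return true,
            0x20..=0x7e => i += 1,
            _ => return false,
        }
    }
    false
}

/// Scan `data` under all 256 single-byte keys. With `require_nul` set, a
/// quad is only reported if its decoded string is NUL-terminated.
pub fn find_xor_ipv4(data: &[u8], require_nul: bool) -> Vec<XorHit> {
    let mut hits = Vec::new();
    let mut dec = vec![0u8; data.len()];
    for key in 0..=255u8 {
        for (d, s) in dec.iter_mut().zip(data) {
            *d = *s ^ key;
        }
        let mut pos = 0;
        while pos < dec.len() {
            if is_digit(dec[pos]) {
                if let Some(end) = parse_quad(&dec, pos) {
                    if !require_nul || nul_terminated(&dec, end, 256) {
                        let text = String::from_utf8_lossy(&dec[pos..end]).into_owned();
                        hits.push(XorHit { offset: pos, key, text });
                    }
                    pos = end;
                    continue;
                }
            }
            pos += 1;
        }
    }
    hits
}

fn xor(s: &[u8], key: u8) -> Vec<u8> {
    s.iter().map(|b| b ^ key).collect()
}

/// Constructed sample: a XOR-encoded C string ("10.0.0.1:443\0" under 0x5a)
/// next to a fake data table that decodes to "7.7.7.7" under 0x21 but is
/// followed by a non-printable, non-NUL byte.
pub fn sample() -> Vec<u8> {
    let mut buf = vec![0u8; 8];
    buf.extend(xor(b"10.0.0.1:443\0", 0x5a));
    buf.extend_from_slice(&[0xff; 8]);
    buf.extend(xor(b"7.7.7.7", 0x21));
    buf.push(0x21 ^ 0x80);
    buf.extend_from_slice(&[0; 4]);
    buf
}

fn main() {
    let buf = sample();
    println!("unguarded: {:?}", find_xor_ipv4(&buf, false));
    println!("guarded:   {:?}", find_xor_ipv4(&buf, true));
}
```

Without the guard the table region is reported as a second "IP" under key 0x21; with it only the genuine NUL-terminated string at offset 8 survives. A real extractor would layer more such plausibility checks, but the NUL-termination test alone removes most single-key chance matches from dense binary tables.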
Projects
- litmus (beta): Malware analysis CLI that classifies binaries, scripts, and source using open-source ML models like azoth, fed by capabilities extracted from cleave.
- azoth (coming soon): The first open-source AI model for general malware detection. Classifies on cleave-extracted capabilities across 20+ languages and six binary formats; runs on CPU.
- cleave (stable): AST-aware software decomposition engine for supply-chain security. Detects capabilities and behaviors across 20+ languages and six binary formats in a single pass.
- stng (stable): Modern string extraction for binary analysis — all of the good stuff, none of the garbage. Useful for initial triage, C2 enumeration, credential extraction, and signature development.
- xgboost-ars (stable): Pure Rust XGBoost inference with exact TreeSHAP. No ONNX, no C++ runtime; runs anywhere Rust does.
- c.diff (design phase): Context-driven molecular drift detection. Tracks how code atoms shift across versions and dependencies.