MoP – “Master of Puppets” – Advanced malware tracking framework revealed at BlackHat Arsenal 2019.

Omri Ben Bassat

At BlackHat Arsenal 2019, Intezer researcher Omri Ben-Bassat revealed an open-source tool called MoP (“Master of Puppets”), a framework for reverse engineers who wish to create and operate trackers for new malware found in the wild for research purposes.

To make it simple: the MoP framework takes care of all the generic malware-tracker plumbing, so the reverse engineer is left with pure reverse engineering work. You only need to implement a simple plugin on top of MoP which describes the malware’s network protocol.

MoP ships with a variety of workstation simulation capabilities, such as a fake filesystem manager, a fake process manager, multi-worker orchestration, TOR integration and more, all of which aim to deceive adversaries into interacting with our simulated environment and possibly drop new unique samples. Since everything is done in pure Python, no virtual machines or Docker containers are needed and no actual malicious code is executed.

This enables you to scale up at the click of a button, connecting to potentially thousands of different malicious servers at once from a single instance running on a single laptop. The MoP framework comes with a number of pre-built plugins for known RATs, such as NjRAT and Gh0stRAT. Find it on GitHub.
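To make the plugin idea from the two paragraphs above concrete, here is an added sketch (not MoP’s own code or API) of a tracker plugin for an invented, length-prefixed RAT protocol: the plugin answers “list directory” requests from an in-memory fake filesystem, acknowledges “execute” requests without running anything, and records the operator’s commands. The protocol, the `FakeFileSystem` class and the `ConstructedRatPlugin` class are all assumptions made for this illustration.

```python
"""Added illustration (not MoP's real API) of the 'fake victim' idea: a tracker
plugin describes an invented RAT wire format and answers its commands from a
simulated filesystem, so no real host data is exposed and nothing is executed."""
import struct
from typing import Dict, List


class FakeFileSystem:
    """In-memory directory tree standing in for the victim's disk (constructed)."""
    def __init__(self) -> None:
        self.tree: Dict[str, List[str]] = {
            "C:\\Users\\victim\\Documents": ["report.docx", "notes.txt"],
            "C:\\Windows\\System32": ["cmd.exe", "svchost.exe"],
        }

    def listdir(self, path: str) -> List[str]:
        return self.tree.get(path, [])


class ConstructedRatPlugin:
    """Plugin for an invented protocol: 4-byte big-endian length prefix, then
    ASCII fields separated by '|'. Commands: PING, LS <path>, EXEC <cmdline>."""
    def __init__(self, fs: FakeFileSystem) -> None:
        self.fs = fs
        self.seen_commands: List[str] = []  # operator activity worth logging

    @staticmethod
    def frame(payload: bytes) -> bytes:
        return struct.pack(">I", len(payload)) + payload

    @staticmethod
    def unframe(data: bytes) -> bytes:
        (n,) = struct.unpack(">I", data[:4])
        body = data[4:4 + n]
        if len(body) != n:
            raise ValueError("truncated frame")
        return body

    def handle(self, data: bytes) -> bytes:
        """Decode one framed command and return the framed reply."""
        fields = self.unframe(data).decode("ascii").split("|")
        self.seen_commands.append(fields[0])
        if fields[0] == "PING":
            reply = "PONG"
        elif fields[0] == "LS" and len(fields) > 1:
            reply = "LS|" + ";".join(self.fs.listdir(fields[1]))
        elif fields[0] == "EXEC":
            reply = "OK"  # report success, but never run the command
        else:
            reply = "ERR"
        return self.frame(reply.encode("ascii"))
```

A real plugin would replace the invented framing with the malware family’s actual wire format and hand `seen_commands` to the tracker’s logging, which is where the intelligence value of the fake victim comes from.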

TOR integration

Real NjRAT server with fake victim connected from MoP instance

Omri Ben Bassat

Ex-officer in the IDF CERT. Malware analyst and a reverse engineer with vast experience in dealing with nation-state sponsored cyber attacks. Omri is the creator of Master of Puppets (MoP)—an open-source framework for reverse engineers who wish to create and operate trackers for new malware found in the wild—which was presented during the Black Hat USA 2019 Arsenal.
