
Malware Orchestration & Reverse engineering
Detection Operations Runtime
“One does not simply walk into Mordor—
and no malware simply hides within it.”
/PHASES
The Pipeline
Six phases of analysis, each with agents that actually know their tools. No malware slips through — not even packed, obfuscated, or encrypted.
FINGERPRINT
Hash computation, OSINT lookups, string extraction, import analysis, crypto constant detection, packer heuristics.
FILTER & GROUP
Noise removal, signal clustering by category, adversarial review. Gollum must give 3 benign explanations before flagging.
HYPOTHESIZE
Build structured hypotheses per category — persistence, C2, injection, collection, exfiltration — with confidence scoring.
MAP STRUCTURE
Ghidra decompilation, XREF mapping, dual-tool cross-validation with radare2. Every flagged function must have a caller.
DEEP ANALYSIS
Rank hypotheses by risk score. Saruman (Claude Opus) activated only for CRITICAL confidence paths (>85%).
VALIDATE
Frida runtime hooks, x64dbg traces, Wireshark network capture, YARA matching, Volatility3 memory forensics, CyberChef deobfuscation.
/AGENTS
The Fellowship
Sixteen agents, each wired to a real tool. LangGraph decides who talks when.
Orchestrator: Claude Sonnet 4.5
Deep Analyzer: Claude Opus
Static Analysis: GhidraMCP
Cross-validation: radare2-mcp
Runtime Hooking: Frida
Debugger: x64dbg
Network Behavior: Wireshark
OSINT / Recon: Shodan
IoC Matching: YARA
Deobfuscation: CyberChef
Memory Forensics: Volatility3
Sandbox Isolation: Docker
Adversarial Review: LLM (anti-FP)
Triage: LLM
Case Memory: filesystem persistence
IOC Export: STIX2 / YARA / Sigma
/CAPABILITIES
Built for Scale
For people who reverse malware for a living. Depth when you need it, speed when you don't.
Multi-Agent Pipeline
Six-phase analysis orchestrated by LangGraph — from fingerprinting through dynamic validation. Each phase assigns the right agent and tool.
Adversarial Anti-FP
Gollum enforces a three-benign-reasons gate before any CRITICAL classification. Dual-tool cross-validation with LEGOLAS + ELROND.
Confidence Scoring
BOROMIR scores every signal and hypothesis (0-100). CRITICAL > 85%, SUSPICIOUS 50-85%, INFO < 50%. SARUMAN activated only for CRITICAL paths.
Triple Confirmation Gate
Static flag → FRODO runtime confirm → PIPPIN network confirm. All three must agree for CRITICAL. Harder to get a false positive through.
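The scoring bands, the anti-FP gate and the triple confirmation gate described above, modelled in Python as an added example (not MORDOR's own code). The thresholds are the page's; the field names, function names and the assumption that each benign explanation must have been ruled out before the gate opens are mine.

```python
# Added example, not MORDOR's own code. Thresholds are the page's; the dataclass
# fields, function names and the "each benign explanation ruled out" rule are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple

CRITICAL_ABOVE = 85    # page: CRITICAL > 85%
SUSPICIOUS_FROM = 50   # page: SUSPICIOUS 50-85%, INFO < 50%
BENIGN_REQUIRED = 3    # page: three benign explanations before flagging

@dataclass
class Hypothesis:
    category: str                      # persistence, C2, injection, collection, exfiltration
    score: int                         # 0-100 confidence from the scoring agent
    benign: List[Tuple[str, bool]] = field(default_factory=list)  # (explanation, ruled_out)
    static_flag: bool = False          # static analysis flagged the function
    runtime_confirm: bool = False      # runtime hooks observed the behaviour
    network_confirm: bool = False      # network capture agrees

def score_band(score: int) -> str:
    """Map a 0-100 confidence score onto the page's three bands."""
    if not 0 <= score <= 100:
        raise ValueError("score must be 0-100")
    if score > CRITICAL_ABOVE:
        return "CRITICAL"
    if score >= SUSPICIOUS_FROM:
        return "SUSPICIOUS"
    return "INFO"

def classify(h: Hypothesis) -> Tuple[str, str]:
    """Score band, then the anti-FP gate, then the triple confirmation gate.
    A CRITICAL-band score that fails a gate is downgraded to SUSPICIOUS, never dropped."""
    band = score_band(h.score)
    if band != "CRITICAL":
        return band, "score band"
    if len(h.benign) < BENIGN_REQUIRED or not all(gone for _, gone in h.benign):
        return "SUSPICIOUS", "anti-FP gate: benign explanations not exhausted"
    missing = [name for name, ok in (("static", h.static_flag),
                                     ("runtime", h.runtime_confirm),
                                     ("network", h.network_confirm)) if not ok]
    if missing:
        return "SUSPICIOUS", "triple gate: missing " + ", ".join(missing)
    return "CRITICAL", "all gates passed"

def needs_deep_analysis(h: Hypothesis) -> bool:
    """Deep analysis (the Opus agent) is spent only on paths that pass every gate."""
    return classify(h)[0] == "CRITICAL"
```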
Deep Analysis
SARUMAN (Claude Opus) performs MITRE ATT&CK mapping, behavioral timeline construction, and deep structural analysis on critical findings.
IOC Export
BILBO exports findings as STIX2, YARA, and Sigma formats — ready for SIEM ingestion, threat intel feeds, and detection pipelines.
Streaming & Resume
Real-time SSE streaming for long-running analyses. SAM persists all artifacts — interrupted pipelines resume from the last completed phase.
Three Analysis Tiers
Quick (tool-only triage), Standard (full pipeline), Deep (extra validation + SARUMAN). Use quick for the easy stuff. Go deep when it matters.
/SETUP
Quick Start
Two minutes if you type fast.
curl -fsSL https://mordor.digital/setup.sh | bash
cd MORDOR && python -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
cp .env.example .env   # add your ANTHROPIC_API_KEY
# Quick triage — no LLM calls
python scripts/run_analysis.py /path/to/sample.bin --tier quick