These scripts are used to download recently discovered malware payloads that are reported to URLHaus. It is designed to run constantly behind a network security platform and will attempt to download payloads on a randomized time interval.


  • Python3


Clone the repo onto a Linux or Mac host

$ git clone

Install the required Python3 dependencies

$ cd sharkbait
$ sudo pip3 install -r requirements.txt

Copy the Python scripts into /usr/local/bin or another directory in your $PATH

$ sudo cp *.py /usr/local/bin/

Optionally, configure your host to automatically start sharkbait at boot time. This can typically be done in /etc/rc.local, /etc/init.d or /etc/systemd, depending on your OS platform.


The script is designed to run as a background process and can be launched from system startup tools or simply with a nohup shell command. It will log results to /tmp/sharkbait.log by default.

usage: [-h] --mode {nibble,chum,frenzy} [--logfile LOGFILE]

Generate malware download activity.

optional arguments:
  -h, --help            show this help message and exit
  --mode {nibble,chum,frenzy}
                        Malware download timing
  --logfile LOGFILE     The log filename

The script can be used at any time to report on the results of the malware download activity. It parses the /tmp/sharkbait.log file by default.

usage: [-h] [--logfile LOGFILE]

Generate sharkbait reports.

optional arguments:
-h, --help         show this help message and exit
--logfile LOGFILE  The log filename

Developer Sites


Copyright © 2024 Palo Alto Networks, Inc. All rights reserved.