{"id":55350,"date":"2026-02-27T11:55:46","date_gmt":"2026-02-27T16:55:46","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55350"},"modified":"2026-03-02T04:40:35","modified_gmt":"2026-03-02T09:40:35","slug":"ktae-onprem-ida-pro-plugin","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/ktae-onprem-ida-pro-plugin\/55350\/","title":{"rendered":"Cloudless malware attribution"},"content":{"rendered":"<p>In a <a href=\"https:\/\/www.kaspersky.com\/blog\/practical-value-of-cyberthreat-attribution\/55217\/\" target=\"_blank\" rel=\"noopener nofollow\">previous post<\/a>, we walked through a practical example of how threat attribution helps in incident investigations. We also introduced the Kaspersky Threat Attribution Engine (KTAE) \u2014 our tool for making an educated guess about which specific APT group a malware sample belongs to. To demonstrate it, we used the <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence-subscription?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___kti____119e4374502e3adf\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Threat Intelligence Portal<\/a> \u2014 a cloud-based tool that provides access to KTAE as part of our comprehensive Threat Analysis service, alongside a sandbox and a non-attributing similarity-search tool. The advantages of a cloud service are obvious: clients don\u2019t need to invest in hardware, install anything, or manage any software. However, as real-world experience shows, the cloud version of an attribution tool isn\u2019t for everyone\u2026<\/p>\n<p>First, some organizations are bound by regulatory restrictions that strictly forbid any data from leaving their internal perimeter. For the security analysts at these firms, uploading files to a third-party service is out of the question. 
Second, some companies employ hardcore threat hunters who need a more flexible toolkit \u2014 one that lets them work with their own proprietary research alongside Kaspersky\u2019s threat intelligence. That\u2019s why KTAE is available in two flavors: a cloud-based version and an on-prem deployment.<\/p>\n<h2>What are the on-prem KTAE advantages over the cloud version?<\/h2>\n<p>First off, the local version of KTAE ensures an investigation stays fully confidential. All the analysis takes place right in the organization\u2019s internal network. The threat intelligence source is a database deployed inside the company perimeter; it is packed with the unique indicators and attribution data of every malicious sample known to our experts; and it also contains the characteristics pertaining to legitimate files to exclude false-positive detections. The database gets regular updates, but it operates one-way: no information ever leaves the client\u2019s network.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/02\/27115058\/ktae-onprem-ida-pro-plugin-onprem.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/02\/27115058\/ktae-onprem-ida-pro-plugin-onprem.png\" width=\"1460\" height=\"738\" alt=\"\" class=\"wp-image-55355 aligncenter size-full\"><\/a><\/p>\n<p>Additionally, the on-prem version of KTAE gives experts the ability to add new threat groups to the database and link them to malware samples they discovered on their own. This means that subsequent attribution of new files will account for the data added by internal researchers. 
This allows experts to catalog their own unique malware clusters, work with them, and identify similarities.<\/p>\n<p>Here\u2019s another handy expert tool: our team has developed a free <a href=\"https:\/\/github.com\/KasperskyLab\/ktae-ida-plugin\" target=\"_blank\" rel=\"noopener nofollow\">plugin for IDA Pro, a popular disassembler<\/a>, for use with the local version of KTAE.<\/p>\n<h2>What\u2019s the purpose of an attribution plugin for a disassembler?<\/h2>\n<p>For a SOC analyst on alert triage, attributing a malicious file found in the infrastructure is straightforward: just upload it to KTAE (cloud or on-prem) and get a verdict, like <em>Manuscrypt (83%)<\/em>. That\u2019s sufficient for taking adequate countermeasures against that group\u2019s known toolkit and assessing the overall situation. A threat hunter, however, might not want to take that verdict at face value. Alternatively, they might ask, \u201cWhich code fragments are unique across all the malware samples used by this group?\u201d Here an attribution plugin for a disassembler comes in handy.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/02\/27115122\/ktae-onprem-ida-pro-plugin-ida-pro-interface.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/02\/27115122\/ktae-onprem-ida-pro-plugin-ida-pro-interface.jpg\" width=\"1460\" height=\"780\" alt=\"\" class=\"wp-image-55356 aligncenter size-full\"><\/a><br>\nInside the IDA Pro interface, the plugin highlights the specific disassembled code fragments that triggered the attribution algorithm. This doesn\u2019t just allow for a more expert-level deep dive into new malware samples; it also lets Kaspersky researchers refine attribution rules on the fly. 
As a result, the algorithm \u2014 and KTAE itself \u2014 keeps evolving, making attribution more accurate with every run.<\/p>\n<h2>How to set up the plugin<\/h2>\n<p>The plugin is a script written in Python. To get it up and running you need IDA Pro. Unfortunately, it won\u2019t work in IDA Free, since it lacks support for Python plugins. If you don\u2019t have Python installed yet, you\u2019d need to grab that, set up the dependencies (check the requirements file in our <a href=\"https:\/\/github.com\/KasperskyLab\/ktae-ida-plugin\/blob\/master\/requirements.txt\" target=\"_blank\" rel=\"noopener nofollow\">GitHub repository<\/a>), and make sure IDA Pro environment variables are pointing to the Python libraries.<\/p>\n<p>Next, you\u2019d need to insert the URL for your local KTAE instance into the script body and provide your API token (which is available on a commercial basis) \u2014 just like it\u2019s done in the example script <a href=\"https:\/\/support.kaspersky.com\/ktae\/2.3\/242922\" target=\"_blank\" rel=\"noopener\">described in the KTAE documentation<\/a>.<\/p>\n<p>Then you can simply drop the script into your IDA Pro plugins folder and fire up the disassembler. 
If you\u2019ve done it right, then, after loading and disassembling a sample, you\u2019ll see the option to launch the <em>Kaspersky Threat Attribution Engine (KTAE)<\/em> plugin under <em>Edit<\/em> \u2192 <em>Plugins<\/em>:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/02\/27115213\/ktae-onprem-ida-pro-plugin-ida-pro-plugin.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2026\/02\/27115213\/ktae-onprem-ida-pro-plugin-ida-pro-plugin.jpg\" width=\"1460\" height=\"803\" alt=\"\" class=\"wp-image-55357 aligncenter size-full\"><\/a><\/p>\n<h2><a name=\"_Toc256000017\"><\/a>How to use the plugin<\/h2>\n<p>When the plugin is installed, here\u2019s what happens under the hood: the file currently loaded in IDA Pro is sent via API to the locally installed KTAE service, at the URL configured in the script. The service analyzes the file, and the analysis results are piped right back into IDA Pro.<\/p>\n<p>On a local network, the script usually finishes its job in a matter of seconds (the duration depends on the connection to the KTAE server and the size of the analyzed file). Once the plugin wraps up, a researcher can start digging into the highlighted code fragments. A double-click leads straight to the relevant section in the assembly or binary code (Hex view) for analysis. These extra data points make it easy to spot shared code blocks and track changes in a malware toolkit.<\/p>\n<div style=\"background-color: #e5f0ec; padding: 10px 25px; margin-bottom: 10px;\"> By the way, this isn\u2019t the only IDA Pro plugin the GReAT team has created to make life easier for threat hunters. 
We also offer <a href=\"https:\/\/github.com\/KasperskyLab\/hrtng\" target=\"_blank\" rel=\"noopener nofollow\">another IDA plugin<\/a> that significantly speeds up and streamlines the reverse-engineering process, and which, incidentally, was a winner in the <a href=\"https:\/\/hex-rays.com\/plugin-contest\/2024\" target=\"_blank\" rel=\"noopener nofollow\">IDA Plugin Contest 2024<\/a>.<\/div>\n<p>To learn more about the Kaspersky Threat Attribution Engine and how to deploy it, check out the <a href=\"https:\/\/img.kaspersky.com\/oh\/KTAE\/2.3\/en-US\/OnlineHelp-en-US.pdf\" target=\"_blank\" rel=\"noopener nofollow\">official product documentation<\/a>. And to arrange a demonstration or piloting project, please fill <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence-subscription?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___kti____119e4374502e3adf\" target=\"_blank\" rel=\"noopener nofollow\">out the form on the Kaspersky website<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is the purpose of a local version of the Kaspersky Threat Attribution Engine, and how to hook it up to IDA 
Pro?<\/p>\n","protected":false},"author":2792,"featured_media":55351,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[111,3023,2748],"class_list":{"0":"post-55350","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-attacks","10":"tag-services","11":"tag-threat-intelligence"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ktae-onprem-ida-pro-plugin\/55350\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ktae-onprem-ida-pro-plugin\/30234\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ktae-onprem-ida-pro-plugin\/25311\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/ktae-onprem-ida-pro-plugin\/13251\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ktae-onprem-ida-pro-plugin\/30107\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ktae-onprem-ida-pro-plugin\/31905\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ktae-onprem-ida-pro-plugin\/30515\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ktae-onprem-ida-pro-plugin\/41387\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/ktae-onprem-ida-pro-plugin\/14350\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ktae-onprem-ida-pro-plugin\/23694\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ktae-onprem-ida-pro-plugin\/33302\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ktae-onprem-ida-pro-plugin\/30346\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ktae-onprem-ida-pro-plugin\/35991\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ktae-onprem-ida-pro-plugin\/35648\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/threat-intellige
nce\/","name":"threat intelligence"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2792"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=55350"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55350\/revisions"}],"predecessor-version":[{"id":55361,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55350\/revisions\/55361"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/55351"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=55350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=55350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=55350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}