Questions?

KlaroSkope automates script deobfuscation, steganography detection, and browser extension analysis. What traditionally took analysts hours now takes seconds.

The Problem We Solve

Why deobfuscation matters

Attackers hide payloads in obfuscated scripts, steganographic images, and malicious browser extensions. A single dropper might chain Base64 encoding, XOR obfuscation, and compression across 20+ layers, or embed C2 URLs in image pixel data using LSB encoding.

Security teams face a choice: spend hours manually reversing each sample, or skip analysis entirely and risk missing critical IOCs. KlaroSkope eliminates this trade-off across all four vectors.

Getting Started

KlaroSkope is a malware analysis platform for security professionals. It combines script deobfuscation (130+ techniques), steganography detection (12 techniques), browser extension forensics (V3 manifest), and PDF document analysis in a single tool. Submit any sample and get decoded plaintext, extracted IOCs, MITRE ATT&CK mapping, YARA/Sigma rules, and analysis reports.
Scripts: Base64, hexadecimal, XOR, ROT13, GZIP, zlib, URL encoding, HTML entities, PowerShell encodings, esoteric JavaScript (JSFuck, JJEncode, AAEncode), and more. Steganography: LSB pixel encoding, EXIF metadata injection, PNG chunk abuse, IDAT payloads, polyglot files, EOF appended data, alpha channel encoding, and 5 more techniques. Extensions: V3 manifest analysis, permission risk scoring, embedded JS deobfuscation. All detection is automatic with recursive decoding through 20+ layers.
KlaroSkope is tested against real-world malware samples with high accuracy. The quality scoring system ensures you only see confident results, and flags low-confidence outputs for manual review.
Submitted samples are processed in memory and not permanently stored. We do not share your data with third parties. See our Privacy Policy for complete details.

Built For Security Teams

From SOC to threat intel

SOC Analyst

Challenge: Alert queue flooded with obfuscated PowerShell scripts

Decode scripts instantly, extract C2 domains, pivot to related threats
Incident Responder

Challenge: Need to understand script capabilities during active incident

Get plaintext code + MITRE ATT&CK mapping in seconds, not hours
Detection Engineer

Challenge: Writing YARA/Sigma rules from scratch is time-consuming

Auto-generated rules from decoded content. Tune and deploy
Threat Intel Researcher

Challenge: Extracting IOCs from obfuscated samples manually

Automatic IOC extraction: URLs, IPs, domains, hashes, registry keys

Features & Outputs

Every analysis provides decoded plaintext with syntax highlighting, IOCs (URLs, domains, IPs, file paths, registry keys, hashes), MITRE ATT&CK mapping, YARA rule templates for file/memory detection, Sigma rule templates for SIEM/log detection, and analysis reports. For images, you also get per-technique stego scan results with entropy analysis and payload hex previews. For extensions, you get manifest risk scoring and per-file deobfuscation results.
The generated YARA and Sigma rules are templates that require manual review, adaptation, and testing before production deployment. Creating effective detection rules is a complex, iterative process that KlaroSkope actively improves. We recommend validating rules in a test environment, tuning for your specific infrastructure, and monitoring for false positives. Suggestions for rule improvements are always welcome at security@klaroskope.com.
YARA rules detect patterns in files, memory, or network streams. Sigma rules detect patterns in logs and translate to SIEM queries (Splunk, Elastic, Sentinel, etc.). KlaroSkope generates both so you can deploy detection wherever you need it.
Yes. You can copy individual outputs (decoded text, rules) or download everything as a ZIP file (Hunter tier and above).

How It Works

Multi-vector analysis pipeline

1

Classify & Route

Magic-byte detection identifies input type (script, image, extension, or PDF) and routes to the correct analysis vector automatically.

2

Decode & Extract

Scripts: 130+ techniques peel layers iteratively with quality scoring. PDFs: structure analysis, JS extraction, embedded stego. Images: 12 stego techniques scan for hidden payloads. Extensions: manifest parsing + JS deobfuscation.

3

Chain & Report

Extracted payloads feed back into the deobfuscation engine recursively. IOCs, MITRE ATT&CK mapping, and YARA/Sigma rules are generated from all layers.

Technical Details

The current limits are 3MB for pasted text and 10MB for file uploads. Most obfuscated scripts are well under this.
KlaroSkope applies 130+ decoding techniques iteratively with quality scoring to prevent over-decoding. It handles chains like Base64 → XOR → GZIP → Base64, stopping when it reaches readable plaintext. For steganography, extracted payloads are automatically fed back into the deobfuscation engine for recursive analysis.
If deobfuscation doesn't produce readable output, you'll see the quality score and partial results. The system preserves intermediate layers so you can see what was successfully decoded.

Deobfuscation Coverage

Comprehensive technique support

Encoding
Base64, Hex, URL, ASCII85, Base32
Compression
GZIP, zlib, bzip2, LZMA, LZNT1
XOR / Ciphers
Single/multi-byte XOR, RC4, ChaCha20
PowerShell
9 decoders: tick, format, variables
Esoteric JS
JSFuck, JJEncode, AAEncode
PHP/VBS/Python
Webshells, Chr() chains, exec()
Steganography
LSB, EXIF, PNG chunks, IDAT, polyglot, EOF, alpha channel
Extensions
V3 manifest, permission risk, JS deobfuscation
PDF Analysis
JS extraction, kit attribution, form fields, embedded files, stego
Batch/Bash
Caret escapes, ANSI-C quoting

130+ decoding techniques across 33 modules. 12 stego techniques. 20+ layers deep. Recursive decoding with quality scoring.

Pricing & Plans

The Community tier includes ALL analysis features: script deobfuscation (130+ techniques), steganography detection (12 techniques), browser extension forensics, PDF document analysis, IOC extraction, MITRE ATT&CK mapping, YARA/Sigma rules, and reports. The limit is 5 analyses per month. Experience the full product before upgrading.
All tiers include the same analysis features: deobfuscation, steganography, extension analysis, everything. The difference is volume: Community (5/month, free), Analyst (75/month, £99/month), Hunter (250/month + bulk export, £149/month), Operations (custom volume). Annual billing saves 17%.
Yes. Annual billing saves approximately 17% compared to monthly.
Yes. Change your tier anytime. Changes take effect on your next billing cycle.
Yes. The Operations tier includes custom volume, self-hosted deployment, and dedicated support. Contact sales@klaroskope.com for details.

Security & Privacy

Yes. All processing uses HTTPS. Samples are processed in isolated containers, retained for 90 days, then automatically deleted. For maximum isolation, the Operations tier offers self-hosted deployment.
We may use samples from free tiers to improve detection capabilities. Samples from paid tiers (Analyst, Hunter, Operations) are never used for product improvement. See our Privacy Policy for details.
Infrastructure is located in the EU. The web application runs on Cloudflare's global edge network.
No. All analysis is static: pattern matching and decoding algorithms only. No code is ever executed. Safe to use on production workstations.

Static Analysis Only

Safe by design

KlaroSkope never executes code. All analysis (script decoding, steganography extraction, extension parsing) uses pattern matching and decoding algorithms only. Safe to use on production workstations. No sandbox required, no infection risk.

Get Support

Email support@klaroskope.com. Analyst tier and above receive priority response.
Bugs: support@klaroskope.com. Security vulnerabilities: security@klaroskope.com.
Yes. Email contact@klaroskope.com with suggestions.

Ready to try it?

5 free analyses per month. No credit card required.