diff --git a/README.md b/README.md
index 0d698d8..946f043 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,7 @@ The following taxonomies are described:
- [NATO Classification Marking](./nato)
- [Open Threat Taxonomy v1.1 (SANS)](./open-threat)
- [OSINT Open Source Intelligence - Classification](./osint)
+- [Stealth Malware Taxonomy as defined by Joanna Rutkowska](./stealth-malware)
- [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./pap)
- [TLP - Traffic Light Protocol](./tlp)
- Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
diff --git a/stealth-malware/README.md b/stealth-malware/README.md
new file mode 100644
index 0000000..b52a266
--- /dev/null
+++ b/stealth-malware/README.md
@@ -0,0 +1,35 @@
+# Stealth Malware Taxonomy
+
+## Malware Types
+
+All malware samples should be classified into one of the categories listed in the table below.
+
+
+- Type 0
+- No OS or system compromise. The malware runs as a normal user process using only official API calls.
-
+
+
- Type I
+- The malware modifies constant sections of the kernel and/or processes such as code sections.
-
+
+
- Type II
+- The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections.
-
+
+
- Type III
+- The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques.
-
+
+
+# Machine-parsable Stealth Malware Taxonomy
+
+The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
+along with their human-readable description. The software can use both
+representation on the user-interface and store the tag as machine-parsable.
+
+~~~~
+stealth_malware:type="II"
+~~~~
+
+Based on:
+
+https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
+
+
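Review bot: The "Based on:" reference at the end of the new stealth-malware/README.md is a bare URL to a PDF on vxheaven.org with no title or author next to it. Cite the paper by name ("Introducing Stealth Malware Taxonomy", with Joanna Rutkowska as author, as the top-level README entry already credits her) so the source stays identifiable if the link stops resolving. Smaller points in the same hunk: the intro sentence says the categories are "listed in the table below" but what follows reads as a list of Type 0 to Type III entries; "The software can use both representation" should be "both representations"; the "Machine-parsable Stealth Malware Taxonomy" heading uses `#` while the preceding section uses `##` under the same title; and the file ends with two blank added lines that can be dropped.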
diff --git a/stealth-malware/machinetag.json b/stealth-malware/machinetag.json
new file mode 100644
index 0000000..4a06789
--- /dev/null
+++ b/stealth-malware/machinetag.json
@@ -0,0 +1,37 @@
+{
+ "namespace": "stealth_malware",
+ "description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
+ "version": 1,
+ "refs": [
+ "https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf"
+ ],
+ "predicates": [
+ {
+ "value": "type",
+ "expanded": "Stealth techninque type"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "type",
+ "entry": [
+ {
+ "value": "0",
+ "expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls."
+ },
+ {
+ "value": "I",
+ "expanded": "The malware modifies constant sections of the kernel and/or processes such as code sections."
+ },
+ {
+ "value": "II",
+ "expanded": "The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections."
+ },
+ {
+ "value": "III",
+ "expanded": "The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques."
+ }
+ ]
+ }
+ ]
+}
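Review bot: Typo in the `type` predicate's `expanded` string in machinetag.json: "Stealth techninque type" should be "Stealth technique type". The README in this patch says the human-readable description is what software shows on the user interface, so the misspelling would surface to every consumer of the taxonomy. Also consider rewording the Type III `expanded` text so that "For example using hardware virtualization techniques." is not a standalone fragment, and keep it identical to the wording in stealth-malware/README.md so the two descriptions do not drift.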