diff --git a/stealth_malware/README.md b/stealth_malware/README.md
new file mode 100644
index 0000000..b52a266
--- /dev/null
+++ b/stealth_malware/README.md
@@ -0,0 +1,35 @@
+# Stealth Malware Taxonomy
+
+## Malware Types
+
+All malware samples should be classified into one of the categories listed in the table below.
+
+
+- Type 0
+- No OS or system compromise. The malware runs as a normal user process using only official API calls.
-
+
+
- Type I
+- The malware modifies constant sections of the kernel and/or processes such as code sections.
-
+
+
- Type II
+- The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections.
-
+
+
- Type III
+- The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques.
-
+
+
+# Machine-parsable Stealth Malware Taxonomy
+
+The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
+along with their human-readable description. The software can use both
+representation on the user-interface and store the tag as machine-parsable.
+
+~~~~
+stealth_malware:type="II"
+~~~~
+
+Based on:
+
+https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
+
+
diff --git a/stealth_malware/machinetag.json b/stealth_malware/machinetag.json
new file mode 100644
index 0000000..83e7f48
--- /dev/null
+++ b/stealth_malware/machinetag.json
@@ -0,0 +1,37 @@
+{
+ "namespace": "stealth_malware",
+ "description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
+ "version": 1,
+ "refs": [
+ "https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf"
+ ],
+ "predicates": [
+ {
+ "value": "type",
+ "expanded": "Stealth technique type"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "type",
+ "entry": [
+ {
+ "value": "0",
+ "expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls."
+ },
+ {
+ "value": "I",
+ "expanded": "The malware modifies constant sections of the kernel and/or processes such as code sections."
+ },
+ {
+ "value": "II",
+ "expanded": "The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections."
+ },
+ {
+ "value": "III",
+ "expanded": "The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques."
+ }
+ ]
+ }
+ ]
+}