Exploring the connection between coding habits and cognitive styles in malware developers

📅 2026-06-04
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses a critical gap in cybersecurity research by systematically examining the relationship between malware developers’ coding behaviors and their cognitive styles, an aspect largely overlooked in prior work that predominantly focuses on attack techniques. For the first time, code metrics are employed as behavioral proxies, integrating static application security testing (SAST) with software engineering measures—such as cyclomatic complexity, use of abstraction mechanisms, and vulnerability distributions—to comparatively analyze leaked malware samples against benign open-source projects. The findings reveal that malicious code tends to be smaller in scale, lacks documentation, exhibits higher function complexity, employs fewer abstraction mechanisms, and contains vulnerability types typically avoided by legitimate developers. These patterns reflect distinct motivational drivers, risk tolerance, and development priorities among malware authors, underscoring a strategy prioritizing efficiency and stealth over maintainability, thereby offering a novel empirical foundation for profiling cybercriminal behavior.
📝 Abstract
Malware research primarily studies the results, the methods, and the impact. Even from an offensive security perspective, what is examined is the method, not the development strategy of the offender. This study investigates the behavioral signatures and coding patterns embedded in the malware source code. By analyzing a large corpus of leaked malware code and comparing it with carefully selected benign open-source software, we apply static application security testing and compute multiple software metrics. Based on cognitive psychology and criminological theories, our work interprets differences in code structure and quality as behavioral indicators, reflecting distinct motivational structures, risk tolerances, and development strategies of malware authors compared to benign software developers. Our findings reveal that malware code is generally smaller, less documented, and exhibits higher cyclomatic complexity per function, with reduced use of abstraction mechanisms such as classes and closures. Vulnerability analysis further reveals that malware exhibits more issues of the types that benign code typically avoids, suggesting a minimal investment in secure development practices. These patterns imply a development style optimized for expedience, operational secrecy, and evasion rather than long-term maintainability. Nonetheless, the code quality metrics indicate that it does not deviate significantly from benign software enough to be distinctive. By framing code metrics as proxies for behavioral signals and strategic choices, we demonstrate how quantitative software analysis can enrich behavioral cybersecurity research, offering new insights into the practices and priorities of malware developers. Our results pave the way for further research in the behavioral profiling of cyber offenders.
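The metrics the abstract names (cyclomatic complexity per function, documentation, and use of classes and closures) can be computed from source alone; the sketch below is an added example, not code from the paper or this page. Assumptions: Python as the language under analysis, a McCabe-style approximation of complexity, nested functions and lambdas counted as closures, and the hypothetical names `profile`, `cyclomatic`, `own_nodes` and `SAMPLE`; the study's own tooling and languages are not stated here.

```python
import ast
import io
import tokenize

# Constructs that add a decision point (McCabe-style approximation).
BRANCHES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler,
            ast.IfExp, ast.comprehension)
FUNCS = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)
DEFS = FUNCS[:2]  # named functions only

def own_nodes(func):
    """Yield nodes inside func without descending into nested functions."""
    stack = list(ast.iter_child_nodes(func))
    while stack:
        node = stack.pop()
        yield node
        if not isinstance(node, FUNCS):
            stack.extend(ast.iter_child_nodes(node))

def cyclomatic(func):
    """1 + branch points; each extra and/or operand adds one path."""
    nodes = list(own_nodes(func))
    return (1 + sum(isinstance(n, BRANCHES) for n in nodes)
            + sum(len(n.values) - 1 for n in nodes if isinstance(n, ast.BoolOp)))

def profile(source):
    """Per-file metrics: complexity per function, abstraction use, documentation."""
    tree = ast.parse(source)
    funcs = [n for n in ast.walk(tree) if isinstance(n, DEFS)]
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    return {
        "complexity": {f.name: cyclomatic(f) for f in funcs},
        "classes": sum(isinstance(n, ast.ClassDef) for n in ast.walk(tree)),
        # Assumption: nested defs/lambdas stand in for closures.
        "closures": sum(isinstance(n, FUNCS) for f in funcs for n in own_nodes(f)),
        "documented": sum(1 for f in funcs if ast.get_docstring(f)),
        "comments": sum(t.type == tokenize.COMMENT for t in tokens),
    }

# Constructed sample input, not taken from any corpus.
SAMPLE = '''
class Filter:
    def run(self, items, mode):
        """Select items by mode."""
        keep = lambda i: i > 0  # helper closure
        for i in items:
            if mode == 1 and keep(i) or mode == 2:
                yield i
'''
```

Running `profile` over every file of two corpora and comparing the distributions, rather than single values, is what turns these numbers into a comparison of the kind the abstract describes.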
Problem

Research questions and friction points this paper is trying to address.

malware developers
coding habits
cognitive styles
behavioral signatures
software metrics
Innovation

Methods, ideas, or system contributions that make the work stand out.

behavioral profiling
cognitive styles
software metrics
malware development
static analysis