diff --git a/pkgs/tools/security/flare-floss/default.nix b/pkgs/tools/security/flare-floss/default.nix
new file mode 100644
index 00000000000..954dd07d6ab
--- /dev/null
+++ b/pkgs/tools/security/flare-floss/default.nix
@@ -0,0 +1,46 @@
+{ lib
+, python2
+, fetchFromGitHub
+}:
+python2.pkgs.buildPythonPackage rec {
+  pname = "flare-floss";
+  version = "1.7.0";
+
+  src = fetchFromGitHub {
+    owner = "fireeye";
+    repo = "flare-floss";
+    rev = "v${version}";
+    sha256 = "GMOA1+qM2A/Qw33kOTIINEvjsfqjWQWBXHNemh3IK8w=";
+  };
+
+  propagatedBuildInputs = with python2.pkgs; [
+    pyyaml
+    simplejson
+    tabulate
+    vivisect
+    plugnplay
+    viv-utils
+    enum34
+  ];
+
+  checkInputs = [
+    python2.pkgs.pytestCheckHook
+  ];
+
+  disabledTests = [
+    # test data is in a submodule
+    "test_main"
+  ];
+
+  pythonImportsCheck = [
+    "floss"
+    "floss.plugins"
+  ];
+
+  meta = with lib; {
+    description = "Automatically extract obfuscated strings from malware";
+    homepage = "https://github.com/fireeye/flare-floss";
+    license = licenses.asl20;
+    maintainers = teams.determinatesystems.members;
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 74aac662d8e..90bd41ae0fe 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -404,6 +404,8 @@ in
 
   find-cursor = callPackage ../tools/X11/find-cursor { };
 
+  flare-floss = callPackage ../tools/security/flare-floss { };
+
   prefer-remote-fetch = import ../build-support/prefer-remote-fetch;
 
   global-platform-pro = callPackage ../development/tools/global-platform-pro/default.nix { };