The Toolkit
Minos guards the network, Carapace renders the web safely, and the Vault1337 duo dissects what gets through. Self-hosted, privacy-respecting tools built on a shared design system for analysts, researchers, and defenders.
DNS Sinkhole · Pi-hole Alternative
A modern, user-friendly DNS sinkhole written in Go — a single static binary with an embedded web UI, light enough for a Raspberry Pi. Every DNS query is judged against your blocklists and sentenced; allowed queries are forwarded upstream over encrypted DoH or DoT.
Visual Renderer for Insight
Optional sidecar service that renders each scanned URL using Chromium headless with JavaScript fully enabled but all network requests intercepted and blocked. This lets dynamic overlays — ClickFix, SocGholish, ClearFake, drainers — execute and render visibly in the screenshot, revealing the actual attack UI rather than a blank page. A verdict badge is composited onto every screenshot.
Malware Analysis Platform
Self-hosted platform for storing and statically analysing malware samples. Upload by file, URL, or SHA256 hash — Vault1337 pulls from VirusTotal or MalwareBazaar and runs 20+ analysis tools against the sample, with full JWT-secured API access.
Web Threat Scanner
Passive web threat scanner for analysing URLs for malicious behaviour. Entirely content-based — no reputation databases — so it detects zero-day campaigns, freshly registered phishing domains, and newly injected skimmers that reputation feeds haven't yet indexed.
Minos — DNS Sinkhole
Named for the judge of the underworld, Minos is a modern Pi-hole alternative written in Go — a single static binary with an embedded web UI, light enough for a Raspberry Pi Zero. Every DNS query that arrives is judged against your blocklists and sentenced; no exceptions, no appeals (well, except pardons).
Judges every query on :53 (UDP + TCP) against compiled hosts, plain, and AdBlock blocklists. Blocked queries show which list and rule condemned them — with a one-click pardon from the live log.
Per-device groups with extra rules, full bypass, or no DNS at all. One-click blocked services (TikTok, YouTube, Discord…) with schedules, plus provider-enforced Safe Search that can't be switched off.
Built-in response cache with request coalescing, serve-stale answers (RFC 8767), and automatic upstream failover — one dead resolver never slows the whole network.
Forwards upstream over DoH or DoT, and serves encrypted DNS to clients — DoT for Android Private DNS, DoH at /dns-query. Bring a certificate or let Minos fetch and renew one automatically via ACME.
Local DNS records for your LAN, conditional forwarding, and private reverse zones answered locally (RFC 6303) — internal lookups never leak to public resolvers.
Query charts, top blocked domains, and a live log over WebSocket. Prometheus /metrics with a Grafana dashboard, a documented REST API, Home Assistant recipes, and one-command Pi-hole/AdGuard import. No telemetry, ever.
Vault1337 — Malware Analysis Platform Private
Upload by file or URL, or pull directly from VirusTotal or MalwareBazaar by SHA256 hash. Stored by hash — original filenames never written to disk.
Strings, Hex, IOC extractor, YARA, ExifTool, LIEF (PE+ELF), Capstone disassembler, Mach-O, APK, .NET, PDF parser, OLE tools, Email parser, Zip extractor, and more.
Extract and manage 13+ indicator types. Every IOC links back to its source sample and auto-enriches against VirusTotal and AbuseIPDB. STIX 2.1 export ready.
Automatically maps analysis results and IOC types to ATT&CK techniques — 27 techniques across 10 tactics. Tactic-coloured badges with links to official technique pages.
Structured report cards for IPs and domains via VirusTotal, AbuseIPDB, Spur, and Shodan. Verdict banners derived from all sources combined.
Single-command Docker run or a full Compose stack with PostgreSQL and persistent volumes. Runs comfortably on a Raspberry Pi 5 in production.
Insight — Web Threat Scanner Private
58 checks — Magecart skimmers, keyloggers, ClickFix payloads, wallet drainers, blockchain C2 loaders, JSFuck/JJEncode/XOR obfuscation, ChaCha20 payloads, NDSW injection, AppleScript infostealers, and more.
33+ checks — phishing forms, OTP relay (AiTM), tampered GTM snippets, copyright impersonation, wallet extension injection, ClickFix CAPTCHA pages, WebDAV infrastructure, and more.
Typosquats and homographs of 30+ brands, DGA probability scoring, high-risk TLD detection, newly registered domain age checks, and abuse-platform hosting detection.
7 correlation rules that combine individual MEDIUM signals into HIGH/CRITICAL synthetic findings when combinations indicate coordinated attack infrastructure.
Why content-based detection?
Zero-day coverage — detects freshly deployed phishing pages and newly injected skimmers before any reputation database knows they exist
Campaign recognition — names the attack: ClickFix, SocGholish, Magecart, wallet drainer. Analysts can cross-reference threat intel reports directly
Evidence-first findings — every finding includes the actual payload, decoded string, or header value so analysts can make their own judgment
No API dependencies — fully self-contained, no rate limits, no external calls during analysis
The Analyst Workflow
Insight and Vault1337 are designed as a pipeline. A suspicious URL leads to a sample. A sample leads to IOCs. IOCs lead back to URLs. The tools close the loop.
Step 1
A suspicious link arrives — in email, a chat message, or a threat report. Submit it to Insight.
Step 2
Insight surfaces a malicious download. Pull it into Vault1337 by URL or SHA256.
Step 3
With full context in hand, export findings in analyst and platform-ready formats.
About
These tools started as hands-on learning exercises and grew into full-stack applications used in practice. Minos guards the home network as a DNS sinkhole on a Raspberry Pi, and Carapace renders suspicious pages safely — both open-source and on GitHub. Vault1337 runs on a Raspberry Pi 5 for personal malware research, and Insight is live at insight.vault1337.com for quick URL triage before visiting suspicious links.
Note: the Vault1337 and Insight repositories have been made Private until further notice. Their documentation, the live Insight scanner, and the Vault1337 Docker image remain available — any interest in source access should be made directly. Minos (Go, GPLv3) and Carapace (Rust) stay fully open-source.
Quick Links