Open-source security tools for analysts, researchers, and defenders.


The Toolkit

Three Tools. One Security Workflow.

Vault1337, Insight, and Carapace are companion tools built on the same stack and design system. Together they cover the full analyst workflow — from suspicious URL to dissected sample.

Vault1337

Malware Analysis Platform

Self-hosted platform for storing and statically analysing malware samples. Upload by file, URL, or SHA256 hash — Vault1337 pulls from VirusTotal or MalwareBazaar and runs 20+ analysis tools against the sample, with full JWT-secured API access.

  • 20+ static analysis tools — Strings, Hex, YARA, LIEF, Capstone, OleTools, dnfile, and more
  • IOC extraction, MITRE ATT&CK mapping, STIX 2.1 export, PDF report generation
  • IP & domain intelligence via VirusTotal, AbuseIPDB, Spur, and Shodan
  • Runs on a Raspberry Pi 5 — single Docker command deployment

Insight

Web Threat Scanner

Passive web threat scanner for analysing URLs for malicious behaviour. Entirely content-based — no reputation databases — so it detects zero-day campaigns, freshly registered phishing domains, and newly injected skimmers that reputation feeds haven't yet indexed.

  • 59 JavaScript threat checks — skimmers, keyloggers, ClickFix, wallet drainers, drainer configs, blockchain C2, JSFuck/JJEncode/XOR obfuscation
  • 33+ HTML checks — phishing forms, OTP relay, hidden iframes, fake CAPTCHA, tampered GTM, drainer injection
  • Domain intelligence — typosquats, homographs, DGA, newly registered domains
  • Context collapse engine — correlates signals into CRITICAL synthetic findings

Carapace

Visual Renderer for Insight

Optional sidecar service that renders each scanned URL using Chromium headless with JavaScript fully enabled but all network requests intercepted and blocked. This lets dynamic overlays — ClickFix, SocGholish, ClearFake, drainers — execute and render visibly in the screenshot, revealing the actual attack UI rather than a blank page. A verdict badge is composited onto every screenshot.

  • Safe Chromium render — JS enabled, network intercepted and blocked, dynamic overlays captured
  • Detects drive-by downloads, eval() chains, clipboard hijacks, and exfiltration at render time
  • Risk score (0–100) and structured threat flags fed directly into Insight findings
  • Browser-grade technology detection and mobile screenshot (375×844 iPhone viewport) support

Vault1337 — Malware Analysis Platform

Static Analysis, Your Way

Flexible Ingestion

Upload by file or URL, or pull directly from VirusTotal or MalwareBazaar by SHA256 hash. Stored by hash — original filenames never written to disk.

20+ Analysis Tools

Strings, Hex, IOC extractor, YARA, ExifTool, LIEF (PE+ELF), Capstone disassembler, Mach-O, APK, .NET, PDF parser, OLE tools, Email parser, Zip extractor, and more.

IOC Tracking

Extract and manage 13+ indicator types. Every IOC links back to its source sample and auto-enriches against VirusTotal and AbuseIPDB. STIX 2.1 export ready.

MITRE ATT&CK Mapping

Automatically maps analysis results and IOC types to ATT&CK techniques — 27 techniques across 10 tactics. Tactic-coloured badges with links to official technique pages.

IP & Domain Intelligence

Structured report cards for IPs and domains via VirusTotal, AbuseIPDB, Spur, and Shodan. Verdict banners derived from all sources combined.

Docker Ready

Single-command Docker run or a full Compose stack with PostgreSQL and persistent volumes. Runs comfortably on a Raspberry Pi 5 in production.

Insight — Web Threat Scanner

Content-Based Detection. No APIs Required.

JavaScript Threat Engine

58 checks — Magecart skimmers, keyloggers, ClickFix payloads, wallet drainers, blockchain C2 loaders, JSFuck/JJEncode/XOR obfuscation, ChaCha20 payloads, NDSW injection, AppleScript infostealers, and more.

HTML Structural Analysis

33+ checks — phishing forms, OTP relay (AiTM), tampered GTM snippets, copyright impersonation, wallet extension injection, ClickFix CAPTCHA pages, WebDAV infrastructure, and more.

Domain Intelligence

Typosquats and homographs of 30+ brands, DGA probability scoring, high-risk TLD detection, newly registered domain age checks, and abuse-platform hosting detection.

Context Collapse Engine

7 correlation rules that combine individual MEDIUM signals into HIGH/CRITICAL synthetic findings when combinations indicate coordinated attack infrastructure.
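The escalation described above, as an added illustration that is not Insight's own code: a small correlation pass over per-check findings, where the rule definitions and check names are hypothetical stand-ins for Insight's seven rules (which this page does not spell out).

```python
# Added illustration (not Insight's code): a minimal "context collapse" pass.
# Rule definitions and check names are hypothetical; Insight's real rules are not listed here.
from dataclasses import dataclass

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    check: str      # name of the individual check that fired
    severity: str   # LOW / MEDIUM / HIGH / CRITICAL
    evidence: str   # payload, decoded string or header value shown to the analyst


# Hypothetical rules: every check in the set must be present to emit the
# synthetic finding at the escalated severity.
RULES = [
    ({"fake_captcha_page", "clipboard_write"}, "ClickFix lure", "CRITICAL"),
    ({"phishing_form", "brand_typosquat", "newly_registered_domain"},
     "Credential phishing on look-alike domain", "HIGH"),
    ({"hidden_iframe", "tampered_gtm"}, "Injected skimmer loader", "HIGH"),
]


def collapse(findings):
    """Return the original findings plus one synthetic finding per rule whose signals co-occur."""
    present = {f.check for f in findings}
    synthetic = []
    for required, label, severity in RULES:
        if required <= present:
            # Carry the contributing evidence forward so the analyst can verify the call.
            evidence = "; ".join(f"{f.check}: {f.evidence}" for f in findings if f.check in required)
            synthetic.append(Finding(f"context_collapse:{label}", severity, evidence))
    return list(findings) + synthetic


def verdict(findings):
    """Page verdict from the highest severity present."""
    top = max((SEVERITY[f.severity] for f in findings), default=0)
    if top >= SEVERITY["HIGH"]:
        return "MALICIOUS"
    if top == SEVERITY["MEDIUM"]:
        return "SUSPICIOUS"
    return "CLEAN"


# Constructed sample: two MEDIUM signals that look like noise on their own.
SAMPLE = [
    Finding("fake_captcha_page", "MEDIUM", '<div class="g-recaptcha">Verify you are human</div>'),
    Finding("clipboard_write", "MEDIUM", "navigator.clipboard.writeText(cmd)"),
]
```

On `SAMPLE` alone the verdict is SUSPICIOUS; after `collapse()` the two MEDIUM signals yield a CRITICAL synthetic finding and the verdict becomes MALICIOUS.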

Why content-based detection?

  • Zero-day coverage — detects freshly deployed phishing pages and newly injected skimmers before any reputation database knows they exist
  • Campaign recognition — names the attack: ClickFix, SocGholish, Magecart, wallet drainer. Analysts can cross-reference threat intel reports directly
  • Evidence-first findings — every finding includes the actual payload, decoded string, or header value so analysts can make their own judgment
  • No API dependencies — fully self-contained, no rate limits, no external calls during analysis

The Analyst Workflow

Better Together

Insight and Vault1337 are designed as a pipeline. A suspicious URL leads to a sample. A sample leads to IOCs. IOCs lead back to URLs. The tools close the loop.

Step 1

Scan the URL

A suspicious link arrives — in email, a chat message, or a threat report. Submit it to Insight.

  • Identifies ClickFix, phishing forms, skimmers
  • Flags typosquats of known brands
  • Detects malicious downloads referenced on the page
  • Verdict: MALICIOUS / SUSPICIOUS / CLEAN

Step 2

Analyse the Sample

Insight surfaces a malicious download. Pull it into Vault1337 by URL or SHA256.

  • Run PE/ELF/Mach-O/APK/document analysis
  • Extract IOCs — IPs, domains, persistence paths
  • Map to MITRE ATT&CK techniques
  • Auto-enrich IOCs via VirusTotal & AbuseIPDB

Step 3

Export & Act

With full context in hand, export findings in analyst and platform-ready formats.

  • STIX 2.1 bundle for threat intel platforms
  • PDF report for incident documentation
  • Feed domain IOCs back into Insight for pivot scanning
  • All data stays on your infrastructure

About

About the Projects

These tools started as hands-on learning exercises and grew into full-stack applications used in practice. Vault1337 runs on a Raspberry Pi 5 for personal malware research. Insight is live at insight.vault1337.com for quick URL triage before visiting suspicious links. Carapace runs alongside Insight as an optional visual renderer.

All code is open-source under the MIT License. The shared design system, stack (Django + DRF + React + Vite + Tailwind), and security philosophy mean all three tools feel like one product.