Independent Security Research

We break things
to understand
how they work.

HexRoot is an independent security research group. We dig deep into vulnerabilities, malware, and the underlying mechanics of systems — not to exploit, but to understand, document, and defend.

hexroot ~ research
root@hexroot:~$ whoami
independent_security_researcher

root@hexroot:~$ cat mission.txt
// Research. Disclose. Defend.
No black hats here.
Only deep curiosity.

root@hexroot:~$ ls research/
0day/  malware/  OT_ICS/
AI_sec/  forensics/

root@hexroot:~$
CVE+Coordinated Disclosures
0dayOriginal Research
OSSOpen Tools Released
100%Defensive Focus
What we do

Research Areas

From architectural vulnerabilities to firmware analysis — we follow the signal wherever it leads.

Vulnerability Research
0-Day Discovery & Responsible Disclosure
Original vulnerability research with full responsible disclosure to vendors and CVE submission. We find it, document it, and make sure it gets fixed.
Malware Analysis
Reverse Engineering & Threat Intelligence
Static and dynamic analysis of malware samples, behavioral profiling, IOC extraction and STIX 2.1 output. We dissect threats so defenders can build better tools.
OT / ICS Security
Critical Infrastructure Research
Industrial control systems, SCADA protocols, and operational technology security. The attack surface nobody wants to touch — we do.
AI Security
Adversarial ML & Model Security
Prompt injection, adversarial attacks, model extraction, and the security implications of AI systems deployed in critical and high-stakes contexts.
Digital Forensics
Incident Analysis & Evidence Integrity
Forensic acquisition, chain of custody, artifact analysis, and memory forensics. When something breaks, we reconstruct what happened and why.
Privacy Engineering
Metadata Leakage & Protocol Analysis
Deep analysis of communication protocols, metadata exposure, and architectural privacy failures in systems that claim to be secure.
Open Tools

Built in the open.

Tools we build for our own research — released for evaluation to researchers and organisations that share our approach.

hexroot-honeypot · v1.0 · 2026 LIVE
Honeypot Intelligence Platform

We see
who's
scanning you.

A production-grade honeypot covering IT, SCADA/ICS, IoT and Medical protocols — with real-time semantic threat intelligence, CVE feed matching, YARA binary scanning, and a multi-tab analyst dashboard. No LLM. No cloud. No noise.

spaceballs.hexroot.pl · live
$ systemctl status hexroot-sensor
● active · 28 listeners · 9 protocols

$ curl /api/stats | jq .
"total_events": 9103,
"unique_ips": 443,
"threat_level": "CRITICAL"

[CRITICAL] Campaign 4454d9f7
 state-sponsored · Modbus/ICS · 8.5/10
[HIGH] CVE-2017-9841 · 13 attempts
$
Sensor
28 Protocol Listeners
IT, SCADA/ICS (Modbus, DNP3, OPC-UA, EtherNet/IP), IoT (MQTT, ADB, TR-069), Medical (DICOM, HL7), DNS. Fake banners per protocol. Rust/Tokio core.
Intelligence
Semantic Feed — No LLM
Deterministic rule engine generates English threat assessments directly from sensor data. Campaigns, actor profiles, CVE matches, credential attack tracking.
CVE
CISA KEV + NVD Feed
1,700+ CVEs. HTTP path and payload matching. Auto-update every 24h. Hot-reloaded by correlator without restart.
YARA
Binary Scanner
9 built-in rules: Mirai, Cobalt Strike, Meterpreter, Log4Shell, Ransomware. External .yar rules supported. Automatic scan every 5 minutes.
LAN
Fake LAN Layer
SMB with NTLM capture, LDAP fake AD, IPP printer lure, NetBIOS/NBNS name service. Detects lateral movement and internal reconnaissance.
Analyst
ThreatBook Workbook
Standalone HTML analyst tool. Import reports, write Markdown analysis, IOC tables, actor profiles. Export to PDF or Markdown. No server needed.
Honeypot Intelligence Platform

Vediamo
chi vi
sta scansionando.

Un honeypot di livello produzione che copre protocolli IT, SCADA/ICS, IoT e Medical — con threat intelligence semantica in tempo reale, matching CVE feed, scansione YARA e una dashboard analitica multi-tab. Nessun LLM. Nessun cloud. Nessun rumore.

spaceballs.hexroot.pl · live
$ systemctl status hexroot-sensor
● attivo · 28 listener · 9 protocolli

[CRITICO] Campagna 4454d9f7
 state-sponsored · Modbus/ICS · 8.5/10
[ALTO] CVE-2017-9841 · 13 tentativi
$
Sensore
28 Listener di Protocollo
IT, SCADA/ICS (Modbus, DNP3, OPC-UA, EtherNet/IP), IoT (MQTT, ADB, TR-069), Medical (DICOM, HL7), DNS. Banner fake per protocollo. Core Rust/Tokio.
Intelligence
Feed Semantico — No LLM
Motore di regole deterministico genera valutazioni delle minacce direttamente dai dati del sensore. Campagne, profili attori, match CVE.
CVE
CISA KEV + NVD Feed
1.700+ CVE. Matching su path HTTP e payload. Aggiornamento automatico ogni 24h. Hot-reload senza riavvio del correlatore.
YARA
Scanner Binario
9 regole integrate: Mirai, Cobalt Strike, Meterpreter, Log4Shell, Ransomware. File .yar esterni supportati. Scan automatico ogni 5 minuti.
LAN
Fake LAN Layer
SMB con cattura NTLM, LDAP fake AD, stampante IPP lure, NetBIOS/NBNS. Rileva lateral movement e ricognizione interna.
Analista
ThreatBook Workbook
HTML standalone per l'analista. Import report, analisi Markdown, tabelle IOC, profili attori. Export PDF o Markdown. Nessun server necessario.
Honeypot Intelligence Platform

Widzimy
kto was
skanuje.

Produkcyjny honeypot obejmujący protokoły IT, SCADA/ICS, IoT i medyczne — z semantyczną analizą zagrożeń w czasie rzeczywistym, dopasowywaniem CVE feed, skanowaniem YARA i wielozakładkowym dashboardem analitycznym. Żadnego LLM. Żadnej chmury. Żadnego szumu.

spaceballs.hexroot.pl · live
$ systemctl status hexroot-sensor
● aktywny · 28 listenerów · 9 protokołów

[KRYTYCZNY] Kampania 4454d9f7
 sponsorowany przez państwo · Modbus/ICS
[WYSOKI] CVE-2017-9841 · 13 prób
$
Sensor
28 Listenerów Protokołów
IT, SCADA/ICS (Modbus, DNP3, OPC-UA, EtherNet/IP), IoT (MQTT, ADB, TR-069), Medical (DICOM, HL7), DNS. Fałszywe banery per protokół. Rdzeń Rust/Tokio.
Analiza
Semantyczny Feed — Bez LLM
Deterministyczny silnik reguł generuje czytelne oceny zagrożeń bezpośrednio z danych sensora. Kampanie, profile aktorów, dopasowania CVE.
CVE
CISA KEV + NVD Feed
Ponad 1 700 CVE. Dopasowywanie ścieżek HTTP i ładunków. Automatyczna aktualizacja co 24h. Hot-reload bez restartu korelatora.
YARA
Skaner Binarny
9 wbudowanych reguł: Mirai, Cobalt Strike, Meterpreter, Log4Shell, Ransomware. Zewnętrzne pliki .yar. Automatyczny skan co 5 minut.
LAN
Fake LAN Layer
SMB z przechwytywaniem NTLM, fałszywe AD LDAP, przynęta IPP drukarki, NetBIOS/NBNS. Wykrywa lateral movement i wewnętrzny rekonesans.
Analityk
ThreatBook Workbook
Samodzielny HTML dla analityka. Import raportów, analiza Markdown, tabele IOC, profile aktorów. Eksport PDF lub Markdown. Bez serwera.
Sensor
Rust Tokio
Correlator
Python asyncio
API
Python FastAPI
Dashboard
JS D3.js
Database
SQLite WAL
CVE feed
CISA KEV + NVD
Binary scan
YARA 4.x
Processes
systemd

Available on evaluation only.

HexRoot Honeypot is not a public download. Access is granted after evaluation — consistent with our policy on all tools and research. Send an email describing your context and intended use.

Request access
rootkill · v1.1 · 2026 ACTIVE
Perpetual Threat Surface Scanner

Map the
criminal
infrastructure.

RootKill is a defensive threat surface scanner designed to continuously map IP ranges of known bullet-proof hosting providers and identify active C2 servers, phishing infrastructure, webshells, and backdoors — before they are used against you. No feeds of known IOCs. No shared data. No cloud. It finds what nobody has catalogued yet.

rootkill · scan #8
$ rootkill scan --group frantech
● 384 subnets /24 · rate 1000pps

host:2856 HIGH:2 MED:19

[HIGH:100] 107.189.5.2 — c2
 CS_TEAMSERVER · HAVOC · MSF ports
[HIGH:98] 107.189.18.31 — phishing
 favicon_hash · brand_lookalike · SAN
[MED:85] 107.189.21.191 — c2
$
Scanner
masscan-based — Internet Speed
4-phase pipeline: pure scan at full rate, enrichment, analysis, report. Scan the entire internet on a specific port in minutes. Stores everything in SQLite — reanalysable without rescanning.
Candle Engine
Deterministic Analysis — No ML
JARM fingerprinting (14 C2 exact + prefix), TLS cert structural anomalies, HTTP malleable C2 path detection, favicon murmur3 hash matching, banner analysis. Fully deterministic — no false positives from probabilistic models.
YARA
Pattern Matching on Raw Data
YARA engine applied to raw TCP banners, HTTP bodies, TLS cert fields. Built-in rules for Cobalt Strike, Sliver, Havoc, Metasploit, phishing kits, webshells. Custom rules directory for external sources.
Known Good DB
Automatic False Positive Elimination
Deterministic whitelist of known legitimate devices: Fritz!Box, SonicWALL, Cisco ASA, Fortinet, Palo Alto, MikroTik, Ubiquiti, Synology, QNAP, Hikvision, SoftEther VPN, embedded firmware patterns. Zero manual intervention.
Threat Intel
Targeted Use Case
Scan a specific port across the entire internet, enrich only the responding hosts, analyse with Candle. Result: a real-time worldwide map of a specific C2/ransomware infrastructure. Something no commercial feed provides.
Analyst
Full Reporting Pipeline
Per-scan reports: summary.txt with findings and triggered rules, hosts_full.txt with every IP — ports, banners, TLS, JARM, HTTP — findings.json for external processing. grep-friendly. CSIRT-ready.
p0f Integration
OS Fingerprinting & Spoofing Detection
Passive OS detection via p0f. 8 Candle rules evaluate OS consistency, uptime, NAT presence, link type, and fingerprint spoofing — a C2 operator running Windows on a "Linux" server is flagged.
Pipeline
4 Independent Phases
Phase 1: masscan pure scan → DB. Phase 2: TLS/JARM/HTTP/p0f enrichment. Phase 3: Candle+YARA analysis. Phase 4: report generation. Each phase is independently rerunnable. Update rules → rerun Phase 3 only.
Daemon
Perpetual Scheduled Scanning
Per-group schedule configuration. Each CIDR group runs on its own interval — government ranges every 6h, bullet-proof ASNs every 24h. systemd service, auto-restart, log rotation. Designed for 24/7 unattended operation.
Perpetual Threat Surface Scanner

Mappa
l'infrastruttura
criminale.

RootKill è uno scanner difensivo della superficie di attacco progettato per mappare continuamente i range IP di provider bullet-proof noti e identificare server C2 attivi, infrastruttura phishing, webshell e backdoor — prima che vengano usati contro di te. Nessun feed di IOC noti. Nessun dato condiviso. Nessun cloud. Trova quello che nessuno ha ancora catalogato.

rootkill · scan #8
$ rootkill scan --group frantech
● 384 subnet /24 · rate 1000pps

host:2856 HIGH:2 MED:19

[HIGH:100] 107.189.5.2 — c2
 CS_TEAMSERVER · HAVOC · MSF ports
[HIGH:98] 107.189.18.31 — phishing
 favicon_hash · brand_lookalike · SAN
[MED:85] 107.189.21.191 — c2
$
Scanner
Basato su masscan — Velocità Internet
Pipeline a 4 fasi: scan puro a piena velocità, enrichment, analisi, report. Scansiona l'intero internet su una porta specifica in pochi minuti. Tutto salvato in SQLite — rianalizzabile senza riscansionare.
Candle Engine
Analisi Deterministica — No ML
JARM fingerprinting (14 C2 exact + prefix), anomalie strutturali cert TLS, rilevamento path C2 malleable HTTP, favicon murmur3 hash, analisi banner. Completamente deterministico — nessun falso positivo da modelli probabilistici.
YARA
Pattern Matching sui Dati Grezzi
YARA applicato a banner TCP raw, body HTTP, campi cert TLS. Regole integrate per Cobalt Strike, Sliver, Havoc, Metasploit, kit phishing, webshell. Directory custom per regole esterne da sorgenti pubbliche.
Known Good DB
Eliminazione Automatica Falsi Positivi
Whitelist deterministica di device legittimi noti: Fritz!Box, SonicWALL, Cisco ASA, Fortinet, Palo Alto, MikroTik, Ubiquiti, Synology, QNAP, Hikvision, SoftEther VPN, pattern firmware embedded. Zero intervento manuale.
Threat Intel
Caso d'Uso Mirato
Scansiona una porta specifica su tutto internet, fa enrichment solo sugli host che rispondono, analizza con Candle. Risultato: mappa mondiale in tempo reale di una specifica infrastruttura C2/ransomware. Qualcosa che nessun feed commerciale fornisce.
Analista
Pipeline di Report Completa
Per ogni scansione: summary.txt con finding e regole attivate, hosts_full.txt con ogni IP — porte, banner, TLS, JARM, HTTP — findings.json per processamento esterno. Grep-friendly. Pronto per CSIRT.
p0f
Fingerprinting OS e Rilevamento Spoofing
Rilevamento passivo OS via p0f. 8 regole Candle valutano consistenza OS, uptime, NAT, tipo di link e spoofing del fingerprint — un operatore C2 che fa girare Windows su un server "Linux" viene segnalato.
Pipeline
4 Fasi Indipendenti
Fase 1: masscan puro → DB. Fase 2: enrichment TLS/JARM/HTTP/p0f. Fase 3: analisi Candle+YARA. Fase 4: generazione report. Ogni fase è rieseguibile indipendentemente. Aggiorna le regole → riesegui solo la Fase 3.
Daemon
Scansione Perpetua Schedulata
Schedule configurabile per gruppo. Ogni gruppo CIDR gira sul proprio intervallo — range governativi ogni 6h, ASN bullet-proof ogni 24h. Servizio systemd, auto-restart, rotazione log. Progettato per operazione 24/7 non presidiata.
Scanner
masscan
Engine
Python asyncio
Analysis
Candle Engine
YARA
yara-python 4.x
TLS/JARM
cryptography
OS detect
p0f passive
Database
SQLite WAL
Daemon
systemd

Available on evaluation only.

RootKill is not a public download. Designed for CSIRT teams, threat intelligence researchers, and security organisations. Access is granted after evaluation of context and intended use.

Request access
Work With Us

Want to
cooperate?

We collaborate with researchers, security teams, and organisations that share our commitment to responsible, defensive security work.

Access to our codebase and research is granted on evaluation only.
No exceptions. No shortcuts. Just send us an email and we'll talk.

Responsible Disclosure Joint Research Academic Collaboration Threat Intelligence Sharing No Offensive Contracts No Black Hat