DarkHorse InfoSec

HADES

Hidden Artifact Detection & EXIF Scanner - Enterprise Metadata Forensics Engine

PRODUCTION-READY | v1.1.0 GA

Court-ready metadata forensics for security teams, incident responders, and SOC operations. Zero-execution analysis, never runs target files.

15,468 Samples Validated
99.9% Peak Detection (Contagio)
0% Actionable False-Positive Rate
51+ MITRE Techniques
76 YARA Rules
26 Forensic Analyzers

Sample composition: MalwareBazaar 3,271 (98.7% detection) · Contagio 11,877 (99.9%) · Targeted Gootloader 9 (100%) · Clean corpus 311 (0% actionable FP, zero HIGH or CRITICAL FPs). Zero crashes, zero timeouts. Overall malware detection: 99.6%.

HADES is an enterprise metadata forensics engine built for security teams and incident responders. Validated against 15,468 real-world samples across four corpora with 98.7% detection on MalwareBazaar (3,271), 99.9% on Contagio (11,877), 100% on targeted Gootloader samples, and a 0% actionable false-positive rate on 311 clean files (zero HIGH or CRITICAL false positives). Zero crashes, zero timeouts. Multi-layer detection combines 76 YARA rules, ML ensemble models, behavioral analysis, 26 forensic analyzers, and deep format parsing across 45+ file types, without executing target files. Enterprise-grade two-axis scoring (confidence × severity) matches CrowdStrike/Palo Alto patterns, with court-ready evidence handling and automated response playbooks.

Install from Cloudsmith Feed It Something Nasty → View on GitHub

Get Started in 5 Minutes

Python 3.8+ and ExifTool required. Optional dependencies unlock enterprise features.

$ pip install hades-scanner --index-url https://dl.cloudsmith.io/basic/darkhorse-infosec/hades/python/simple/ # Core engine
$ pip install "hades-scanner[enterprise]" --index-url ... # + PostgreSQL, Redis, RBAC, SSO
$ pip install "hades-scanner[full]" --index-url ... # Everything
$ hades scan suspicious_file.jpg # Scan a file
$ hades scan -r /path/to/evidence/ # Recursive directory scan
$ hades serve --port 8666 # Start API server + dashboard
  • Python 3.8+, CPython on Linux, macOS, or Windows
  • ExifTool, Phil Harvey's ExifTool on PATH for metadata extraction
  • Optional: PostgreSQL, Redis, YARA, scikit-learn, Docker, installed via dependency groups

Capabilities

Metadata Forensics & Deep Format Analysis

Core scanning engine, extracts metadata from 200+ formats via 26 dedicated forensic analyzers. Deep-parses PDF (shadow attacks, filter chains), Office (macros, DDE, VBA stomping, hidden content), RTF (Equation Editor, template injection), archive structures (Zombie ZIP, RAR5/7z), and analyzes audio, video, email, and web file metadata for embedded threats.

Detection Layers:

  • 26 forensic analyzers: images, documents, archives, audio, video, email, web
  • Archive forensics: Zombie ZIP, concatenation, bombs, RAR5/7z headers
  • Document forensics: RTF, LNK, legacy Office, OneNote, VBA stomping
  • Audio/video: MP3 ID3, WAV, OGG, FLAC, MKV, MP4, AVI metadata
  • Email/web: phishing detection, CSV formula injection, HTML threats, EPS
  • Steganography: JPEG DCT analysis, palette stego, EOF data, tool signatures
  • 76 YARA rules + firmware analysis (UEFI, SPI flash, BadUSB, wipers)
$ hades scan -r /evidence --format json

ML Ensemble & Behavioral Analysis

Multi-model machine learning ensemble (Isolation Forest + Random Forest + optional XGBoost) with 25 statistical features including Shannon entropy and byte frequency analysis. Behavioral engine detects coordinated attack campaigns through IOC correlation and metadata pattern similarity.

Analysis Capabilities:

  • Weighted multi-model voting with labeled data management
  • Campaign detection via shared IOC correlation (union-find)
  • Metadata similarity scoring (Jaccard) and temporal clustering
  • GPS forensics with impossible travel detection
  • Auto-retraining on labeled datasets with CSV import/export

MITRE ATT&CK Mapping

Automatic mapping of detection findings to 51+ MITRE ATT&CK techniques across 11 tactics. Every finding is classified with technique IDs, tactic categories, and severity scores, ready for compliance reporting and threat intelligence correlation.

Coverage:

  • 51+ techniques: script injection, backdoors, steganography, polyglot, macros, encoding
  • 11 tactics: Initial Access through Impact
  • 52+ finding-to-technique mappings
  • API endpoint for technique lookup and tactic queries

Evidence Chain & Case Management

Forensic-grade evidence handling, SHA-256 hash-chained immutable audit log, case management with analyst notes, and self-verifying evidence export packages with HMAC-SHA256 signatures. Built for court-admissible forensics.

Forensic Features:

  • Append-only hash-chained audit log with tamper detection
  • Case CRUD with scan linking and analyst notes
  • Evidence export as self-verifying ZIP (includes verify script)
  • Chain of custody timeline
$ hades case create "IR-2026-001" $ hades case export CASE_ID

Automated Response Playbooks

Event-driven response automation with 10+ built-in playbooks covering phishing triage, malware analysis, BEC detection, ransomware response, and insider threat workflows. Actions include case creation, SIEM forwarding, Slack/Teams notification, evidence export, and file quarantine.

Playbook Engine:

  • Trigger conditions: threat score, YARA match, finding type, file extension, sender domain
  • Priority ordering with retry and exponential backoff
  • Per-action status tracking and execution history
  • Quarantine manager with audit trail
  • WebSocket broadcast for real-time dashboard updates

REST API, Dashboard & SDK

FastAPI server with authenticated endpoints, WebSocket live updates, and a 16-view browser-based dashboard. Python SDK with retry logic, webhook subscriptions, and SSE streaming for programmatic integration.

Interface Options:

  • FastAPI with async endpoints, Pydantic models, Swagger UI at /docs
  • 16-view dashboard: Scan, Monitor, Cases, Audit, MITRE, Rules, Playbooks, Alerts, Analytics, SIEM Connectors, Quarantine, and more
  • Python SDK: pip install hades-sdk (via Cloudsmith)
  • X-API-Key auth, rate limiting, CORS, WebSocket
$ hades serve --port 8666

Enterprise Security & Observability

Role-based access control with admin/analyst/viewer roles, SSO via OIDC and SAML, AES-256-GCM field-level encryption at rest, multi-tenant isolation, and full observability with Prometheus metrics and four pre-built Grafana dashboards.

Enterprise Features:

  • RBAC with permission matrix and API key rotation
  • SSO: OIDC JWT validation, SAML AuthnRequest, JIT user provisioning
  • AES-256-GCM encrypted storage with key management
  • Multi-tenant isolation with API key to tenant mapping
  • Prometheus metrics (20+), Grafana dashboards (4), Alertmanager

SIEM & Platform Integrations

Native SIEM connectors for Splunk HEC, Elasticsearch, and Microsoft Sentinel with batching, retry, and health checks. Format-based output in Syslog, CEF, STIX, LEEF, and ECS. Plus cloud storage scanning (S3, GCS, Azure), network sensors (Zeek, Suricata), email gateway, CI/CD pipelines, and Slack/Teams bots.

Integration Points:

  • Native SIEM: Splunk HEC, Elasticsearch bulk API, Sentinel Log Analytics
  • Cloud: AWS S3, Google Cloud Storage, Azure Blob Storage
  • Network: Zeek connector, Suricata connector, SMTP email gateway
  • DevOps: CI/CD scanning with SARIF output, GitHub/GitLab integration
  • Chat: Slack bot with Block Kit, Teams bot with Adaptive Cards

Deployment & Scaling

Deploy anywhere, standalone CLI, Docker containers, or Kubernetes with Helm charts and horizontal pod autoscaling. Async scan pipeline with persistent ExifTool process pool, distributed worker pool with Redis task queues, and two-tier scan caching.

Deployment Options:

  • Cloudsmith: pip install hades-scanner with 4 dependency groups (private registry)
  • Docker: multi-stage production image, Docker Compose stacks
  • Kubernetes: Helm chart with HPA, ServiceMonitor, Kustomize overlays
  • Distributed workers with Redis task queues and heartbeat monitoring
  • Two-tier cache (in-memory LRU + Redis), pipeline profiler
$ docker run -p 8666:8666 hades-scanner:1.1.0 $ helm install hades ./kubernetes/helm/hades/

Pricing

HADES is a proprietary platform with a free Community tier. Paid tiers are unlocked via license key activation.

Community

Free
  • 10 scans/month
  • Heuristic & IOC detection
  • Threat score & severity summary
  • Evidence chain
  • 10 MB file size limit
Try the Demo

Professional

$99/mo

$799/yr (save 33%)

  • 5,000 scans/month
  • 76 YARA rules & ML ensemble detection
  • All 26 forensic analyzers
  • Full findings, MITRE ATT&CK mapping
  • Batch scanning & SIEM export
  • Threat intelligence feeds
  • 100 MB file size limit
  • Priority email support
Monthly Annual (save 33%)

Team

$299/mo

$2,499/yr (save 30%)

  • 50,000 scans/month
  • Everything in Professional, plus:
  • RBAC (admin/analyst/viewer roles)
  • SSO (OIDC + SAML)
  • Cloud scanning (S3, GCS, Azure)
  • CI/CD pipeline integration
  • Slack & Teams bots
  • AES-256-GCM encrypted storage
  • 500 MB file size limit
Monthly Annual (save 30%)

Enterprise

Custom

Annual contract

  • Unlimited scans
  • Everything in Team, plus:
  • Multi-tenant isolation
  • SOAR integration
  • Kafka/NATS streaming
  • Unlimited file size
  • Dedicated support & custom SLA
Contact Sales

All paid plans include a 14-day free trial. Annual plans save up to 33%. Contact sales@darkhorseinfosec.com for volume discounts.

Frequently Asked Questions

Is HADES free to use?
Yes. The Community tier is completely free and includes heuristic & IOC detection, evidence chain, and threat scoring. Professional ($99/mo), Team ($299/mo), and Enterprise (custom annual) tiers add ML ensemble detection, YARA rules, RBAC, SSO, cloud scanning, and multi-tenant isolation. Annual plans save up to 33%.
Does HADES execute the files it scans?
No. HADES performs purely forensic analysis of file metadata and structure. It never executes, opens, or renders target files. This makes it safe to use on suspected malware without risk of detonation.
What are the system requirements?
Python 3.8+ and Phil Harvey's ExifTool installed on PATH. Optional dependencies (PostgreSQL, Redis, YARA, scikit-learn) are installed via pip dependency groups. HADES runs on Linux, macOS, and Windows.
Can HADES run in an air-gapped environment?
Yes. HADES has zero required network dependencies. Cloud threat intelligence, SIEM connectors, and other network features are optional. The core engine, YARA rules, and ML models all run locally.
What file types does HADES support?
HADES analyzes metadata across all major file format families: images (JPEG, PNG, GIF, BMP, TIFF, WebP, HEIF, SVG), documents (PDF, DOCX/XLSX/PPTX, RTF, legacy .doc/.xls/.ppt, OneNote), archives (ZIP, RAR, 7z with deep structural forensics), audio (MP3, WAV, OGG, FLAC, M4A), video (MKV, MP4, AVI, FLV), email (.eml, .msg), web files (HTML, CSV, EPS/PostScript), shortcuts (.lnk), fonts (TTF, OTF, WOFF), installers (MSI), Java/Android (JAR, APK), and firmware (UEFI, SPI flash, BIOS). Each format has a dedicated forensic analyzer with format-specific threat detection.
How does HADES differ from ExifTool alone?
ExifTool extracts metadata, HADES analyzes it for threats. HADES adds YARA-based threat detection, ML ensemble anomaly scoring, deep format analysis (PDF JavaScript, Office macros, polyglot files, Zombie ZIP attacks, VBA stomping, RTF exploits, LNK payloads, audio/video metadata threats, email phishing, CSV formula injection, HTML credential harvesting), behavioral campaign detection, MITRE ATT&CK mapping, court-ready evidence handling, and automated response playbooks on top of ExifTool's extraction capabilities.
What specific threats can HADES detect in file metadata?
HADES detects 44+ threat categories including: Zombie ZIP attacks (compression method mismatch), PDF shadow attacks (incremental update abuse), VBA stomping (source/p-code mismatch), RTF Equation Editor exploits (CVE-2017-11882), weaponized LNK shortcuts (PowerShell payloads, icon harvesting), OneNote embedded executables, CSV formula injection (=CMD, DDE), HTML credential harvesting and phishing, steganography (JPEG DCT analysis, palette manipulation), image decompression bombs, timestamp stomping (anti-forensic detection), archive bombs (ZIP, RAR, 7z), and many more. Every finding is mapped to MITRE ATT&CK techniques.
Does HADES integrate with my existing SIEM?
Yes. HADES includes native API connectors for Splunk HEC, Elasticsearch, and Microsoft Sentinel, plus format-based export in Syslog (RFC 5424), CEF (ArcSight), STIX 2.1, LEEF (QRadar), and ECS (Elastic). All connectors support batching, retry with exponential backoff, and health checking.
Case Study: Gootloader ZIP Evasion Detection
Gootloader concatenates 500-1,000 identical ZIP archives into a single file to evade hash-based detection, signature scanning, and automated sandboxes. Most scanners, including 7-Zip and WinRAR, cannot open these files. HADES detects them at CRITICAL (96/100) by analyzing ZIP structural anomalies: 100+ duplicate local file headers and end-of-central-directory records. Tested against 9 real Gootloader samples from MalwareBazaar, 9/9 detected, zero false negatives. Read the full case study →

Ready to detect hidden threats in your file metadata?

Install from Cloudsmith GitHub Book a Demo