VN#023
Hi Everyone,
I often get asked what high quality OSINT training I recommend. So I asked i-intelligence if they’d consider offering a discount for this newsletter’s readers and they kindly said YES! (Even though they’ve never done that before).
I’m excited to share a 10% discount code you can use on all virtual courses by i-intelligence:
Code: APIINT10
🗓 Valid until 31 October 2025
I personally value the content their team delivers, especially the OSINT trainings focused on Russian, Arabic, and Chinese sources.
Paolo Walcher, the trainer of their Arabic course, recently wrote:
“In today’s wars, language is strategy.”
That really stuck with me. Some days I work with all three of these languages; lately, I’ve been using at least one daily. In OSINT work, words can carry hidden power - they reveal political messaging, psychological warfare, and strategic intent.
🧾 The code is for all subscribers and has been included in the welcome email sent to new subscribers since this week - and I’m grateful that someone new signs up every day 🥳
If you want to join as a group or discuss custom course options, feel free to DM me - happy to help coordinate or advise. I-intelligence also offers course bundles (various combinations of training packages).
Now, let’s dive into what’s been happening over the past weeks.
Cybersecurity News
Europol’s Operation Eastwood dismantled the pro-Russia hacktivist group NoName057(16). Arrests were made in several countries, including France, Spain, and Poland, with seven additional international arrest warrants issued, six of them by Germany, mainly for Russian nationals, including two main organisers.
The group coordinates DDoS attacks against Ukraine and NATO-aligned states via its custom DDoSia platform and a vast volunteer network. Find out more.
Flavio Queiroz has been tracking this hacktivist coalition; on his GitHub, you can find this year's maps.

Author: flqueiroz
Vulnerabilities & Exploits & Hacks
Critical SharePoint Zero‑Day (CVE‑2025‑53770) “ToolShell”: Mass exploitation after a public tweet revealed a bypass for Microsoft’s patch, effectively reviving an old zero‑day. Find out more.
Brave & Chrome VPNs: IP leaks, popunders, and CSP bypass - simple yet critical bugs impacted nearly all Chrome VPN extensions and Brave’s Tor window. Find out more.
Tea: A new dating app in the US, previously mentioned in the last issue, designed for women to anonymously rate men. It gained popularity but recently suffered a serious data breach. Around 72,000 images were exposed, including 13,000 selfies and ID documents, as well as 59,000 photos from posts and messages. The data was stored on an outdated system and leaked on the 4chan forum.
The era of dating apps seems to be fading – and not just according to users (how many new running clubs have popped up in your area recently? 😅) but companies feel it too. Bumble recently cut ~30% of its workforce (~240 jobs). I shared Tea in the previous issue because I found the concept interesting, but clearly, others did too.
Tea’s official statement: The company disclosed a breach impacting pre-February 2024 user content, confirming no emails or phone numbers were accessed. Find out more.
Threat Hunting & Malware
LLM-Integrated Malware: First malware using a large language model (LAMEHUG) discovered by CERT-UA; linked to Russia’s APT28, leveraging Qwen2.5-Coder for real-time data exfiltration. Find out more.
📰 Reports
Espionage & Counterintelligence
Russia terminates Military Cooperation agreement with Germany
Moscow has formally withdrawn from a 1996 agreement on technical-military collaboration with Berlin. Find out more. (.ru)
Italy launches new Underwater Security Agency
Italy is set to establish a specialized agency dedicated to securing its subsea infrastructure and maritime security as threats to critical underwater systems grow. Find out more. (.it)
Afghan data leak exposes UK Intelligence Operations
A breach of UK Ministry of Defence data exposed over 19,000 Afghan applicants and more than 100 British intelligence personnel, including MI6 and SAS officers. Find out more.
UK trained Azerbaijani Intelligence Units after BP Oil deal
Recently declassified documents reveal the UK trained Azerbaijani anti-terror officers shortly after BP signed a lucrative oil contract with the former Soviet state. Find out more.
UK Foreign Office secretly funded YouTube Propaganda Network
The UK Foreign Office secretly paid nearly £10 million to influencers through Zinc Network Ltd to produce pro‑UK content targeting Central and Eastern Europe. Find out more.
SOCMINT
Polarsteps is like a mix between Snapchat Maps and Instagram highlights. For users with open profiles, it can reveal entire travel diaries. The app, developed in Amsterdam, is becoming increasingly popular across Europe. Last year, it already had significant traction in the APAC region, especially among Gen Z and Millennial travelers.
So far, I haven’t found any (legit) OSINT tools that allow deeper exploration of this app.
Telegram: OCCRP reveals man-in-the-middle risks tied to Telegram’s infrastructure, reportedly controlled by a businessman linked to Russian intelligence services.
This comes amid reports that Telegram will open an office in Russia to comply with a new law requiring foreign platforms to localize or face being blacklisted; WhatsApp is reportedly likely to be included on that blacklist. Pavel Durov has denied the claim about opening an office.
Micah Hoffman and Griffin Glynn (My OSINT Training) created a bookmarklet list of useful SOCMINT tools.
AI
Lumo by Proton: Proton has launched a new service, Lumo, a privacy-first AI chat app. Similar to ChatGPT, Lumo allows users to enjoy the benefits of AI without compromising their data or privacy.
In response to new surveillance laws in Switzerland, Proton is moving its infrastructure out of the country, and Lumo will be the first product to transition to this new setup.
👀 OpenAI Agent Mode, released on July 17, 2025, is available to ChatGPT Pro, Plus, and Team users, with planned expansion to Enterprise and Edu tiers. It functions as a virtual AI assistant capable of autonomous web interactions.
The tool raises privacy concerns, as full functionality requires users to provide credentials for third-party services such as Google Drive, LinkedIn, SharePoint, and email accounts, and to log into websites.
Key capabilities include autonomous web browsing and scraping, including site navigation, form filling, and simulating user interactions; deep research across public websites, PDFs, and user-uploaded documents; and integration with external tools like Gmail, GitHub, and Google Drive. All of this happens with user consent and oversight (they say). There is a YouTube video showing how it works in practice, and an article testing what does and doesn’t work. Chris from OSINT Combine shared his test of the Agent, analyzing historical snapshots of a company website using the Wayback Machine.
Chat2Geo: an open-source web app that provides a ChatGPT-like experience for remote-sensing geospatial analysis, aiming to democratize access to advanced geospatial insights for users of all backgrounds.
👀 PoliLoom by OpenSanctions. The tool will be a politician data extractor - still in development, but worth keeping an eye on. GitHub, Thread
OSINT
Tools
Lookyloo: Tool to capture and analyze domain activity. Public version shares captures by default; can be disabled. Active recon may alert targets. Lookyloo Capture, GitHub
HTML Inspector - Scans open webpage HTML to find: Comments in HTML/JavaScript, Filenames/paths of resources, robots.txt, ads.txt, sitemap, JSON-LD. Chrome Extension
Offensive Security Cheatsheet offers a curated collection of core cybersecurity methods, covering OSINT, penetration testing, password cracking, red teaming, and more. Last updated in 2022.
Google Updates
I spotted this thread on LinkedIn some time ago and thought it was super interesting to share with you.
Google Earth reveals China’s secret Nuclear submarine base:
Updated satellite imagery on Google Earth shows six nuclear submarines docked at China’s First Submarine Base near Qingdao, highlighting Beijing’s growing underwater nuclear capabilities. While insiders have known about this for decades, the public availability of such detailed imagery marks a new era of open-source intelligence. Additional submarine clusters are visible at Dongjia Wan bay, Hainan Island, and Yulin Support Base, with precise coordinates accessible via Apple Maps and Google Earth. This transparency underscores how military secrecy is increasingly exposed by satellite surveillance and open-source tools. (LinkedIn, Twitter, NTI)
Google Trends API Released: Google has launched an alpha version of the Google Trends API, providing researchers, journalists, and developers with direct access to search trend data.
Darknet
XSS Forum Takedown likely domain only: The notorious XSS cybercrime forum (formerly DaMaGeLaB) was seized by French authorities in close cooperation with their Ukrainian counterparts and Europol after 13 years of operation. The forum's administrator was arrested in Kyiv on July 22, 2025, in a joint French-Ukrainian operation coordinated by Europol. The forum generated over $7 million in criminal profits through ransomware, stolen credentials, and cyberattacks.
XSS managed to resurface within 24 hours via mirror and .onion domains, raising questions about the effectiveness of the takedown.
Operation Grayskull Success: The FBI concluded Operation Grayskull, dismantling four dark web CSAM (Child Sexual Abuse Material) sites and securing sentences for 18 offenders.
BlackSuit Ransomware Disrupted: Federal authorities seized BlackSuit ransomware's dark web infrastructure in Operation Checkmate, targeting the group linked to Chaos ransomware that has repeatedly rebranded to evade law enforcement.
Upcoming CyberSec / OSINT Events
Doxing as a new tool in Russian Influence Operations (Frontstory[.]pl/ VSquare[.]org/ ICCT) - In the last issue, I shared the wrong link to a webinar. Apologies for that.
Free
Organized Crime and Violent Extremism in the Western Balkans – Online talk on organized crime and extremism organized by the Global Initiative against Transnational Organized Crime
Date: July 30, 2025, 15:00 CET, Talk details
Constangy & S-RM Cyber Academy Webinar – Thinking Like a Threat Actor: Inside the Mind of a Cybercriminal
Date: July 31, 09:00 PT / 11:00 CT / 12:00 ET. More info here.
Open Data Camp 10 – Free 2-day unconference on open data, AI, and civic tech.
Date: September 27–28, 2025, University of Edinburgh Business School. Organized by the ODCamp team. More info here.
RooCon 2025 – Free conference on cyber threat intelligence & attribution
Date: November 5–6, 2025, Sydney. 🦘RooCon25 Call for Papers is open. Their X profile.
Other
Something a bit different this time - I’ll be leading an OSINT workshop at Pol'and'Rock Festival! 😄 - Great Orchestra of Christmas Charity Foundation
Together with FRONTSTORY and VSquare, we’ll walk through our recent investigation into JuicyFields — a supposed medical cannabis investment platform that turned out to be a massive international scam, ending in a Europol operation and arrests across Europe.
During the session, we’ll focus on that Polish angle and share:
how we gathered open-source leads and pieced the story together,
which OSINT tools helped us most,
how we protect our identities and digital safety during sensitive investigations,
and what verifying unexpected (and often strange) information really looks like in practice.
You can read the full investigation in Polish or English. We also recorded a podcast (in Polish) — but YouTube subtitles in English are available if you're curious: 🎧 Listen here.
We'll be around throughout the festival — stop by to meet our teams, join our workshops, and check out a few surprises 🎁
📍 OSINT Workshop in Polish: 2 August 2025 at 6:00 pm - See you there!
Paid
EU Security Summer School – Warsaw, Sept 16–20, 2025
A 5-day intensive program on European security and crisis diplomacy, covering hybrid warfare, cyber threats, nuclear governance, and conflict resolution. Includes expert workshops, simulations (e.g., European Council crisis negotiation), and visits to institutions like Frontex. Open to anyone 18+ interested in EU affairs and global security, no experience required. Fee: €500 (apply by July 31 for a partial scholarship at €350). Application Deadline: August 10. Register here.
🙃Bonus
This time, something for the Polish folks! Piotr has been building RED Academy for a while now and has just released a new course - The RED Academy Phishing with Gophish Course. This fully online, on-demand course teaches you how to run effective phishing campaigns, bypass email security mechanisms, and build phishing infrastructure that is resistant to detection. A 50% discount is now available, valid until 3 August 2025.