VN#033

Hi Everyone,

Before we jump in, I wanted to say a quick thank you. Craig Silverman from Indicators recently published a roundup of new and updated OSINT and investigative tools, and I was really happy (to be honest a little surprised) to see myself mentioned among top OSINT voices.

This newsletter is something I create purely out of passion for OSINT, investigations, and sharing things I genuinely find useful in my work. Being listed alongside people I personally follow and learn from means a lot 💛 

A big welcome as well to everyone new who found this newsletter through Craig’s post.

👉 If you haven’t checked it out yet, I definitely recommend Craig’s list of top OSINT and digital investigative tools for 2025.

Let’s get into the latest updates.

Cybersecurity News 

  • Agentic Threat Hunting Framework (ATHF) introduced
    Created by Sydney Marrone, ATHF is a new markdown-based, plug-and-play framework designed for AI-assisted threat hunting, adding structure, memory, and context to investigations and helping teams move from ad-hoc hunting to repeatable methodology. Find out more.

  • New tool: Cybermonit 2.0 advances threat correlation and analysis

    Created by Paweł Śledź, Cybermonit 2.0 is now live, delivering deeper threat context through ransomware and APT group profiling, interactive attack maps, country-level dashboards, enhanced CVE and EPSS analysis, darknet monitoring, improved RSS feeds, and clearer EOL tracking while remaining fully open source and accessible beyond enterprise security tools.

Vulnerabilities & Exploits & Hacks

  • Legal tech AI leaks sensitive data at scale: A single misconfigured API was enough to expose over 100,000 confidential legal documents. The Filevine case highlights how fragile access controls can be in AI-powered SaaS platforms. Find out more.

  • Fake developer tools weaponize WordPress in under an hour: Project Discovery’s new AI model, “Neo,” autonomously reviews plugin source code, identifies vulnerabilities, and generates working exploits, marking a new acceleration point for AI-driven offensive security. Find out more.

Threat Hunting & Malware

  • Centralized visibility into open-source supply-chain malware: The OpenSourceMalware platform aggregates malicious NPM, PyPI, and GitHub activity, helping defenders track compromised packages and ecosystem-wide campaigns in one place.

  • PyStoreRAT spreads through fake OSINT and GPT GitHub repos: A modular RAT campaign abuses developer curiosity by hiding loaders inside trending repositories, later deploying info-stealers and follow-up payloads.

    According to Hackread:

    List of Malicious GitHub Repositories


Acquisitions & Funding

  • OSINT firm doubles down on AI-driven digital risk protection: Social Links raised €2.6M to scale its AI-powered platform for fraud detection, online investigations, and brand threat intelligence, signaling growing investor confidence in automated OSINT and digital risk tools. Find out more.

📰Reports

  • Sanctions Wrapped 2025 (Upcoming 2026) — Annual report by Castellum.AI summarizing global sanctions trends, enforcement actions, and compliance insights from 2025, with early access available via email signup ahead of its January release. Report.

  • Open Source Investigation Handbook — Practical OSINT handbook by Al Jazeera Media Institute. Check it here.

Other

  • INTELEYE Flash Report: Sydney Terror Attack (14.12.2025) — A flash intelligence report examining the Bondi attack, including the attacker’s background, alleged online radicalization pathways, location intelligence, and potential offline links, supported by image correlations and movement analysis.

    • The reason I postponed this issue was that I wanted to wait for more information.

      Shortly after the event, SMS alerts were sent to people in nearby parts of the region.

    • The place where it happened.

      abc news

Espionage & Counterintelligence

  • US and Turkish foreign intelligence plan deeper cooperation from Northern Cyprus: U.S. and Turkey’s intelligence agencies are reportedly planning a secret base and closer collaboration out of the Turkish Republic of Northern Cyprus to monitor Middle East activity. Find out more.

  • Japan plans to establish a national intelligence bureau in 2026: The Japanese government is moving ahead with plans to create a centralized national intelligence bureau next year to enhance its foreign and security intelligence capabilities. Find out more.

  • Ukrainian nationals detained in Poland found with hacking gear and spy detectors: Ukrainian citizens travelling through Europe were detained in Poland, and authorities discovered them carrying sophisticated hacker equipment and spy-detection devices, highlighting ongoing covert tech mobility risks. Find out more.

  • Russian African Corps mercenaries in Mali accused of abuses: Former Wagner Group fighters now under Russia’s African Corps have been linked to kidnappings and killings of civilians in Mali. Find out more.

  • Berlin adopts new police law with expanded surveillance powers: Germany passed legislation granting police broader authorities, including entering homes and monitoring digital communications with tools like the “Staatstrojaner.” Find out more.

  • Russian military intelligence opens Telegram contact channel: Russia’s GRU reportedly launched a Telegram bot (@Russian_GRU_bot) as a communication and outreach channel with aligned actors abroad.

SOCMINT 

  • Reddit tests verified profiles
    Reddit has begun testing a new verified profile feature that adds a grey checkmark next to select users to improve transparency and help identify official accounts. Find out more.

  • Potato messenger gains traction for large secure groups
    Potato is an emerging secure messaging app that supports encrypted communication and group chats with up to 5,000 members. Find out more.

    • Recently I’ve spotted the app mentioned in one of the cybersecurity researcher job ads.

    • Potato is a Chinese-developed messaging app and has also appeared in an Australian investigative report from last year, where it was reportedly used by an individual linked to alleged Chinese intelligence activity.

AI

  • Meta’s “Avocado” signals a potential shift in AI strategy
    Meta is reportedly developing a next-generation AI model codenamed Avocado, with insiders saying it may launch in early 2026 and could mark a move toward a more controlled, potentially monetized model rather than Meta’s traditional open-source LLaMA approach. Find out more.

  • ChatGPT’s ‘Adult Mode’ set for early 2026: OpenAI plans to debut an “adult mode” within ChatGPT in Q1 2026, designed to allow more mature conversations and broader content for verified adults while relying on advanced age‑prediction safeguards to keep minors protected. Find out more.

  • Google’s Nano Banana and Nano Banana Pro go viral: Google’s Gemini‑powered Nano Banana image generation and editing models continue to gain traction, offering photorealistic AI image editing.

    source: thread

  • Grokipedia positions itself as an AI encyclopedia rival: xAI’s Grokipedia, an AI-generated online encyclopedia launched in late 2025, aims to compete with Wikipedia by delivering model-generated content, though early reporting has raised questions about accuracy, editorial sourcing, and potential bias.

OSINT Section

Tools

  • OSINT Checkbox (Beta starts 01.01.2026) — New investigative tool by a LEA OSINT analyst designed to streamline research workflows and spot online activity.

  • OSINT by PimEyes — part of PimEyes’ family of tools. It is essentially a facial recognition / face search platform built on PimEyes technology, but AI-powered.

    • It looks like a new product from PimEyes. I came across it while searching for content for this newsletter. Has anyone here used it?

  • OSINT LLM — AI-powered OSINT assistant leveraging large language models for investigative queries and data collection.

Other

  • Epstein OSINT Database — The repository’s creator curated and consolidated previously released, publicly available materials into a single open-source database, offering a structured collection of documents, evidence, and research related to the Epstein case.

Privacy

  • Your face doesn’t have to be searchable forever: PimEyes offers an opt-out mechanism that lets individuals request the removal of their photos from its facial recognition search engine.

Google Updates

  • AI comes to Google Earth: Google has added AI-powered prompts to Google Earth Online, allowing users to interactively identify locations, landmarks, and geographic features.

  • Live video for emergency calls on Android: Android users can now share real-time video with emergency services, starting in the US and expanding to parts of Mexico and Germany.

  • Google launches Disco: Google introduced Disco, a new tool aimed at rethinking how users browse, explore, and discover content across the web.

Darkweb

Coinbase Cartel is a newly identified cyber extortion group that emerged on the dark web in September 2025. The group is actively targeting logistics companies, combining tactics associated with ShinyHunters and Lapsus$ while prioritizing stealthy data theft and extortion over traditional ransomware operations.

  • Key IOCs:

C2 / Infrastructure: affiliateshinysp1d3r[.]com

Email: shinycorp@tuta[.]com, shinygroup@tuta[.]com

More on their TTPs & victim list. The victim list includes, among others, Danish DSV and Japanese NTT.

their dashboard with victim list

more info from the Coinbase Cartel

Upcoming CyberSec / OSINT Events

Free

Webinars

  • Open Source Intelligence (OSINT) Workshop – RUSI — 22 January 2026, 17:30–19:30 GMT · In person, London. A hands-on workshop offering practical insight into investigative techniques and open-source intelligence methodologies as part of the NextGen community programme. More info here.

On demand

  • Watch: How Generative AI Can Accelerate Complex Investigations by the JSI Telecom

    A brief walkthrough showing how AI-driven intelligence fusion can support cross-border narcotics smuggling investigations. Access here.

Trainings

Free

  • OSINT Field Notes – Free OSINT Educational Series (3rd Edition) by Benjamin Strick is a monthly educational newsletter focused on digital investigations, emerging OSINT techniques, and step-by-step workflows, with this edition covering topics such as X account location data, Google Nano Banana, 3D flight path tools, and extracting sanctions data from documents. You can read it here.

  • TraceLabs OSINT Exercises & Educational Series is a set of practical OSINT challenges hosted on TryHackMe, with completion badges issued by TraceLabs, designed around realistic investigative and missing-person scenarios. Challenges.

  • YouControl Academy – OSINT for Investigative Journalism is a free online course by the Ukrainian company YouControl, taught by Ashleigh Crause, and designed for investigative journalists, researchers, fact-checkers, and analysts, with additional training available in AML, compliance, cybersecurity, and financial monitoring.

    • YouControl is a Ukrainian company offering an OSINT and corporate due diligence tool focused on Ukrainian entities, with strong coverage of Russian companies and individuals; I use it frequently as a very handy tool.

  • Drone Journalism Course – academy.AFRICA is an online course that explores the fundamentals of drone journalism, including technical drone operations, newsroom applications, legal considerations, and storytelling through aerial footage. More information here.

  • Ransomware Defence Summer Bootcamp is a free, two-week, in-person bootcamp held at Amsterdam Business School from 22 June to 3 July 2026, aimed at graduate students and focused on analysing, defending against, and responding to ransomware threats, with an application deadline of 5 March 2026. Application link.

  • Foundations of Cybersecurity and AI (Live Online Course) — April–June 2026 (12 weeks), online (live). The course costs €299 to join, with free enrolment available to Dutch students through the Google.org Cybersecurity Seminars Program.

    Cybersecurity Seminars Program: An introductory course covering key concepts, actors, and challenges at the intersection of cybersecurity and artificial intelligence.
    Submission deadline: 20 February 2026

🙃Bonus

  • Call for LEA Validators: ENACT invites law enforcement agencies to participate as validators at its 2025 Annual Event, taking place on 16–17 December 2025 in Lisbon, Portugal. Registration is still open.