VM#013
Hi Everyone,
In this issue’s OSINT section, I focus on disinformation frameworks. Starting in March, I'll be monitoring and analyzing social media, tracking Russian propaganda related to the upcoming presidential election in Poland. Disinformation is an area where I have less experience, so I’m excited to dive deeper and expand my knowledge. Also, I received information that my newsletter is going to spam for some of you. If it's happening to you as well, please reply to this email so we can fix it.
Solution to last week's OSINT challenge 🇿🇦
Thank you for all 7 responses.
The fastest to reply with the correct answer was Sandra – a newbie in OSINT and a student from my January OSINT workshop. Congratulations!!! 👏 👏
Her answer: It’s a góralek skalny (English name: dassie)! Genetically, its brain resembles that of an elephant, its stomach structure is similar to a horse’s, and its teeth resemble those of a hippopotamus and a rhinoceros!
The correct answers: góralek skalny & elephant
Now, let’s dive in!
Cybersecurity News
Black Basta Ransomware Gang exposed: Internal conflicts led to the downfall of Black Basta, a ransomware group behind 500+ breaches and $100M in damages. Their internal chats were leaked on Telegram, prompting FBI and CISA alerts. Cybersecurity firm Hudson Rock used over a million messages to create BlackBastaGPT, an AI tool for researchers to analyze the gang’s tactics, operations, and finances in seconds. Find out more.
Exotic Phishing Scams Using LLMs: Phishing attacks are becoming harder to detect, as criminals leverage AI-generated emails with perfect grammar and convincing wording. Find out more.
Vulnerabilities & Exploits & Hacks
22 New Mac malware families in 2024: A breakdown of the latest threats, including stealers, ransomware, and backdoors, showing that macOS is no longer a "safe haven" from cyber threats. Find out more.
OpenSSH Vulnerabilities – Patch Now! Two newly discovered flaws allow attackers to intercept traffic and take down servers. Fix CVE-2025-26466 – Denial-of-Service (DoS) that can crash servers using the default configuration. Fix CVE-2025-26465 – Allows attackers to intercept traffic via Man-in-the-Middle (MitM) attacks if VerifyHostKeyDNS is enabled. Find out more.
Threat Hunting & Malware
Telegram abused as C2 channel for New Golang backdoor: A newly discovered malware, controlled via Telegram, is suspected to be of Russian origin. Find out more.
Zhong Stealer: A new threat to Crypto & Fintech
A new infostealer is actively targeting fintech and cryptocurrency industries, with attackers leveraging advanced social engineering techniques. Find out more.
📰 Reports
Espionage & Counterintelligence
Elon Musk's Government Efficiency Department seeks access to the IRS’s Integrated Data Retrieval System (IDRS), containing sensitive U.S. taxpayer data. Find out more.
Poland sentenced two Russians to 5.5 years for espionage and Wagner Group recruitment. They were arrested in Warsaw in August 2023. Article in Polish. Find out more.
Tel Aviv and Kyiv finalize a secret deal. Ukraine receives Soviet weapons captured from Hamas and Hezbollah, while Israel gains intel on Russian missiles now in Iran. Find out more.
Iranian hacker group stole 2TB of sensitive Israeli police data. Find out more.
SOCMINT
Instagram is testing a new feature – silent dislike, allowing users to express disapproval of comments under posts. If you don’t like a comment or find it irrelevant, you can dislike it silently. The dislike count won’t be visible, no one will know you disliked a comment, only Instagram will.
X blocks links to signal.me: X is blocking Signal.me links, labeling them as harmful. These links let users share their Signal contacts. Other Signal URLs, like Signal.link and Signal.group, are not affected. Find out more.
Linkedin tests new feature showing comment view counts: LinkedIn is testing a feature that displays the number of views each comment receives, providing authors with insights into their engagement levels.
OSINT
Key OSINT Frameworks for Digital Investigations & Counter-Disinformation
In OSINT job ads, certain frameworks are frequently mentioned as essential knowledge. Below, I break down the key frameworks, explaining their purpose, use cases, and important aspects to consider.
DISARM Framework
Definition: An open-source tool for tracking and countering disinformation. It standardizes the classification of disinformation and enhances collaboration across sectors.
Use Cases: Applying the DISARM Framework to a Cognitive Hacking Case from the Romanian Digital Space.
Key Features: Inspired by MITRE ATT&CK, supports STIX and TAXII for data sharing.
Resources: DISARM GitHub Repository, DISARM Foundation Walkthrough, DISARM in Polish, DISARM Certificate (Analyst Course)
FIMI (Foreign Information Manipulation and Interference) EU
Definition: Efforts by foreign actors to manipulate information within another nation’s media space. The framework is used to identify and analyze foreign propaganda, especially from Russia and China.
Use Cases: The use of FIMI in specific examples.
Key Features: The FIMI framework focuses on Russian disinformation pillars, including governmental communications (e.g., official statements), state-funded media (e.g., RT, Sputnik), and proxy actors (e.g., troll farms), while countering Chinese disinformation through state media (e.g., Xinhua, CGTN) and proxy actors (e.g., social media campaigns).
Resources: A recorded webinar on FIMI, Analysis of the FIMI framework, Analysis of the FIMI framework for Networked Defence
NATO’s ABC/ABCDE Attribution Framework
Definition: These frameworks, developed by NATO’s Strategic Communications Center of Excellence (StratCom COE), provide a structured approach to attributing influence operations and disinformation campaigns to specific actors.
Use Cases: Tracks state and non-state actors and supports NATO in countering hybrid threats. The ABCDE framework can be used to assess FIMI activities, such as classifying the actors and methods used in disinformation.
Resources: Page 6 in this Report. ABC in Polish.
The ABCDE framework is a tool for analyzing and countering information manipulation, while FIMI refers specifically to foreign information manipulation and interference, often linked to state actors like Russia or China.
The Kill Chain Model of Disinformation
Definition: Dissects disinformation campaigns from planning to impact, inspired by the cybersecurity kill chain concept.
Use Cases: Tracks disinformation as an evolving attack, enabling targeted countermeasures.
More Info: Beyond the Kill Chain – Booz Allen, The Kill Chain Model of Disinformation.
OSINT Tools
Palver: WhatsApp monitoring for disinformation tracking
Palver helps monitor public WhatsApp groups, offering filters for keywords, attachments, and trends. It was a key tool in Brazil’s 2022 election security efforts. More here.
Apify: Apify is a platform for web scraping, data extraction, and automation, including across various social media platforms.
Obsidian is now free for work; the Obsidian Commercial license is optional. Anyone can use Obsidian for work, for free. The full statement.
Google Updates
Google Lens expands AI Overviews & adds screen search: Google Lens, used for 20 billion visual searches monthly, is rolling out screen search for iOS and expanding AI Overviews in Chrome. The update launches this week for English-language users in supported countries.
Google Ads AI Images can now create people (adults) & faces.
Career Dreamer is a new experiment from Grow with Google that uses AI to make career exploration easier and more personalized.
Darknet
Spanish Police arrest 'lock4j' cybercriminal for attacks on NATO, US Army: Spanish authorities have arrested lock4j, a BreachForums member, for alleged cybercrime activities, including attacks on NATO and the U.S. Army.
Key figures behind Phobos and 8Base ransomware gang arrested: Four Russian nationals from 8Base were arrested, 27 servers dismantled, and 400+ companies warned in a Europol-led crackdown. Separately, 4 European hackers were arrested in Phuket for deploying Phobos ransomware on 17 Swiss firms, stealing $16M in Bitcoin.
Upcoming CyberSec / OSINT Events
Free
Changing the narrative: Disrupting Disinformation
On March 5, 2025, join a free CPD event exploring misinformation, disinformation, and missing information. The session goes beyond fact-checking, considering context, bias, and media influences. More information.
CTF
Capture the Flag (CTF) by Oscar Zulu OSINT Crew 🇫🇷
On March 14, 2025, the Oscar Zulu OSINT Crew hosts a CTF event in partnership with OSINT4Fun. Teams of up to 4 can compete for prizes. Join on Discord for more info.
Paid
OSINT Masterclass in Perugia, Italy – April 9, 2025
Take part in a hands-on OSINT Masterclass before the International Journalism Festival, featuring experts from Centre for Information Resilience and Reuters. Register Here.
🙃Bonus
Senior on-screen Hunter role at Channel 4’s Hunted
Do you have experience managing a team of intelligence analysts? Channel 4’s Bafta-nominated series Hunted is expanding its senior on-screen hunter team! If you're interested in applying, please email your name and CV to [email protected]. This opportunity is based in the UK. More information.