[{"content":" Overview # I have worked on the development of the viral World Monitor application, focusing on the integration of cyber threat intelligence into a geospatial analysis environment. The objective behind this work is to bridge infrastructure-level threat data with broader contextual intelligence, allowing cyber activity to be interpreted not only as isolated indicators, but also as part of larger operational and geopolitical patterns.\nOne of the recurring limitations within modern cyber threat intelligence is fragmentation. Malware infrastructure, infected hosts, indicators of compromise, and Advanced Persistent Threat (APT) activity are often distributed across separate platforms, feeds, and analytical layers. 
Tactical indicators tend to be consumed independently, while strategic attribution remains disconnected from the infrastructure generating those signals in real time.\nThe current work on World Monitor attempts to reduce that separation by introducing spatial visibility and contextual correlation directly into the platform’s mapping environment.\nCyber Threat Infrastructure Layer # The first major addition focused on integrating live cyber threat infrastructure data throughout the platform’s global map interface. This includes malware-associated hosts, infected IP addresses, and additional contextual metadata designed to improve immediate situational awareness during analysis. This is mostly Malware-as-a-Service / Ransomware-as-a-Service infrastructure, displayed throughout the entire map.\n1.0 identifies whether the infrastructure is operating as a malware host\n1.1 visualizes infected or compromised IP addresses\n1.2 displays country-level ccTLD attribution\n1.3 displays last-seen activity using full dd/mm/year formatting alongside 24-hour clock timestamps\n1.4 displays infrastructure criticality scoring for prioritization purposes\nBy embedding this information directly into a geospatial interface, infrastructure activity becomes easier to contextualize geographically and temporally rather than remaining confined to static feeds or isolated threat reports. This implementation improves the ability to correlate infrastructure activity across geographic regions and operational timelines within a unified analytical environment.\nThe second major addition focused on integrating Advanced Persistent Threat intelligence directly into the platform’s geospatial analysis interface. 
The implementation was designed to provide contextual attribution, operational behavior mapping, and threat actor profiling capabilities alongside live infrastructure visualization.\nThe implemented features currently cover APT groups.\nAdvanced Persistent Threats # Advanced Persistent Threats (mostly geopolitical/state-linked, criminal, ideological, private offensive, ambiguous and/or unknown threat actors)\n2.0 integrated the full MITRE ATT&CK APT group framework (159 mapped APT groups)\n2.1 added country-of-origin attribution alongside threat activity classification\n2.2 added direct hyperlinks to the corresponding MITRE ATT&CK group pages for each specific APT\n2.3 added summarized intelligence descriptions based on MITRE ATT&CK framework data\n2.4 added commonly observed attack techniques associated with each threat actor\n2.5 added lists of the most likely targeted sectors and industries (e.g. finance, retail, telecommunications, government infrastructure)\nThe integration of Advanced Persistent Threat intelligence improves attribution-oriented analysis by enabling direct correlation between threat actors, operational methodologies, targeted sectors, and geographic activity distribution. This reduces reliance on fragmented external intelligence sources while improving contextual visibility during investigative workflows.\nConclusion of integration # The second stage of development focused on integrating structured APT intelligence into the platform. 
This implementation incorporates the full MITRE ATT&CK APT framework, currently covering 159 threat groups across geopolitical, criminal, ideological, private offensive, ambiguous, and unattributed categories.\nThe integration includes:\nCountry-of-origin attribution\nThreat activity classification\nDirect references to official ATT&CK group pages\nSummarized descriptions derived from MITRE documentation\nCommon attack techniques and operational patterns\nTypical targeting sectors and industries\nRather than treating APT groups as purely abstract intelligence entities, the platform attempts to position them within a more operationally observable environment, linking higher-level strategic threat actor profiles with infrastructure-level indicators and activity patterns.\nSpatial Context in Cyber Threat Intelligence # One of the more interesting observations throughout this work has been how differently cyber threat data behaves once it is mapped spatially.\nMost threat intelligence pipelines prioritize isolated indicators: IP addresses, domains, hashes, malware samples, or signatures. While useful operationally, these indicators often lack broader contextual framing when viewed independently. At the same time, strategic intelligence surrounding threat actors and campaigns is frequently analyzed separately from the infrastructure producing observable activity.\nGeospatial correlation introduces another analytical layer. Infrastructure concentration, regional clustering, temporal synchronization, routing proximity, and operational overlap become significantly more visible when threat data is contextualized spatially rather than remaining purely feed-based.\nThe broader goal of this integration is not simply visualization, but faster analytical transition from raw indicators toward attribution, prioritization, and operational awareness. 
By combining tactical infrastructure telemetry with structured threat actor intelligence, analysts can move more efficiently between low-level signals and higher-level investigative reasoning.\nThe underlying data sources currently include public intelligence provided through MITRE ATT&CK, AbuseIPDB, URLhaus, and multiple public C2 intelligence feeds. Here is an example of a single APT in Brazil’s capital (keep in mind that all other features are deactivated for visual focus on the target):\nMalteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).\nThis is just one of the many APTs (several dozen, reaching into the hundreds) localized and centralized within World Monitor, and a feature I found to be essential for anyone looking to understand global intelligence better.\nYou can find my GitHub contributions right here: Github/WorldMonitor\n","date":"26 May 2026","externalUrl":null,"permalink":"/posts/worldmonitor/","section":"Posts","summary":"","title":"WorldMonitor: Integrating Cyber Threat Intelligence Into Geospatial Analysis","type":"posts"},{"content":" What is Bellingcat? # Bellingcat is an independent investigative collective of researchers, investigators and citizen journalists brought together by a passion for open source research.\nFounded in 2014, they have pioneered the use of open source research methods to investigate a variety of subjects of public interest. These range from the shooting down of flight MH17 over eastern Ukraine to police violence in Colombia and the illegal wildlife trade in the UAE. 
Their research is regularly referenced by international media and has been cited by several courts and investigative missions.\nThey design and share verifiable methods of ethical digital investigation. By publishing walkthroughs to open source research methods and holding tailored training sessions on their use for journalists, human rights activists and members of the public, they’re broadening the scope and application of open source research.\nWith over 30 staff and contributors in more than 20 countries, they operate in a unique field where advanced technology, forensic research, journalism, transparency and accountability come together.\nThey believe in the need for collaboration and have partnered with news organisations across the globe. Likewise, Bellingcat’s Global Authentication Project (GAP) seeks to harness the power of the open source community by nurturing and encouraging a network of volunteer investigators.\nHow do their open source challenges work? # The complexity of these investigations reinforced something fundamental about the maturity of the modern internet: meaningful analysis requires depth of understanding before interpretation. Each challenge required a combination of advanced OSINT and analytical techniques across multiple domains.\nMultispectral Sightings # Exact question: Multispectral imagery can be useful for many different types of investigations, do you know what we used it for here? On what date was this satellite imagery captured? (Answer format: DD/MM/YYYY).\nThis investigation revolved around geolocation under heavily altered multispectral imagery tied to a very narrow timeframe. Traditional visual anchors became unreliable almost immediately, forcing the analysis toward environmental consistency, temporal constraints, and indirect spatial correlation rather than recognizable landmarks. 
The challenge highlighted how geolocation increasingly depends less on obvious identifiers and more on understanding how environments behave under transformed or degraded visual conditions.\nStarted by watching “Webinar - Advanced Use of Copernicus Browser” by “Copernicus Data Space Ecosystem” on YouTube.\nLearned how to demodify specific layer visualizations.\nFound what appeared to be a forest fire.\nFound the date by correlating Google Search reverse searches and reading articles.\nTools used: #\nCopernicus Browser\nYouTube\nBreaking News # Exact question: Some days are more eventful than others on this big street. Why was this street in the news this year? What are the two last words of the title of the Al Jazeera article that used a photo taken from the same location as its header image?\nAt first glance, this appeared deceptively simple: identifying relevant information hidden within a large volume of nearly identical links and reports. In practice, the real difficulty came from filtering signal from noise while dealing with non-intuitive geolocation cues and fragmented contextual references. The investigation became less about searching directly and more about constructing exclusion criteria until only a plausible chain of attribution remained.\nReverse searched the image, found its city and exact location.\nDorked “aljazeera.com” + “Kathmandu”.\nRemembered that the precision on this challenge is to find the location and from there, find news containing that street but more crowded.\nBrute-force-checked all the articles until I found one that had two pictures explicitly aligned with the bridge shown in the original content.\nFound the last two words of the title of the article.\nTools used #\nTinEye\nGoogle dorking\nLost in Translation # Exact question: Some conversations can be difficult to understand when you don’t speak the language. Even if you do, without context, it can be hard to track down. 
In which city was this audio recorded?\nThis was arguably the most conceptually unusual challenge. The task centered around analyzing extremely limited and difficult-to-obtain audio recordings before arriving at a final question that initially seemed almost unreasonable: determining the city in which the recording was captured.\nRealised during my first time hearing the audio that both languages spoken were Korean and Russian.\nAnalyzed regions in which those may occur more often (no verifiable outcomes).\nWent back to the first step, clipped the audio in half (part Korean and part Russian).\nWent to an online mp3-to-txt translator and did that with both audio files.\nGot the translation for both sides; the results: Russian (translated): “Recently you have been conducting very active foreign policy activities. I thought it would be best to meet you not in Pyongyang but here, because you can rest a bit here. Also, you are the first foreign guest of our city, and I am very pleased that we are meeting here. The ambassador came first. He conveyed a message of cooperation and friendship between our countries.”\nGot a glitched yet interesting outcome: “Ambassador Hستتpassali”.\nAt the same time I found the glitch, I also realised I could’ve enumerated the number of ambassadors that have visited the DPRK.\nFound a list containing diplomats and ambassadors that have visited North Korea, but didn’t strictly stay in Pyongyang.\nChecked the city correctly on the first try after confirming which previous ambassador had visited the person speaking Korean in the audio.\nTools used: #\nGoogle Maps\nWindows ClipChamp\nGoogle Translate\nAudioToText Software\nThe solution depended on combining environmental audio analysis, linguistic inference, contextual elimination, and subtle infrastructural indicators. 
It demonstrated how intelligence attribution often emerges from weak signals that appear meaningless in isolation but become useful when layered together systematically.\nClimate Question # Exact question: The United Nations Climate Change Conference, COP30, took place in Belém, Brazil this year. What’s the first name of the person who asked the first audience question in the pictured session?\nThis challenge focused on obfuscated open-source data reconstructed through frame-by-frame analysis. The investigation required identifying fragments of foreign-language speech and correlating them against contextual indicators surrounding the 2025 United Nations COP30 timeframe.\nFound several hours of footage on YouTube of the COP30 being held in multiple places across a few days.\nConsidered how long each question was taking to be absorbed, interpreted and properly answered. I found a pattern: questions and answers take at least 30 seconds.\nDecided to skip through every video I watched 5 seconds at a time by pressing the right key.\nDid that for around 30h worth of footage.\nDidn’t find a frame of that exact board.\nDecided to do the same but reframed my starting point.\nFound a specific government-based (Brazil) link which contained lots of short-to-intermediate length videos.\nChecked all of them and almost got tricked, then got the correct answer afterwards.\nTools used: #\nGoogle/YouTube\nPatience\nFocus\nThe right key on the keyboard\nWhat made the exercise compelling was the necessity of moving between visual analysis, temporal reconstruction, translation inference, and geopolitical context simultaneously. No single method produced the answer independently.\nThe Frozen North # Exact question: The Frozen North. A vessel looms through the clouds. This vessel is docked at an icy port, we’re lucky to even be able to see it through a gap in the clouds. But where is it and what is the vessel? 
What is the IMO number of the pictured vessel?\nThe most technically disorienting challenge involved a combination of reverse timeframing, maritime intelligence analysis, and unconventional geolocation across Arctic Circle ports and vessels. The investigation incorporated vessel tracking logic, IMO attribution, reverse URL analysis, and timeline reconstruction under incomplete information.\nImmediately reverse searched the image (only found a bunch of forest fire news, nothing that seemed fitting).\nZoomed in and out several times and realised a few patterns.\nRealised it was a port in a freezing region.\nLightning-quick word insights came to mind: arctic, vessel, port, IMO, sub-arctic, military bases, research bases.\nPicked Russia as the biggest challenge within the context of something like this actually making sense - one of the very few knots that could be tied logically.\nFound “Terra de Alexandra” to the west of Russia, seemingly detached.\nRecognized the port (green: port entrance pathway; red: in/out of materials; yellow: road pathway).\nRecognized the base centre.\nUsed vessel format, type and functionality as seen in the pictures.\nWent for my tools on maritime intelligence research to check if there were any calls at that port specifically.\nRealised the URL hid the date.\nConfirmed the right ship and location.\nFound the vessel under the IMO number 8904434.\nTools used: #\nGoogle Lens\nGoogle Earth\nPlanet Explorer\nWarSanctions\nAll of these challenges took me between 20 and 60 minutes to complete.\nThis is a great view into the world of intelligence gathering, analysis and conclusion. 
Challenges like these strengthen my analytical techniques by correlating and attributing intelligence for structured reasoning.\n","date":"26 May 2026","externalUrl":null,"permalink":"/posts/bellingcat/","section":"Posts","summary":"","title":"Bellingcat’s Archive 2025: How I completed all challenges in one day","type":"posts"},{"content":"This project was not built to chase anonymity, nor to aestheticize the deep web. It exists as a practical exercise in understanding how threat infrastructure behaves when removed from indexed space.\nTOR hidden services impose constraints that are easy to describe but harder to internalize without direct contact: limited visibility, asymmetric information, fragile operational security, and an environment where small configuration choices leave disproportionate analytical traces. 
Within a Cyber Threat Intelligence (CTI) workflow, these constraints are not theoretical; they define what can and cannot be observed, inferred, or attributed.\nBy deploying and hardening a minimal onion service, I was less interested in hosting content than in observing the boundaries of exposure: what remains visible despite protocol protections, how infrastructure decisions imply operator intent, and where anonymity degrades into identifiable pattern. This mirrors the conditions analysts face when examining leak sites, marketplaces, and auxiliary services across non-indexed networks.\nThe service is intentionally static, non-interactive, and limited in scope; it is meant to be boring. This is not an attempt to simulate immediate threat activity or operational risk, but to understand the surface that threat actors themselves can often misunderstand. Anonymity here is treated not as a property of the network, but rather as a function of discipline, tradeoffs, and failure modes.\nFrom an intelligence perspective, the service is sparse but not opaque. An analyst could still form provisional hypotheses based on what is absent as much as what is present: interaction patterns, response consistency, content stability, update cadence, and the balance between simplicity and hardening. These signals are weak in isolation and easily misread, which is precisely the point. Tor constrains inference; it does not eliminate it.\nA parallel risk in this environment is analytical overreach. The presence of a hidden service alone does not imply sophistication, affiliation, or malicious intent. Part of the exercise is recognizing where attribution pressure exceeds available evidence, and where confidence must remain explicitly bounded. 
In practice, much of CTI work occurs in this space: reasoning under constraint, resisting narrative completion, and documenting uncertainty as a first-class output.\nIn intelligence work, familiarity with an environment is not measured by proximity to it, but by the ability to reason about its limits. This project reflects that orientation by remaining controlled, observant, and deliberately narrow, with the aim of clarifying how deep web threat landscapes actually operate, not how they are mythologized.\nFor those interested in accessing the artifact itself, the non-interactive onion service is available here:\nrv2ijwmksml5brayc6lev6zptjqimeu3ypapxrurwavdjtdwjueaqvad.onion\nKey Tools Used:\nTor Network for hosting the hidden service.\n[REDACTED] for programming.\n[REDACTED] for security.\nLog Analytics to track incoming connections and understand a different kind of network flow.\nHere is a quick look at the architecture: ","date":"24 May 2026","externalUrl":null,"permalink":"/posts/dw-project/","section":"Posts","summary":"","title":"I set up my resume on the deep web as a cyber threat intelligence project","type":"posts"}]