Issue #022 · 6 June 2026 · Saturday Tool Radar · EN + UKR

Open Source Signal

Сигнал відкритих джерел

Saturday OSINT tools, datasets and workflows for Ukrainian accountability work, evidence preservation, infrastructure signals, sanctions research, threat intelligence, OPSEC and ethical verification.

Saturday Tool Radar #022: MISP and OpenCTI for structured threat intelligence, misp-stix for reproducible MISP/STIX conversion, TruffleHog for defensive secret-leak triage, OpenSanctions for sanctions/entity screening, a passive disclosure-audit resolver, and a public-records workflow for boring but durable evidence.

Editorial frame

What this is: A weekly tool radar for public-interest OSINT. Each item explains what the tool, dataset or workflow does, why it matters for Ukrainian accountability work, how to use it safely, and where its limits are.

What this is not: Doxxing, stalking, credential hunting, leaked-database abuse, private-person deanonymization, unsafe facial recognition, live targeting, active exploitation, or tools that facilitate harm against private people.

Rubric map

🧰 Toolbox
🛡️ Investigator OPSEC
🧾 Sanctions & Entity Data
🌐 Infrastructure Signals
🧭 Tradecraft
🧰 Toolbox / Toolkit
#01

MISP 2.5.39 sharpens analyst dashboards, STIX workflows and multi-user safety

Source: MISP Project · 5 June 2026

What happened

MISP released version 2.5.39 with dashboard and analyst-workflow improvements, STIX interoperability updates and multiple security fixes. The release notes recommend upgrading, especially for multi-user deployments and instances that rely on dashboards, event templates, TAXII, LDAP mixed authentication or STIX import/export workflows.

Why it matters

MISP is a practical way to keep technical indicators, source references, confidence labels and sharing rules from becoming a haunted accordion of tabs. For Ukrainian accountability teams, it can structure phishing infrastructure, hostile-document IOCs, suspicious domains and repeat infrastructure patterns targeting journalists, NGOs or civic projects.

How to use it

Use MISP only for reviewed technical indicators: domains, IPs, hashes, malware-family leads, phishing infrastructure and source-linked observables. Apply taxonomies, confidence labels, TLP-style handling, source references and internal sharing groups before any external export.

Limits

IOCs are leads, not attribution verdicts. Do not use MISP to circulate private-person data, leaked credentials, unverified Telegram allegations, speculative attribution or operational targeting instructions.
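
A pre-export check for the handling rules above, as an added example (not MISP code, and not from the MISP project). The allow-list of types, the confidence-taxonomy prefixes and the use of the attribute `comment` as the source reference are assumed team conventions; the event is a constructed sample in the shape of a MISP event.

```python
# Assumed team conventions (not MISP defaults): which attribute types count as
# technical indicators, and which taxonomy prefixes count as a confidence label.
ALLOWED_TYPES = {"domain", "hostname", "ip-src", "ip-dst", "url", "md5", "sha1", "sha256"}
CONFIDENCE_PREFIXES = ("admiralty-scale:", "estimative-language:")
TLP_RANK = {"tlp:clear": 0, "tlp:white": 0, "tlp:green": 1,
            "tlp:amber": 2, "tlp:amber+strict": 3, "tlp:red": 4}


def tag_names(obj: dict) -> list:
    return [t["name"].lower() for t in obj.get("Tag", [])]


def export_gate(event: dict, ceiling: str = "tlp:green") -> dict:
    """Split an event's attributes into exportable and held-back, with reasons."""
    event_tags = tag_names(event)
    result = {"export": [], "hold": []}
    for attr in event.get("Attribute", []):
        tags = tag_names(attr) + event_tags  # event-level tags apply to every attribute
        tlp = [TLP_RANK[t] for t in tags if t in TLP_RANK]
        reasons = []
        if attr.get("type") not in ALLOWED_TYPES:
            reasons.append("type is not a reviewed technical indicator")
        if not tlp:
            reasons.append("no TLP tag")
        elif max(tlp) > TLP_RANK[ceiling]:  # the most restrictive marking wins
            reasons.append("TLP above export ceiling " + ceiling)
        if not any(t.startswith(CONFIDENCE_PREFIXES) for t in tags):
            reasons.append("no confidence label")
        if not attr.get("comment", "").strip():
            reasons.append("no source reference in comment")
        if reasons:
            result["hold"].append({"value": attr.get("value"), "reasons": reasons})
        else:
            result["export"].append(attr["value"])
    return result


# Constructed sample in the shape of a MISP event; all values are placeholders.
SAMPLE_EVENT = {
    "info": "Phishing infrastructure (constructed case)",
    "Tag": [{"name": "tlp:green"}, {"name": 'admiralty-scale:source-reliability="b"'}],
    "Attribute": [
        {"type": "domain", "value": "login-portal.example",
         "comment": "archived capture, case note 12"},
        {"type": "ip-dst", "value": "192.0.2.10", "comment": "",
         "Tag": [{"name": "tlp:amber"}]},
        {"type": "email-src", "value": "person@example.org",
         "comment": "forwarded message"},
    ],
}
```

Everything in `hold` goes back to a reviewer with its reasons; nothing is silently dropped or silently exported.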

MISP 2.5.39 strengthens analyst dashboards, STIX workflows and the security of multi-user instances

Source: MISP Project · 5 June 2026

What happened

MISP released version 2.5.39 with improvements to dashboards, analyst workflows and STIX interoperability, plus several security fixes. The release notes recommend updating, especially for multi-user deployments and instances that rely on dashboards, event templates, TAXII, LDAP mixed authentication or STIX import/export workflows.

Why it matters

MISP is a practical way to keep technical indicators, source references, confidence labels and sharing rules from turning into a cursed accordion of tabs. For Ukrainian accountability teams, it helps structure phishing infrastructure, hostile-document IOCs, suspicious domains and recurring infrastructure patterns aimed at journalists, NGOs or civic projects.

How to use it

Use MISP only for reviewed technical indicators: domains, IPs, hashes, malware-family leads, phishing infrastructure and source-linked observables. Before any external export, apply taxonomies, confidence labels, TLP-style handling, source references and internal sharing groups.

Limits

IOCs are leads, not attribution verdicts. Do not use MISP to spread private-person data, leaked credentials, unverified Telegram allegations, speculative attribution or operational targeting instructions.

misp · ioc · threat-intelligence · stix · investigator-opsec
🧰 Toolbox / Toolkit
#02

OpenCTI 7.260604.0 adds ingestion controls and retention-policy work

Source: OpenCTI Platform · 4 June 2026

What happened

OpenCTI released version 7.260604.0. The release includes configurable URI deny lists for ingestions, retention-policy work, richer markdown/editor capabilities, dashboard and task fixes, and improvements around metadata exposure.

Why it matters

OpenCTI is useful when an investigation needs a knowledge graph of entities, observables, sources, reports, confidence levels, first/last-seen dates and relationships. For accountability work, it can keep cyber, sanctions, propaganda and infrastructure leads connected without pretending that a graph is a judge in a powdered wig.

How to use it

Use it as a structured case-knowledge layer: ingest only reviewed sources, mark confidence, separate observed infrastructure from attribution, and link every claim to a primary report, archive, dataset or case note. Apply retention rules for sensitive or time-limited investigative data.

Limits

A CTI graph is not proof by itself. Do not publish personal data, leaked databases, speculative attribution, home addresses, family data or targetable operational details from graph outputs.

OpenCTI 7.260604.0 adds ingestion controls and work on retention policies

Source: OpenCTI Platform · 4 June 2026

What happened

OpenCTI released version 7.260604.0. The release includes configurable URI deny lists for ingestions, work on retention policies, expanded markdown/editor capabilities, fixes for dashboards and tasks, and improvements around metadata exposure.

Why it matters

OpenCTI is useful where an investigation needs a knowledge graph of entities, observables, sources, reports, confidence levels, first/last-seen dates and relationships. For accountability work, it helps connect cyber, sanctions, propaganda and infrastructure leads without the illusion that a graph is a judge in a wig.

How to use it

Use it as a structured case-knowledge layer: ingest only reviewed sources, mark confidence, separate observed infrastructure from attribution, and tie every claim to a primary report, archive, dataset or case note. Apply retention rules to sensitive or time-limited investigative data.

Limits

A CTI graph is not proof by itself. Do not publish personal data, leaked databases, speculative attribution, home addresses, family data or targetable operational details from graph outputs.

opencti · case-management · threat-intelligence · knowledge-graph · retention
🧰 Toolbox / Toolkit
#03

misp-stix 2026.6.1 makes MISP/STIX conversion more reproducible

Source: MISP Project · 1 June 2026

What happened

The MISP project released misp-stix 2026.6.1. The release reworks STIX 2 import routing, improves full TLP marking support, expands patterning-language handling and removes sources of run-to-run variation so the same input can produce byte-identical output.

Why it matters

Reproducibility is the drawbridge of evidence handling, not decorative bunting. When investigators transform indicators between MISP and STIX, deterministic conversion helps preserve auditability and reduces unexplained object drift during editorial, partner or legal review.

How to use it

Use misp-stix for export/import between MISP, STIX bundles and partner systems. Save the original input, converter version, command or API path, output hash and validation notes alongside the case file.

Limits

Format conversion does not validate the truth of the indicator. A clean STIX object can still contain stale infrastructure, bad attribution, unlawfully collected data or a claim that needs separate corroboration.
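
The record-keeping step above, as an added example (not misp-stix code, and not from the MISP project): it converts the same input several times, compares output digests and builds the provenance record. `stable_convert` and `unstable_convert` are hypothetical stand-ins for the real conversion call; the input, namespace UUID and simplified STIX-like output are constructed.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed MISP-style input; all values are placeholders.
SAMPLE_INPUT = json.dumps({"Event": {"info": "constructed", "Attribute": [
    {"type": "domain", "value": "login-portal.example"},
    {"type": "ip-dst", "value": "192.0.2.10"}]}}).encode()
NAMESPACE = uuid.UUID("11111111-2222-4333-8444-555555555555")  # constructed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _bundle(source: bytes, make_id, stamp: str) -> bytes:
    # Simplified STIX-like output, enough to show where drift comes from.
    attrs = json.loads(source)["Event"]["Attribute"]
    objects = [{"type": "indicator", "id": "indicator--" + make_id(a),
                "created": stamp, "name": a["value"]} for a in attrs]
    return json.dumps({"type": "bundle", "objects": objects}, sort_keys=True).encode()


def unstable_convert(source: bytes) -> bytes:
    """Stand-in with two classic drift sources: random IDs and wall-clock stamps."""
    return _bundle(source, lambda a: str(uuid.uuid4()),
                   datetime.now(timezone.utc).isoformat())


def stable_convert(source: bytes) -> bytes:
    """Stand-in whose IDs derive from content and whose stamp is fixed."""
    return _bundle(source, lambda a: str(uuid.uuid5(NAMESPACE, a["type"] + a["value"])),
                   "2026-06-01T00:00:00+00:00")


def provenance_record(convert, source: bytes, converter: str, version: str,
                      command: str, runs: int = 3) -> dict:
    """Convert the same bytes `runs` times and record what a later review needs."""
    digests = sorted({sha256_hex(convert(source)) for _ in range(runs)})
    return {
        "recorded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "converter": converter,
        "converter_version": version,
        "command_or_api_path": command,
        "input_sha256": sha256_hex(source),
        "output_sha256": digests,          # a single digest means byte-identical runs
        "deterministic": len(digests) == 1,
        "validation_notes": [] if len(digests) == 1 else
            ["outputs differ between runs; do not cite an output hash until resolved"],
    }
```

Store the returned record as JSON next to the original input file; a record with more than one output digest is a signal to pin the converter version and re-run before anything is shared.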

misp-stix 2026.6.1 makes MISP/STIX conversion more reproducible

Source: MISP Project · 1 June 2026

What happened

The MISP project released misp-stix 2026.6.1. The release reworks STIX 2 import routing, improves full TLP marking support, expands patterning-language handling and removes sources of run-to-run variation so that the same input can give byte-identical output.

Why it matters

Reproducibility is the drawbridge of evidence handling, not decorative flags. When researchers convert indicators between MISP and STIX, deterministic conversion helps preserve auditability and reduces unexplained object drift during editorial, partner or legal review.

How to use it

Use misp-stix for export/import between MISP, STIX bundles and partner systems. Keep the original input, converter version, command or API path, output hash and validation notes together with the case file.

Limits

Format conversion does not confirm that an indicator is true. A tidy STIX object can still contain stale infrastructure, bad attribution, unlawfully collected data or a claim that needs separate corroboration.

stix · misp · reproducibility · tlp · auditability
🛡️ Investigator OPSEC / Researcher security
#04

TruffleHog 3.95.5 is a defensive secret-leak scanner for investigation workspaces

Source: Truffle Security · 2 June 2026

What happened

TruffleHog released version 3.95.5 with detector and scanning improvements, including GitLab OAuth, Box, SpectralOps, AWS AppSync and database-detector changes, plus fixes for duplicate matches, GitHub redirect handling, HTML decoding and obfuscated APK parsing.

Why it matters

Investigative teams often handle repos, dumps from their own infrastructure, logs, notebooks, scripts, scraped pages and hostile attachments. Defensive secret scanning helps prevent accidental exposure of API keys, bot tokens, cloud credentials, archive credentials or source-protection infrastructure.

How to use it

Run it only on material you own or are authorised to audit: team repositories, private scripts, exported logs, CI configs, intake folders and evidence-processing workspaces. Record scan scope, tool version, date, findings triage and remediation actions; rotate exposed credentials rather than merely deleting them.

Limits

Do not scan other people’s repositories, leaked datasets, private accounts or stolen material to hunt credentials. Secret scanning is a defensive hygiene workflow, not a key-hunting ferret in a false moustache.
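
The recording and triage step above, as an added example (not TruffleHog code, and not from Truffle Security): it turns JSON-lines scanner output into a scan record that groups findings by secret without storing the secret. The field names are assumed to match the JSON output of the TruffleHog version in use; the sample lines, paths and tokens are constructed placeholders.

```python
import hashlib
import json

# Constructed sample of JSON-lines scanner output; the secrets are fake placeholders.
SAMPLE_JSONL = """\
{"SourceMetadata":{"Data":{"Filesystem":{"file":"intake/notes.ipynb","line":12}}},"DetectorName":"TelegramBotToken","Verified":true,"Raw":"EXAMPLE-FAKE-BOT-TOKEN"}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"scripts/upload.py","line":4}}},"DetectorName":"TelegramBotToken","Verified":false,"Raw":"EXAMPLE-FAKE-BOT-TOKEN"}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"ci/deploy.yml","line":30}}},"DetectorName":"AWS","Verified":false,"Raw":"EXAMPLE-FAKE-CLOUD-KEY"}
scan finished
"""


def location(finding: dict) -> str:
    """Return 'file:line' from whichever source block the finding carries."""
    data = finding.get("SourceMetadata", {}).get("Data", {})
    for src in data.values():
        if isinstance(src, dict) and "file" in src:
            return "%s:%s" % (src["file"], src.get("line", "?"))
    return "unknown"


def triage(jsonl: str, scope: str, tool_version: str, scan_date: str) -> dict:
    """Build a scan record that never stores the secret itself."""
    by_secret = {}
    for line in jsonl.splitlines():
        try:
            finding = json.loads(line)
        except json.JSONDecodeError:
            continue  # progress or log lines mixed into the output
        if not isinstance(finding, dict) or "DetectorName" not in finding:
            continue
        # A short digest lets reviewers see one secret in several places
        # without the record becoming a second copy of the leak.
        fp = hashlib.sha256(finding.get("Raw", "").encode()).hexdigest()[:16]
        entry = by_secret.setdefault(fp, {"fingerprint": fp, "verified": False,
                                          "detector": finding["DetectorName"],
                                          "locations": []})
        entry["verified"] = entry["verified"] or bool(finding.get("Verified"))
        entry["locations"].append(location(finding))
    findings = sorted(by_secret.values(), key=lambda e: (not e["verified"], e["detector"]))
    for e in findings:
        e["action"] = ("rotate now, then clean every listed location" if e["verified"]
                       else "review; rotate if the value was ever valid")
        e["remediated"] = False  # set by the reviewer once rotation is confirmed
    return {"scope": scope, "tool_version": tool_version, "scan_date": scan_date,
            "findings": findings}
```

Grouping by fingerprint matters for remediation: the same token found in a notebook and a script is one rotation, but two places to clean.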

TruffleHog 3.95.5 is a defensive secret-leak scanner for investigative workspaces

Source: Truffle Security · 2 June 2026

What happened

TruffleHog released version 3.95.5 with detector and scanning improvements, including GitLab OAuth, Box, SpectralOps, AWS AppSync and database-detector changes, as well as fixes for duplicate matches, GitHub redirect handling, HTML decoding and parsing of obfuscated APKs.

Why it matters

Investigative teams often work with repos, dumps of their own infrastructure, logs, notebooks, scripts, scraped pages and hostile attachments. Defensive secret scanning helps avoid leaking API keys, bot tokens, cloud credentials, archive credentials or source-protection infrastructure.

How to use it

Run it only on material you own or have the right to audit: team repositories, private scripts, exported logs, CI configs, intake folders and evidence-processing workspaces. Record scan scope, tool version, date, findings triage and remediation actions; exposed credentials must be rotated, not just deleted.

Limits

Do not scan other people's repositories, leaked datasets, private accounts or stolen material in search of credentials. Secret scanning is a defensive hygiene workflow, not a ferret hunting keys in a false moustache.

trufflehog · secret-scanning · opsec · credential-hygiene · workspace-security
🧾 Sanctions & Entity Data / Sanctions and entity data
#05

OpenSanctions Default gives a freshly processed entity-screening layer

Source: OpenSanctions · last processed 6 June 2026

What happened

OpenSanctions Default shows a 6 June 2026 processing timestamp for its broad screening dataset. The dataset aggregates entities from hundreds of sources, including sanctions lists, criminal-context lists, political office holders, corporate and securities data, vessels, aircraft, cryptocurrency wallets and Ukraine-related sanctions sources.

Why it matters

For Ukrainian accountability work, entity screening helps connect names, companies, vessels, aircraft, sanctioned actors, war-enabling firms and politically exposed persons without starting from a naked Google search and a hopeful whistle. It is especially useful as a lead layer for sanctions research and collaborator-network triage.

How to use it

Use OpenSanctions as a lead and screening layer: query names, aliases, companies, identifiers, vessels or aircraft, then cross-check every relevant hit against the original source, official sanctions decision, corporate registry, archive and independent reporting. Preserve match confidence and false-positive notes.

Limits

A dataset match is not guilt, conviction or proof of war-crimes responsibility. Avoid publishing unnecessary personal data; distinguish sanctioned, listed, politically exposed, investigated, charged and convicted as separate statuses.

OpenSanctions Default provides a freshly processed entity-screening layer

Source: OpenSanctions · last processed 6 June 2026

What happened

OpenSanctions Default shows a processing timestamp of 6 June 2026 for its broad screening dataset. The dataset aggregates entities from hundreds of sources, including sanctions lists, criminal-context lists, political office holders, corporate and securities data, vessels, aircraft, cryptocurrency wallets and Ukraine-related sanctions sources.

Why it matters

For Ukrainian accountability work, entity screening helps connect names, companies, vessels, aircraft, sanctioned actors, war-enabling firms and politically exposed persons without a naked Google search and an optimistic whistle. It is especially useful as a lead layer for sanctions research and collaborator-network triage.

How to use it

Use OpenSanctions as a lead and screening layer: search names, aliases, companies, identifiers, vessels or aircraft, and check every relevant hit against the original source, official sanctions decision, corporate registry, archive and independent reporting. Keep match confidence and false-positive notes.

Limits

A dataset match is not guilt, conviction or proof of war-crimes responsibility. Do not publish unnecessary personal data; treat sanctioned, listed, politically exposed, investigated, charged and convicted as different statuses.

opensanctions · sanctions-research · entity-resolution · screening · ukraine-accountability
🌐 Infrastructure Signals / Infrastructure signals
#06

anci-oiv-resolver shows a passive disclosure-audit workflow

Source: arXiv · 4 June 2026

What happened

A new paper introduced a passive OSINT audit of Chilean critical-infrastructure operators and released anci-oiv-resolver under Apache 2.0 to reproduce the operator-domain mapping layer. The study focuses on disclosure contactability, RFC 9116 security.txt channels, email-authentication posture and public web-stack indicators.

Why it matters

Accountability work depends on institutions that store evidence, humanitarian records, case files, media archives and sensitive source material. A passive disclosure-readiness checklist can help partners see whether they are reachable when something breaks, leaks or starts smoking politely in the corner.

How to use it

Adapt the method as a non-invasive institutional checklist: official domain list, security.txt, vulnerability-disclosure contact, DMARC/SPF/DKIM posture, HTTPS basics, observation date and reproducibility notes. Keep the work passive and document every assumption.

Limits

Do not convert this into active vulnerability scanning, exploit testing, public shaming or naming individual administrators. The Chilean legal and institutional context does not transfer automatically to Ukraine.
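
Part of the checklist above, as an added example (not code from anci-oiv-resolver or the paper): it evaluates a security.txt file and SPF/DMARC TXT values that have already been retrieved, so it runs offline. The domain partner.example and all sample records are constructed; DKIM is left out because its keys sit under per-sender selectors that a passive check cannot enumerate.

```python
from datetime import datetime, timezone

# Constructed samples for the placeholder domain partner.example.
NOW = datetime(2026, 6, 6, tzinfo=timezone.utc)  # observation date
SAMPLE_SECURITY_TXT = """\
Contact: mailto:security@partner.example
Contact: security@partner.example
Expires: 2025-01-01T00:00:00Z
"""
SAMPLE_SPF = "v=spf1 include:_spf.partner.example ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@partner.example"

def parse_security_txt(text, now):
    """Check an already-retrieved RFC 9116 file for usable, unexpired contacts."""
    fields, issues = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-----")):
            continue  # blank lines, comments, PGP armor markers
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    contacts = fields.get("contact", [])
    if not contacts:
        issues.append("no Contact field")
    for c in contacts:
        if not c.lower().startswith(("mailto:", "https://", "tel:")):
            issues.append("Contact is not a mailto:, https:// or tel: URI: " + c)
    expires = fields.get("expires", [])
    if len(expires) != 1:
        issues.append("Expires must appear exactly once, found %d" % len(expires))
    else:
        try:
            when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
            if when.tzinfo is None:
                raise ValueError("no UTC offset")
            if when <= now:
                issues.append("Expires is in the past: " + expires[0])
        except ValueError:
            issues.append("Expires is not an RFC 3339 timestamp: " + expires[0])
    return {"contacts": contacts, "issues": issues}

def mail_posture(spf_txt, dmarc_txt):
    """Read SPF and DMARC TXT values that were looked up beforehand."""
    issues, spf_all = [], None
    if spf_txt.lower().startswith("v=spf1"):
        for term in spf_txt.lower().split()[1:]:
            if term.lstrip("+-~?") == "all":
                spf_all = term[0] if term[0] in "+-~?" else "+"
    if spf_all in (None, "+", "?"):
        issues.append("SPF absent or does not restrict unlisted senders")
    pairs = (p.split("=", 1) for p in dmarc_txt.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    policy = tags.get("p", "").lower() if tags.get("v") == "DMARC1" else ""
    if not policy:
        issues.append("no DMARC policy published")
    elif policy == "none":
        issues.append("DMARC p=none (monitoring only)")
    return {"spf_all": spf_all, "dmarc_policy": policy or None, "issues": issues}
```

Store each result with the domain and the observation date passed as `now`, so that a later reviewer can tell an expired file from one that was valid when it was observed.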

anci-oiv-resolver shows a passive disclosure-audit workflow

Source: arXiv · 4 June 2026

What happened

A new paper presented a passive OSINT audit of Chile's critical-infrastructure operators and released anci-oiv-resolver under Apache 2.0 to reproduce the operator-domain mapping layer. The study focuses on disclosure contactability, RFC 9116 security.txt channels, email-authentication posture and public web-stack indicators.

Why it matters

Accountability work depends on institutions that store evidence, humanitarian records, case files, media archives and sensitive source material. A passive disclosure-readiness checklist helps partners understand whether they can be reached when something breaks, leaks or smokes politely in the corner.

How to use it

Adapt the method as a non-invasive institutional checklist: official domain list, security.txt, vulnerability-disclosure contact, DMARC/SPF/DKIM posture, HTTPS basics, observation date and reproducibility notes. Keep the work passive and document every assumption.

Limits

Do not turn this into active vulnerability scanning, exploit testing, public shaming or naming individual administrators. The Chilean legal and institutional context does not transfer automatically to Ukraine.

passive-osint · security-txt · critical-infrastructure · disclosure · institutional-security
🧭 Tradecraft / Methodology
#07

Public-records workflows are boring enough to be useful

Source: The OSINT Newsletter · 4 June 2026

What happened

The latest OSINT Newsletter issue focuses on public records and government databases as a repeatable investigation workflow. It highlights jurisdiction selection, official open-data portals, court records, business registrations, licensing databases and cross-referencing.

Why it matters

Public records can anchor investigations that start with noisy Telegram posts, propaganda clips or claims about collaborators and occupation-linked networks. Registries, court records, procurement records, sanctions lists and corporate filings often provide slower but stronger connective tissue.

How to use it

Start every registry workflow with jurisdiction: country, region, municipality, agency, record type, access rules, update cycle and search fields. Cross-reference names, companies, dates, addresses, directors, procurement IDs, sanctions entries and archived pages before writing conclusions.

Limits

Public records can be outdated, misindexed, incomplete or legally restricted. Avoid private-person doxxing, home-address publication, family targeting and claims that turn a registry match into guilt.

The public-registry workflow is boring enough to be useful

Source: The OSINT Newsletter · 4 June 2026

What happened

The new issue of The OSINT Newsletter is devoted to public records and government databases as a repeatable investigation workflow. It covers jurisdiction selection, official open-data portals, court records, business registrations, licensing databases and cross-referencing.

Why it matters

Public records can ground investigations that start from noisy Telegram posts, propaganda clips or claims about collaborators and occupation-linked networks. Registries, court records, procurement records, sanctions lists and corporate filings often provide slower but stronger connective tissue.

How to use it

Start every registry workflow with jurisdiction: country, region, municipality, agency, record type, access rules, update cycle and search fields. Before drawing conclusions, cross-reference names, companies, dates, addresses, directors, procurement IDs, sanctions entries and archived pages.

Limits

Public records can be outdated, misindexed, incomplete or legally restricted. Avoid private-person doxxing, publication of home addresses, family targeting and claims that turn a registry match into guilt.

public-records · registries · workflow · cross-referencing · tradecraft