ornithos.report — The Avian Threat Archive

Editor's note

Eighteen months of work is collected here. None of it is hidden. All of it is in plain sight.

If you find more than what is written, that was always the point.

— ornithos

The Disclosure

Public-facing documents on the vulnerability and the actor behind it.

Network diagram of the Bird-in-the-Middle attack surface. Shows operator subtypes intercepting client→datacenter traffic across utility infrastructure.

SVG · CVE-2026-31337 View →

Matrix Tier 1

ATT&CK for Avian Operators

A MITRE-style tactic/technique matrix for APT-AVIAN. Twenty-four techniques across eight tactics, plus operator subtype profiles and detection indicators.

SVG · ATT&CK-AV v1.0 View →

Brief Tier 1

Campaign FEATHERFALL

Threat intelligence briefing covering the most recent observed APT-AVIAN campaign across North American urban centers. TTPs, IOCs, three notable incidents.

Doc · TI-2026-0523-AVIAN Read →

"I assumed for a long time that the murmurations were beautiful coincidence. The day I plotted the centroid against the cell-tower locations, I stopped sleeping at the window." — field notes, 2024

II.

The Script

Avianic — a featural writing system in active use among the operators.

Reference Tier 1

Avianic Alphabet

Reconstructed alphabet chart. Glyphs combine posture (consonant), wing (vowel), and tail (intent tone). Sample lexicon and one full transliterated sentence included.

SVG · Featural script Study →

Tool Tier 2

The Avianic Translator

A working dictionary. Type English, get rendered glyphs. Type romanized Avianic, get the English gloss. Built for reading intercepted transmissions.

HTML · 78 entries Open tool →

Analysis Tier 2

Glyph–Byte Correspondence

A protocol-layer breakdown showing how Avianic glyphs map to the byte structure of intercepted murmuration packets. The script is featural at the byte level too.

SVG · Annotated capture View →

III.

Intercepted Transmissions

Captures from across the spectrum. Decode at your own pace. Solutions are not provided.

2026.06.20 TL-05 TEARLINE-2026-05 — field technician account (Source B) · revises TL-04 INTEL

2026.06.22 FC-003 feathercapture_003.pcap — wireless capture, European cable landing perimeter OPEN

2026.06.18 TL-04 TEARLINE-2026-04 — endpoint targeting hypothesis (redacted) INTEL

2026.06.15 FC-002 feathercapture_002.pcap — wireless capture, Tuckerton MAREA perimeter OPEN

2026.06.03 FC-001/R FC-001 — Decoded — community solve and credits REVEAL

2026.03.14 TL-03 TEARLINE-2026-03 — persistence anchors discovery INTEL

2026.02.20 TL-02 TEARLINE-2026-02 — operator movement vectors INTEL

2026.01.25 TL-01 TEARLINE-2026-01 — initial APT-AVIAN characterization INTEL

2026.04.12 FC-001 feathercapture_001.pcap — wireless capture, Tokyo SOC perimeter SOLVED

2026.04.12 AD-001 aircraft.json — ADS-A feed snapshot, dump1090 schema OPEN

— pending — WV-001 audio sample, suspected spectrogram-encoded queued

— pending — IQ-001 raw IQ samples, 1090 MHz, Tuckerton NJ queued

      ⌁ subscribe · atom feed
    

"Every capture published here has already been read by the subject of the capture. We are not the analysts of this material. We are the audience." — field notes, 2025

IV.

The Actor

A summary dossier on APT-AVIAN.

APT-AVIAN

aliases: The Flock · ornithos collective · "the birds"

APT-AVIAN is the most prolific threat actor currently tracked. The actor maintains complete physical access to global telecommunications infrastructure through what threat researchers term ornithological cover — appearing to be ordinary wildlife while conducting active SIGINT operations.

First observed activity dates to 1947, coinciding with the suspected origin of the actor's operational deployment. State-level backing is suspected but unattributed.

The actor operates across all observed urban environments and shows no signs of degradation, retirement, or operational tempo decline. Defensive posture should assume continuous compromise.

First seen	1947 (suspected)
Region	Global · all urban environments
Est. population	~50 billion active nodes
Sponsorship	classified — Truman-era origin
Cover	Natural fauna
Operating freq.	Full RF spectrum; primary murmuration C2 in 2-8 kHz audible band
Attribution conf.	HIGH
Mitigation	No effective patch · Anti-perch hardware (partial)
Status	ACTIVE

For The Field

Working tools for decoders, analysts, and anyone learning to read the flock.

Typeface Tier 2

Avianic.ttf

A working TrueType font. Drop it in your system and any ASCII becomes Avianic. Print labels in glyphs, render documents in the script, annotate captures in the field. Open license.

TTF · 4.7 KB · v0.1 Download →

Tracker Tier 2

flockaware.live

Live ADS-A surveillance map. Renders the murmuration ring, migration tracks, and the ghost contact. Click any contact for ICAO, position, squawk, and analyst notes. Cable-landing alignment is plotted.

HTML · Leaflet · Snapshot 04.12 Open map →

Raw feed Tier 3

aircraft.json — raw snapshot

The underlying ADS-A feed in dump1090's standard schema. Drop into any readsb / tar1090 install. The map above is one rendering; build your own.

JSON · dump1090 schema Download →

A note to the reader

This archive is driven by tearlines. The work is distributed.

Every collection requirement in this archive arrives the same way it would in a working intelligence environment: a tearline is filed, the source context is established, and the unanswered questions in the report are issued as RFIs. When a new tearline drops, new RFIs open. When operators move, the archive moves.

No single analyst can resolve every RFI in this archive. The captures want a packet analyst. The migration vectors want geospatial reasoning. The audio captures (forthcoming) will want an SDR operator. The Avianic glyphs already have one independent reading and need others. The tearline series is the entry point; the open RFIs are the engagement.

Read the tearlines →

VI.

Submissions

If you have an observation of the actor, or a decode of any artifact here.

Submissions are accepted by email, posted publicly at the curator's discretion, and credited (or anonymised) on request. Decodes, sightings, captures, and re-creations are all welcome. Do not send original photographs of suspected operators — they have been known to recognise themselves in JPEG metadata.

ornithos <at> ornithos.report

PGP key on request. Replies may be delayed by migration patterns.