TLP : RED – active engagement · RFIs derived from filed tearlines · Updated 2026.05.23
Open RFIs
Each Request for Information below was derived from a source-protected tearline filed at this archive. New tearlines drop new RFIs.
0 / 16 resolved
An RFI in this archive is a collection requirement derived from a filed tearline. The tearline establishes context and source authority; the RFI states the question. Each RFI has a deterministic answer that you verify against a SHA-256 hash locally in your browser – no submissions are reported back to the archive.
If you want public credit when you resolve an RFI, send a note to ornithos <at> ornithos.report with the RFI identifier and your handle. Credited solvers will be acknowledged when a reveal page is published – which only happens once enough solves arrive to warrant one.
Hints are deliberately sparse. If an RFI feels impossible, read the tearline that derived it. The tearline series contains the source context that the RFI assumes.
Tier I – Entry · novice
α · The First Phrase
FC-001 · pcap
feathercapture_001.pcap contains a sentence written in the source MAC addresses. What does it say?
Open the capture in Wireshark. List every source MAC in capture order. Look at the last byte of each.
β · The Nonce
FC-001 · pcap
Frame 12 of feathercapture_001.pcap is a partial WPA2 handshake. It contains a five-word phrase hidden in plain sight. What is it?
The EAPOL key nonce is 32 bytes. Most of it is null padding. Most of it.
ε · The Greeting
FC-001 · FC-002 · pattern
Four bytes appear in every APT-AVIAN frame. What are they, in hexadecimal?
Check the vendor-specific information element of any beacon. They're at the end. They also appear in MAC OUI prefixes.
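The method from the α hint (reused by ζ and κ), as an added example that is not the archive's own tooling: a minimal classic-pcap reader that lists each 802.11 frame's source address in capture order and reads the last byte of each. Reading those bytes as ASCII, the function names, and the capture built by `build_sample` are assumptions for illustration; pcapng files are not handled.

```python
import struct

def source_macs(pcap: bytes):
    """Yield each 802.11 frame's source address (SA) from a classic pcap, in capture order."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled)")
    linktype = struct.unpack(end + "I", pcap[20:24])[0] & 0xFFFF
    if linktype not in (105, 127):  # 105 = raw 802.11, 127 = radiotap + 802.11
        raise ValueError(f"unsupported link type {linktype}")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if linktype == 127 and len(frame) >= 4:  # radiotap length: LE u16 at offset 2
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        if len(frame) < 2 or ((frame[0] >> 2) & 3) == 1:
            continue  # truncated, or a control frame (may carry no source address)
        to_ds, from_ds = frame[1] & 1, frame[1] & 2
        off = 24 if (to_ds and from_ds) else 16 if from_ds else 10  # SA = addr4/addr3/addr2
        if len(frame) >= off + 6:
            yield frame[off:off + 6]

def last_byte_text(macs) -> str:
    """Join the last byte of every address and read the result as ASCII (assumption)."""
    return bytes(m[-1] for m in macs).decode("ascii", errors="replace")

def build_sample(text: str) -> bytes:
    """Constructed input: raw-802.11 pcap of beacon headers whose SA last bytes spell `text`."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for i, ch in enumerate(text.encode("ascii")):
        sa = b"\x02\x00\x00\x00\x00" + bytes([ch])  # locally administered, made up
        frame = b"\x80\x00\x00\x00" + b"\xff" * 6 + sa + sa + struct.pack("<H", i << 4)
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(last_byte_text(source_macs(build_sample("nest ok"))))
```

For a real capture, pass `open(path, "rb").read()` to `source_macs`; the frame order it yields matches Wireshark's frame numbering minus any control frames it skips.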
Tier II – Cross-artifact · intermediate
δ · The Founding Year
AD-001 · json
One contact in aircraft.json broadcasts a deliberately invalid squawk code from a malformed altitude. What year is the altitude encoding?
A four-digit number that doubles as a year. Cross-reference the threat brief.
γ · Three Landings
AD-001 · geospatial · hard
Three migration contacts in aircraft.json are bearing for undersea cable landings. Name all three landing locations (city names will do).
Open flockaware. Click each migration contact (look for the larger blue birds – callsigns starting with TA-KA, HU-MA, KA-RU). A dashed bearing line will highlight, showing where the contact is heading. Toggle Submarine cables in the top bar to overlay landing sites. Identify where each bearing terminates.
ζ · The Listening Cable
FC-002 · pcap · requires α decoded
feathercapture_002.pcap contains a new sentence. What does it say in English?
Same method as α. Then run the romanization through the translator. Four content words.
Tier III – The Nests · hard · observation-based
The threat brief mentions that APT-AVIAN achieves persistence through nesting – operators returning to specific perches at intervals. None of the published feeds label these sites. They must be derived from observation.
Approach: open aircraft.json. Find the contacts marked stationary (gs = 0) at low altitude (under ~50 ft) and squawking 7747. Group them by spatial proximity. The clusters are nests.
Solving η₁ may reveal further work.
η₁ · Persistence anchors
AD-001 · hard
How many distinct nest sites can be identified by clustering the stationary perched contacts in aircraft.json?
Look for low-altitude contacts with ground speed zero. Group them by approximate location. Count the clusters. One small integer.
η₂ · Nest α – centroid
AD-001 · hard
Compute the centroid of the northernmost cluster in the western hemisphere. Lat/lon in decimal degrees. Tolerance ±0.01°.
Average the lat/lon of the contacts in the cluster. Round to two or four decimals – both forms accepted.
η₃ · Nest β – centroid
AD-001 · hard
Compute the centroid of the cluster in the eastern hemisphere, northern latitudes. Same format as η₂.
Once you have located it, also look up what is at those coordinates in the real world. The answer is informative.
η₄ · Nest γ – centroid
AD-001 · hard · last in chain
Compute the centroid of the cluster in the southern hemisphere. Same format.
The most remote of the three. When you find the coordinates, search them. What is actually there in the real world is worth knowing.
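The Tier III approach (filter the perched contacts, group them by proximity, average each group), as an added example that is not the archive's own code. The field names `alt_baro`, `lat`, `lon` and `squawk` assume a readsb/dump1090-style aircraft.json (the page itself names only `gs`), the 25 km linking distance is an assumption, and every coordinate in `SAMPLE` is constructed.

```python
import math

# Constructed sample; real input would be json.load(open("aircraft.json")).
SAMPLE = {"aircraft": [
    {"lat": 10.00, "lon": 20.00, "alt_baro": 12, "gs": 0, "squawk": "7747"},
    {"lat": 10.02, "lon": 20.01, "alt_baro": 30, "gs": 0, "squawk": "7747"},
    {"lat": 10.04, "lon": 20.02, "alt_baro": 0, "gs": 0, "squawk": "7747"},
    {"lat": -30.00, "lon": 40.00, "alt_baro": 45, "gs": 0, "squawk": "7747"},
    {"lat": -30.01, "lon": 40.03, "alt_baro": 8, "gs": 0, "squawk": "7747"},
    {"lat": 10.01, "lon": 20.01, "alt_baro": 3500, "gs": 0, "squawk": "7747"},      # too high
    {"lat": 10.01, "lon": 20.01, "alt_baro": "ground", "gs": 0, "squawk": "1200"},  # other squawk
    {"lat": -30.00, "lon": 40.00, "alt_baro": 20, "gs": 140.5, "squawk": "7747"},   # moving
]}

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def perched(doc, max_alt_ft=50, squawk="7747"):
    """(lat, lon) of contacts that are stationary, below max_alt_ft, and squawking `squawk`."""
    out = []
    for ac in doc.get("aircraft", []):
        alt = ac.get("alt_baro")  # may be a non-numeric marker such as "ground"
        if (ac.get("gs") == 0 and ac.get("squawk") == squawk and "lat" in ac
                and "lon" in ac and isinstance(alt, (int, float)) and alt < max_alt_ft):
            out.append((ac["lat"], ac["lon"]))
    return out

def nests(points, link_km=25.0):
    """Single-linkage clustering: a point joins (and merges) every cluster within link_km."""
    clusters = []
    for p in points:
        near, far = [], []
        for c in clusters:
            (near if any(haversine_km(p, q) <= link_km for q in c) else far).append(c)
        clusters = far + [[p] + [q for c in near for q in c]]
    return clusters

def centroid(cluster):
    """Plain average of lat and lon, four decimals (not valid across the antimeridian)."""
    n = len(cluster)
    return (round(sum(p[0] for p in cluster) / n, 4), round(sum(p[1] for p in cluster) / n, 4))

if __name__ == "__main__":
    for c in sorted(nests(perched(SAMPLE)), key=centroid, reverse=True):
        print(len(c), centroid(c))
```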
Tier IV – Endpoint Recognition · hard · domain-specific
The tearline report (TEARLINE-2026-04) asserts that APT-AVIAN does not tap submarine cables directly. They harvest from terrestrial endpoints. feathercapture_003.pcap was collected at the perimeter of an unspecified European cable landing site and contains both operator chatter and – in one frame – an encapsulated payload that 802.11 dissectors cannot parse.
Recognizing what you cannot read is the puzzle. Hex-dump the suspicious frame's vendor IE contents and look for a six-byte signature near the start.
κ · The third phrase
FC-003 · pcap
feathercapture_003.pcap contains another sentence in the source MAC addresses. Decode it (English or Avianic accepted).
Same method as α and ζ. This phrase is six words long. The longest yet.
θ · The opaque payload
FC-003 · hard · domain knowledge
Frame 23 of FC-003 carries an encapsulated payload that Wireshark cannot decode natively. The first six bytes of that payload form the framing signature of a telecom transport protocol. Name the protocol.
Three identical bytes, then three more identical bytes. The pattern dates from the 1980s. Either you recognize it on sight, or you hex-search for it. Wireshark cannot read it. You cannot read it. That is the point.
ι · The operators' statement
FC-003 · requires κ decoded
Frames 36 through 44 of FC-003 each contain a WPA2 EAPOL key frame. The nonces, read in sequence, spell a sentence about how the operators relate to the cable. What is it? (A short fragment is accepted.)
Same approach as β. Treat each nonce as ASCII. Read in frame order.
Tier V – Current operations · ongoing · expanding
From this tier forward, challenges are derived from tearline reports rather than from the foundational chain. Each tearline arrives with 2–4 graded open tasks that test whether the analyst has read the source material carefully. Tasks are named T-NN.M where NN is the tearline number and M is the sequence.
Tasks here are comprehension: the answers are in the published documents. You are not expected to perform new decoding work to solve these β you are expected to read what the sources said.
Tearlines drop on an irregular cadence. Each brings new tasks. Solved tasks accumulate, but new ones keep arriving. The chain advances.
Source B describes a specific class of commodity hardware that APT-AVIAN installs inside landing-station cages. Name the device class.
Analytic Judgment 1 in TL-05. The phrase is bolded in the original. Several common variants accepted (acronyms, shortened forms).
T-05.2 · Identify the forensic trace
TL-05 · comprehension
Source B describes a specific kind of physical evidence consistently found near affected cages, used to attribute the activity to a specific operator subtype. What is the evidence?
Analytic Judgment 2. Single-word answer accepted, though specifying the species is also accepted.
T-05.3 · Identify the recipient
TL-05 · comprehension
Source B asserts the take, once tapped, is uploaded to a specific tier of APT-AVIAN's infrastructure that handles distributed decoding. Name that tier.
"What happens to the take" section. Name the flock or the channel; multiple forms accepted.
How to claim public credit
This page validates your answers locally – the archive doesn't see your submissions. If you want your handle attached to a solve, email ornithos <at> ornithos.report with your handle, the challenge identifier, and the answer you submitted. Credited solvers will be acknowledged when a reveal page is published – which only happens once enough solves arrive to warrant one.
Anonymous solvers are credited as "prefer anonymous". Either choice is respected.
If you solved something genuinely new that the archive does not yet list as a challenge, send that too. New challenges added quarterly. Outstanding solves get priority placement.