TLP : RED ∙∙ AVCON ∙∙ NO-FLOCK
Document: TEARLINE-2026-01
Originator: ████████████████████████
Date acquired: 2026.01.14
Date received: 2026.01.22
Pages: 1 of 1 (tearline)
Distribution: ornithos archive only
Initial characterization of the actor designated APT-AVIAN
First-light analysis from a single-source capture at a Tokyo perimeter, with operator chatter recovered in the clear.
Source description (sanitized): A ██████████ analyst with monitor-mode access to the wireless perimeter of a ██████████████████ in Tokyo's central business district. The capture was obtained incidentally while triaging an unrelated probe-request flood. The analyst observed traffic structurally inconsistent with any commercial Wi-Fi protocol and preserved a fifteen-minute window for offline analysis. Source identity and employer are protected. Veracity rated high; the capture file itself is canonical and has been published in this archive as FC-001.

Summary

The capture demonstrates the existence of a coordinated wireless protocol whose framing borrows 802.11 conventions but whose semantic content does not. Every frame in the capture is structurally legal and parseable by standard tooling. The frames are, however, not about Wi-Fi — they are about something else, using Wi-Fi as a carrier. The analyst conducting the triage made three observations within the first hour that established the find as worth pursuing.

  1. Source MAC addresses across the capture follow a fixed OUI prefix (ca:fe:fe:a7) inconsistent with any IEEE-registered manufacturer.
  2. The trailing byte of each source MAC, taken in capture order, spells a short legible phrase in ASCII. The phrase is not English. It uses two- and three-character syllabic units separated by hyphens.
  3. A WPA2 EAPOL key frame in the capture contains, in the nonce field, a five-word English sentence in plain ASCII. The sentence is taunting in tone.

The combination of these three signals, in a single fifteen-minute window, is not consistent with accidental traffic, hardware malfunction, or any known red-team tooling. The signals are intentional. Whoever produced them wanted them found.
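
The three checks in the list above can be scripted against raw 802.11 frames. The following is an added example, not code from the original report or the archive; it assumes the radiotap header has already been stripped, and the sample frames, the phrase `ab-cd`, the nonce text and the EAPOL source address are all constructed.

```python
import string

PREFIX = bytes.fromhex("cafefea7")              # source-MAC prefix quoted in the report
SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888e
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def src_mac(frame: bytes) -> bytes:
    """Addr2 (transmitter) of a bare 802.11 frame, radiotap already stripped."""
    return frame[10:16]

def locally_administered(mac: bytes) -> bool:
    """U/L bit set: the address was not assigned from a registered OUI."""
    return bool(mac[0] & 0x02)

def trailing_byte_text(frames, prefix=PREFIX) -> str:
    """Last source-MAC byte of each frame from `prefix`, in capture order."""
    tail = [src_mac(f)[-1] for f in frames if src_mac(f).startswith(prefix)]
    return "".join(chr(b) if b in PRINTABLE else "." for b in tail)

def eapol_nonce(frame: bytes):
    """32-byte Key Nonce of an EAPOL-Key frame, else None."""
    i = frame.find(SNAP_EAPOL)
    eapol = frame[i + len(SNAP_EAPOL):] if i >= 0 else b""
    if len(eapol) < 49 or eapol[1] != 3:        # packet type 3 = EAPOL-Key
        return None
    return eapol[17:49]  # skip hdr(4) + type(1) + info(2) + keylen(2) + replay(8)

def nonce_as_text(nonce: bytes, min_len: int = 8):
    """Nonce decoded as text if it is NUL-padded printable ASCII, else None."""
    text = nonce.rstrip(b"\x00")
    if len(text) >= min_len and all(b in PRINTABLE for b in text):
        return text.decode("ascii")
    return None

# --- constructed sample frames (not taken from FC-001) ---
def beacon(last: int) -> bytes:
    mac = PREFIX + b"\x00" + bytes([last])
    return b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"

def eapol_key(nonce: bytes, mac: bytes = bytes.fromhex("020000000001")) -> bytes:
    body = b"\x02\x00\x8a\x00\x10" + bytes(8) + nonce.ljust(32, b"\x00") + bytes(50)
    hdr = b"\x08\x02\x00\x00" + b"\x02" * 6 + mac + mac + b"\x00\x00"
    return hdr + SNAP_EAPOL + b"\x02\x03" + len(body).to_bytes(2, "big") + body

SAMPLE = [beacon(b) for b in b"ab-cd"] + [eapol_key(b"constructed sample nonce text")]

if __name__ == "__main__":
    print(trailing_byte_text(SAMPLE))
    print([nonce_as_text(n) for f in SAMPLE if (n := eapol_nonce(f))])
```

The first byte of the quoted prefix, 0xca, has the locally-administered bit set, which is why no IEEE registry lookup will match it.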

Channel selection is geographically self-locating

One of the three beacon frames in the capture is broadcast on 802.11 channel 14. Channel 14 is reserved in IEEE 802.11b and is legal to operate only within Japan. No 5 GHz equivalent exists. The channel is essentially never used in commercial deployments. Its presence in the capture is a self-locating fingerprint: the capture was taken in Japan, and the operator transmitting on that channel was physically present in Japan at the moment of capture.

This rules out a remote-attack hypothesis. APT-AVIAN, at the time of FC-001, was operating at the perimeter of a target. Wireless range for 802.11b is on the order of tens of meters. The operators are physically there.

Three independent encodings, one phrase

The phrase decoded from the MAC trailing bytes is approximately █████████████████. The source-protected version of this tearline contains the literal phrase. The phrase is in a language the analyst designated Avianic after observing parallel uses of the same syllabic units in subsequent material. A reconstructed alphabet, glyph table, and translator are published in this archive's main dossier.

Of operational note: every frame carrying the OUI prefix ca:fe:fe:a7 ends its vendor-specific information element with the same four bytes. These bytes appear to function as a protocol greeting — a fixed signature attached to every APT-AVIAN frame across all subsequent captures we have reviewed. Whether the signature is intentional advertising, a checksum, or both is unresolved.

What was learned about the operators

Beyond the captured content itself, three behavioral observations were recorded during the triage:

— ∙ tearline ∙ —

Collection requirements (downstream)

This tearline drops three Requests for Information against the FC-001 capture. All three are entry-difficulty and verifiable client-side.

RFIs derived from this report

Editor's note (ornithos)

FC-001 is the entry point. None of the work that follows in this archive — the geospatial migration analysis, the nest-pattern recovery, the operator typology, the cable-endpoint thesis published in TEARLINE-2026-04 — would have existed without this single fifteen-minute capture from a Tokyo office tower.

If you are reading this archive for the first time and want a place to start, start here: open FC-001 in Wireshark, read the source MAC column top-to-bottom, and look at the WPA2 nonce. Those are the first three answers.
