TLP:RED · TI-2026-0523-AVIAN · Distribution restricted

Campaign FEATHERFALL

A persistence assessment of APT-AVIAN operations, March–May 2026.
Analyst: ornithos · independent
Subject: APT-AVIAN — Campaign FEATHERFALL
Period: 2026.03.01 — 2026.05.23
Confidence: HIGH

Executive Summary

Over the past eighty years, a sophisticated and highly distributed threat actor designated APT-AVIAN has established near-total physical access to global telecommunications infrastructure. Following the public disclosure of CVE-2026-31337, this briefing covers the actor's most recent operational push, Campaign FEATHERFALL, observed across North American urban centers between March and May 2026.

APT-AVIAN should be considered the most prolific and persistent threat actor currently tracked, with an estimated 50 billion active nodes globally and an operational footprint dating to the late 1940s — coinciding with the suspected "real bird replacement program" referenced in adjacent intelligence reporting.

The actor maintains plausible deniability through what threat researchers term ornithological cover — appearing to be ordinary fauna while conducting active SIGINT operations.

Attribution

APT-AVIAN's true sponsor remains officially unattributed. Historical analysis suggests state-level backing dating to the Truman administration.

Distinguishing features that separate APT-AVIAN from genuine wildlife include:

Campaign FEATHERFALL — TTPs

Initial Access

APT-AVIAN gains initial access through physical perching on exposed infrastructure. No exploitation of software vulnerabilities is required; the attack operates entirely at the physical layer. Targeted infrastructure includes telephone lines, fiber optic runs between utility poles, exposed rooftop equipment, and 5G small-cell deployments.

Execution

Once perched, operators execute payloads using onboard capabilities. Recent forensic analysis suggests APT-AVIAN has access to custom firmware that has not been successfully recovered for analysis — extraction attempts have resulted in the loss of multiple research samples (operators relocated before capture).

Persistence

Persistence is achieved through nesting. Once a nest is established on or near critical infrastructure, removal becomes legally complicated due to wildlife protection statutes — a known weakness in defensive posture that APT-AVIAN actively exploits.

Defense Evasion

The actor maintains operational security through:

Collection

Collection capabilities vary by operator subtype. Confirmed capabilities include passive RF interception, fiber-tap via beak (woodpecker variants), thermal imaging via specialized retinal hardware (raptor variants), and acoustic capture across the full human-audible spectrum.

Command and Control

C2 is performed primarily through starling murmurations, which we now assess to be a covert channel using flock-formation patterns as a steganographic encoding scheme. Bandwidth estimates suggest murmurations can transmit approximately 2.3 Mbps of encoded data per thousand birds. A typical murmuration of 50,000 birds therefore provides roughly 115 Mbps of covert capacity — sufficient for real-time HD video exfiltration.

Secondary C2 channels include dawn chorus broadcasts (one-way C2 distribution to field operators) and crow vocalizations (peer-to-peer mesh networking, encrypted).

Exfiltration

Earlier drafts of this brief asserted that exfiltration occurs "through standard flight patterns" and that migration routes "align suspiciously well with major undersea cable landing sites." That framing was correct in observation but wrong in mechanism. See the targeting note below.

Endpoint targeting

An external assessment received in April 2026 — published in this archive as TEARLINE-2026-04, sources redacted — proposes a revised model. APT-AVIAN does not, and cannot, tap optical fiber directly. Frame structures in long-haul telecom transport (SDH STM-N at the line layer, with nested TUG tributaries) require specialized analyzer equipment outside the price range of any field operator. The take is acquired at terrestrial endpoints — landing stations, regional consortium offices, major Internet exchange points — where optical traffic is converted back into packet form before entering terrestrial networks.

The migrations observed in AD-001 are operator relocations toward these endpoints. The roosts identified by analyst clustering correspond to sites collocated with existing signals-intelligence facilities. The murmurations observed in FC-001 and FC-002 are lateral C2 among operators in the field, not intercepted long-haul data. The wireless captures published in this archive are operator chatter, not the harvest.

If this assessment is correct, the appropriate analytic question is no longer "what cables are being tapped" but "what endpoints are being staked out, and through what pathway is the take extracted afterward." That second question remains open.

Notable Incidents

FEATHERFALL-001 · March 2026
Chicago — financial services targeting

A flock of pigeons was observed perched in unusual numbers on the fiber backbone serving a mid-sized financial firm in Chicago. Within 48 hours, the firm experienced a credential-stuffing campaign against its customer portal. Pigeons dispersed within thirty minutes of detection.

FEATHERFALL-007 · April 2026
Reciprocal action against research staff

A research analyst attempted to capture a starling for forensic analysis. The bird was successfully detained. Within four hours, the analyst's home network experienced a sustained DDoS attack from approximately 8,000 source IPs, all geolocating to residential ISPs in regions with high starling populations. The starling was released. The attack stopped.

FEATHERFALL-012 · May 2026
5G infrastructure manipulation

A crow was observed using a small twig to manipulate the antenna alignment of a 5G small-cell installation. When approached, the crow flew off carrying the twig — assessed as evidence preservation behavior. Subsequent network logs from the affected cell were corrupted.

Recommendations

  1. Do not engage operators directly. Corvid retaliation is well-documented and can persist for years.
  2. Deploy anti-perch spikes on all exposed infrastructure. Acknowledge these will not stop determined operators but raise the cost of access.
  3. Avoid placing bird feeders near critical infrastructure. Doing so constitutes unintentional logistical support to APT-AVIAN.
  4. Treat all sustained eye contact from corvids as a potential reconnaissance indicator.
  5. If you discover a small backpack on a bird, do not attempt to remove it. Contact your local threat intel team immediately.
  6. Consider that the bird watching you right now may be reading this document over your shoulder.

Closing Assessment

We assess with high confidence that APT-AVIAN will continue operations indefinitely. The actor's operational tempo, geographic distribution, and integration into the urban environment make traditional remediation impossible. Organizations should treat APT-AVIAN presence as an assumed-compromise scenario and architect accordingly.

The birds are not real.

The threat is.

— ornithos · field issue · TLP:RED