Sources & Methods Newsletter #24 - June 2025

Well we're nearly half-way through 2025. 😮‍💨 Kicking off June sharing a new tool of my own, synapse-claude, and looking forward to SLEUTHCON this Friday! I'll be attending remotely and suffering from FOMO from all the posts by folks attending in-person.

Thanks for reading,

Matthew Conway (@mattreduce)

📁 Sources

OSINT Treasure Trove - Extensive bibliography (or reading list, if you like) of written works on open source intelligence. The list is indexed by author, year, keyword, and more. Dare I say it deserves a place in the bookmarks bar on your browser?

📰 Information

Cisco Talos - Defining a new methodology for modeling and tracking compartmentalized threats #tracking

Recorded Future - Fusion Center Thinking (eBook) #crossdomain #program

Scott J. Roberts - LLM SATs FTW #tradecraft #SATs #AI

Datadog - The obfuscation game: MUT-9332 targets Solidity developers via malicious VS Code extensions #malware #crypto

Mandiant - Mark Your Calendar: APT41 Innovative Tactics #APT41 #PRC #C2

Vertex Project - It's All Connected: Align and Validate Your Tactical and Strategic Intelligence #tooling

Koifsec - Practical Cyber Deception — Introduction to “Chaotic Good” #deception

Unit 42 - Threat Group Assessment: Muddled Libra (Updated May 16, 2025) #cybercrime

SANS - 2025 CTI Survey #industry #surveys

🛠 Tools

synapse-claude

github.com/srcmtd/synapse-claude

Here's a tool of my own this month: a Rapid Power-Up for Vertex Synapse that integrates with Claude AI. So far, you can ask Claude questions without breaking your focus and leaving Synapse:

storm> claude.ask "What are some malicious uses of AppleScript/JXA?"
Sending prompt to Claude...
Claude Response:
==================================================
AppleScript and JXA (JavaScript for Automation) can be abused for various malicious activities:

**System Access & Persistence**
- Keylogging via accessibility features and input monitoring
- Screen capture and recording without user awareness
...

Next, I plan to support summarizing reports and translating articles with Claude. So you could use a trigger to automatically summarize new threat reports as they come in. You could also translate content you're collecting in another language such as articles, forum posts, or Telegram messages. Stay tuned!

Cradle

github.com/prodaft/cradle

A new open source threat intelligence platform from Prodaft that supports collaborative analysis, entity/relationship visualization, and report generation. Deployable via Docker and Compose, it has a Python and Django backend with an Electron/React frontend, Redis and Postgres datastores.

Attribution to IP

github.com/curated-intel/Attribution-to-IP

Not so much a tool as it is a collection of many tools and information sources, compiled to help you find the owner or user of an IP address.

pycti-mcp

github.com/ckane/pycti-mcp

MCP server that allows you to work with OpenCTI from an AI system like ChatGPT or Claude. The project is brand new, so far you can use it to look up observables already stored in OpenCTI.

markitdown

github.com/microsoft/markitdown

An unexpected new tool from Microsoft, this Python library converts Office documents and other types of files to Markdown for easier indexing and text analysis. You might find this useful if you want to pre-process slideshows and Word docs before adding them to an LLM's context, or a database with full-text search capabilities.

📆 Events

SLEUTHCON

📍Arlington, VA, US and online
📆 June 6th, 2025
🏢 Hyatt Regency Crystal City
🔗 https://www.sleuthcon.com/

Underground Economy

📍 Strasbourg, FR
📆 September 1-4th, 2025
🔗 https://www.team-cymru.com/gate/underground-economy-2025

RISE Malaysia

📍 Putrajaya, MY
📆 December 9-10th, 2025
🔗 https://www.team-cymru.com/events