
Threat Intelligence Analysis: Lespion — OSINT Investigation of an Insider Threat

Platform: CyberDefenders
Challenge: Lespion
Category: Threat Intelligence / OSINT
Difficulty: Easy
Tools: Google Maps, Google Image Search, CyberChef, GitHub
Achievement: Proof of Completion

1. Executive Summary

Incident Type: Insider Threat / Credential Exposure / Cryptomining

Subject: Émilie Marseille (EMarseille99)

A corporate network was compromised and brought offline. Digital forensic responders identified a single internal user account as the primary suspect. This challenge required a full OSINT investigation: identifying the insider by tracing their online alias, recovering plaintext credentials from a public GitHub repository, locating their physical workplace and personal travel history through image geolocation, and identifying the cryptominer they deployed on corporate infrastructure.

Indicators of Compromise (IOCs)

Type              | Indicator                       | Description
GitHub username   | EMarseille99                    | Primary alias, starting pivot point
Real name         | Émilie Marseille                | Identified via social media cross-referencing
Instagram handle  | @emarseille99                   | Personal Instagram account
Employer          | Software Consultants Inc.       | Identified via office.jpg geolocation
Exposed API key   | aJFRaLHjMXvYZgLPwiJkroYLGRkNBW  | Hardcoded in Login Page.js in the public GitHub repository
Encoded password  | UGljYXNzb0JhZ3VldHRlOTk=        | Base64 string found in the same repository
Decoded password  | PicassoBaguette99               | CyberChef From Base64 result
Cryptominer       | XMRig                           | Forked repository on the GitHub profile
Office location   | Birmingham, UK                  | Google Lens identification of office.jpg
Webcam location   | Indiana, USA                    | University of Notre Dame campus, identified from WebCam.png

MITRE ATT&CK Mapping Overview

Tactic            | Technique                                                                        | ID
Credential Access | Unsecured Credentials: Credentials In Files (hardcoded secrets in a public repo)  | T1552.001
Reconnaissance    | Search Open Websites/Domains: Social Media (username correlation)                | T1593.001
Reconnaissance    | Gather Victim Org Information: Determine Physical Locations (image geolocation)  | T1591.001
Collection        | Data from Information Repositories                                               | T1213
Impact            | Resource Hijacking (XMRig cryptominer)                                           | T1496

Only T1496 describes something the insider did. The other rows map the investigation's own OSINT steps onto the reconnaissance techniques an external adversary would use against the same public footprint; from that external viewpoint the exposed repository would also be found via Search Open Websites/Domains: Code Repositories (T1593.003).

2. Phase 1: Initial Triage — Artifact Overview (Introduction)

Objective: Understand what artifacts have been provided and establish the investigation starting point.

The lab archive contains three key files that serve as the starting points for different investigative threads:

Lab archive contents showing three artifacts: Github.txt (a URL pointing to a GitHub profile), office.jpg (a photo of a city street for geolocation), and WebCam.png (a live webcam feed image for geolocation).

  • Github.txt — A URL: https://github.com/EMarseille99 — the primary alias pivot
  • office.jpg — A street-level photograph for geolocation (physical workplace)
  • WebCam.png — A live webcam feed screenshot for geolocation (second location)

3. Phase 2: GitHub Credential Leak (Questions 1–4)

Objective: Investigate the GitHub profile to identify the subject’s real name, programming language used, and extract any exposed credentials.

Navigating to https://github.com/EMarseille99 reveals a public GitHub profile. A repository named Project-Build---Custom-Login-Page immediately stands out. Opening the repository and reviewing Login Page.js exposes two critical secrets embedded directly in the source code:

GitHub repository Project-Build---Custom-Login-Page showing Login Page.js file with a hardcoded API key on line 1: aJFRaLHjMXvYZgLPwiJkroYLGRkNBW — a textbook secret scanning failure.

GitHub showing a Base64-encoded string embedded in the Login Page HTML: UGljYXNzb0JhZ3VldHRlOTk= — an obfuscated credential left in a public repository.

The file extension (.js) confirms the project’s frontend language as JavaScript. Using CyberChef’s From Base64 recipe to decode the embedded string UGljYXNzb0JhZ3VldHRlOTk= immediately returns the cleartext password:

CyberChef From Base64 recipe decoding UGljYXNzb0JhZ3VldHRlOTk= to reveal the plaintext password PicassoBaguette99 in under one second.

Analyst Note: Base64 is not encryption, it is encoding. A credential "hidden" in Base64 provides zero security. Secret scanning tools (GitHub Advanced Security, Gitleaks, TruffleHog) must be integrated into every CI/CD pipeline to catch these exposures before code reaches a public repository. Any key or password found this way must be treated as compromised from the moment it was pushed and rotated: deleting the line in a later commit does not remove it from the git history, which remains publicly readable.
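As an added example (not part of the original writeup or the challenge files), the following Python reproduces the manual CyberChef step as a small secret scanner of the kind Gitleaks or TruffleHog automate: it walks a source file, flags long string literals that have high entropy or sit next to a telling variable name, and attempts a Base64 decode on anything with the right shape. The sample source is constructed; only the two literal values are the ones recovered from the repository described above.

```python
import base64
import binascii
import math
import re

# Constructed stand-in for the repository's Login Page.js. The two literal values
# are the ones recovered in the writeup; the surrounding JavaScript is invented.
SAMPLE_SOURCE = '''\
const API_KEY = "aJFRaLHjMXvYZgLPwiJkroYLGRkNBW";
const form = document.getElementById("login");
// password check left in for "testing"
const stored = "UGljYXNzb0JhZ3VldHRlOTk=";
function check(pw) { return btoa(pw) === stored; }
'''

# Quoted literals of 16+ characters drawn from the Base64 / API-key alphabet.
STRING_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=_\-]{16,})["\']')
# Identifier names that make a literal on the same line more suspicious.
SECRET_NAME = re.compile(r'api[_-]?key|secret|token|passw', re.IGNORECASE)
# Only strings with a valid Base64 shape are worth a decode attempt.
BASE64_SHAPE = re.compile(r'^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$')


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys sit well above ordinary identifiers."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def try_base64(s: str):
    """Return the decoded text if s is Base64 for printable ASCII, else None.

    This is the CyberChef 'From Base64' step, plus the shape check that stops a
    random API key (wrong length, no padding) from being 'decoded' into noise.
    """
    if len(s) % 4 != 0 or not BASE64_SHAPE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan(source: str, min_entropy: float = 3.0) -> list:
    """Flag string literals that look like secrets: high entropy, a telling
    variable name on the line, or a Base64 value that decodes to readable text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in STRING_LITERAL.finditer(line):
            literal = m.group(1)
            decoded = try_base64(literal)
            entropy = shannon_entropy(literal)
            named = bool(SECRET_NAME.search(line))
            if decoded is not None or named or entropy >= min_entropy:
                findings.append({
                    "line": lineno,
                    "literal": literal,
                    "entropy": round(entropy, 2),
                    "named": named,
                    "decoded": decoded,
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['literal']} entropy={f['entropy']} "
              f"named={f['named']} decoded={f['decoded']!r}")
```

Run against the sample, the scanner reports two findings: the API key on line 1 (high entropy, named API_KEY, not valid Base64) and the Base64 string on line 4, which decodes to PicassoBaguette99. The entropy threshold is deliberately low so that short, real-looking keys are not missed; in a CI gate you would tune it against the repository's false-positive rate and add an allow-list for known test fixtures.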

Answer Q1

What is the real name of the threat actor?

Émilie Marseille

Answer Q2

What is the programming language used in the login page project?

JavaScript

Answer Q3

What is the API key found in the repository?

aJFRaLHjMXvYZgLPwiJkroYLGRkNBW

Answer Q4

What is the plaintext password recovered from the repository?

PicassoBaguette99


4. Phase 3: Cryptominer Discovery (Question 5)

Objective: Identify the cryptomining tool found on the subject’s GitHub profile.

Scrolling through the full GitHub profile reveals more than just the login page repository. A public fork of a well-known open-source project appears:

GitHub profile of EMarseille99 showing a forked XMRig repository — an open-source Monero CPU/GPU cryptocurrency miner — indicating the subject was using corporate resources for cryptomining.

XMRig is the most commonly abused open-source Monero (XMR) miner in the threat landscape. It is used both by legitimate miners and by malware authors who bundle it into cryptojacking campaigns. Finding a fork of this repository on a corporate suspect's profile corroborates the network anomalies that triggered the investigation, with one caveat: a fork shows interest and capability, not execution. Host telemetry (sustained CPU load, an xmrig process, a persistent session to a mining pool) is what confirms that the miner actually ran on corporate infrastructure.

Answer Q5

What cryptomining software is found on the threat actor’s GitHub?

XMRig


5. Phase 4: Social Media OSINT — Cross-Platform Correlation (Questions 6 & 7)

Objective: Correlate the GitHub alias across social media platforms and use Instagram posts for geolocation intelligence.

A Google search for the username EMarseille99 surfaces accounts across Instagram, GitHub, and Steam — all confirmed as the same individual through profile photo matching and consistent naming conventions.

Google search results for EMarseille99 showing correlated accounts across Instagram, GitHub, and Steam Community — confirming the alias belongs to a single individual: Émilie Marseille.

The Instagram profile (@emarseille99) contains travel photographs. Two posts provide geographic intelligence:

Instagram post from @emarseille99 with caption mentioning a once-in-a-lifetime holiday, showing the iconic Marina Bay Sands hotel and skyline of Singapore in the background.

Google Image Search Lens analysis of the second Instagram photo confirming the image shows the Dubai skyline with the Burj Khalifa clearly visible in the background.

Answer Q6

What city is the suspect currently in based on their Instagram?

Singapore

Answer Q7

What city was the suspect previously in based on their Instagram?

Dubai


6. Phase 5: GEOINT — Office & Webcam Locations (Questions 8 & 9)

Objective: Use Google Image Search / Lens to geolocate the office.jpg and WebCam.png artifacts.

Office Location

The office.jpg photograph shows directional street signage referencing the Bull Ring shopping centre, the Hippodrome Theatre, and an ODEON cinema — distinctive landmarks of the Birmingham New Street area.

office.jpg showing street direction signs in Birmingham city centre pointing to Bull Ring, Hippodrome Theatre, and New Street Station — distinctive landmarks for geolocation.

Google Image Search AI result confirming the office.jpg photo shows the exterior area of Birmingham New Street station in Birmingham, United Kingdom.

Webcam Location

The WebCam.png image shows a live EarthCam feed titled “A View from the Dome” overlooking a distinctive university campus with a prominent basilica.

WebCam.png showing an EarthCam live feed titled A View from the Dome overlooking the University of Notre Dame campus in South Bend, Indiana, USA.

Google Image Search AI confirmation that the webcam image shows a panoramic view of the University of Notre Dame campus in South Bend, Indiana, taken from the dome of the main building.

Analyst Note: Image geolocation (GEOINT) is a legitimate and powerful forensic discipline. Architectural styles, street signage, skyline features, and identifiable landmarks can precisely locate a subject. Tools like Google Image Search, Google Lens, and Yandex Images are the primary resources for this technique. Check EXIF metadata first when you have the original file, since a GPS tag settles the question outright, but expect it to be absent from anything pulled from social media: Instagram and most other platforms strip EXIF on upload, which is why the visual method was needed here.

Answer Q8

What city is the suspect’s office located in?

Birmingham

Answer Q9

What is the state in which the webcam is located?

Indiana


7. Conclusion

The Lespion investigation demonstrates how a single GitHub username — paired with systematic OSINT tradecraft — can build a comprehensive threat profile of an insider. Key findings:

  1. Initial Pivot: Github.txt provided the alias EMarseille99 → Full name, social media, and credential exposure discovered within the same repository.
  2. Credential Exposure: API key and Base64-encoded password (PicassoBaguette99) committed to a public GitHub repository.
  3. Cryptominer: XMRig fork on the suspect's GitHub supports the cryptomining explanation for the network anomalies.
  4. Geolocation: office.jpg → Birmingham, UK; WebCam.png → Indiana, USA; Instagram → Singapore and Dubai.
  5. Platform Correlation: EMarseille99 alias confirmed across GitHub, Instagram, and Steam.

Key Takeaways for the SOC:

  1. GitHub is a treasure trove for threat intelligence — both for defenders hunting exposed secrets and for investigators building insider threat profiles. Implement automated secret scanning on all company repositories.
  2. Username correlation across platforms can quickly build a complete person profile from a single alias. Tools like Sherlock automate this cross-platform search.
  3. Image geolocation is a forensic discipline — don’t overlook the intelligence value of photographs. Metadata, landmarks, and architectural context can provide precise location intelligence.
  4. Cryptomining is often the first detectable signal of an insider threat monetizing their privileged network access. Monitor for anomalous CPU load patterns and outbound connections to mining pool endpoints.
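The fourth takeaway calls for monitoring outbound connections to mining pool endpoints. As an added example (not part of the original writeup or of any CyberDefenders material), the following Python runs that detection over constructed Zeek-style conn.log and dns.log records: it scores each internal host on long-lived sessions to ports commonly used by Stratum pools and on DNS lookups containing pool-related keywords, and alerts when the combined score crosses a threshold. The port list, keyword list, addresses and domains are all illustrative assumptions; XMRig and the pools it talks to are configurable, and pools increasingly offer TLS on 443, so this is a network-side first signal to correlate with host CPU telemetry, not a complete detection.

```python
# Zeek-style conn.log subset (tab-separated): ts, orig_h, orig_p, resp_h, resp_p,
# proto, duration, orig_bytes, resp_bytes. All records are constructed; the
# addresses are documentation ranges and do not point at real pools.
CONN_FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p",
               "proto", "duration", "orig_bytes", "resp_bytes"]
CONN_LOG = """\
1713400000.1\t10.20.1.15\t51422\t203.0.113.40\t443\ttcp\t12.5\t4210\t98211
1713400012.7\t10.20.1.15\t51430\t198.51.100.77\t3333\ttcp\t21750.3\t84121\t61209
1713400020.3\t10.20.1.22\t49211\t203.0.113.9\t80\ttcp\t2.1\t880\t15233
1713400031.9\t10.20.1.15\t51433\t198.51.100.77\t14444\ttcp\t19802.0\t77032\t59118
1713400045.2\t10.20.1.30\t52101\t203.0.113.55\t22\ttcp\t7204.0\t120455\t2500144
"""

# Zeek-style dns.log subset: ts, orig_h, query. Domains are constructed.
DNS_FIELDS = ["ts", "orig_h", "query"]
DNS_LOG = """\
1713400010.0\t10.20.1.15\tpool.xmr-example.net
1713400019.0\t10.20.1.22\twww.example.com
1713400030.0\t10.20.1.15\tstratum.mining-example.org
"""

# TCP ports commonly exposed by Stratum mining pools; illustrative, not exhaustive.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 45700}
# Substrings that show up in pool hostnames; tune to your environment.
POOL_KEYWORDS = ("pool", "xmr", "monero", "stratum", "mining")
MIN_SESSION_SECONDS = 3600   # a miner holds one pool session for hours
ALERT_THRESHOLD = 2          # stratum-port session = 2 points, pool DNS hit = 1


def parse_tsv(text, fields):
    """Split tab-separated log lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split("\t")))
            for line in text.splitlines() if line.strip()]


def conn_indicators(conn_log):
    """Long-lived sessions to a Stratum port, keyed by internal source host."""
    hits = {}
    for r in parse_tsv(conn_log, CONN_FIELDS):
        port, dur = int(r["resp_p"]), float(r["duration"])
        if port in STRATUM_PORTS and dur >= MIN_SESSION_SECONDS:
            hits.setdefault(r["orig_h"], []).append(
                f"{dur / 3600:.1f}h session to {r['resp_h']}:{port} (stratum port)")
    return hits


def dns_indicators(dns_log):
    """DNS lookups whose name contains a pool keyword, keyed by source host."""
    hits = {}
    for r in parse_tsv(dns_log, DNS_FIELDS):
        kws = [k for k in POOL_KEYWORDS if k in r["query"].lower()]
        if kws:
            hits.setdefault(r["orig_h"], []).append(
                f"DNS lookup {r['query']} matches {kws}")
    return hits


def detect(conn_log, dns_log):
    """Return {host: [reasons]} for hosts whose combined score reaches the threshold."""
    score, reasons = {}, {}
    for host, rs in conn_indicators(conn_log).items():
        score[host] = score.get(host, 0) + 2 * len(rs)
        reasons.setdefault(host, []).extend(rs)
    for host, rs in dns_indicators(dns_log).items():
        score[host] = score.get(host, 0) + len(rs)
        reasons.setdefault(host, []).extend(rs)
    return {h: reasons[h] for h, s in score.items() if s >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for host, rs in detect(CONN_LOG, DNS_LOG).items():
        print(host)
        for r in rs:
            print("  -", r)
```

On the sample data only 10.20.1.15 is flagged, with four reasons: two multi-hour sessions to Stratum ports on the same external address and two pool-like DNS lookups. The long SSH session from 10.20.1.30 is deliberately left unflagged: session length alone is not evidence, which is why the score requires a mining-specific port or name.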

Analysis Date: April 18, 2026
Analyst: El OMARI Zakaria

This post is licensed under CC BY 4.0 by the author.