AIL v6.3 – Passive SSH Integration for Onion Correlation and Deanonymization
Jul 16, 2025 • AIL Project Team
We’re excited to release AIL Framework v6.3 which includes Passive SSH integration, enabling correlation of SSH keys across onion services, IPs, and domains. This helps identify shared infrastructure and supports onion deanonymization efforts. Multiple bugs were fixed and many improvements were included.
Key Feature: Passive SSH Integration for Onion Correlation
AIL now integrates with Passive SSH, allowing:
- SSH key correlation across IPs, domains, and onion services.
- A new SSH key object with sidebar display and linking.
- Passive SSH search and lookup within AIL.
- New IP object to correlate IPs and SSH keys.
This enables deanonymization of onion services through infrastructure fingerprinting based on shared SSH keys.
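The correlation described above, as an added example that is not AIL's or Passive SSH's own code: it computes OpenSSH-style SHA256 fingerprints for observed host keys and reports keys seen on both an onion service and a clearnet IP. The hosts, the sample keys and every function name are constructed for illustration.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def sample_key(seed: bytes) -> str:
    """Build a constructed ssh-ed25519 key line (sample data, not a real host key)."""
    name = b"ssh-ed25519"
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for the public key
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64blob [comment]' line."""
    blob = base64.b64decode(key_line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_kind(host: str) -> str:
    return "onion" if host.lower().endswith(".onion") else "clearnet"

def correlate(observations):
    """Group hosts by key fingerprint; keep keys seen on onion AND clearnet hosts."""
    by_fp = defaultdict(set)
    for host, key_line in observations:
        try:
            by_fp[fingerprint(key_line)].add(host)
        except (IndexError, ValueError):
            continue  # malformed key line: missing blob or invalid base64
    return {
        fp: sorted(hosts)
        for fp, hosts in by_fp.items()
        if {host_kind(h) for h in hosts} == {"onion", "clearnet"}
    }

# Constructed observations: (host, SSH host public key line).
OBSERVATIONS = [
    ("exampleonionaddressaaaaaaaa.onion", sample_key(b"A")),
    ("192.0.2.10", sample_key(b"A")),          # same key as the onion above
    ("198.51.100.7", sample_key(b"B")),        # clearnet only, no overlap
    ("exampleonionaddressbbbbbbbb.onion", sample_key(b"C")),  # onion only
    ("203.0.113.5", "ssh-ed25519 not-base64!"),  # malformed, skipped
]

if __name__ == "__main__":
    for fp, hosts in correlate(OBSERVATIONS).items():
        print(fp, "->", ", ".join(hosts))
```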
Notable Changes
Onion Module
- Reduced redundant duplicate checks.
- Only print task UUID when a new task is created.
- Fixed exceptions for invalid URLs and `None` domains.
QR Code Extraction
- Added support for color-inverted QR codes.
IP & Domain Handling
- New IP object with SSH key correlation.
- Print deanonymized hostnames.
- Replaced and removed FAUP with `psl_faup`.
- Improved domain parsing (including missing schemes).
Image Engine
- Added domain description functionality.
- Improved progress logging and display.
Language Handling
- Avoid sending unsupported languages to LibreTranslate.
- Added support for `be` (Belarusian).
- Improved language selection and translation handling in UI.
Tracker & Stats
- Added heatmap: matches by year.
- Option to avoid duplicate notifications.
- New function to get AIL-wide stats.
ZMQImporter
- Content filtering by `feeder_name` and pattern.
- Improved debug messages and output.
API
- Added endpoint: get onions grouped by month.
Fixes
- Removed all uses of FAUP and migrated to python `psl_faup`.
- Fixed:
  - Domain extraction and parsing bugs.
  - IP-to-SSH key correlation.
  - Sidebar rendering for IPs and SSH keys.
  - Retro hunt filters and metadata cleanup.
  - CE Detector retagging behavior.
  - Various UI issues (icons, sparkline removal, template bugs).
  - Updater version tagging and leftover debug output.
Funding
MISP-LEA, a collaborative endeavor between Shadowserver and CIRCL, is a 24-month initiative funded by the European Union. The project’s central aim is to establish operational and enduring MISP and AIL instances dedicated specifically to law enforcement agencies. This setup will facilitate a smoother exchange of evidence between law enforcement agencies and improve the onset of collaborative investigations. For this purpose, the system will ingest data from Shadowserver’s ransomware and C2 infrastructure tracking.
Law enforcement agencies willing to discover and leverage the MISP-LEA platform can apply on the misp-lea.org website.