惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
Simon Willison's Weblog
Simon Willison's Weblog
H
Help Net Security
F
Fortinet All Blogs
H
Heimdal Security Blog
S
Schneier on Security
L
LangChain Blog
博客园 - Franky
酷 壳 – CoolShell
酷 壳 – CoolShell
NISL@THU
NISL@THU
P
Palo Alto Networks Blog
J
Java Code Geeks
博客园 - 【当耐特】
The Last Watchdog
The Last Watchdog
W
WeLiveSecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Vulnerabilities – Threatpost
I
InfoQ
Recorded Future
Recorded Future
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CERT Recently Published Vulnerability Notes
T
Tenable Blog
腾讯CDC
C
Check Point Blog
量子位
M
MIT News - Artificial intelligence
GbyAI
GbyAI
罗磊的独立博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
小众软件
小众软件
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
CXSECURITY Database RSS Feed - CXSecurity.com
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
P
Privacy & Cybersecurity Law Blog
V2EX - 技术
V2EX - 技术
T
Threatpost
Engineering at Meta
Engineering at Meta
Attack and Defense Labs
Attack and Defense Labs
T
Tailwind CSS Blog
S
Securelist
The Cloudflare Blog
博客园 - 叶小钗
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
爱范儿
爱范儿

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Iran’s domestic espionage: Lessons from recent data leaks
2020-07-08 · via Intel 471 Blog

By the Intel 471 Global Research Team.

In the last decade, Iran has undergone a quiet revolution. Since the“Green Movement” uprising in 2009, more Iranians have dared to openly oppose their regime. The reasons include accusations of elections tampering, global sanctions, increased inflation, heavy investment of state funds in the nuclear and arming programs, and ambitious regional policies in Lebanon, Syria, Iraq, Yemen and others, amid a deteriorating socioeconomic situation of the average Iranian.

There was a lot of talk in the past about Iran’s espionage measures and offensive cyber activities targeting other countries. However, growing domestic unrest prompted the Iranian regime to invest more resources in developing espionage capabilities aimed against its own citizens. Additionally, the regime carried out tough measures against civil uprisings such as cutting off the internet in the country for long periods of time and killing hundreds of protestors.

During the past year, a number of online activists have leaked what they claim to be inside information about the regime’s surveillance methods, in an attempt to expose the unethical tactics used by Iranian security forces. Among the top whistleblowers are operators of the Lab Dookhtegan (translated in Persian as “stitched lips”) Telegram channel and an activist named Masoud Molavi. Molavi, assassinated by Iranian agents in November 2019, was a former cybersecurity official behind the Black Box Telegram channel that was responsible for many notable leaks of Iranian government information.

The series of leaks uncovered hundreds of documents that offer a glimpse into the way Iran is spying on its own people. According to the leaked information, the Islamic Revolutionary Guard Corps (IRGC) and the Iranian Ministry of Intelligence Services (MOIS) developed numerous tools, malicious software, surveillance systems and data analysis platforms, in order to control citizens in Iran and abroad. Much of this activity allegedly was conducted in the Rana Intelligent Computing Institute, an organization working under the Iranian MOIS, involved in internal espionage by developing unique tools and gaining access to a variety of foreign countries’ infrastructure.

Tools and Techniques used for Domestic Espionage

According to the information shared by these whistleblowers, Iran is heavily investing in the development of customized tools and malicious software for domestic espionage. For example, the Iranian regime developed a surveillance system dubbed Abi, which allegedly was used to spy on political activists, human rights lawyers, regime opponents and protesters by intercepting Bluetooth communications. According to an Iranian blog called Arezooyenatamam, (translated in Persian as ‘an unfinished dream”), this system has been installed on pickup trucks posted in strategic locations in Iran such as university campuses or protest centers.

A screenshot from the Abi system monitoring of Sharif University

A screenshot from the Abi system monitoring of Sharif University

The Iranian regime also developed customized malware used for stealing information from citizens. One example found in those leaks was called WinspySuite, a remote access and information stealing malware that reportedly was used specifically to spy on suspects arrested by the regime. Internally referred to as Peyvand, the malware allegedly was loaded onto a target’s computer via a USB flash drive during interrogations or sent via a malicious link to a victim’s email address. The regime also developed a remote access tool for Android and iPhone mobile devices as part of a project dubbed Project 220. The malware purportedly was able to steal sensitive data from a victim’s device, including call data, text messages, contacts and locations.

A screenshot from the Winspy Suite control panel

A screenshot from the Winspy Suite control panel

Another malware project dubbed Project 420 aka Dolphin developed, deployed and controlled an undisclosed mobile malware capable of collecting and analyzing information about the activities of individuals and groups on social media networks including Facebook, Twitter, and Instagram, and on messaging applications such as Telegram.

According to leaked information, the regime not only developed tools for stealing sensitive data from its citizens, but also created designated platforms for the collection and analysis of the data. A system dubbed Payamak was developed to store and analyze text messages from targeted subjects. A software called Seraj was used as an analytical search engine for data on suspects, employees, intelligence operations and arrests related to the MOIS. Another system mentioned in reports dubbed Shojreh includes a mapping of family relations of Jewish people in Iran and abroad.

Additionally, the IRGC and MOIS gained unauthorized access to legitimate services or websites to spy on Iranian citizens. For example, the MOIS would compromise Iran’s National Library computer network seeking to obtain personal information about users, mainly students and political prisoners, and their topics of interest. The MOIS allegedly also abused this access to send phishing emails with malicious attachments from the library’s official email account.

Tracking Iranians Abroad

In addition to all of the above, the Iranian government is making great efforts to monitor citizens going abroad by surveying and analyzing location data obtained from Iranian cellular operators with a system called Pouya, and by compromising the infrastructure of foreign companies.

A screenshot from the Pouya system

A screenshot from the Pouya system

In 2019, an unknown activist or group of activists launched a site called “Vagheyatepenhaan” (translated in Persian as ‘the hidden facts’) to expose Iranian regime espionage-related activity. The site contains a large section about espionage enterprises outside Iran that was conducted to monitor the movement of Iranians traveling abroad. According to this information, the regime gained access to computer systems of numerous airline companies in Bahrain, Dubai, India, Indonesia, Malaysia, Pakistan, the Philippines, Qatar, Saudi Arabia, Thailand and the United Arab Emirates (UAE) for data collection on flights of Iranian citizens. In another case, leaked documents showed the government worked on a project that aimed to compromise hotel websites in the Republic of Georgia, a neighboring country and a popular holiday destination for Iranians.

While they can be considered revealing, It should be noted that these leaks provide a very narrow window into the full extent of the Iranian regime’s priorities. However, the information disclosed provides evidence that as time goes by, motivation to expose these activities likely will remain high.