Shadow Alerts – The Sophistication of Modern Targeted Spyware

Throughout the prolonged period of regional hostilities, and specifically following the escalations with Iran, a targeted cyber-espionage campaign has been identified leveraging cynical social engineering to deploy spyware on Israeli Android devices.

The campaign utilizes mass SMS phishing that exploits public distress, compelling users to install a malicious application masquerading as the official “Red Alert” (Tzeva Adom) early-warning system.

The malware, identified by the package name com[.]red[.]alertx, is a prime example of strategic typosquatting. To establish total user trust, the application provides a fully functional interface, including authentic siren alerts, localized maps, and a comprehensive database of Israeli municipalities.

This front-end facade is designed to manipulate users into granting invasive permissions without scrutiny. Beneath this operational exterior, the system functions as an active intelligence-gathering tool, utilizing custom obfuscation techniques specifically engineered to bypass standard signature-based detection and heuristic analysis.

While initial findings attribute the core infrastructure to the Hamas-affiliated group APT-C-23 (Arid Viper), recent iterations of the spyware reveal the direct involvement of leading Iranian threat actors. This partnership has resulted in a significant leap in the malware’s technical sophistication, characterized by hardened evasion mechanisms and more resilient (C2) architectures.

This operational methodology, first observed after the October 7th attacks and refined during the “12-Day War” with Iran, has now reached its most advanced stage. This report provides a detailed technical analysis of the latest builds, the encryption methods employed, and the evolving synergy between regional threat groups operating against the Israeli theatre.

Anatomy of a Clone

The application implements an exceptionally thorough and meticulous impersonation of the legitimate “Red Alert” (Tzeva Adom) system. Every visible layer, from iconography and auditory assets to user interface and localized data, is engineered to be indistinguishable from the genuine application. This high-fidelity mimicry is a calculated effort to neutralize user suspicion during the high-stress window of installation.

At the visual level, the malware utilizes direct asset theft from the original platform, including the iconic red circle and white broadcast tower launcher icon.
This continuity extends deep into the application’s architecture, where specific layout files mimic complex features such as “Location Alerts,” “Secondary Notifications,” and “Shelter Exit Timers” To ensure broad demographic appeal and credibility across the Israeli theatre, the developers integrated full Right-to-Left (RTL) support with dedicated Hebrew (layout-iw/) and Arabic (layout-ar/) directories.

The deception is further reinforced through functional geographic integration.
By leveraging Google Maps alongside a custom polygon overlay system, the malware can render accurate alert zone boundaries. If a user cross-references the app with real-world events, the interface provides a convincing illusion of authentic, live data from the Home Front Command.

Eventually, the auditory component serves as a critical pillar of this social engineering strategy. The application contains a library of 24 sound files, including the actual tzevaadom.mp3 siren used in Israel’s early-warning infrastructure.

By providing a spectrum of tones, ranging from the primary alarm to “calm” status updates, the malware reinforces a false sense of security, ensuring the user keeps the application active while the spyware silently exfiltrates data in the background.

Modular Espionage - Spyware Architecture

The spyware module is encapsulated entirely within classes2.dex under the androidx.activity.yuma namespace, a deliberate naming convention chosen to blend seamlessly with legitimate AndroidX library components.
The malware’s internal architecture follows a sophisticated, modular Collector → Queue → Upload pattern, ensuring efficient data exfiltration while maintaining a low footprint.

The class hierarchy reveals a highly organized functional division, despite the use of dictionary-word obfuscation to hinder manual analysis.

The primary execution flow is managed through a series of specialized Runnables, the bestrut class is responsible for harvesting SMS messages, contact lists, and the inventory of installed applications, the border class facilitates continuous GPS tracking via the system’s LocationManager and LocationListener interfaces, and the unblest class focuses on account theft through AccountManager and unique ID.

Initialization is triggered through a sequence of executor-dispatched tasks.
The primary entry point spawns a dedicated permission-request thread (myopes), which monitors the user’s responses. Once the requisite permissions are granted, the malware initiates its core data collectors alongside an infinite upload loop managed by the overhot class.

This loop cyclically iterates through categorized data, packaging and transmitting files to the Command and Control (C2) endpoint.

The orchestration of these components is handled by functional wrappers such as Bravado() and Wauchle(). These methods encapsulate the Executor.execute(Runnable) logic, dispatching the permission-acquisition flow and the upload loop onto separate thread pool executors.

This multi-threaded approach ensures that the malicious background activities remain decoupled from the primary UI, allowing the “Red Alert” facade to function smoothly while exfiltration occurs in parallel.

Adversarial Resilience - Encryption & Obfuscation

All sensitive strings within the malware, including API endpoints, field names, and internal content URIs, are protected by a consistent, two-stage cryptographic process. This mechanism is designed to thwart static analysis and prevent the discovery of the threat actor’s infrastructure through simple string-searching tools.

The decryption pipeline follows a structured sequence:

1. Base64 Decoding: The ciphertext, stored as an encoded string, is first processed through the android.util.Base64 utility class.

2. Cyclic XOR Transformation: Each byte of the resulting data is then XOR-encrypted with a character from a static 32-byte key string.

Across the decompiled source code, 281 unique encrypted strings were identified.
This extensive use of obfuscation covers every critical operational detail of the spyware, from the specific SMS permissions it requests to the remote server addresses it targets.

The critical function that decrypts the C2 endpoint URL is Bewailed(), resulting cleartext identifies the central data exfiltration hub:
https://api[.]ra-backup[.]com/analytics/submit[.]php

The analysis reveals that the identifiers are not the product of standard obfuscators like ProGuard or R8, which typically generate short, sequential strings (a, b, aa, etc...), but a custom obfuscation tool that replaces original identifiers with obscure English dictionary words, such as Bewailed, Cucurbit, and Zyzzyva.

This specific naming convention serves as a trackable cryptographic fingerprint, allowing to link disparate malware samples to the same development pipeline and infrastructure.

Data Collection Capabilities

The malware implements five distinct data collection modules, each mapped to an enum value in crisped that categorizes the stolen data for organized exfiltration.

Upon SMS permission being granted, the malware queries the system SMS content provider to extract all messages.

The contacts collector queries three Android content providers to build complete contact profiles. Among the contact harvesting sources queried are primary contact records, phone numbers, and email addresses.

The border class implements continuous GPS tracking using the Android LocationManager API with a LocationListener callback. Among the captured data are latitude, longitude, speed, accuracy, mock location detection. The listener runs continuously, and each location update is serialized and queued for exfiltration.

The bestrut class enumerates all installed applications.
It uses PackageManager.getInstalledPackages() with QUERY_ALL_PACKAGES permissions to retrieve a complete list. For each package, the malware collects the package name and application label, and builds a JSON array for exfiltration.
The resulting data is categorized under crisped.Outports and written to the exfiltration queue.

The unblest class steals all accounts registered on the device.
It uses AccountManager.getAccounts() to iterate all device accounts.
For each account, extracts account.type (for example “com.google”) and account.name (email address). It also collects the device’s android_id using Settings.Secure. The Data is serialized as JSON and submitted under the Ploying category.

Continuous Exfiltration - The Infinite Upload Loop

The overhot class implements an infinite upload loop that continuously polls for queued data files across all stolen categories. The malware iterates through types (SMS, GPS, Contacts), inserting a 500ms delay between categories to maintain a low processing profile.

To further evade detection by automated analysis tools, the exfiltration logic utilizes Java Reflection within the Plumbers class. By reflectively invoking the HTTP upload handler, the malware decouples the data collection logic from the network transmission layer, making it significantly harder for security products to map the full execution chain from file creation to remote exfiltration.

And the Upload call chain:

Command And Control - Push-Based Surveillance

The APK integrates Firebase Cloud Messaging (FCM) to establish a high-efficiency, push-based C2 channel, which allows threat actors to issue real-time operational commands, such as forcing an immediate data collection cycle or waking the device, without the noise of constant polling.

By embedding these references in firebase_common_keep.xml, the malware maintains a persistent link to the attackers’ infrastructure.

The core of the spyware’s power lies in its Invasive Permission Model.
Beyond the standard notification and location access expected from a “Red Alert” app, it harvests SMS, contacts, and account data.
Crucially, the RECEIVE_BOOT_COMPLETED permission ensures long-term persistence, re-launching the malicious background services automatically upon device reboot, effectively turning the phone into a continuous surveillance tool.

Because the app impersonates a rocket alert system in such tense times, users are highly motivated to grant all permissions immediately.
Location access is expected for a regional alert app, notification permission is essential for alerts, but the remaining permissions (SMS, contacts, accounts) are less expected but are likely granted without question by users anxious to enable life-safety alerts quickly.

Siren Song - The Axis of Resistance Spyware Evolution

Current analysis reveals a significant operational shift in the “Red Alert” malware campaign. While the initial infrastructure originated with the Hamas-affiliated APT-C-23 (Arid Viper), the latest iterations exhibit direct involvement by Iranian-backed threat groups.

This transition indicates a strategic handover or deep operational synergy within the “Axis of Resistance,” aimed at intensifying intelligence collection during the ongoing conflict.

Operational continuity is maintained through the C2 domain ra-backup[.]com, which leverages the “Red Alert” (RA) acronym and a “cloud backup” pretext for exfiltration. While the use of api. subdomains and SaaS-like URI paths mirrors Arid Viper’s historical TTPs, the current versions show higher technical refinement and a broader scope, now targeting Russian and English speakers alongside Hebrew and Arabic users to meet Iranian state-level requirements.

A critical link between these versions is a unique “lexical fingerprint”, a custom obfuscation engine utilizing obscure English and ethnographic terms.

The persistence of this proprietary tool confirms that Hamas’s technical assets have been integrated into an Iranian-managed pipeline, upgrading the spyware into a sophisticated state-level espionage tool.

The convergence of TTPs, from the 2023 patterns to the current technological surge, indicates a coordinated joint venture with Medium-High confidence.

The shift from a Hamas-led effort to an Iranian-orchestrated operation underscores the systematic weaponization of a life-saving application into a tool for both signals intelligence and psychological warfare.

Relevant IOCs

BreachForums - The Return

BreachForums is an English-language cybercrime forum that operates as a black-hat marketplace and community, facilitating the exchange of information about data breaches, the sale of stolen databases, hacking tools, and other illicit services. It was created to replace RaidForums, which was seized and taken offline by law enforcement authorities in 2022.

It was launched in March 2022 by Conor Brian Fitzpatrick, known online as “pompompurin,” shortly after the takedown of RaidForums. On March 21, 2023, the forum was shut down following Fitzpatrick’s arrest. After this takedown, BreachForums re-emerged under new administrators and moderators, including actors associated with ShinyHunters and IntelBroker.

Since then, the forum has repeatedly resurfaced using dozens of domains and mirrors, operating across both the TOR network and various clearnet domains (current is breachforums[.]bf), many of which were later seized or disrupted by law enforcement, which resulted in several cycles of shutdowns and re-launches over time.

ShinyHunters, an established cybercrime group active since around 2020, has been publicly linked to BreachForums as a key actor involved in its revival and partial administration following the arrest of its original founder.

In addition, BreachForums has been repeatedly associated with activity attributed to Lapsus$ and related clusters. In 2024-2025, an overlap between BreachForums infrastructure and actors described as “Scattered Lapsus$ Hunters,” a loose alignment of individuals linked to Lapsus$, Scattered Spider, and ShinyHunters was identified.

This report is an intelligence-driven analysis that correlates technical infrastructure, threat actors, and exposed data to connect disparate indicators and build a coherent intelligence picture. By linking platforms, domains, operational artifacts, and known groups, the report moves beyond isolated findings and contextualizes them within a broader ecosystem, enabling a deeper understanding of how the infrastructure, actors, and activities interrelate and what they reveal about the underlying narrative behind the observed events.

From Dead End to First Exposure

First, I started with the given, the domain name (breachforums[.]bf).
No WHOIS records, it wasn’t part of data leaks or any scraped data, and I couldn’t find any relevant leads based on the official domain name.
The IP address that was resolved by the domain is 95[.]129[.]233[.]76, and when I searched for it, I saw it’s a DDoS protection service and not the real IP of the domain.

I ran a custom enumeration script (fuzzer) on the domain and found few misconfigurations that led me to status code 200 (HTTP OK), as most of them were unreliable and just refreshed the page to the home page of Breachforums, few led me to see sensitive details that provided me with further understanding about the infrastructure and the assets related to the operation.

I was able to see the php_errors.log page, publicly disclose the PHP error log containing repeated PHP Parse errors indicating a syntax issue (“Unclosed (”) within a specific file: /var/www/html/cache/ougc_awards.php.

This file appears to be an automatically generated cache file, likely associated with a MyBB plugin such as OUGC Awards. The fact that these errors are logged dozens of times within short time intervals indicates that the server repeatedly attempts to load a corrupted or malformed cache file, pointing to poor maintenance, a failed update, or an improper system configuration.

The log discloses the server’s full filesystem path, precise technology stack (PHP with MyBB), a specific module, directory structure, activity timestamps, and the frequency of recurring errors, all provides the ability to map infrastructure and operational processes, identifying active components and plugins, and collect other crucial intelligence.

The user enumeration inside the website is not configured correctly and allowed me to view all of the users by their joining date and asses by that who the current admins.

https://www.breachforums[.]bf/ member.php?action=profile&uid=1 provided the admin of the forum, and all I needed is to change the number to 2, 3, and going to check the other users. Number 2, by the way, revealed that ShinyHunters is the admin as well.

Another misconfiguration that provided me with trustworthy intelligence is the fact that https://breachforums[.]bf/BingSiteAuth[.]xml is widely accessible and provided me with the user's one-time hash for SEO purposes.

The BingSiteAuth.xml file is a standard ownership-verification file used by Microsoft Bing to confirm control over a domain, and its presence indicates that the site operators had (or still have) write access to the web root, reflecting full operational control of the domain at a given point in time.

Beyond simple verification, it confirms the deliberate use of official SEO and webmaster tools, suggesting that the site was intended for indexing, visibility, and sustained presence in search engines rather than being a short-lived or purely temporary deployment.

When correlated with server logs (that already been partly exposed), infrastructure changes, and domain activity, the file can help establish a timeline showing when the site reached an operational stage suitable for public indexing.

Identifying The Operational Core

When searching for the domain name using indexing search engines, I noticed the IP repeated IP address 95[.]129[.]233[.]76 (the DDoS guard) and 104[.]21[.]51[.]126, which is directly related to ShinyHunters and Lapsus’ infrastructure, all say it’s not the real IP address I’m searching for.

But one IP address stood out - 45[.]134[.]26[.]22, that leads directly to the domain of breachforums[.]bf.

This IP address was exposed in an RDP handshake scan and reveals the remote desktop service (3389), which indicates a Windows server, probably the one that acts as the main station of operation.

The banner reveals detailed infrastructure information, from the IP which belongs to ASN 198953 operated by Proton66 in Russia (Saint Petersburg), the system is running Windows Server 2019 / Windows 10 version 1809 (build 17763), the authentication uses NTLM, and the internal machine identifier (Target Name and NetBIOS name) is WIN-QCQ1STQOM66.

From an intelligence perspective, this constitutes a full infrastructure fingerprint of a management server, exposing OS type and version, internal host name, hosting provider, and geolocation, indicating weak hardening, as we already saw before.

This IP address was shown with port 135 (Endpoint Mapper) and constitutes a strong indicator of a Windows server that is publicly advertising management-related services.

The IP contains data of other addresses shown in the banner, all of which relate to the single Windows host and represent different network identifiers associated with the same system.

45[.]134[.]26[.]22 is the primary public IP address exposed to the internet and the endpoint through which the RPC service on port 135 is reachable. WIN-QCQ1STQOM66 is the internal hostname of the Windows machine, leaked during the RPC/DCERPC handshake, and it serves as the common identifier linking all associated interfaces.

169[.]254[.]71[.]72 is a Windows link-local address, which is not routable on the internet and typically indicates an internal, virtual, or fallback network interface, suggesting the host has additional internal networking configured.

45[.]134[.]26[.]184 is another public IP within the same ASN and address range, representing an additional interface, a closely related node, or an adjacent system associated with the same infrastructure.

All of these are identifiers that show the exposed RPC service reveals a mapped view of the host’s networking, allowing to correlate multiple IP addresses and interfaces back to a single Windows server without any authentication, providing strong infrastructure linkage and insight into the host’s network layout.

These three IP addresses were deeply checked, and I found out that all of them host different domains with (.cyou), all unavailable and registered in 2025 by an unknown entity, probably for malware spreading purposes.

Such domains, for example:

• indickensonkas[.]cyou

• aesacksis[.]cyou

• sashkra[.]cyou

• saudkas[.]cyou

• indaks[.]cyou

• ilslobas[.]cyou

All pages were deleted, but I managed to find an archive for one of them, verifying it is part of Phishing infrastructure, containing payment request informationn and it seems to be dedicated to Indian citizens.

One Hash, Many Faces

When I deep dived into the address 45[.]134[.]26[.]184, I saw it was directly connected to another website by using the same Favicon hash.

Favicon is an icon a website uses in the browser tab or bookmarks, and the favicon hash is a unique digital fingerprint created from that icon file, meaning that if two sites have the same hash, their favicon files are exactly identical at the file level.

When two websites use the same favicon hash, it means they are using the same default icon, the same website template, the same software or control panel, or were deployed from the same setup or infrastructure.

The favicon hash is 1588839859, and when searching who else uses the exact hash, I found out the website ncrb-main[.]digitalnightowl[.]shop, a dedicated phishing infrastructure, impersonating the National Crime Records Bureau of India.

WHOIS records of the domain show the domain was registered in October 2025, using GoDaddy, exactly as the others.

The domain of digitalnightowl[.]shop contains dozens of other subdomains as well, for different purposes, from Banks fake pages, real-estate agencies fake pages, government fake pages, and hotel fake pages, all directed at Indian citizens.

One of the domains had several misconfigurations that led me to see the backend of the website itself, including the JS files, routes, and error logs.

Beyond The Frontend

When I started searching about “digitalnightowl[.]shop”, I found references to an Etsy store that wasn’t very useful but when I logged in to the website itself, I noticed the there is a difference between the name of the website itself and the name in the URL, meaning the site is technically served under one domain but displayed or branded as another, usually due to a server-level redirect or domain alias.

This commonly occurs when the same operator controls multiple domains for a single website, for branding, redundancy, SEO, or during a domain migration, or when one domain is used as an entry point while another is defined as the primary logical or canonical domain.

When searching the phone number that appeared on the website, I saw it belongs to an Indian guy named Prakhar Abhishek, probably the owner of Digital Night Owl, a company that seems to be providing service in the areas of IT, Data, and SEO.

The phone number itself was in a data leak from 2025, revealing three other Indian phone numbers and associated addresses under different names, two of the addresses are identical, meaning there is a close relation between these individuals.

His email address appears in business registrations in India as the owner of the company, which puts him in charge of the operation as well.

The Revival That Wasn’t

What began as an intelligence investigation into the apparent resurgence of BreachForums ultimately led to the exposure of a broad and coordinated infrastructure of impersonation websites designed to defraud citizens in India on a large scale.

Correlation of the findings reveals a consistent pattern in which all indicators converge on a single company based in India, operating in the fields of IT services and digital marketing.

The aggregated evidence suggests that the company’s owners, Indian nationals residing in the country, are likely responsible for managing the entire operation, including attempts to revive the infamous forum, which itself appears to have been repurposed not as a genuine cybercrime community but as part of a deliberate and organized fraud scheme.

Who Is Sentap

SENTAP, operating under the alias “sentap.cyber”, is a financially motivated threat actor assessed to have been active since at least 2021. The actor primarily operates as an Initial Access Broker (IAB) and data extortion actor, maintaining a persistent presence across underground forums, encrypted messaging platforms, and email-based communication channels.

His core capability lies in obtaining unauthorized access to organizational environments through compromised credentials, leaked accounts, and abuse of legitimate third-party access. Once access is established, he focuses on identifying centralized file-sharing systems and storage repositories that can be exploited for large-scale data collection.

During 2024 and 2025, SENTAP significantly increased the scale and visibility of its operations, advertising datasets measured in the hundreds of gigabytes. Notable cases attributed to the actor include the sale of large volumes of infrastructure and personally identifiable information linked to NBN Co, as well as a separate dataset attributed to UrbanX.

The data described in these listings reportedly included infrastructure documentation, engineering plans, legal and commercial records, and personal information, highlighting the potential for operational, regulatory, and reputational impact.

Geographically, SENTAP’s activity spans multiple regions, with victims and advertised datasets linked to Australia, Europe, North America, the Middle East, and Asia.

Sector-wise, his operations are cross-industry, reflecting a preference for accessibility and data volume rather than a single vertical focus.

The following research will assess Sentap’s actions, digital footprints, and methodologies to identify who this threat actor is and associate him with a specific country (AKA attribution).

Modus Operandi - Trust Abuse Model

SENTAP’s activity indicates an opportunistic operating model, focusing on organizations with exposed or weakly protected infrastructure rather than highly targeted, bespoke intrusion campaigns.

Following data exfiltration, SENTAP engages in extortion-driven activity, leaving ransom or pressure notes within affected environments and initiating direct communication with victims via encrypted channels.

The actor’s demands centre on financial payment in exchange for withholding public disclosure or resale of the stolen data. When negotiations fail or are ignored, SENTAP has been observed advertising and selling datasets on underground data-leak and marketplace forums.

SENTAP operates as a financially motivated threat actor focused on acquiring initial access to organisational environments and converting that access into profit through large-scale data theft and extortion. His operational model is opportunistic in nature, prioritising exploitable exposure, weak identity and access management practices, and over-trusted third-party relationships rather than sophisticated intrusion tooling or highly targeted campaigns.

Initial access is typically achieved using compromised or leaked credentials, including accounts belonging to internal users and external service providers with legitimate access.

SENTAP also actively identifies and abuses internet-facing assets with weak or misconfigured security controls, such as cloud services, VPNs, and other externally exposed infrastructure, favouring low-friction entry points that do not require advanced exploitation techniques.

Once a foothold is established, SENTAP focuses on abusing trusted relationships to maintain access and expand reach within the environment. By operating through valid accounts, particularly those associated with third parties, he can blend into normal user activity, bypass basic security controls, and access sensitive resources with minimal lateral movement or noisy post-exploitation behaviour.

The core phase of SENTAP’s operations centres on file-sharing and a centralised storage infrastructure. He performs systematic, high-volume data collection and exfiltration, often over extended periods, using legitimate transfer mechanisms such as SFTP or standard download functionality.

The objective is bulk data acquisition rather than selective targeting, enabling the extraction of operational documents, business records, technical material, and personally identifiable information at scale.

Following or during data exfiltration, SENTAP transitions to the pressure and extortion phase. He leaves extortion messages within the affected environment and initiates direct communication with the victim via encrypted and privacy-focused channels. Communications are generally non-aggressive in tone but persistent, emphasising payment to prevent public disclosure or resale of the stolen data.

Signals In Plain Sight

My starting point is the username “sentap”. A lot of details were revealed from different hacking communities under this alias, from BF, to XSS and Leakbase, in all of them he posted dozens of times with different sales offers of stolen data.

I was able to identify two different services he was registered to, Twitter (X) and Matrix (An open network for secure, decentralised communication), that I was able to cross between them due to his usage with the same profile picture as he uses in the different hacking forums he participates in.

The username led to an IP address, 185[.]218[.]3[.]32, that was directly associated with it, probably as a static IP address.

When searching for this IP address, I was able to find a relevant data breach that contained the IP address, along with the username “sentap” and an email address.

That piece of information revealed another username, a part of the email address, under the alias “hoveylech”, worth checking as well.

When searching for clues about this username, I was able to find a Twitter account, opened in 2009 under the name “mostafa hoveylech”, an empty account, no posts and no actual activity, but he follows a few individuals that located in Iran.

On top of that, I found an old WordPress site created by him, with no data inside. This is a very old creation from 2010, where the threat actor “sentap“ started to operate.

This WordPress website was automatically translated from the Persian language, another huge clue about the possible origin location of the threat actor - Iran.

Names Don’t Lie

Since we have the email address, I started to investigate that lead.
The email address was directly associated with another Instagram account that was opened in 2020 under the name “Reza Hoveylech”.

By the ABOUT data section in this account, the username is “Hoveylech”, and the origin of the owner is Iran, as suspected.
Also, only one photo was published by this account, of a baby with a text in the Farsi language, the official language of Iran.

In an archived post of the known hacking forum XSS, I found a post written by him that contains one of his email addresses - sentap@jabber[.]fr, not leads nowhere in terms of data breaches and digital footprint.

But, the first email address I found is hoveylech@yahoo[.]com, and was part of the major Facebook data breach in 2019, which revealed the Facebook 100001020766512, and revealed two different crucial details – the name “Mostafa Hoveylech”, a name that was already mentioned in the Twitter page that was found, and a new detail -
+989168155967, a phone number with the Iranian country code.

With a deeper dive into the email address, I found a direct association of this data in a database of mcls.gov.ir, the official Iranian government domain belonging to the Ministry of Cooperatives, Labour and Social Welfare, used for public services and administrative systems.

The appearance of the email address in this DB is valid proof that the attribution of this individual is from Iran.

More than that, it reveals his date of birth and validates his full name, as previously mentioned, as Mostafa.

Financial Infrastructure

As the investigation went deeper, by scraping relevant Instagram comments, I found another two profiles of this individual.
The Instagram page of his persona (“sentap”), followed by the same picture he used in all the other sources, and a reference to his Telegram account.

In his old Telegram BIO, he referred to his Keybase profile, where he lists his user, his PGP key, and two crypto addresses.

When analysing the addresses, both showed no more than 300$ in their peak, suggesting no massive illegal activities occurred in association with those.

Relation With Funksec Group

FUNKSEC is a cybercriminal group primarily associated with ransomware operations and digital extortion, which began gaining noticeable visibility mainly during 2024-2025 and operates in a manner resembling the Ransomware-as-a-Service (RaaS) model, combining intrusions into organizational networks with the theft of sensitive data and threats of public disclosure (double extortion).

The group relies on distributed infrastructure, low-cost VPS hosting, compromised cloud accounts, and anonymization services, and typically targets small to medium-sized organizations, educational institutions, service providers, and occasionally government bodies or subcontractors, with an emphasis not necessarily on extracting high ransom payments but rather on conducting a high volume of fast, opportunistic attacks.

FUNKSEC has been observed exploiting known (N-day) vulnerabilities, gaining initial access through leaked credentials or exposed RDP services, using common post-exploitation tools (including Cobalt Strike-like loaders or simpler alternatives), and leaking stolen data via shaming portals or underground forums, positioning the group as opportunistic and not particularly technologically “elite,” yet operationally efficient in scale, automation, and rapid exploitation of opportunities, making it noisy but dangerous, especially for organizations with weak security hygiene.

As I managed to find on Sentap’s Twitter page, he commented to a user in January 2025, as he seems as an individual who was part of the group.

And in December 2024, he officially tags Funksec group in a Twitter post, where he claims to perform hacking activities on their behalf.

Also, when comparing Sentap’s methods and technical abilities with Funksec’s, there is a huge similarity, as they both opportunistically engage with small-sized organizations with the same modus operandi.

On top of that, in a discussion forum, a comment by Sentap was captured, where he goes against those who claim the hacking software of Fucksec was built by AI agents, dismisses the claim, mocks those spreading it, and emphasizes that, in his view, it is baseless chatter rather than anything grounded in real technology.

Zagros Platform

The “Zagros” service, operated by the Amn Pardaz Nasr Zagros Company, is an officially declared Iranian product designed to provide a domestically controlled solution for accessing the global internet. Its primary purpose is to enable users within the Islamic Republic of Iran to bypass international sanctions and government filtering/blocking of online systems and websites.

The service is explicitly described as an Iranian product offering “unrestricted access to sites and systems that are sanctioned or sensitive to the IP address of our country (Islamic Republic of Iran)”. Technically, it is presented as an alternative to often insecure external tools, aiming to “eliminate the need for... any filter breakers and insecure VPN services” and prevent data leakage in sanctioned or sensitive services.

This strongly suggests its operation as a sophisticated DNS resolver or a similar centralized proxy infrastructure that offers a regulated and monitored channel for external access while being marketed to key demographic sectors such as programmers, graphic designers, gamers, students, and digital currency activists.

Despite marketing itself with features like “Sustainable security” and “Global END to END encryption”, Zagros’s privacy policy contains a critical provision that indicates potential state surveillance and control. While the service claims to protect user privacy, its terms confirm that the service provider has access to users’ personal details, including full name, phone number, and password. Crucially, this sensitive data “will be provided upon official request from competent authorities”. This policy guarantees that Iranian security or intelligence agencies have a clear, documented path to obtain the identity and activity data of any user, effectively centralizing control over the circumvention process and raising serious concerns about surveillance for political activists or others deemed a risk to the regime.

Infrastructure Doesn’t Lie

The IP address of the website is 185[.]164[.]72[.]226, hosted by Pars Parva System LLC, Iran, a data provided by NSlookup search.

While searching other entities using the IP address, I found a domain named “thekitten.ir.zagrosguard.ir” with the same IP address, the same ASN.

The obvious mention to thekitten[.]ir is a direct link to thekitten[.]group, a covert pro-Iranian infrastructure designed to support cyber warfare and espionage against Israeli and other targets. This platform functions as a sophisticated communication hub aimed at coordinating hostile cyber activities by different pro-Iranian groups.

Hi Kitty Kitty

The site is built as a closed and monitored communication platform, featuring a dark homepage with a form for submitting a Signal ID and email address. This design choice indicates an intent to establish a private and ostensibly secure communication channel, operating outside of conventional networks, and requires the preliminary identification of its users.

The inclusion of a validation modal featuring a 64-digit Tracking ID clarifies that this is not an arbitrary platform, such a long and unique identifier enables the precise identification, linking, and monitoring of every single user or “activist” accessing or requesting entry to the site.

Functionally, this setup provides a secure, internal “War Room” infrastructure for cyber groups operating in service of Iranian objectives, complete with a high capacity for internal surveillance and control.

Despite its claims of “independence” within the About Us section, the site’s public declaration is saturated with explicit pro-Iranian ideological markers. The use of terminology such as “The Front”, “The Resistance”, and “Jihad” is fundamental terms within the narrative of the Islamic Revolutionary Guard Corps (IRGC) and the Iranian-led Shiite Axis. Furthermore, the explicit call to action, declaring support for cyber groups operating against the “Zionist regime,” clearly positions the website as an active component of the Iranian non-state actors’ warfare apparatus, even if its institutional affiliation is unofficial or concealed. This makes the platform an ideological front aimed at recruiting and coordinating activists against Israel.

The website directly mentions three known hacking groups that attacked Israel and its allies multiple times, which shows their association with the kitten website.

Clues of Financial Ties With IRGC

The company frames Zagros as far more than just a technical utility, positioning it as a strategic asset with deep ideological ties to the regime. The developers categorise the service as “The Second Step of the Islamic Revolution and the Social Mission”, with the intent to provide the necessary infrastructure for Iranian users to access sanctioned content so that it can “play a small role in realising the statements of the wise and wise Leader of Iran”. This ideological commitment is also reflected in its financial model, as all funds paid by users for the subscription service are explicitly stated to be spent on “jihad and deprivation relief activities”, linking the service’s commercial revenue directly to the IRGC’s funding and social initiatives.

Hidden Pages, Open Road

When trying to understand the different pages I can access in this website, I tried URL fuzzing techniques, a thing that revealed two unrestricted, but yet, very sensitive pages with the status code 200 (OK) – admin & cPanel.

The cPanel (login page for the control panel) runs on port 2083, requires login credentials that I’m not sure if configured with OTP that will alert the suspects, so I chose the second-best option.

Inside The System

Since the admin page is also accessible, I was able to download the actual admin.zip file and review it for further understanding of the system and architecture of the website.

The availability of this file for download meant that I was able to obtain a complete production build of the administration interface. The bundle exposed all frontend logic, including business flows, routing structure, and the communication patterns used by the client when interacting with the backend. This constitutes an unintended information disclosure that provides detailed insight into the internal structure of the administration system.

The file revealed all API endpoints used by the admin panel, including those responsible for viewing, editing, deleting, uploading, and downloading data, as well as additional administrative operations.

It also exposed the authentication flow, including cookie-based session handling, CSRF mechanisms, and the exact request/response formats the client and server expect.

This information provided me with the understanding of how login is performed, how the authenticated state is maintained, and which backend interactions are critical to the system’s operation.

With these data pieces, if I wanted, I could focus directly on high-value operations such as authorisation checks, potential authentication bypass attempts, IDOR testing, and targeted probing of sensitive actions, including deletions, updates, and file handling.

Technical Analysis of The Code

The code exposes the internal admin API through an Axios client configured with baseURL: “/api/admin/” and withCredentials: true. Directly visible endpoints include, for example, POST /api/admin/view-client for retrieving client data by tracking_id, and GET /api/admin/view-clients for listing all clients.
Additional operations, such as file upload, file deletion, message handling, and project management, are also explicitly mapped (POST /api/admin/upload-files, GET /api/admin/get-projects). The authentication flow is similarly exposed through endpoints such as GET /api/admin/checking, POST /api/admin/login, and POST /api/admin/logout.

Admin interface routes (React Router) are fully visible in the bundle. Examples include /admin/home for the main dashboard, /admin/pro-iran-projects for project management, and /admin/view-request/:tracking_id for viewing a specific request based on a route parameter. These routes reveal the exact internal structure and navigation logic of the admin panel.

Client and request data retrieval are handled directly through service functions defined in the code. For instance, POST /api/admin/view-client is used to load a specific client’s details and GET /api/admin/view-clients returns a list of all clients. The code also exposes how updates are performed, such as POST /api/admin/update-status for modifying a client’s status. These functions demonstrate the precise request formats and expected backend responses.

Online Appearance and Digital Exposure

Once I saw the association and connection between the platforms and understood it is no more than a front for cyber-terror activities, I started to map the footprint of these entities, to check if I could find numbers, emails or even a real person associated with this operation.

Since Zagros platform was the first lead, that was my starting point in this discipline.
I was managed to find a Telegram channel of Zagros IP, under the name “ZAGROS | Channel”, with their official logo, that counts 31 subscribers. Already claims to be a front shell, with barely any actual activity. The BIO contains direct reference to their website, and two different Telegram bots, one for support and the second for purchasing.

While reviewing old messages in their channel, I found one that particularly stood out, containing two different phone numbers for WhatsApp contact, an Instagram account, and an official phone number.

All numbers are virtual SIM cards, originating from Turkey and registered to WhatsApp only, with no previous activity of any kind, so this lead wasn’t very useful. The users also didn’t provide any relevant information, but then I thought - if Zagros is a front shell for the kitten’s platform, whoever created Zagros is the owner of the operation, or at least, co-owner. So that’s what I did.

Attribution Begins with a Single Domain

The domain zagros-ip[.]com was part of a data leak from 2018, and revealed a person under the name Mohammad Farshidmehr, an Iranian citizen from Shiraz city.

The individual appears to be a web designer and software developer, living in Australia these days, as appeared on his resume.

With a deeper search, I was managed to find a website he created himself, as part of self marketing act. The website contained a symbol (logo) created by himself, possibly a kind of hallmark.

The first symbol, taken from Mohammad’s website, uses modern Iranian calligraphy identical to the style found in the official emblem of ZAGROS, the Iranian cyber entity operating as a cover for offensive activity and for supporting anti-Israeli proxy groups.

Both symbols rely on the same graphic pattern: Persian line flow, three-dimensional volume construction, curved letterforms resembling the “ʿayn / z” shapes characteristic of Iranian calligraphic design, and colour usage consistent with the same visual school.

This graphic overlap is not coincidental, but a reflection of design style commonly associated with Iranian studios working for government-affiliated bodies and pro-Iranian cyber organisations.

The Facade That Tells the Truth

In practice, the zagrosguard[.]ir domain presents as a relatively simple landing page, with a significant lack of robust and independently verifiable commercial identity. Its stated operational complexity and ideological mission appear to heavily outweigh its minimal public-facing corporate infrastructure.

Based on this observation, it is highly probable that the public-facing Zagros site primarily functions as a technological front or a marketing vehicle for an entirely different, perhaps deeper, network or underlying service.

This approach allows the operating entity, the Amn Pardaz Nasr Zagros Company, to maintain a strategic distance from its core network infrastructure while simultaneously presenting a sanctioned, ideological, and consumer-friendly interface to domestic users.

One IP, Three Faces

Behind an ordinary-looking IP address lies a machinery of logistics, distribution, and anonymity, intertwined with surgical precision. Each service masks itself behind a different facade, yet their trails converge unmistakably at the same destination. What emerges is not coincidence, but the blueprint of a coordinated criminal-grade infrastructure.

Three so-called different services, one illicit and the others controversial, act as one part of a faulty and criminal network.

The following report examines a tightly connected cluster of services that operate across the same infrastructure layer and share a common operational footprint. Although each brand presents itself as a separate entity with a distinct purpose, all of them resolve to the same IP address, indicating a unified backend, shared operators, or a consolidated management structure.

By analysing the hosting patterns, network behaviour, and thematic consistencies, the research demonstrates how these services function as interdependent components within the same criminal-grade digital ecosystem, possibly operated by the same owner (s).

The IP Address and Its Services

Starting with the IP address 155[.]94[.]145[.]211, I found the three different services hosted at the same address.

• BulletproofServers - Darknet-Grade Infrastructure Layer

  BulletproofServers is the foundational layer of this ecosystem. It’s a hosting environment designed for resilience, anonymity, and persistence. This type of hosting prioritizes customer privacy over compliance and offers infrastructure that remains online even under governmental pressure, legal complaints, or even takedown attempts.

  The service promotes “darknet-grade” capabilities, including anonymous setup, no identity verification, permissive content policies, full port availability, and flexible server locations.

  In practice, it operates as an infrastructure-as-a-service model for actors requiring stable but anonymous digital real estate.

  

• NarcoScandinavia - Nordic Underground Logistics Network

  NarcoScandinavia functions as the mid-stream logistical node within this shared infrastructure. It frames itself as a coordinated logistical network operating across the Nordic region, connecting inbound supply routes with last-mile distribution mechanisms. The brand emphasizes structure, reliability, and systematic distribution, qualities associated with organized logistics cells rather than ad-hoc operations.

  This part of the ecosystem bridges international supply flows with domestic demand points, using both physical and digital mechanisms: communication channels, shipment coordination, encrypted operational management, and networked courier elements. Its presence on the same digital infrastructure suggests that logistics management, customer coordination, and backend administration are handled through a centralized system.

  

• ElMercado - Drogas Express España

  ElMercado represents the frontend, the actual service. It’s a consumer-facing layer of the system. An express-delivery model designed for the rapid fulfillment of different illicit drugs across major Spanish cities. The branding aligns with contemporary “quick-commerce” aesthetics - fast delivery, urban coverage, and on-demand availability, but applied to illicit products.

  Operating on the same backend IP, ElMercado appears as the retail endpoint of the ecosystem. While BulletproofServers provides the infrastructure and NarcoScandinavia supports regional logistics, ElMercado translates these capabilities into a commercialized street-level distribution model aimed at end users.

  While BulletproofServers offers the durable, anonymous backbone, NarcoScandinavia manages movement, routing, and distribution across northern Europe, and ElMercado provides fast, city-level delivery and customer-facing access for illicit drugs.

Financial Infrastructure

Once the customer chooses the product he desires, he adds it to his cart and proceeds to the payment.

A new tab opens, asking for the contact method the user prefers, for them to contact first via WhatsApp, Signal, Telegram, Viber or a simple phone call.
Such a method indicates a good OPSEC behaviour, eliminating the chance of investigators obtaining their main usernames and contact methods until they will decide to do that (probably after they perform a background check to ensure their safety).

Once the user has completed his contact details, a new BTC address appears in the payment request to deny the possibility of tracing previous transactions associated with the address.

And Way Down We Go

With the known fact that claims the IP address as the backbone of these three services, I started the investigation with the first one, called “NarcoScandinavia”.

I tried to get as many details about the interface of the website, so I gave a try do web directory search enumeration, to check the different optional pages that answer with a positive response (200), just to find out there aren’t so many of them, and those that do, lead to the same pages I already visited.

In the “contact-us” page, there is a proton email account nrcscandinavia@proton[.]me, which yielded no results. It wasn’t in any data leaks, any registration, no web mentions of any kind and zero results at all.

I gave an honest try to the username itself “nrcscandinavia”, which also led to no where. This is not the right approach.

When trying the second service, called “bulletproofservers”, I started with the name itself and combined various user search manipulations and different dorks to find leads, since there is no actual domain name but only an IP address with a specific port.

The username itself led to an email address (bulletproofservers@protonmail[.]com), and the Telegram user (bulletproofservers), claiming he is the ADMIN in his BIO.

Not So Bulletproof After All

The username was part of a known data leak from a famous hacking group in 2014, revealing a GMAIL address with other details such as DOB, IP address and a user handler in this specific forum.

The email address, associated with a Google ID (114770749765884660059), appears with the photo of the service’s logo.

The username appeared in a data leak from 2019 as well, directly connected to another email: bulkhosting@hotmail[.]com, shown with details such as password, address, zip code, city and name of brand called “GameTsunami”.

When checking the brand “GameTsunami”, it appeared as a kind of hub for video gaming, nothing related to bulletproofservers.

The email address was the main thing, and the idea was to find other associations with it, from data leaks to registrations, web mentions and social media activity.

In a leaked database from 2020, I was able to find the above username and the email, in direct association with a name and what seems to be a phone number.

Finding The Owner

Once we got the name of the person associated with the email address, we already have one more crucial detail: a full address.

When using web search manipulations, I was able to get a deleted page (not archived unfortunately), that was still partly available due to cache memory.

In this search, I was able to find the full name of the individual (Christopher Walker, or as he appeared in the data leak by Chris Walker), and to prove he was a resident of this exact address and sold earlier in 2025.

And the home itself:

Infrastructure Convergence Map

This section visualizes the underlying relationship structure connecting all identified entities across the network. By mapping IP addresses, domains, email accounts, social handles, and operational identifiers, the diagram demonstrates that services which appear unrelated on the surface, BulletproofServers, NarcoScandinavia, and ElMercado, are in fact interlinked through shared infrastructure, overlapping contact points, and recurring digital identifiers.

The graph reveals a consolidated backend ecosystem tied to the same operators, highlighting how infrastructure, logistics, and retail-facing services converge into a single coordinated operation.

Overview and Organisational Profile

Asam (asam.company) is a Tehran-based software and infrastructure provider specialising in high-availability digital platforms for news agencies, broadcasters, and major online media outlets inside Iran.

The company has been active since approximately 2013, based on its publicly presented operational timeline. Asam markets itself as the technical backbone for “leading media”, managing nearly the entire technological layer of client operations, from content-management systems (Asam CMS), CDN distribution, video streaming platforms, push-notification systems, cloud hosting, security monitoring, and 24/7 operational support.

According to their own statements, they absorb the full technical burden of large-scale media publishing, enabling editorial teams to focus exclusively on content.

Comprehensive Control of Media Infrastructure

Multiple Iranian news organisations, spanning economic, political, and national outlets, credit Aasaam directly on their site footers, with phrases such as “Hosted on Aasaam servers” or “Designed and implemented by Aasaam.”

This includes major digital properties such as Donya-ye-Eqtesad, Eghtesadnews, ILNA, Afkarnews, MojNews, NamehNews, and Parsnews. The company’s public client list includes over one hundred organizations, all of which operate under Iran’s national media registry system (سامانه جامع رسانه‌های کشور). Functionally, this centralises the digital infrastructure of a large portion of Iranian media within a single private entity, giving Asam operational responsibility for uptime, security, content delivery, user analytics, and technical resilience.

In the picture: logos represent Iranian state-controlled or IRGC-linked media outlets

Presence in State-Aligned and IRGC-Narrative Media

While Asam does not identify itself as a state-owned or state-affiliated enterprise, a significant portion of its clients consistently publish content aligned with the Iranian government and IRGC narratives.

Outlets such as Afkarnews and Parsnews are known for regularly promoting messaging favourable to Iran’s security establishment, including coverage of IRGC military achievements, regional proxy activity (especially in the cyber arena), and Israel-related geopolitical developments.

• Donya-ye-Eqtesad:

  o “Unveiling of two Israeli military products in cyber attacks”

  

• Afkarnews:

  o “Classified Israeli information leaked”

  

• Asriran News:

  o “Cyber attack on data from the Israeli regime’s Iron Beam system”

Asam as a Structural Enabler of Iran’s Information Operations

Asam company’s infrastructure serves many state-licensed, state-regulated, and state-aligned media outlets, many of which propagate strategic narratives highly aligned with IRGC objectives. As such, Asam acts as a structural enabler within Iran’s broader information and influence ecosystem.

Its platforms ensure the resilience, reach, and continuity of media channels that play a central role in broadcasting ideological, political, and cyber-operation messaging in direct support of Iranian state interests.

This positions Asam as a non-state but deeply embedded node in Iran’s hybrid media-cyber apparatus, providing operational backbone to outlets that shape public perception around Iranian cyber operations, and sustaining the information environment in which groups like Cyber Toufan, Handala, NetHunt3r, and the Cyber Isnaad Front gain legitimacy and psychological impact.

Media Amplification of Iran-Aligned Cyber Operations

Over the past two years, Iranian and regional reporting has frequently highlighted cyber operations linked by Western intelligence and cybersecurity vendors to Iranian interests. Outlets hosted or built by Aasaam have prominently covered and supported activities by groups, including:

• Cyber Toufan (طوفان سایبری): Linked to destructive attacks targeting Israeli public and private sector entities.

• Handala Hacking Team (گروه هکری هندلا): Known for targeting Israeli infrastructure and exfiltrating sensitive datasets.

• NetHunt3r: A group claiming penetration of Israeli commercial and governmental services.

• Cyber Isnaad Front (جبهه اسناد سایبری): A rapidly emerging threat actor assessed as Iranian-aligned, credited with breaches of Israeli defence-industry assets, such as the hack of “Maya” defence contractor.

Asam supported news organisations function as the information-distribution layer of Iranian cyber-influence operations as they routinely publish detailed accounts of cyberattacks against Israeli entities, often with technical summaries, leaked file descriptions, and commentary aligning with IRGC-themed narratives of “resistance” and asymmetric retaliation.

For example, a headline published by Asam supported Donya-ye-Eqtesad:

“The Maya defence company hacked; classified Israeli documents offered for sale by the Cyber Isnaad Front”

Parsnews by Asam Company

Parsnews (پارس نیوز) is a conservative, pro-regime Iranian news website that openly identifies its political and organisational structure.

On the same page and in every footer on the site, there is a permanent credit: “طراحی سایت خابری و آسام برکیزی آسام”, or in a free translation: “Design/construction of the news site by ASAM Software Group”.

On its official “About Us” page, the site states: “صاحب امتیاز: محسن پیرهادی”, meaning “License holder: Mohsen Pirhadi.” Pirhadi is a known conservative figure within Iran’s political landscape, connected to hardline factions and regularly involved in state-aligned media activity. His ownership positions Parsnews not as an independent outlet, but as a platform that operates within the ideological orbit of Iran’s ruling establishment.

This creates a simple and clear technical-commercial connection: a political news site controlled by a conservative politician sits on ASAM software/development infrastructure.

Who is Mohsen Pirhadi

Mohsen Pirhadi is a conservative Iranian politician with a long-standing role inside the country’s hardline political establishment. He previously served as a member of parliament, elected on the “Revolutionary Unity List” (لیست وحدت), a coalition representing Iran’s conservative, pro-regime “revolutionary” faction.

Before that, he was a member and later the secretary of Tehran’s City Council. As of updates published in 2024, Pirhadi holds a senior government position as Deputy Minister of Oil for Parliamentary Affairs, marking his integration into Iran’s upper bureaucratic and executive structures.

In addition to his political career, Pirhadi serves as the managing editor of the conservative daily newspaper Resalat (رسالت), one of Iran’s well-known ideological newspapers historically aligned with the Islamic-revolutionary camp. Resalat has consistently represented hardline viewpoints, framing Iranian domestic and regional policies through a pro-system, religious-nationalist lens. Pirhadi’s leadership in the paper reinforces his position within Iran’s ideological media ecosystem.

A review of Resalat’s opinion section shows numerous columns written by Pirhadi himself, where he explicitly praises Qassem Soleimani, depicting him as “more than a military commander” and as a central architect of Iran’s regional “Axis of Resistance” strategy. These writings adhere closely to IRGC and Quds Force narratives, positioning Soleimani as a visionary and moral figure whose strategic direction shaped Iran’s regional posture.

For four years, Pirhadi served as the Head of the Basij Organisation of the Tehran Municipality (ریاست سازمان بسیج شهرداری تهران). The Basij is a paramilitary volunteer force operating under the command structure of the Islamic Revolutionary Guard Corps (IRGC).

In 2019, the IRGC itself was designated by the United States as a Foreign Terrorist Organization (FTO), while its external operations wing, the Qods Force (IRGC–QF), has been listed since 2007 as a Specially Designated Global Terrorist (SDGT) entity.

He was directly involved in public propaganda campaigns, responsible for large-scale anti-American billboard operations across the city, describing the high production quality and coordinated messaging as indicative of the sophisticated IRGC/Basij propaganda apparatus.

Direct contact with Iranian figures who publicly express terror support

In the political-media space where Pirhadi operates, in the hard-line “revolutionary conservative” camp, some of the most visible figures around him are senior IRGC officers. One well-documented example is Mohammad-Hossein Saffar-Harandi, a long-time IRGC cadre who served as Iran’s Minister of Culture and Islamic Guidance in Ahmadinejad’s first cabinet and then formally returned to the Guards as a cultural adviser to the IRGC commander, later becoming a member of the Expediency Council.

In 2023, in a speech reported by Iran International and echoed in other Iranian outlets, Saffar-Harandi explicitly described Hamas’s 7 October attack on Israel as “قابل تحسین” - “worthy of praise”, and added that “a handful of Basij fighters brought the world’s fourth-strongest army to the point that it was dizzy and didn’t know what to do.”

Hamas itself is designated as a Foreign Terrorist Organisation by the U.S. State Department and appears on multiple Western terrorist lists, including the USA and EU sanctions regimes. Pirhadi is plugged directly into this ecosystem: Resalat’s print and online editions carry Saffar-Harandi’s speeches and interviews under a masthead that names “مدیر مسئول: محسن پیرهادی” (“Managing Director: Mohsen Pirhadi”), and multiple conservative events covered by Iranian media, such as a conference on “revolutionary media” reported by ISNA and mass youth gatherings and cultural events reported by SNN and Borna, list both Saffar-Harandi and Mohsen Pirhadi among the main participants or guests on the same stage.

Summing Things Up

Taken together, these elements form a consistent profile of a senior figure from Iran’s “revolutionary forces,” a conservative newspaper manager, an ideological writer

promoting IRGC/Quds Force narratives, and at the same time, the registered license holder of Parsnews, A political news website controlled by a conservative politician operating on ASAM’s software and development infrastructure.

This situates Parsnews within the same ideological and political network, not merely as a neutral news site, but as a platform under the stewardship of a prominent hardline political actor.

It strengthens the argument that Parsnews operates within Iran’s state-aligned media ecosystem and reinforces government messaging through both political and ideological channels.

Introducing SPYGAMES, A Web of Digital Exploitation

SPYGAME is a transnational cyber-extortion network operating simultaneously on the clear web and the dark web (ONION), known for leaking and monetizing private photos and live camera footage of victims worldwide. The website was first seen in early 2025 under the domain spygame[.]fans, including an ONION mirror.

The platform quickly evolved into a hybrid marketplace for intrusive content and blackmail services.

The SPYGAME ecosystem commodifies the invasion of privacy, offering “Leak & Earn” incentives to contributors, paid “removal” options for victims, and even selling its entire backend as the “SPYGAME PROJECT” package, which includes the site’s code, databases, and hacking scripts for IP cameras.

This report presents a structured OSINT investigation to identify the individuals behind SPYGAME, track its evolution, and document the operational, financial, and technical ecosystem that sustains this cross-platform network.

By combining domain intelligence, blockchain tracing, infrastructure mapping, and digital-persona correlation, the research seeks to attribute ownership, expose infrastructure overlaps, and provide actionable intelligence for law-enforcement and counter-abuse initiatives.

Inside The SPYGAME Network

The network has been active since early 2025, maintaining a small but persistent presence across underground forums, a Twitter (X) channel, and a dark-web community dedicated to leaks and voyeuristic content.

The agenda driving SPYGAME is purely financial, fuelled by an underlying appeal to personal vengeance, particularly targeting individuals seeking to retaliate against women with whom they have had negative or exploitative relationships.

The platform monetizes stolen intimate content through subscription access, extortion payments, and affiliate-style “Leak & Earn” schemes.

Promotional traces of the site have surfaced on different adult-content subforums, where the actors advertise live camera feeds, data packages, and “content removal” services to attract both paying clients and new collaborators to spread the content across the web.

Financial Infrastructure

The website offers a “free taste” with blurred content of random girls, but when accessing the actual content itself, including comprehensive guides on “how to hack”, it asks the user to pay for full VIP access.

The requested amount is 249$ for lifetime access, paid via BTC to the following address: bc1q54p5m9p08fw4xnqywgt3z3l8cu9gk0fwc7t8u3

Deep Diving

Each content leak of a specific girl contains her personal details as well.
From country to her province, city, date of birth, personal phone number, and email address, all for full disclosure, and obviously, put pressure on her to pay for data removal. In this way, the threat actor always wins, if he is not paid by the content consumers, he gets paid by the victim who is eager to delete his intimate content from the website.

The old IP address of the Clearnet domain (which already got deleted) is 86.54.42.127, leading to a VPS server in Bern, Switzerland. No VPN/Proxy/Cloudflare defenders were identified. The only open ports were 80 & 443 (for web browsing) and 22 (to manage the server itself via SSH).

It’s All About the Domain

When digging in into the old clear web domain of SPYGAMES, 4 different domains were found.

Ø true-leaks[.]com

Ø njalla[.]net

Ø zxc[.]qa

Ø instafansxxx[.]com

Some of them with a clear name indicating the kind of content on those websites, and some seem like random words. Let’s check them deeply.

The domain true-leaks[.]com, owns a very suspicious name, almost having direct association to the conspiracy just by the name. Most of them are not available anymore, but older archived versions of them indeed revealed a direct connection to the content on SPYGAME and the same web design and patterns (colour, font, and country list).

In the picture: True-leaks[.]com, SPYGAME and zxc[.]qa websites

When checking the domain njalla[.]net, it revealed an anonymous domain name registrar, hosting provider and VPN provider, established by The Pirate Bay co-founder and allows an encrypted tunnel from the original computer to the Internet.
Also, it’s the exact registrar that instafansxxx[.com] used to register the domain.

Revealing the Master of Puppets

When understanding that all the domains are associated to another, and of course to SPYGAME, I have dived deeply into them to reveal the individuals associated with to them.

The domain zxc[.]qa was found in association to a few data leaks and revealed the password “zjtxkw2” and “123456”, at least on of them is kind of unique and may be used to reverse search by leaked passwords to find more details. So that is exactly what I did.

The password “zjtxkw2” was found numerous times in direct association with an email address: fasdzc@zxc.qa

The domain true-leaks[.]com was deeply investigated, and appears to be registered by a male, originally from the UK, under the name “Artur”.

And as shown in the Domain search engine:

Eventually, Anonymity Always Fails

What this investigation really shows is simple and chilling.
Massive criminal schemes don’t fail because their code is bad or their planning was amateur. They fail because people slip.

A reused email at sign-up, an overlooked EXIF tag in a hurried upload, or a careless “like” on a social post, each is a tiny, human mistake that leaves a trail.

When you stitch enough of those crumbs together, domain histories, leaked passwords, blockchain trails and offhand social signals, the mask comes off.

The takeaway for investigators is hopeful and urgent.
Persistent, patient OSINT turns small errors into big breakthroughs, and for those who think anonymity is guaranteed, sloppy OPSEC is not protection, but an open door.

Another AI Misuse

It started like most dark corners of the internet do - quietly, anonymously, and with a shiny new tech twist. Deepfucks[.]com, a website offering AI-generated pornographic videos of celebrities, quickly gained traction, drawing tens of thousands of views on each video.

While the site marketed itself as “entertainment,” what it really served was non-consensual deepfake content, hyper-realistic, sexually explicit videos using the faces of real people without their permission.

But behind the slick interface and synthetic faces was a real person. And after deep digging, I found him.

Through a detailed OSINT investigation, I traced the site’s origin back to a single operational security mistake its creator made when the site first launched.

That error cracked the anonymity he relied on. What followed was the slow, methodical process of connecting dots, emails, domains, and social media breadcrumbs, until the identity of the person behind one disturbing AI porn platform came into focus.

This is the story of how I found him, what I uncovered, and why it matters.

Let the OSINT Begin

This is not the first or last misuse of AI for purposes of Deep Fake porn, but one of the known platforms.

The official website offers direction to social media pages of the “brand” – from Facebook, to Instagram, Twitter, and YouTube, all for the purpose of gaining followers and more views when new users come to the website.

I started digging into those social media for finding clues or references to contact methods, such as email addresses or phone numbers.

Only Facebook and YouTube contained a way to engage with the owner, by solving a CAPTCHA and getting an email address, but it was a generic admin email address, which wasn’t in any data leaks or yielded any results by Google Dorks techniques.

The website itself is registered with privacy restrictions, but... What if it wasn’t always the case?

I started to look at cached versions of the website by using WayBack machine, a viewed dozens of website changes, just for the chance one of them revealed a crucial detail, but nothing was found in this department either.

It’s Pivot Time!

Not for the first time, deep and dark website owners, cyber-criminals, and others who are doing “shady stuff” tend to make mistakes that will lead future investigators to the golden ticket.

OPSEC, known as Operational Security, is the art of hiding personal details that may reveal our identity and actions. One small slip, like using a real email, can blow their cover, especially when using the email address for other needs (personal ones) as well.

Olbricht, the founder of the notorious “SilkRoad” made this mistake, extremist groups fall for this, and hopefully other criminals will too in the future.

I started digging into historical WHOIS records of the domain. There were a few, but the last one, and ironically, the oldest record, revealed the first email address used to open this domain. An email address with the domain “larsersej.dk”, with direct association to the domain “deepfucks[.]com”.

Connecting The Dots

Once I got an email address, I started checking where it appears.

Investors and researchers usually counts on the fact the email address or phone number they found is used for personal usage too, a thing the increases the fact it

associated with personal social media accounts, password breaches and internet posts that may reveal extra relevant data. It was the case.

Using Google Dorks queries, I was able to find GitHub page with metadata that reveals the exact email address used to open the domain of deepfucks[.]com, with a full name of a person who claims he owns this email address. It was all in his official GitHub

profile, which also reveals his photo, his experience and other coding projects.

In the picture: direct connection between the name on GitHub to the email address he registered with.

Also, in his GitHub BIO there was a website address with the exact same domain of the email he opened Deepfucks[.] with.

The final stage was to find clues that would claim his current location if the authorities wanted to catch him.

His Google Maps account was abundant, and no hard techniques were needed here. His recent activity claims exactly where he can be found.

A Complete Intelligence Profile

Profiling the person behind the website reveals contact methods and his social

accounts, a thing that may assist the authorities and other intelligence agencies to engage with him when needed.

For this purpose and to maintain his privacy, all PIIs (personal identification information) is blurred.

The threat landscape is always renewed and updated, with malicious softwares classified into several categories when the most common ones are Stealers or Ransomwares.

In this research, we came across an email sent to victims working in the advertising domain, containing a message prompting action and introducing them to a business cooperation worth significant amounts of money.

All the victim had to do is answer a few “questions” found in the attachment file.

The delivery method is a phishing email that includes a link to an attachment, intended to be unzipped and opened on the victim’s system.

We found evidence that the email message was actually part of a large-scale campaign trying to attack online advertising, SEO and brand growth specialists, with the purpose of stealing their Facebook advertising accounts.

Infection chain

The attacker created fake Linkedln accounts (AKA “Sock Puppets” or “Burner Accounts”), all of which shared nearly identical BIOs, email addresses and phone numbers.

The mail addresses were on newly registered domains (created between August and September 2023), trying to imitate names of famous and large internet fashion retailers such as Furla, O-bag and Pavers.

All of the accounts had similar roles as “Recruitment Specialist” and were linked by common biographies, WhatsApp numbers and email domains.

The fake accounts contacted legitimate Linkedln professionals in the areas of marketing, SEO and advertising, and asked them to contact the company’s marketing managers.

Checking the phone numbers and domains the attackers used, all of them were identified as VOIPs from the USA and the UK.

A similar recruitment operation was conducted on Upwork, a freelancer marketplace, in an attempt to reach more potential victims.

After the initial contact was established on social media, the discussion switched to emails promising a supposedly lucrative offer for business cooperation.

Other emails sent as part of this campaign explicitly mentioned large amounts of money as part of luring into the scheme.

The email domains observed throughout the investigation were all created on Squarespace (a website builder) in August - September 2023. The majority of them did not have DNS entries (meaning there is no website) and those who had, displayed generic “Coming Soon” pages.

All emails were written in good business English and contained a link to a Google document with questions to be answered by the candidates in a very short time frame as part of increasing the urgency, a very well-known technique by adversaries.

The Google Document, stripped of Metadata and styled with brand assets - logos, fonts, links to the brand website (meaning there are different versions for each retailer brand the attacker tried to impersonate) contained a link to a password protected ZIP file hosted on DropBox, which the victim was supposed to download and unzip.

The file was password protected to prevent scanning by malware detectors on DropBox.

Code Analysis

The unzipped file contained a list of media assets jpg and mp4 files) and a 1.47GB size of

.scr file - in fact a Windows executable (.exe file) which would run when double clicked by an unsuspecting victim.

Whenrunning “binwalk” onit(atoolforsearching agivenbinary imageforembedded files and executable code), wefound the code which was written inPython named Iibb1.py.

Extracting the Python file from the executable allowed us to analyze the source code. The file was unknown to VT, however Five vendors identified it as malicious (hash 1cc4759938e647675a55173f96cb7833f6daef641a7da8aa68debc74eaae9795) - either a Python Trojan or a Python Stealer.

The code performs various tasks related to collecting information from several browsers. Additionally it interacts with Facebook’s Ads Manager to gather data related to ad accounts. The code operates by the following stages :

1. It imports several Python libraries for tasks such as file operations, cryptography and making HTTP requests.

2. It retrieves information about the computer’s hostname, username and OS version (probably for additional info to check if there are exploitable CVEs due to the

non-upgraded version of the OS).

3. It takes a snapshot of the screen

4. It makes an HTTP request to https://ipinfo[.]com to obtain information about the computer’s IP address, location and country.

5. It creates a timestamp and generates a unique name for a file.

6. It defines functions to check if specific web browsers are running and to find user profiles for these very own browsers.

The specific browsers it tries to look for are Chrome, Edge, Brave, Opera, Chromium, Firefox and CocCoc - a Vietnamese browser.

7. It defines functions to copy browser data files, such as cookies and login data from user profiles, to a destination folder and then deletes the original files (essentially kicking the user out of their account).

8. It defines functions to decrypt and extract login data (usernames, passwords and cookie information ) from Firefox profiles.

9. It defines functions to interact with Facebook Ads Manager, such as obtaining access tokens and retrieving data related to ad accounts.

10. It writes the collected data, including login information and cookie data, to human readable text files.

11. It uses a Telegram bot with hard-coded credentials to exfiltrate the data from the local machine to the malware operator

12. It appears to keep track of a counter for some purpose, possibly related to the number of times the script has run on the particular machine.

Further analysis of the code reveals messages in Vietnamese, which can hint at the origin of the malware.

The headers used for the Facebook call provide both more evidence of Vietnamese involvement and a version of Chrome (112) which was the main version in April 2023, so it is likely the malware was written during that period.

The main() section of the code revealed inisindeedaStealer, tryingtoobtain data stored locally inthe browsers and using a Telegram bot for exfiltration.

Attribution

We believe the developers of the malware and its operators are Vietnamese, based on the following:

• Messages written to the logs:

  

• HTTP call headers:

  

• Special handling for CocCoc (Vietnamese browser):

  

  We were able to access the Telegram Bot used by the attackers. Using the “getUpdates” API returned a list of files as uploaded from victims’ machines, including test runs by the malware operator on their own machine (showing the presentation as a victim would see it), providing valuable insights into their identity.

  

  In the picture: The screenshot from the attacker’s machine included text in Vietnamese.

  Calling the Telegram bot’s “getChatAdministrators” API revealed the Telegram username “iamRioooo”, and the Ianguage_code “vi” (Vietnamese)

In the picture: the suspects’ Telegram account

Based on a browser profile grabbed by the malware from the supposed attacker’s computer, we came across the name “Tien Oinh Van” (apparently a very popular name in Vietnam), and a personal email address “dinhvantien20102000@gmaiI[.]com” - also, not distinct enough to allow for identification.

Based on the user names and passwords grabbed by the malware from the supposed attacker’s computer, we were able to determine with a high degree of confidence the attacker’s real identity, and that he is, or was, a student at the Dong Nai Institute of Technology.

Use of AI

Throughout our research we were very impressed with the level of written English communication by the attacker. In fact, his phishing emails and recruitment messages were so articulate we suspected we were looking at a team of attackers, one of whom is a native English speaker.

This mystery was solved when one of the screenshots from the attacker’s computer showed ChatGPT open on his screen in an attempt to generate recruitment emails for Facebook Advertising Specialists.

We have long been warned that generative AI services could be used by fraudsters for malicious purposes, such as crafting high quality phishing emails, but this is the first time we have encountered such an example in real life.

For additional defense, we have created relevant YARA rules -

1.

rule SuspiciousDomain { strings:

$domain1 = “it-furIa.com”

$domain2 = “furla-it.com”

$domain3 = “obag-it.com”

$domain4 = “pavers-co.uk”

$domain5 = “falconeri-it.com”

$domain6 = “colehaan-us.com”

$domain7 = “us-coIehaan.com” condition:

any of ($domain*)

2.

rule SuspiciousCodelndicator { strings:

$idbot1 = “V34_0110-fur-DI”

$idbot2 = “NonV45-0910-Cole-N6”

$apibot1 = “6453235748:AAHa67pMUGuvhmEuR0pIPhzWLQsMd-qAKoU”

$apibot2 = “6453235748:AAHa67pMUGuvhmEuR0pIPhzWLQsMd-qAKoU”

$newtime = /[0-9]+h[0-9]+m[0-9]+s-[0-9]+-[0-9]+-[0-9]+/

$name f = /[A-Za-z]+ [A-Za-z0-9-_]+ [0-9]+h[0-9]+m[0-9]+s-[0-9]+-[0-9]+-[0-9]+/

condition:

any of ($idbot*, $apibot*, $newtime, $name_f)

3. rule SuspiciousFBTG { strings:

$fburl = “adsmanager.facebook.com”

$tgurl = “api.telegram.org”

$import = “import” condition:

$import at 0 and $fburl and $tgurl

4. rule DetectLibb1 InZip { strings:

$zip magic = (50 4B 03 04)

$Iibb1_fiIename = “Iibb1.py”

condition:

$zip_magic at 0 and $Iibb1_fiIename

A Broadcast of Hate - The True Agenda of Radio Islam

Radio Islam (islam-radio.net) presents itself as an alternative “truth platform,” but behind the facade of a cultural or religious outlet lies one of the longest-running antisemitic propaganda hubs on the internet.

Operating across multiple languages, the site has consistently promoted Holocaust denial, conspiracy narratives about “Jewish world control”, revealing personal details of Jewish individuals living in Denmark, and rhetoric framing Jews as a global enemy that must be confronted.

While originally tied to a Swedish radio broadcast in the late 1980s, the platform has since evolved into a digital archive of ideological extremism, one that blends Neo-Nazi themes, Islamist hostility toward Israel, and calls for “struggle” against so-called Jewish domination across the globe.

This report traces the evolution of islam-radio.net from a local broadcast into a transnational hate ecosystem, examines the role of its founder in shaping its ideology, and documents how the site has functioned as both an online archive and a recruitment asset for broader extremist narratives to find out who really runs the website.

Under The Hood of Radicalization

An anonymous tip of an Israeli family living in Denmark led me to this website, as I received a phone call from a guy, claiming his wife’s name and personal details are on the website, all because she has a Jewish name, which makes her a potential target.

When reviewing this website, I came across proper propaganda against Israelis and Jewish people, extreme antisemite content, pure pro-Palestinian opinions, and significant incitement to violence.

The website includes graphic content taken from the old Nazi Germany, spreads conspiracy theories about Jews, and publishes content of Holocaust denial.

The website itself originated in Sweden in the late 1990s as the online continuation of a Stockholm-based radio program founded in 1987 by Ahmed Rami. Although its name suggests a religious or cultural Islamic broadcast, the site is not a mainstream Islamic platform but an openly antisemitic propaganda hub that has been repeatedly cited by watchdog organizations, scholars, and legal authorities as one of the most extreme hate-based websites on the internet.

The website hosts a large multilingual archive of articles, books, and documents whose central purpose is to delegitimize and demonize Jews, Zionism, and Israel.

The site positions itself as a “freedom fighter” platform and uses militant language that portrays Jews as an enemy that must be opposed, turning antisemitic conspiracy theory into a call for action, even a physical one.

Altough there is no official claim by the owner of Radio Islam, or as it is written in the website - “This Site is owned by a group of Freedom Fighters from different countries in support of Ahmed Rami‘s struggle”, this website runs in the image and insparation of Rami himself.

Ahmed Rami, who was mentioned, is a Moroccan-Swedish former military officer who fled to Sweden after allegedly taking part in a 1972 coup attempt against King Hassan II, later becoming known as one of Europe’s most prominent antisemitic propagandists.

In 1987, he founded Radio Islam in Stockholm, originally a community radio program that quickly shifted into broadcasting Holocaust denial, conspiracy theories about “Jewish/Zionist power,” and far-right extremist content.

In 1996, it moved online under the domain islam-radio.net, which has since been cited by watchdog groups (ADL, SPLC) as one of the most radical antisemitic sites on the internet.

Rami was convicted in Sweden in 1990 for “incitement against an ethnic group” and served six months in prison, and has been investigated multiple times since for similar offenses, including a 2025 conviction related to antisemitic statements and praise of Hitler.

His ideology represents a hybrid of Islamist-style anti-Zionism and European Neo-Nazi rhetoric, creating an unusual bridge between far-right and radical Islamist narratives.

From Tunisia with Hate

When checking old domain records, I noticed that the name of the domain was part of a known registrar data leak, occured a few years ago.
The leak included not only the dmian name, but an email address and a phone number associated to it.

When searching the email, I managed to find it in an XLS document from 2014, called “Selection Events”, probably a bunch of events around the area of Africa and Tunisia, alongside full names of two individuals and 2 different email addresses, as one of them is the email address that is associated directly with islam-radio.net.

The associated names are Jawhara Mohamed Ayoub, Hidoussi Ben, and Hidoussi Ahmed Farouk (who are most likely related by blood).

The email addresses (one of which is already known and directly associated with Radio Islam are hmatest@gmail[.]com and hidoussifarouk6@gmail[.]com, a personal email address of one of the individuals.

Both emails related directly to Hidoussi’s, but the email hidoussifarouk6@gmail[.]com (belongs to Farouk Hidoussi / Farouk Hidouci) found in direct association with an Instagram account of an armed individual with a face mask, standing near a vehicle that seems to be tagged with a car plate of France.

This account contains only one photo, of Algeria’s national flag and follows extremists content, such as the account “s3dosh_officiel”, that publish photos of radical Islam and owns a profile picture with the Arabic text “We belong to god, and to him we shall return”, a very known phrase taken from Quran and mostly used in terms of death and terror.

The Faces Behind Radio Islam

The email addresses and names revealed two individuals, their names already been mentioned (Farouk Hidoussi, Hidoussi Ayoub), Tech Journalists and web designers from Tunisia.

The email address and phone number that are directly associated to the domain of Radio Islam led to this individual as well, confirming his identity and direct relation and ownership to this matter.

In the picture: Object 1 Behind the Website (Hidoussi Ayoub)

In the picture: Object 2 Behind the Website (Hidoussi Farouk)

INDOHAXSEC - Introduction to Threat Actor

INDOHAXSEC is an Indonesian hacktivist group known for conducting politically motivated cyber operations and opportunistic attacks targeting government entities, corporations, and organizations across Southeast Asia and beyond, mostly Israel, India, and Azerbaijan, who known to be Israel supporters.

The group went public in early October 2024, a year after the horrific October 7th massacre by the terror organization Hamas, establishing a strong online presence under names such as “INDOHAXSEC TEAM.”

Their campaigns are characterized by large scale website defacements, DDoS attacks, and data-leak announcements often framed as acts of protest pagainst olitical and ideological adversaries. Among their more notable operations is a claimed breach of Nestlé’s internal systems, where they allegedly accessed and leaked over 28,000 corporate credentials in connection with a boycott campaign against Western-aligned companies.

INDOHAXSEC has also declared cooperation with other hacktivist entities, including the Pakistani group Team Azrael (“Angel of Death”), with stated intentions to conduct cyber operations targeting Indian digital infrastructure.

Despite self-promoted claims of developing a web-based “WannaCry-style” ransomware tool, independent verification of such capabilities remains limited, suggesting the group’s real-world expertise lies primarily in exploiting poorly secured web servers, CMS vulnerabilities, and weak credentials, their data leak operations also reclaimed.

INDOHAXSEC maintains multiple Telegram channels and social-media presence through which they publicize supposed successful intrusions, recruit collaborators, and disseminate propaganda aligned with nationalist and anti-Western narratives.

The following research sheds light on this collective and explores potential affiliations between the group’s online handles, infrastructure usage, and the broader Southeast-Asian hacktivist ecosystem.

Getting To Know INDOHAXSEC

The group has been active since October 2024, with a few dozen posts on different hacking forums, Telegram, and even a WhatsApp channel where they boast about recent cyber operations against Israel, India, Azerbaijan, and basically anyone who is “against Islam” in their opinion.

They are monetizing and promoting themselves through social media, from Instagram to TikTo,k to reach new joiners and to gain sympathy by the audience.

• TikTok: https://www.tiktok.com/@indohaxsec

• Telegram: https://t.me/Indohaxsec_Team

• Instagram: https://www.instagram.com/indohaxsec

• GitHub: https://github.com/INDOHAXSEC

Toolkit & Repositories

INDOHAXSEC maintains a public GitHub presence tied to the group’s October-2024 start, the org page and contribution history show most activity concentrated around that timeframe, and the repo README(s) and commits link back to the group’s Telegram. Their GitHub is essentially a surface-web staging area for scripts, droppers, DDoS tooling, and site-encryption code rather than a polished malware farm.

1. Ark-Cheat-Detector (modified) - A game-related repo was repurposed into a web backdoor delivery mechanism. Low sophistication, but an effective way to hide malicious PHP on web hosts.

2. NUKLIR (Python / Node.js DDoS collection) - a set of DDoS scripts available in Python and Node.js formats that enable volumetric flooding against specified targets. NUKLIR is a functional DDoS tooling (simple to use, widely re-shared) and very useful for hacktivist-style disruption, but not an advanced tradecraft.

3. RUDAL & Rudal-shell (Python / PHP) - very similar to NUKLIR but missing some external dependencies. The collection contains PHP backdoors and utility scripts for remote control of compromised web servers (file upload/download, command exec, simple web shells). These artifacts indicate a focus on maintaining web footholds and automating defacement/encryption workflows.

4. ExorLock (ransom/site-encryptor) - ExorLock ransomware project was traced back to earlier group iterations (AnonBlackFlag) via archived README files.
   ExorLock appears in the repository history and was previously claimed to have been used against an Indian target (unconfirmed).

5. XSS_Fucker (scanner / PoC) - a compiled Python scanner intended to find XSS vulnerabilities at scale. This sort of tooling automates the discovery of trivial web vulnerabilities that can then be weaponized for defacement, session theft, or initial access.

INDOHAXSEC’s toolkit is serviceable but generally low-to-moderate sophistication. The group reuses public code, forks benign projects, and injects PHP droppers/backdoors, packages commonly available DDoS/XSS scanners, and simple encryptors.

Their public posture (posting repos and demo videos) shows they favour notoriety and ease of reuse over stealth and rigorous OPSEC.

Hashtags & Focus Areas

An examination of the hashtags appearing in INDOHAXSEC’s Telegram posts offers additional perspective on their targeting patterns and victim selection. The chart below illustrates the distribution of the group’s most used hashtags since October 2024.

Known Collaborations

Ø NoName057(16)

• Nature of alliance: Publicly declared “collaboration” announced via Telegram approximately one month after INDOHAXSEC’s formation.

• Profile of partner: Pro-Russian hacktivist collective known for large-scale DDoS operations against Western and NATO-aligned infrastructure.

• Assessment: Ideological alignment (anti-Western, pro-Palestinian rhetoric) and publicity cooperation rather than formal, coordinated cyber campaigns.

  

  Ø Team Azrael (“Angel of Death”)

• Nature of alliance: Tactical, event-driven collaboration announced during India-Pakistan cyber tensions.

• Profile of partner: Pakistani hacktivist group linked to politically motivated campaigns targeting Indian entities.

• Assessment: Typical of hacktivist surge behaviour, a temporary alliance focused on geopolitical flashpoints, with no proof of long-term shared command or infrastructure.

  

  Deep Diving

  The username “INDOHAXSEC” is not common, and it is the official name of the group, so this is the starting point. When searching for that username, their Instagram profile popped up.
  By using API manipulations, I found the ID of the profile (68343877461) and managed to associate the profile with the registered email address (indohaxsec@gmail.com) and a new username - “K3T0PR4K”.

  

  The email address was also shown on the cached website of the group (that already went off-line), a thing that validates the relation of this email address to the hacking group.

  

  

  The username itself was found several times in relation to previous cyber-attacks (mostly data leaks, defacements, and DDoS attacks) against India and Israel, exactly as the group targets.

  

  The Email As a Pivot Point

  As the username itself provided only superficial evidence, I dug more into the email address itself.

  An active Google account (GMAIL) was found with a photo of two guys, covering their faces with COVID masks, one of them is wearing a hoodie with a code sample on it, and the second wears a hoodie with the logo “SurabayXploit”.

  When searing this term, I found that Surabay(a)Xploit (often seen as SurabayaBlackhat / Surabaya Xploit / Barrabravaz) appears to be an Indonesian language hacking/defacement persona or small collective that publishes exploit code, web shells, and “toolbox” repositories (PHP shells, arbitrary-file-download exploits, short URL tools, DDoS/scan scripts) on GitHub and related sites - basically a regional exploit/defacement repo hub rather than a sophisticated APT.
  
  Also, it came out that it is an annual event held in Surabaya, Indonesia, that aims to provide a platform for high school and vocational students to channel their interest in information technology.

  The alternative name mentioned above, “SurabayaBlackHat”, is in the source code of the website (view-source:https://berkeleyschools.net/B4.html) that has been hacked, including other related references, such as “indonesianblackhat”, “Jakarta Anonymous,” and “Indonesia_Hacker”

  

  When searching this term, a LinkedIn profile appeared, under the name “M.REIHAN FATAHILLAH”, A person from Surabaya, Jawa Timur, Indonesia, who claims to be an IT Security and Bug Hunting in Surabaya xploit, the only one that was found in this association.

  As shown in his LinkedIn BIO, he “plays your code with xploit”, and he owns a Cyber ​​Security community, namely SurabayaXploit.

  

Antipodean Group – Introduction

Antipodean Resistance (Known as “AR”) is an Australian neo-Nazi extremist group that was first seen in October 2016. The name “Antipodean” refers to Australia’s geographic location (the Antipodes), underscoring the group’s aim to establish a National Socialist movement in Australia.
AR was founded by young white supremacists who organized via the now-defunct Iron March forum, a notorious international far-right networking site.

In early 2016, a small cluster of Iron March users discussed forming “a new group for younger NatSocs (national socialists), 14-25” that would “take the fight to the enemy”, even suggesting actions like attacking a synagogue to show they were serious.
By October 2016, the group had a name, a logo, and its own sub-forum on Iron March, where a founding member using the alias “Xav” declared AR’s bold catchphrase: “We’re the Hitlers you’ve been waiting for”, which still appears on the website.

Their ideology is a blend of white supremacism, antisemitism, homophobia, and ultra-nationalism. The group explicitly venerates Adolf Hitler and promotes National Socialism (Nazism) as its guiding doctrine.
AR’s propaganda and internal writings reveal a belief that white Australians are in an existential struggle against “enemies”, with Jews singled out as the ultimate nemesis.

In the Nazi worldview AR subscribes to, Jews are blamed for controlling governments, banks, and media, and accused of plotting a “white genocide” by means of immigration and multiculturalism.
AR members routinely refer to this antisemitic conspiracy theory in their rhetoric, portraying Jews as the primary target of their hatred. One AR poster even called to “Legalise the execution of Jews”, illustrating the group’s genocidal mindset.
Australian authorities consider AR a dangerous extremist entity who are willing to use extreme violence.

Known “AR” Symbols & Aesthetics

The group’s logo prominently features a Totenkopf (death’s head skull, as used by Hitler’s SS) wearing an Australian Akubra-style hat, set against a Black Sun design, with a swastika and laurel wreath included.

Members often display the swastika flag, AR’s own flag is blue and white with a black swastika, and they give the Nazi salute in photos.
The slogan “We’re the Hitlers you’ve been waiting for” encapsulates their self-image as a revived Hitler Youth-style vanguard in Australia.

AR primarily recruits young, white Australian men (teens to mid-20s), insisting on physical fitness and fanatic devotion, as a reference to the known movements of 1940 Germany.
The membership is secretive and relatively small, with chapters claimed in most major Australian cities despite an overall headcount likely only in the few members adopt pseudonyms and conceal their faces (often using skull masks or digital blur) in all published images to avoid identification.

Known Affiliations

Antipodean Resistance (AR) is actively connected with a few other groups, all well-known Neo-Nazi divisions with shared tactics and ideologies, most were classified as terror and violence extremist groups by world-wide authorities, and not for nothing.

1. National Action [UK] - AR admired NA’s tactics and adopted similar militant neo-Nazi strategies.

2. Nordic Resistance Movement (NRM) [Scandinavia] - AR maintained direct communication and shared ideological alignment, including an interview with NRM’s Finnish branch.

3. Atomwaffen Division (AWD) [US] - AR and AWD maintained friendly relations, shared propaganda, and aligned in violent activities and ideology.

4. The Lads Society [Australia] - Many AR members transitioned to the Lads Society, and the groups became so intertwined that they are difficult to separate.

5. National Socialist Network (NSN) [Australia] - AR’s legacy continued in NSN after a merger with the Lads Society, with key AR figures joining NSN.

Known Cases of Violence By AR

Over the years, Antipodean Resistance (AR) has been involved in different violent incidents and hate crimes.
From vandalized schools, universities, and public spaces with neo-Nazi propaganda, including swastikas and racist slogans, causing fear among Jewish, Asian, and LGBT communities between 2016 to 2019, to a violent confrontation with anti-fascist activists when they were caught putting up homophobic posters in Melbourne in 2017.

AR has also conducted ongoing combat training camps where recruits practiced martial arts and possibly firearms handling, preparing for physical conflict.
In 2019, AR expressed support for the Christchurch Mosque shootings and echoed the shooter’s views, though no direct involvement was confirmed.

Known Members of AR

Antipodean Resistance was founded by Tim Heibach (known as “Xav”) and Jacob Hersant.
Tim was the key organizer, shaped AR’s structure and militant ideology while Jacob, who is active from a young age, became a chief organizer, involved in defacing locations with AR propaganda and later recruiting for AR’s Victoria branch.

Other early contributors include “Kehlsteinhaus” and Nathaniel Anderson, who handled propaganda and graphic design.
The group operated as a decentralized youth network, using small, autonomous cells across Australia.

While there was no public leader, internal leadership was evident through those managing the website and training camps. In 2019, many AR members transitioned to the National Socialist Network (NSN) under Tom Sewell, who became a key figure in the broader neo-Nazi scene.

Exposing New Member of AR

Over the years, a few of the AR members were exposed, no one was identified as the owner of the official website “antipodean-resistance.com”.
So, I took the initiative and started to investigate. In this research, using OSINT techniques and methodologies of intelligence collection and verifications, I present the individual behind the official website of the organization, with cross-references that allegedly validates his interests in a way that frame him as indeed one of the individuals in AR.

First, the domain

Current WHOIS records aren’t the solution, as all are restricted for privacy, so I started to figure out “what general stuff” I know about the domain?

• It’s an official website of a Neo-Nazi fascist group based in Australia. The suspected individual must be Australian at least, 100% sure a white person, probably, and statistically male. That’s a start.

• The official website of “antipodean-resistance” shares the same IP address with 5 other domains, no Cloudflare or any other protection usage, meaning the IP address I’m seeing, is indeed the IP address of the website.
  All the websites are with the same clear agenda of white-supremacist and Neo-Nazism. IP Address is 23[.]184[.]48[.]187

  

  [*] renegadetribune[.]com →

  

  [*] white-power[.]org →

  

  [*] wearswar[.]com →

  

  [*] nsdapao[.]org →

  

  [*] nvu[.]info →

  

  There is a similar agenda against child abusers appears in the official website of “antipodean-resistance” and one of the other domains hosted with the same IP address, “nvu.info”. That is a pattern.

  

When Past and Present Come Together

Since current WHOIS records aren’t yielding results, let’s check past records.
Though few registrations have been made within this domain, we do know that AR was established at the end of 2016, so the focus should be around the one or two years afterwards.

99% of the data wasn’t good enough, until I found one specific result that contained an email address, a full name, phone number ,and a country - Australia. Bingo!

The email address belongs to a person named Paul Kimbell, an Australian citizen, white male, just as assumption.
A phone number also found, with the country code of Australia, belongs to Paul as well.

Connecting The Dots

• Australianlibertyalliance[.]info: website for the Australian Liberty Alliance, a minor right-wing to far-right political party in Australia that was briefly known as the “Yellow Vest Australia”.

• Sustainabletimbertasmania[.]info: a Tasmanian Government Business Enterprise responsible for sustainably managing public production forests. Paul is from Geilston Bay, Tasmania, Australia.

• Tarkineaction[.]org: a website dedicated to supporting those who want action against the destruction of Takayna (Australia’s largest cool-temperate rainforest, located in northwest Tasmania). Australia's rainforests are a known secret training camp for members of Antipodean Resistance.

  

  When viewing Paul associated profiles, some of them, for example his Flickr account, backed the claim about his agenda of forests saving, exactly as the shown agenda in some of the domains he registered and as pictures shown in the official website of AR, showing Australian forests and the squad training camps.

  

  

  In the picture: Paul’s Flickr account, with the agenda of defending forests, exactly as the agenda of the domain he registered.

  

  

  
  In the picture: Pictures used on the official website of AR, containing known forests in Australia

Investigation Continues

The phone number that was found in association with Paul and the official domain of AR led to a Facebook profile called “Aves Animalia”, supposedly with almost no data, but there are two likes by this account.
The first is for a Facebook page called “Radical Art In Nature”, and the second for another Facebook page called “Graffiti Research Lab”, both of them claims of Graffiti as a mean to an end, exactly as AR does in now days for delivering a message.
Also, another interesting fact, one of the friends of the Facebook page “Aves Animalia” is Paul himself.

In the picture: Aves Animalia Facebook page, directly associated with the phone number found in the WHOIS records

A Complete Intelligence Profile

Profiling the person behind the website reveals contact methods and his social accounts, a thing that may assist to the authorities and other intelligence agencies to engage with him when needed.

For this purpose and to maintain his privacy, all PIIs (personal identification information) and associated online accounts are blurred.

A Threat Actor Revealed

ByteToBreach is a well-known cyber threat actor active, known primarily for carrying out opportunistic but high-impact breaches against financial institutions, airlines, and corporations across multiple regions. His attacks have been documented against Uzbekistan Airways, where he leaked passenger data, including records of U.S. government employees; Seychelles Commercial Bank, where he exfiltrated customer banking data and attempted extortion by decrypting files, and BTS Group Holdings. In this major Thai conglomerate, they stole internal LMS (Learning Management System) data and advertised ongoing network access. Additional chatter links them to breaches of academic institutions in the United States, though attribution in those cases remains less certain.

The following research sheds light on this individual and reveals connections between the threat actor and the persona behind it.

*The personal details (PII & usernames) are blurred for security and privacy*.

So, Who Are You, ByteToBreach?

A recent post in a known hacking forum by him offers reverse shell access to 2 huge corporations (Nokia & Atos), while he publishes contact methods to reach him.

• Session: 05c2db4775cb46350f16814dfe3bfa856664f315585653e4c368af08ce50b0Signalc31b

• Signal: Bytetobreach

• Email: Bytetobreach@tuta.com

All are very secure and known to be in use by cybercriminals, terrorists, investigators, and super privacy-oriented individuals.

The Investigation Starts

The user “Bytetobreach” leads to an active Telegram user with this alias. By search manipulations, the current username revealed 2 other usernames: CvHNWwEG, and iηeѕslopеz (the ‘η’ is a Latino/Greek letter).

The user Bytetobreach leads to an active Instagram account, which publishes evidence of hacking and breaches he performs (SQL Injection, ransomware, and phishing scams, including live recording from the victim’s screen).

While the users “CvHNWwEG” and “iηeѕslopеz” did not yield any results as themselves but the letter ‘η’ suggests a hint regarding the source of the language, thus the source of the individual behind the operation.

Through searching the Tuta mail, TOX address, and username provided by the attacker, a website called “bytetobreach.com” was revealed, where these contact methods are posted. He claims to “protect” others’ data from hackers, while he is the de facto attacker. A known method by criminals.

The website is full of victims that he has already attacked, and even reviews by those “clients”, saying how aggressive he was in his attacks, but after he rented his services for protecting them, he became a whole different person.

Among his victims are well-known organizations, such as banks, airways, and universities across the globe. He is well proud of his achievements, claiming to hack over 200 clients in 26 different countries.

The contact methods he provided were already mentioned, but he chose to add another revealing sentence that can hint at his way of thinking, a thing that represents him potentially in other places and can be used to cross-reference to locate the individual.

He specifically says, “Do not contact me if you are a t3rr0r!st3, or if you are into ch!ldr3n$”, meaning he owns a very straightforward mindset about child sexual abusers (CSAM) and terror-related entities.

Also, the website he operates is using WordPress as a host, another clue that may reveal useful associations.

The Domain As a Pivot Point

The domain itself wasn’t part of any data breaches or mentions around the web, and no WHOIS records were found associated with it.
When checking the IP address of the website, it led to Frankfurt, Germany, where the WordPress servers are. But… What if one of the interacting users with the IP address is associated with it?

After researching the IP address in data breaches, and an automated script with a dictionary of relevant words (such as ‘hack’, ‘dark’, ‘tuta’ [the anonymous mail provider], and others), one user came up. This is the lead.

Also, important to add - this IP address is used to host over 300+ different websites, none of them was found in the history of the following suspected user, which backs the claim that the only reason for associating with this IP address is directly related to “ByteToBreach”.

While going deeper into this user’s data, I found other relevant associations to hacking skills, privacy software, and operating systems, and of course, many usages with the letter ‘η’, as he is located in Greece.

By this data, we can understand that he is well familiar with privacy-oriented solutions (Tails OS, Tuta mail, Kali Linux, etc), that he speaks Greek, is involved with hacking tools and associated GitHub repos (such as Wi-Fi stealers), and even searched for guidance on hosting his own Darkweb site.

Also, a lot of mentions for WordPress services were found, including https://***di*.staging.wpengine.com, a staging site (private test version of WP, like a SandBox that is designed to be private and hidden from the public’s site).

New Clue Sheds Light

After reviewing thousands of lines of data, one username repeated again and again, “**uru_gr” (username blurred for privacy matters), which opened a whole new door for this investigation.

The username is directly associated with a website called “**uru.gr”, where the owner posts dozens of materials on stealers, exploits, privacy-oriented tools, and hacking materials.

Also, by the username “**uru”, in his associated data found, an ONION url was found (Darknet) with his name, meaning he used to be the admin of a website on the Darknet.
The server has already been deleted, and no archives were found.

When using the Wayback Archive Machine to check the past versions of the website, I found it was part of a Mashable leak that occurred in 2020 and revealed personal information, including usernames. His username is to be more straightforward.

In the archived version of his website, he claims to be part of Anonymous hackers, and expressed direct against child abusers, exactly as the official hacker’s website.

The http://t[.]co/HaIX**** is a direct link to **uru.GR website.

Username To Social Life

With this username revealed, tons of other data came out. From email addresses to passwords, associated accounts, and a lot more.
The Twitter (X) account with this name appears to be in direct association with cybersecurity and technology, and refers to the website with this username, Facebook account, and approves the location of Greece.

On this Twitter account, there are a lot of old posts about individuals who got arrested for child abuse and child pornography (again, repeating the strong mindset and agenda against CSAM users), and references to Anonymous hackers, a user named “TheAnon0ne”, a known hacker with a strong agenda against child abusers.

As shown previously in the archived version of his website **uru.GR, the hashtags #Anonymous, #OpPedoChat, and the user @TheAnon0ne, repeated on his Twitter as well.

Let’s understand who this **uru

More than 20 different emails were found with his nickname, including tuta email provider, but none of them yielded any significant results.
Though the nick by itself didn’t help, the website “**uRu.gr”, based on that very same nick, gave the official LinkedIn page of this entity.

The most interesting result here is the fact that there is only one employee in this company.
When checking the page to see who is the person involved with it, one name came up – Anastasis ******, from Thessaloníki, Greece.

Checking on this individual led to phone numbers and email addresses associated directly with him, and from there, to a Facebook page with 121K likes and 3.8K followers.

By the account, it appears that this individual is well familiar with hacking materials. He claims to be a cybersecurity expert (penetration testing, malware analysis, developer, red teamer), and is associated directly with **uRu.
Also, the first post his on his Facebook page includes a manual of FlipperZero, a known hacking tool that can read, copy, and emulate RFID and NFC tags, radio remotes, iButtons, and digital access keys.

In this Facebook page, older posts, one specific post came up, regarding child safety on the internet, directly connected to the “anti-pedophile” mindset, appears on the official website of the threat actor “Bytetobreach”. This post is tagged with another Facebook account under his name, with the same photo and nickname (Cyber***).

When exploring this second Facebook page's posts, more relevant posts on child safety strengthen the claim of his mindset, similar to the threat actor “Bytetobreach” that spoke directly against pedophiles on his official website.

On top of that, the username he uses on his official Facebook pages (Cyber***) is the username for **uru.news website on his behalf.

With a deeper dive into his profiles and mentions, his appearence in a freelancers website came out, specifiying his email address, phone number and some details about him owning the relevant skills that “Byetobreach” owns, that he have 16 years of expirience (which perfectly alligns with the fact that in the official website of the threat actor, that created 1 year ago, it says “15 years of expirience”), and the fact he mentions WorPress (the infrastracture of “Bytetobreach’s” website) as main skill.

A Complete Intelligence Review - Digital Footprints

Profiling the person behind the website reveals contact methods and their social accounts, a thing that may assist the authorities and other intelligence agencies to engage with them when needed.

For this purpose and to maintain his privacy, all PIIs (personal identification information) and associated online accounts are blurred.