Nariman Gharib

@nariman.bsky.social

Britain-based Iranian Activist 🚦 Cyber Espionage Investigator 👁

154 Followers  |  20 Following  |  55 Posts  |  Joined: 30.03.2023

Latest posts by nariman.bsky.social on Bluesky

KittenBusters leaked #APT35 infrastructure docs. Using leaked passwords, I accessed their Edis Global accounts & downloaded invoices. They used phone numbers from Russia, Israel & Netherlands with fake addresses, paying via crypto. files.narimangharib.com/other/CK%20-...

29.10.2025 14:17 — 👍 2    🔁 1    💬 0    📌 0

😀

28.10.2025 10:04 — 👍 0    🔁 0    💬 1    📌 0
Episode 4: Inside Charming Kitten's Financial Operations and Infrastructure Network The fourth release of leaked documents from Iran's APT35 (Charming Kitten) operation exposes something previous leaks haven't: the complete financial backbone a...

New Charming Kitten APT35 leak shows their entire budget. Bitcoin payments for domains and hosting, ProtonMail accounts (still active, I checked), Iranian shell companies, the whole operation running on maybe $10k.

28.10.2025 00:45 — 👍 5    🔁 4    💬 1    📌 0
Cyber attack on Ravin Academy; widespread leak of data on students of the Ministry of Intelligence's training institute A comprehensive database containing the personal information of students of Ravin Academy, the Ministry of Intelligence's covert training institute whose members' identities Iran International had previously exposed, has been widely published.

www.iranintl.com/202510230171

23.10.2025 16:19 — 👍 0    🔁 0    💬 0    📌 0
23.10.2025 12:45 — 👍 0    🔁 0    💬 0    📌 0

Ravin Academy confirmed the breach and published a statement.

22.10.2025 19:04 — 👍 0    🔁 0    💬 0    📌 0

Group-IB Threat Intelligence uncovered a sophisticated phishing campaign orchestrated by the Advanced Persistent Threat (APT) MuddyWater, targeting international organizations worldwide to gather foreign intelligence. www.group-ib.com/blog/muddywa... #RavinAcademy

22.10.2025 09:08 — 👍 0    🔁 0    💬 0    📌 0
Exclusive: Full Student Database of MOIS-Affiliated Ravin Academy Leaked Based on the intelligence assessments from multiple government agencies, Ravin Academy functions as a MOIS-directed recruitment and training front operating und...

A comprehensive database containing complete registration records of Ravin Academy students has been obtained by me, revealing detailed personal information of individuals enrolled in the organization's training programs.

blog.narimangharib.com/posts/2025%2...

22.10.2025 07:43 — 👍 0    🔁 0    💬 1    📌 2
18.10.2025 05:01 — 👍 0    🔁 0    💬 0    📌 0
Part two and three of the leaked Charming Kitten files reveal operations across five continents In my previous analysis of the Charming Kitten leak, I examined the unprecedented breach that exposed the inner workings of an Iranian state-sponsored hacking o...

BellaCiao was developed at Tehran's Shuhada base. Moses Staff & Sahyoun24 weren't independent—all run by the same IRGC unit. MORE... blog.narimangharib.com/posts/2025%2... #APT35

16.10.2025 09:44 — 👍 3    🔁 1    💬 0    📌 0

t.me/narimangharib

01.10.2025 10:55 — 👍 0    🔁 0    💬 0    📌 0
Massive Leak Exposes Inner Workings of Iranian Hacking Group Charming Kitten In what appears to be one of the most significant breaches of an Iranian state-sponsored hacking operation to date, an anonymous source has published internal d...

Breaking News: Iranian Advanced Persistent Threat Group #APT35 Has Been Compromised, with Internal Documents Leaked Online

blog.narimangharib.com/posts/2025%2...

30.09.2025 21:14 — 👍 2    🔁 1    💬 1    📌 1
Teenagers charged over Transport for London cyber attack Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested

BREAKING: Two teenagers charged over 'Scattered Spider' Transport for London cyber attack. About to appear in court for first time. I'm here for BBC so follow the story for updates: www.bbc.co.uk/news/article...

18.09.2025 13:29 — 👍 10    🔁 5    💬 1    📌 1
Iran-linked hacker group doxes journalists and amplifies leaked information through AI chatbots Rapid Response Mechanism Canada (RRM Canada) has detected a “hack and leak” operation by Iran-linked hacker group, “Handala Hack Team” (Handala). The operation targeted five Iran International journal...

www.international.gc.ca/transparency...

13.09.2025 13:31 — 👍 0    🔁 0    💬 0    📌 0

It's truly enjoyable to see the efforts of the Islamic Republic's cyber forces as they try to use social engineering on me.

10.09.2025 11:48 — 👍 0    🔁 0    💬 0    📌 0

Your cyber threat intel is part of the North Korean strategy: DPRK operators are abusing CTI platforms to see if they’ve been seen—and moving faster because of it. 👀

04.09.2025 13:57 — 👍 7    🔁 8    💬 1    📌 0
Exclusive: How North Korean hackers are using fake job offers to steal cryptocurrency North Korean hackers are saturating the cryptocurrency industry with credible-sounding job offers as part of their campaign to steal digital cash, according to new research, raw data, and interviews.

Granular look here from @ajvicens.bsky.social and me on how job seekers in the cryptocurrency industry are being bombarded with fake job offers from North Korean hackers. Based on 19 interviews with targets and research from cyber firms @sentinelone.com and Validin

www.reuters.com/world/asia-p...

04.09.2025 16:02 — 👍 7    🔁 4    💬 0    📌 1

There might be some kind of history in my ancestors that I’m not aware of. 😆

03.09.2025 20:12 — 👍 0    🔁 0    💬 0    📌 0

🤣🤣🤣🤣🤣🤣

03.09.2025 17:57 — 👍 0    🔁 0    💬 1    📌 0
The impact of the Salesloft Drift breach on Cloudflare and our customers An advanced threat actor, GRUB1, exploited the integration between Salesloft’s Drift chat agent and Salesforce to gain unauthorized access to Salesforce tenants of Cloudflare and many other companies.

A recent security issue announced by Salesloft has impacted many companies, including Cloudflare. Read more

https://blog.cloudflare.com/response-to-salesloft-drift-incident/?utm_campaign=cf_blog&utm_content=20250902&utm_medium=organic_social&utm_source=bluesky

02.09.2025 17:14 — 👍 12    🔁 5    💬 2    📌 0

A UK government study has found that, despite being aware that cyber insurance exists and is an option, most British companies struggle to understand insurance policy details, which is impeding a broader adoption

www.gov.uk/government/p...

02.09.2025 19:38 — 👍 9    🔁 3    💬 2    📌 0
Charming Kitten 2025: Strategic Target Selection and Researcher Surveillance Analysis Overview This research examines a new Charming Kitten campaign utilizing advanced impersonation tactics, long-term monitoring of security researchers, and unique infrastructure. This analysis is base...

Screw it, unlocking the paywall on my Charming Kitten investigation. Everyone should know how they're impersonating former Pentagon officials to target activists. Full technical details, IoCs, everything that was VIP-only is free now
vip.narimangharib.com/charming-kit...
#APT35

29.08.2025 12:23 — 👍 5    🔁 4    💬 0    📌 0
The Telegram Trap: Why Iran's The Islamic Republic is floating the idea of unblocking Telegram again, and if you believe this is about digital freedom, I have a bridge in Tehran to sell you....

The Islamic Republic is floating the idea of unblocking Telegram again

blog.narimangharib.com/posts/2025%2...

28.08.2025 16:32 — 👍 0    🔁 0    💬 0    📌 0

In recent hours, intelligence agencies in the Islamic Republic, including the Shahid Kaveh group, have attempted to deny any cyberattacks on their ships by LabD cyber group. And as always, they said I am a member of unit 8200 of the Israeli army. 😆😆

23.08.2025 11:03 — 👍 0    🔁 0    💬 0    📌 0
Inside the Lab-Dookhtegan Hack: How Iranian Ships Lost Their Voice at Sea Lab-Dookhtegan has been systematically targeting Iranian infrastructure for months now, and when they reached out about their latest operation, I knew it would ...

LabDookhtegan paralyzed 64 Iranian ships at sea last night, again...

blog.narimangharib.com/posts/2025%2... #Iran #CyberAttack

22.08.2025 09:53 — 👍 0    🔁 0    💬 1    📌 0

In May, we, alongside CBC's Visual Investigation Unit, @tjekdet.dk and @politiken.dk revealed the identity of the key administrator behind one of the largest AI porn sites. Dutch politicians across political parties are now calling for the Canadian to be extradited. www.cbc.ca/news/canada/...

14.08.2025 09:44 — 👍 176    🔁 79    💬 5    📌 3

Iran's defense sector offers $213,000 prize for counter-drone technology, seeking systems to detect and neutralize small UAVs through jamming, AI tracking, or physical interception. Competition highlights Tehran's push for indigenous anti-drone capabilities hxxps://archive[.]is/qCyIt

14.08.2025 08:20 — 👍 1    🔁 0    💬 0    📌 0
Handala Hacker Exposed: Iran International Identifies Intelligence Ministry Operative Behind Cyber Attack Tonight, Iran International TV revealed the identity of one of the key figures behind the Handala hacking group that claimed responsibility for attacking the ne...

You can watch the video here with English subtitles: blog.narimangharib.com/posts/2025%2...

13.08.2025 22:15 — 👍 1    🔁 1    💬 0    📌 0

Tonight, Iran International TV exposed the identity of a Handala hacking group admin—part of the Banished Kitten cyber unit I've previously reported on—and unmasked his handler in Iran's Ministry of Intelligence.

- Morteza Aftabi-Far
- Ali Bermoudeh

13.08.2025 20:15 — 👍 15    🔁 5    💬 1    📌 2
09.08.2025 12:26 — 👍 1    🔁 1    💬 0    📌 0

@nariman is following 19 prominent accounts