Nariman Gharib
@nariman.bsky.social
Britain-based Iranian Activist 🚦 Cyber Espionage Investigator 👁
New Charming Kitten APT35 leak shows their entire budget. Bitcoin payments for domains and hosting, ProtonMail accounts (still active, I checked), Iranian shell companies, the whole operation running on maybe $10k.
Episode 4: Inside Charming Kitten's Financial Operations and Infrastructure Network
The fourth release of leaked documents from Iran's APT35 (Charming Kitten) operation exposes something previous leaks haven't: the complete financial backbone a...
blog.narimangharib.com
October 28, 2025 at 12:45 AM
New Charming Kitten APT35 leak shows their entire budget. Bitcoin payments for domains and hosting, ProtonMail accounts (still active, I checked), Iranian shell companies, the whole operation running on maybe $10k.
Group-IB Threat Intelligence uncovered a sophisticated phishing campaign orchestrated by the Advanced Persistent Threat (APT) MuddyWater, targeting international organizations worldwide to gather foreign intelligence. www.group-ib.com/blog/muddywa... #RavinAcademy
www.group-ib.com
October 22, 2025 at 9:08 AM
Group-IB Threat Intelligence uncovered a sophisticated phishing campaign orchestrated by the Advanced Persistent Threat (APT) MuddyWater, targeting international organizations worldwide to gather foreign intelligence. www.group-ib.com/blog/muddywa... #RavinAcademy
A comprehensive database containing complete registration records of Ravin Academy students has been obtained by me, revealing detailed personal information of individuals enrolled in the organization's training programs.
blog.narimangharib.com/posts/2025%2...
blog.narimangharib.com/posts/2025%2...
Exclusive: Full Student Database of MOIS-Affiliated Ravin Academy Leaked
Based on the intelligence assessments from multiple government agencies, Ravin Academy functions as a MOIS-directed recruitment and training front operating und...
blog.narimangharib.com
October 22, 2025 at 7:43 AM
A comprehensive database containing complete registration records of Ravin Academy students has been obtained by me, revealing detailed personal information of individuals enrolled in the organization's training programs.
blog.narimangharib.com/posts/2025%2...
blog.narimangharib.com/posts/2025%2...
BellaCiao was developed at Tehran's Shuhada base. Moses Staff & Sahyoun24 weren't independent—all run by the same IRGC unit. MORE... blog.narimangharib.com/posts/2025%2... #APT35
Part two and three of the leaked Charming Kitten files reveal operations across five continents
In my previous analysis of the Charming Kitten leak, I examined the unprecedented breach that exposed the inner workings of an Iranian state-sponsored hacking o...
blog.narimangharib.com
October 16, 2025 at 9:44 AM
BellaCiao was developed at Tehran's Shuhada base. Moses Staff & Sahyoun24 weren't independent—all run by the same IRGC unit. MORE... blog.narimangharib.com/posts/2025%2... #APT35
Breaking News: Iranian Advanced Persistent Threat Group #APT35 Has Been Compromised, with Internal Documents Leaked Online
blog.narimangharib.com/posts/2025%2...
blog.narimangharib.com/posts/2025%2...
Massive Leak Exposes Inner Workings of Iranian Hacking Group Charming Kitten
In what appears to be one of the most significant breaches of an Iranian state-sponsored hacking operation to date, an anonymous source has published internal d...
blog.narimangharib.com
September 30, 2025 at 9:14 PM
Breaking News: Iranian Advanced Persistent Threat Group #APT35 Has Been Compromised, with Internal Documents Leaked Online
blog.narimangharib.com/posts/2025%2...
blog.narimangharib.com/posts/2025%2...
Reposted by Nariman Gharib
BREAKING: Two teenagers charged over 'Scattered Spider' Transport for London cyber attack. About to appear in court for first time. I'm here for BBC so follow the story for updates: www.bbc.co.uk/news/article...
Teenagers charged over Transport for London cyber attack
Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested
www.bbc.co.uk
September 18, 2025 at 1:29 PM
BREAKING: Two teenagers charged over 'Scattered Spider' Transport for London cyber attack. About to appear in court for first time. I'm here for BBC so follow the story for updates: www.bbc.co.uk/news/article...
It's truly enjoyable to see the efforts of the Islamic Republic's cyber forces as they try to use social engineering on me.
September 10, 2025 at 11:48 AM
It's truly enjoyable to see the efforts of the Islamic Republic's cyber forces as they try to use social engineering on me.
Reposted by Nariman Gharib
Your cyber threat intel is part of the North Korean strategy: DPRK operators are abusing CTI platforms to see if they’ve been seen—and moving faster because of it. 👀
September 4, 2025 at 1:58 PM
Your cyber threat intel is part of the North Korean strategy: DPRK operators are abusing CTI platforms to see if they’ve been seen—and moving faster because of it. 👀
Reposted by Nariman Gharib
Granular look here from @ajvicens.bsky.social and I on how job seekers in the crypto currency industry are being bombarded with fake job offers from North Korean hackers. Based on 19 interviews with targets and research from cyber firms @sentinelone.com and Validin
www.reuters.com/world/asia-p...
www.reuters.com/world/asia-p...
Exclusive: How North Korean hackers are using fake job offers to steal cryptocurrency
North Korean hackers are saturating the cryptocurrency industry with credible-sounding job offers as part of their campaign to steal digital cash, according to new research, raw data, and interviews.
www.reuters.com
September 4, 2025 at 4:02 PM
Granular look here from @ajvicens.bsky.social and I on how job seekers in the crypto currency industry are being bombarded with fake job offers from North Korean hackers. Based on 19 interviews with targets and research from cyber firms @sentinelone.com and Validin
www.reuters.com/world/asia-p...
www.reuters.com/world/asia-p...
Reposted by Nariman Gharib
A recent security issue announced by Salesloft has impacted many companies, including Cloudflare. Read more
https://blog.cloudflare.com/response-to-salesloft-drift-incident/?utm_campaign=cf_blog&utm_content=20250902&utm_medium=organic_social&utm_source=bluesky
https://blog.cloudflare.com/response-to-salesloft-drift-incident/?utm_campaign=cf_blog&utm_content=20250902&utm_medium=organic_social&utm_source=bluesky
The impact of the Salesloft Drift breach on Cloudflare and our customers
An advanced threat actor, GRUB1, exploited the integration between Salesloft’s Drift chat agent and Salesforce to gain unauthorized access to Salesforce tenants of Cloudflare and many other companies.
blog.cloudflare.com
September 2, 2025 at 5:14 PM
A recent security issue announced by Salesloft has impacted many companies, including Cloudflare. Read more
https://blog.cloudflare.com/response-to-salesloft-drift-incident/?utm_campaign=cf_blog&utm_content=20250902&utm_medium=organic_social&utm_source=bluesky
https://blog.cloudflare.com/response-to-salesloft-drift-incident/?utm_campaign=cf_blog&utm_content=20250902&utm_medium=organic_social&utm_source=bluesky
Reposted by Nariman Gharib
A UK government study has found that, despite being aware that cyber insurance exists and is an option, most British companies struggle to understand insurance policy details, which is impeding a broader adoption
www.gov.uk/government/p...
www.gov.uk/government/p...
September 2, 2025 at 7:38 PM
A UK government study has found that, despite being aware that cyber insurance exists and is an option, most British companies struggle to understand insurance policy details, which is impeding a broader adoption
www.gov.uk/government/p...
www.gov.uk/government/p...
Screw it, unlocking the paywall on my Charming Kitten investigation. Everyone should know how they're impersonating former Pentagon officials to target activists. Full technical details, IoCs, everything that was VIP-only is free now
vip.narimangharib.com/charming-kit...
#APT35
vip.narimangharib.com/charming-kit...
#APT35
Charming Kitten 2025: Strategic Target Selection and Researcher Surveillance Analysis
Overview
This research examines a new Charming Kitten campaign utilizing advanced impersonation tactics, long-term monitoring of security researchers, and unique infrastructure. This analysis is base...
vip.narimangharib.com
August 29, 2025 at 12:23 PM
Screw it, unlocking the paywall on my Charming Kitten investigation. Everyone should know how they're impersonating former Pentagon officials to target activists. Full technical details, IoCs, everything that was VIP-only is free now
vip.narimangharib.com/charming-kit...
#APT35
vip.narimangharib.com/charming-kit...
#APT35
The Islamic Republic is floating the idea of unblocking Telegram again
blog.narimangharib.com/posts/2025%2...
blog.narimangharib.com/posts/2025%2...
The Telegram Trap: Why Iran's
The Islamic Republic is floating the idea of unblocking Telegram again, and if you believe this is about digital freedom, I have a bridge in Tehran to sell you....
blog.narimangharib.com
August 28, 2025 at 4:32 PM
The Islamic Republic is floating the idea of unblocking Telegram again
blog.narimangharib.com/posts/2025%2...
blog.narimangharib.com/posts/2025%2...
LabDookhtegan paralyzed 64 Iranian ships at sea last night, again...
blog.narimangharib.com/posts/2025%2... #Iran #CyberAttack
blog.narimangharib.com/posts/2025%2... #Iran #CyberAttack
Inside the Lab-Dookhtegan Hack: How Iranian Ships Lost Their Voice at Sea
Lab-Dookhtegan has been systematically targeting Iranian infrastructure for months now, and when they reached out about their latest operation, I knew it would ...
blog.narimangharib.com
August 22, 2025 at 9:54 AM
LabDookhtegan paralyzed 64 Iranian ships at sea last night, again...
blog.narimangharib.com/posts/2025%2... #Iran #CyberAttack
blog.narimangharib.com/posts/2025%2... #Iran #CyberAttack
Reposted by Nariman Gharib
In May, we, alongside CBC's Visual Investigation Unit, @tjekdet.dk and @politiken.dk revealed the identity of the key administrator behind one of the largest AI porn sites. Dutch politicians across political parties are now calling for the Canadian to be extradited. www.cbc.ca/news/canada/...
August 14, 2025 at 9:44 AM
In May, we, alongside CBC's Visual Investigation Unit, @tjekdet.dk and @politiken.dk revealed the identity of the key administrator behind one of the largest AI porn sites. Dutch politicians across political parties are now calling for the Canadian to be extradited. www.cbc.ca/news/canada/...
Iran's defense sector offers $213,000 prize for counter-drone technology, seeking systems to detect and neutralize small UAVs through jamming, AI tracking, or physical interception. Competition highlights Tehran's push for indigenous anti-drone capabilities hxxps://archive[.]is/qCyIt
August 14, 2025 at 8:20 AM
Iran's defense sector offers $213,000 prize for counter-drone technology, seeking systems to detect and neutralize small UAVs through jamming, AI tracking, or physical interception. Competition highlights Tehran's push for indigenous anti-drone capabilities hxxps://archive[.]is/qCyIt
Tonight, Iran International TV exposed the identity of a Handala hacking group admin—part of the Banished Kitten cyber unit I've previously reported on—and unmasked his handler in Iran's Ministry of Intelligence.
- Morteza Aftabi-Far
- Ali Bermoudeh
- Morteza Aftabi-Far
- Ali Bermoudeh
August 13, 2025 at 8:15 PM
Tonight, Iran International TV exposed the identity of a Handala hacking group admin—part of the Banished Kitten cyber unit I've previously reported on—and unmasked his handler in Iran's Ministry of Intelligence.
- Morteza Aftabi-Far
- Ali Bermoudeh
- Morteza Aftabi-Far
- Ali Bermoudeh
