A regional transit authority bound to nowhere
Welcome to Memetic Warfare. This week will be a bit shorter than usual.
I’m sure you’ve all been waiting with bated breath, as have I, to determine whether Ababil of Minab was IRGC- or MOIS-run.
Your wait has now come to an end thanks to Gambit, which published a report attributing Ababil of Minab to the MOIS, specifically the same group behind Black Shadow. Check out the main points below:
I’ll save you the details, though it’s a pretty concise report, so if you’re interested, give it a read. Having said that, they later targeted the South Florida Regional Transportation Authority by hitting an exposed RDP instance and going from there to live off the land.
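The initial-access pattern above, an RDP logon from outside the network followed by living-off-the-land execution, is a simple chain to hunt for. The script below is an added example and is not code from this newsletter or from the Gambit report; the log format, field names, the hostnames and users, and the IP addresses in the sample are all constructed for illustration, and the LOLBin list is a short illustrative subset, not a complete one.

```python
"""Flag living-off-the-land binaries launched shortly after an RDP logon
from a non-private source address.

Added example; the 'ts key=value ...' log format, hostnames, users and IPs
are constructed and are not taken from the post or the Gambit report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges; anything outside these is treated as external for this example.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Illustrative subset of common Windows living-off-the-land binaries.
LOLBINS = {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe",
           "rundll32.exe", "mshta.exe", "bitsadmin.exe", "schtasks.exe"}

RDP_LOGON_TYPE = 10  # Windows 4624 logon type 10 = RemoteInteractive (RDP)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "logon" or "process"
    user: str
    src_ip: str = ""   # logon events only
    logon_type: int = 0
    image: str = ""    # process events only


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts key=value ...' line into an Event."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(
        ts=datetime.fromisoformat(ts_str),
        host=kv["host"],
        kind=kv["kind"],
        user=kv["user"],
        src_ip=kv.get("src", ""),
        logon_type=int(kv.get("type", 0)),
        image=kv.get("image", "").lower(),
    )


def is_external(ip: str) -> bool:
    """True when the address is not in any RFC 1918 range."""
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def find_rdp_lol_chains(lines, window=timedelta(hours=1)):
    """Return (host, user, src_ip, image) for every LOLBin launched within
    `window` after an external RDP logon by the same user on the same host."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    rdp_logons = [e for e in events
                  if e.kind == "logon" and e.logon_type == RDP_LOGON_TYPE
                  and e.src_ip and is_external(e.src_ip)]
    hits = []
    for proc in events:
        if proc.kind != "process" or proc.image not in LOLBINS:
            continue
        for logon in rdp_logons:
            same_session = logon.host == proc.host and logon.user == proc.user
            if same_session and timedelta(0) <= (proc.ts - logon.ts) <= window:
                hits.append((proc.host, proc.user, logon.src_ip, proc.image))
                break
    return hits


# Constructed sample log: one external RDP session that runs LOLBins, one
# internal RDP session, one non-RDP network logon, and one late process.
SAMPLE_LOG = """
2024-05-01T09:58:00 host=fileserver kind=logon user=svc_backup src=203.0.113.45 type=10
2024-05-01T10:02:30 host=fileserver kind=process user=svc_backup image=powershell.exe
2024-05-01T10:03:00 host=fileserver kind=process user=svc_backup image=certutil.exe
2024-05-01T10:10:00 host=hr-pc kind=logon user=alice src=192.168.1.20 type=10
2024-05-01T10:12:00 host=hr-pc kind=process user=alice image=cmd.exe
2024-05-01T11:00:00 host=fileserver kind=logon user=admin src=198.51.100.7 type=3
2024-05-01T11:05:00 host=fileserver kind=process user=admin image=wmic.exe
2024-05-01T13:00:00 host=fileserver kind=process user=svc_backup image=cmd.exe
""".strip().splitlines()


if __name__ == "__main__":
    for hit in find_rdp_lol_chains(SAMPLE_LOG):
        print("suspicious RDP -> LOLBin chain:", hit)
```

Only the two processes in the external svc_backup session are flagged: the internal RDP session on hr-pc, the type 3 network logon, and the cmd.exe run three hours after the session started all fall outside the rule. In a real deployment the window and the LOLBin list are the knobs to tune, and the source-address check should use your own address allocation rather than the RFC 1918 ranges alone.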
Gambit noticed that Ababil had somehow managed to enroll in OpenAI’s security research program! Otherwise, how could they have possibly bypassed ChatGPT’s guardrails to get it to help them with their malware development and scripting? Jokes aside, good catch in the video.
They also use a self-signed certificate, which Iranian threat actors love and we’ll get back to momentarily:
They also apparently are moving into low-level languages, doing some dev work in C++. I don’t recall many cases of C++ being used by MOIS threat actors, so that’s a step up:
Gambit attributed the operation to the MOIS by virtue of overlap with past infrastructure, specifically the MOIS-run “nefeshhope” operation:
And to conclude:
Great stuff overall and looking forward to seeing more from Gambit.