Et Tu, Metus?
Welcome to Memetic Warfare.
This week’s post will cover Meta’s new Quarterly Adversarial Threat Report for Q1 of 2025 (see here).
Unfortunately, like Facebook itself, their quarterly threat report now seems to be on life support, coming in at a paltry 8 pages:
Do you really need an executive summary if you only have 3 pages of actual content?
The first operation is China-based:
There isn’t really anything new here - past ties to previously exposed similar operations, showing that this is just recidivist activity. The takedown amount is small, narratives are nothing new - nothing really worth noting.
Iran is a bit more interesting but not by much:
Again, small number of accounts taken down, known hashtags/tactics, small ad spend but they had some successful accounts at least. Only interesting part to me was the targeting of Azerbaijan and Turkey, which isn’t surprising but nice to see confirmed. I’d also like to see the ties to Storm-2035, which we aided in the attribution of before as mentioned by OpenAI, but Meta is playing things close to the chest.
We can get a better understanding of those ties by looking at the threat indicators:
Here we see that they refer to israelboycottvoice, a domain that my colleague Max Lesser and I exposed at the FDD and on Memetic Warfare - see below. In all seriousness, it’s a bummer that Meta didn’t refer to our past reporting on this domain or even say (as has happened in the past) that they referred to third-party reporting such as ours, as we exposed it over half a year ago. See the Memetic Warfare post below:
Iranian IO Domains - Sneak Peek
We didn’t come across Palestinesupporter, so let’s see what’s up there.
Looking at a past scanned copy shows that it was involved in organizing protests with a petition-style signup:
Interestingly, the passive DNS shows that it was hosted mainly on Cloudflare, with no dedicated hosts showing up:
The archived page also has links to a few social media entities, including a somehow still active Instagram account - how does this domain get listed as an indicator yet its accounts are still up?
There’s also Twitter and TikTok, and the whole thing hasn’t been active for a while.
So, this one domain is an anomaly - not hosted on any dedicated hosts, used Cloudflare and Amazon successfully, with minimal operational security slipups. I wonder how this domain fits exactly into the rest of the network, as only Meta found it.
Anyway, let’s wrap it up here. Meta’s threat report is continuing to die a slow death, with Meta now putting out several-page, undetailed reports. At least they still put out a few indicators to work with.