Grepping me softly
Welcome to Memetic Warfare. This week we’ll look at some interesting stuff brought up by Iranian dissident Nariman Gharib.
The first finding from Gharib is an analysis of the recent KittenBusters leak - apparently, they were behind not only Moses Staff (which we’ve discussed before) but also the outlet Sahyoun24.
Sahyoun24, or Zion24, is thus a pretty overt influence operation, apparently run by female operators. Sahyoun24 is an interesting operation in that it’s semi-overt, featuring accounts on Iranian social media platforms such as Aparat.
They’re active not only on a Persian-language domain, but also on Arabic, English and Hebrew ones.
There are backup domains on .com and .info; only the .com is up, but it’s different from the main site.
All of their accounts only have a few followers except for Telegram, which has over 10,000.
They’re not trying hard to hide their hosting either - two past hosts are Namecheap, one Iranian. One appears to be a dedicated Namecheap host, which should be easy enough to report/take down.
Most of the other findings here are boring, but the important part is the semi-overt nature. This looks more like domestic IO first (makes sense that it’s a counterintelligence group behind it then), foreign IO last. It’s also in that increasingly overt area with Iran - now that there’s no risk of being overt, why not be overt and not even try to hide affiliations?
Gharib has been up to other shenanigans as well of late. He apparently acquired a copy of the registration records of Ravin Academy students. Ravin Academy is a sanctioned organization that allegedly trains cyber operators for the Iranian MOIS.
This is interesting in and of itself, and Gharib has set up an aesthetically-pleasing domain hosting the database, available here.
I’m bringing this up not only because it’s cool and interesting and arguably useful to many, but because it takes the step that is always so lacking in this type of activity: indexing it.
People love posting full databases online, forcing anyone who wants to work with them to download and grep them like there’s no tomorrow, or god forbid fuse multiple files if they’re uploaded as a bunch of disjointed CSVs or other formats. Making them accessible online is a MUCH more impactful way of making sure the information actually reaches its target.
That’s it for this week, thanks for reading.










