Laissez-farsi
Welcome to Memetic Warfare.
After the past few posts covered China, we’ll be going back to other topics this week.
The first is Iran. I published an investigation last week at the FDD - alongside Joe Truzman - looking at a persistent Iranian espionage operation, available here. Recorded Future (we’ll discuss below) first published on it.
Like other Iranian espionage operations covered here, this operation overtly identifies itself as Iranian:
This operation has some unique components. As per its name, it’s tied to the MOIS and not the IRGC. It also has three additional channels: the “HR” channel of VIPEmployment02bot, and “social media” channels in English/Hebrew and Arabic.
Readers of the blog may remember the VIPEmploymentBot operation from past posts - see here:
So, it’s back it seems, and is doubling down on the influence element.
The affiliate channel shares AI-generated propaganda content seeking to recruit Israelis in the “Mossad, Shabak the police forces and people with access to any national databases” alongside “regular people from all walks of life”:
The channel shares content from those actually recruited, at least allegedly:
The channel also shares content from Handala channels, mainly Handala Partisans, their latest recruitment effort:
The Iranian Intelligence Voice channel also shared general news-style propaganda in English, Hebrew and Arabic, while promoting the recruitment bot:
The channels have since been taken down, but share the same recent trends we’ve seen from Iran:
Fusing recruitment for espionage and sabotage with influence operations
Overt affiliation with Iran, presumably to sharpen the psychological impact while also filtering out recruits to those who don’t mind working for Iran
Targeting Israeli defense and security personnel.
It’s interesting to see Iran-branded operations, let alone specific organizational affiliation. I wonder to what degree this is the MOIS learning from the IRGC or competition perhaps for clicks.
This operation mimics a fair amount from the previous IRGC operation targeting Israeli defense personnel, but it also shares the laissez-faire approach to operational security that the MOIS has. Whereas the IRGC operation targeted specific Israelis with SMSes and tried to avoid detection to some degree, the MOIS revels in its exposure.
Let’s move on. I want to shout out Recorded Future for putting out some great research as of late.
The first report I want to shout out is his look at Handala, available here. I know we’re all sick of Handala, at least I am, but it’s worth looking at and is quite comprehensive.
As stated at the beginning of this post, the report first exposed round 2 of the VIPEmploymentBot, pointing out its crossposting with Handala:
The report also covered the amplification of the VIPEmploymentBot and 02 historically:
He also points out that Iranian actors pushed the channel globally - from unrelated groups in Latin America to others - mainly to promote the IO side of the operation.
Some of the posts in Arabic called for “cooperation” from Muslims worldwide, calling on them to kill Americans and Israelis as well as their infrastructure, and of course upload propaganda content.
The report also looks at the historical side of things, with the BraveIL operation active in mid 2024 serving as as as an early stab at virtual espionage, a few months prior to the first VIPEmploymentBot operation:
Great stuff and I’d recommend reading it.
Another interesting report from Recorded Future was their exposure of a network of domains and services that enable the busting of sanctions for sanctioned vessels and companies. Really interesting stuff, including fake certificate generation and other services - check it out here.
That’s it for this week, thanks for reading.