Mehran Armiyon

220 posts

@arm1yon

Security Enthusiast

Joined October 2022
355 Following · 165 Followers
Pinned Tweet
Mehran Armiyon @arm1yon ·
In one of #Telerik's recent updates, I noticed a fix for CVE-2024-10095, an insecure deserialization vulnerability in their UI for WPF. So I thought, what a perfect time for a patch analysis :) Check it out here: armiyon.me/blog/2025/cve-…
Mehran Armiyon retweeted
Dark Web Informer @DarkWebInformer ·
‼️🇮🇷 The IRGC (Islamic Revolutionary Guard Corps) surveillance system and Iranian police database have allegedly been leaked and posted for free download on a popular cybercrime forum.

‣ Threat Actor: IamNotaFBIWorker
‣ Category: Data Breach / Leak
‣ Victim: IRGC Surveillance System / Iranian Police
‣ Industry: Government / Military / Law Enforcement
‣ Country: Iran

The data leak allegedly exposes sensitive information and the inner workings of the state's monitoring apparatus. The information allegedly leaked includes:

▪️ User Account Details and Activity Metrics
▪️ Social Connections and Interactions
▪️ Sensitive Personal Information
▪️ Machine Learning-Based Sentiment Analysis (e.g., "Against" the state)
▪️ Emotion Analysis of User Content (e.g., "ANGRY", "SAD")
▪️ Topic Categorization (e.g., "political", "economical")

Two separate archives were posted for free download: the SEPAH-X-SURVEILLANCE dataset and a separate Iranian police database (mini). The threat actor stated they hope Iran takes this as a lesson.
Mehran Armiyon retweeted
International Cyber Digest @IntCyberDigest ·
🚨‼️ CRITICAL: Ubiquiti UniFi Network Application vulnerabilities were just disclosed

CVE-2026-22557 CVSS 10.0
Remote path traversal vulnerability allowing an attacker to access and manipulate files, leading to account takeover. No authentication required.

CVE-2026-22558 — CVSS 7.7
Authenticated NoSQL Injection allowing privilege escalation.
Mehran Armiyon retweeted
Morad Vaisi @RezaVaisi ·
@elonmusk Dear Elon, In these critical days, the people of Iran need internet access. Please help them stay connected as they struggle to reclaim their country from the rule of the mullahs. Stand with the Iranian people. Iran will not forget its friends.
Mehran Armiyon retweeted
IRCF | Free Internet for All
Users are still receiving threatening text messages from the VAJA sender ID on the pretext of selling VPNs and Starlink configs.
Mehran Armiyon retweeted
IRCF | Free Internet for All
The group Void Verge, which caused a disruption in the infrastructure network yesterday, has announced that the government is preparing the next phase of a nationwide internet shutdown for emergency conditions. The aim of this measure is to restrict the chain of communication on the domestic internet, so that users cannot share tools for connecting to the international internet with each other. According to this claim, measures such as blocking free file-sharing services on mobile internet operators, widespread restriction of sending links and content in domestic messengers, sending threatening text messages, and identifying active VPNs in channels and groups are under way, and it is said that this information is being collected manually or with crawler tools (including Sparta) so that access can be blocked.
Mehran Armiyon retweeted
Hamid Kashfi @hkashfi ·
Finally got some breathing room, so here's a quick recap of the cyber side of IR/US ongoing war:

1. Right after the first strikes by US, within the first hours, multiple popular (pro regime) news agencies and outlets were compromised at the same time. Legitimate-looking news content was injected into the front page, aimed at degrading morale of pro-regime force by typical PSYOPS tactics. Sites were quickly taken down and restored.

2. Shortly after that, BadeSabaa (Prayer time app), a popular mobile app with 30+ million installations (from Iranian app store), was hijacked and used to send push notifications to users. This time the target audience was mostly army members, calling them to surrender and join the people, if they want to survive. This app is an interesting pick, not just because it has a high number of downloads. Users of the app are particularly religious people and have higher chance to be also pro-regime and within body of the army. One important but seemingly ignored fact about this app is that it requests location access to operate. It's safe to assume most users allow that for more accurate prayer time results. It's also safe to assume that, if the app backend is compromised enough to allow sending push notifications, it's safe to assume that any telemetry logs and data from the app would be also compromised. Correlating telemetry with unique device ID for that large user base can be (ab)used in many different and interesting ways! Not that it has been the case.

* Rumors circulated that EITAA, an Iranian popular messaging app, was also taken down and no longer accessible. That turned out to be just a rumor as I verified.

3. Iran internet went in full blackout mode again. Not that this had anything to do with a cyber operation. Initially starting from MCI and expanding to the entire country within a day. Like in previous case, there is still a small fraction of hosts that remain accessible from outside, but if you have been logging previous round's data and compare it with current one, you might notice interesting discrepancies ;) This is likely a multi-reason effort to contain exposure of impact of strikes, possible denial of service to smaller drones (which turned out a failed assumption and attempt during IR/IL war too) and finally to have a veil over any potential aggression towards upcoming unrests and protests by people in the streets.

4. During second day of strikes, Iranian national TV's Channel 3 satellite streams (IntelSat) were hijacked (2nd time since recent protests) and videos of Trump and Netanyahu speeches were broadcast instead. Again, expected PSYOPS move considering the situation.

Other covert operations have been also in progress, which I guess we might be hearing about them (or not) in near future. I will be occasionally updating this as a thread, if more notable cyber attacks take place.
Mehran Armiyon retweeted
Hamid Kashfi @hkashfi ·
Best way to test it was to create a functional wrapper around it, so I tasked Codex to make me Mr. Apple github.com/Hamid-K/Mr.App… The MCP support is experimental, but otherwise the idea is to have something like Claude or Codex, based on the locally available Apple Intelligence model. It can already interact with OS commands and filesystem. And yes, it's dumb, in comparison to frontier and most other heavier open models, but you get what you pay for :)
Richard Wei @rxwei

Today we are introducing a Python SDK for Mac's on-device LLM! github.com/apple/python-a… apple.github.io/python-apple-f…

Mehran Armiyon retweeted
Mehdi @MehdiHacks ·
Friends inside Iran: one way to receive information in wartime is shortwave radio. Radio waves in this frequency range (3 to 30 MHz) can travel long distances, on the order of thousands of kilometers. In this thread I'll give a bit of information on this, which I hope will be useful. 1/14
Mehran Armiyon @arm1yon ·
@SinSinology Hey; Your DMs are closed. Mind if I slide in with a quick question?! :)
SinSinology @SinSinology ·
🦋
Mehran Armiyon retweeted
Golineh Atai @GolinehAtai ·
Vahid is an Iranian Internet activist - he has become the most important distributor of citizen videos during the last uprisings in Iran. His words today: “I don't dare to open the messages. Not because of the violence in the images. That’s not as difficult as the questions from mothers whose children have been detained. They send their missing child's photo and ask me to compare it with the faces I blurred in the videos! They beg me to identify the sender of the video of their loved one's body so they can ask about their final moments.” #IranMassacre
Vahid Online @Vahid

@GoodieHimSelf I don't dare open the messages. Not because of the violence of the images. That isn't as hard as the questions from mothers whose children have been detained. They send a photo of their missing one for me to compare with the faces I blurred in the videos! They plead with me to identify the sender of the video of their loved one's body so they can ask about their final moments.

Mehran Armiyon retweeted
Soroush Dalili @irsdl ·
They have put #SaeedSouzangar in chains too. Free @saeedsouzangar. Saeed is a benevolent, caring person, committed to the well-being of society and hard-working for Iran's IT community. Let us be his voice.
عمو نیما @amunima

#SaeedSouzangar was apparently arrested on Tuesday of last week and there has been no news of him.

Mehran Armiyon retweeted
Hamid Kashfi @hkashfi ·
I registered and launched this domain and website as a basic, simple cybersecurity guide usable by the general public. The site's original content and template are not my work; I only added and fixed the Persian translation and template. amni.at The technical content, especially as suited to the circumstances and needs of Iranian users, still needs work and completion, which I will do over time. If you have suggestions for completing and correcting the content, you can submit them through the project's GitHub repository :)
Mehran Armiyon retweeted
IRCF | Free Internet for All
The Defyx development team has announced that a new update to improve access to the #FreeInternet, specifically for users in Iran, has been released and is now available on Google Play and GitHub. They also noted that the iOS and Windows versions of this #VPN are still under store review and that, because of the holidays, their approval process has been slow; for this reason they suggest downloading the Windows version directly from GitHub.
Defyx VPN @DefyxVPN

We are doing our utmost to address part of the needs of our users in #Iran, who are facing anti-government protests and severe internet restrictions, through frequent and closely timed updates. 1/5 #DefyxVPN #VPN #DigitalPrivacy

Mehran Armiyon retweeted
Hamid Kashfi @hkashfi ·
The MongoBleed vuln is such a cool and powerful primitive, it practically allows you to remotely live-view the host memory (limits still apply) and navigate around like a local hexdump! I made a TUI live memory browser based on @dez_'s PoC. Credits to him for the original PoC and work! 1. Use "--auto-mode speed --loop --decode --optimize" to get good offsets 2. Run again with --tui --hit-tag and browse :) Check the notes for more detailed options and dump optimizations. github.com/Hamid-K/mongob…
Mehran Armiyon retweeted
lukas seidel @pr0me ·
nice new paper on vulnerable code reachability: VPChecker

many SBOM tools operate at binary level, reporting a finding regardless of whether the vulnerable function from the imported lib was used

capturing dependencies at function level can reduce false positives drastically