================================================================================
CRITICAL OSINT FINDINGS
Iranian Government & Hezbollah Infrastructure
Summary of Key Discoveries
Generated: 2026-01-04
================================================================================

================================================================================
EXECUTIVE SUMMARY
================================================================================

This document summarizes critical findings from open-source intelligence
gathering on Iranian government and Hezbollah digital infrastructure.

TARGETS ANALYZED:
- Iranian Government: khamenei.ir, president.ir, mfa.gov.ir, irna.ir
- IRGC-Linked Media: farsnews.ir, tasnimnews.com, defapress.ir
- State Media: presstv.ir, mehrnews.com
- Hezbollah: moqawama.org.lb, almanar.com.lb, alahednews.com.lb

TOTAL SUBDOMAINS DISCOVERED: 300+
TOTAL UNIQUE IPs MAPPED: 50+
GOVERNMENT ASNs IDENTIFIED: 4

================================================================================
[1] FARSNEWS.IR - IRGC NEWS AGENCY API
================================================================================

FINDING: Active REST API with mobile app infrastructure exposed

ENDPOINT: https://api.farsnews.ir
STATUS: Returns 401 Unauthorized (requires authentication)
SERVER: "ninja" (custom implementation)

HEADERS REVEAL MOBILE APP ARCHITECTURE:
- X-Token (authentication token)
- APPVERSION, app-version (mobile app versioning)
- duid (device unique ID - fingerprinting)
- platform, os (iOS/Android detection)
- app-market (app store source tracking)
- app-scope (permission levels)

MOBILE APP DOWNLOAD EXPOSED: https://dl.farsnews.ir/app.apk

STREAMING INFRASTRUCTURE:
- stream01.farsnews.ir
- stream02.farsnews.ir
- stream03.farsnews.ir

CDN NODES:
- cdn.farsnews.ir (primary)
- ccdn.farsnews.ir (secondary)
- dl.farsnews.ir (downloads)
- trace.farsnews.ir (analytics)

RESPONSE FORMAT: MessagePack binary (not JSON)

INTELLIGENCE VALUE:
- APK can be reverse-engineered for API secrets
- Device fingerprinting reveals surveillance capability
- Token auth system could be targeted

--------------------------------------------------------------------------------

================================================================================
[2] IRNA.IR - PRIVATE IP ADDRESS LEAK
================================================================================

FINDING: Internal RFC1918 IP address exposed in public DNS

SUBDOMAIN: kateb.irna.ir
RESOLVES TO: 10.30.41.85 (PRIVATE IP!)

ANALYSIS:
- "Kateb" = "writer/scribe" in Farsi
- Indicates internal editorial system
- Reveals internal network subnet: 10.30.41.0/24
- Split-horizon DNS misconfiguration

INTERNAL NETWORK TOPOLOGY (Discovered):
- 10.30.41.x - Editorial systems (leaked)
- 217.25.48.x - Mail, Gallery, Tahrir
- 217.25.51.x - RS1 server farm
- 217.25.53.x - RS2 server farm
- 217.25.56.x - News, Streaming (Sky)
- 217.25.58.x - Remote access

REMOTE ACCESS SERVER: remote.irna.ir -> 217.25.58.101
MAIL SERVER: mail.irna.ir -> 217.25.48.34 (Requires Firefox 65+/Chrome 70+)

--------------------------------------------------------------------------------

================================================================================
[3] MFA.GOV.IR - VPN ENDPOINT EXPOSED
================================================================================

FINDING: Ministerial VPN hostname leaked in public DNS

SUBDOMAIN: r1.vpn.minister.local.mfa.gov.ir
RESOLVES TO: 185.143.235.201 (ArvanCloud CDN)

ANALYSIS:
- "minister.local" = internal domain naming convention
- "r1" suggests multiple endpoints (r2, r3...)
- VPN for Minister's office exposed
- Potential for credential attacks

CONTROL PANEL CONFIRMED: cp.mfa.gov.ir -> 109.201.11.102
ISP: Tose'h Fanavari (AS24631)
ORG: "Foreign Ministry of IRAN" (confirmed by IP lookup)

EMBASSY NETWORK: 180+ subdomains mapped including:
- lebanon.mfa.gov.ir (Hezbollah connection)
- venezuela.mfa.gov.ir (Maduro alliance - now disrupted)
- Full diplomatic network across 100+ countries

--------------------------------------------------------------------------------

================================================================================
[4] TASNIMNEWS.COM - SELF-HOSTED ANALYTICS
================================================================================

FINDING: IRGC news outlet runs private Matomo analytics

ENDPOINT: https://analytics.tasnimnews.com
STATUS: Returns 403 Forbidden (access restricted)
SERVER: nginx

ANALYSIS:
- Self-hosted Matomo (formerly Piwik) instance
- Avoids sending data to Google
- Contains detailed visitor analytics
- IP-restricted access

GOOGLE TAG MANAGER: GTM-PZ3N9B8
GOOGLE ANALYTICS: G-MGYZR3Q3BS (also used despite self-hosting)

--------------------------------------------------------------------------------

================================================================================
[5] HEZBOLLAH - RUSSIAN/CZECH HOSTING
================================================================================

FINDING: Hezbollah sites hosted outside Middle East for resilience

MOQAWAMA.ORG.LB (Islamic Resistance):

PRIMARY:
- IP: 91.109.206.65
- Location: Moscow, Russia
- ISP: Okay-Telecom Ltd.
- ASN: AS199669

BACKUP:
- IP: 176.74.216.191
- Location: Czech Republic
- ISP: HOST-TELECOM
- ASN: AS51248

ANALYSIS:
- Russian hosting protects from Western takedowns
- Czech backup adds redundancy
- .lb domain outside US legal jurisdiction
- Commercial hosting, not state infrastructure

US-SEIZED DOMAINS:
- moqawama.org
- almanarnews.org
- manarnews.org
- almanar-tv.org
- alshahid.org

ACTIVE DOMAINS (Lebanese TLD):
- moqawama.org.lb
- almanar.com.lb
- alahednews.com.lb

--------------------------------------------------------------------------------

================================================================================
[6] GOVERNMENT ASN OWNERSHIP
================================================================================

DEDICATED IRANIAN GOVERNMENT ASNS:

AS34592 - Iranian Presidential Administration
  Used by: president.ir
  Type: Direct government ownership

AS29079 - IRNA (Islamic Republic News Agency)
  Used by: irna.ir and all subdomains
  Type: State media dedicated network

AS24631 - Tose'h Fanavari Ertebabat Pasargad
  Used by: mfa.gov.ir infrastructure
  ORG confirmed: "Foreign Ministry of IRAN"

AS48434 - Tebyan-e-Noor Cultural-Artistic Institute
  Used by: mail.khamenei.ir
  Type: Religious/cultural front organization

PRIMARY CDN: AS205585 - ArvanCloud
  Used by: ALL major Iranian government sites
  Single point of failure for regime web presence

--------------------------------------------------------------------------------

================================================================================
[7] TRACKING & ANALYTICS INTELLIGENCE
================================================================================

GOOGLE ANALYTICS PROPERTIES:

Site                | GA Property
--------------------|------------------
khamenei.ir         | UA-6238962-2, G-8MVZ1HLJT0
almanar.com.lb      | UA-199941297-1, G-JJ1SM3JFZW
tasnimnews.com      | G-MGYZR3Q3BS
presstv.ir          | G-F359E8PMME
mehrnews.com        | G-ERSHRYVTBP
defapress.ir        | G-94BW46TZJM
moqawama.org.lb     | G-Z8F3HPDSWG

IRONY: "Anti-Western" sites use Google Analytics
Google has visibility into all their traffic

GOOGLE TAG MANAGER CONTAINERS:
GTM-TLJW8TR - Al-Manar/Hezbollah network
  Links: almanar.com.lb, almanartv.com.lb, manartv.com.lb
GTM-PZ3N9B8 - Tasnim News (IRGC)

MICROSOFT CLARITY (Session Recording):
almanar.com.lb: cgaike4iub, cs22bibpe3
mehrnews.com: o2z34ibfin
Microsoft records user sessions on Hezbollah media sites.

--------------------------------------------------------------------------------

================================================================================
[8] OPERATIONAL SECURITY FAILURES
================================================================================

CRITICAL EXPOSURES:

1. VPN HOSTNAME IN PUBLIC DNS
   r1.vpn.minister.local.mfa.gov.ir exposed
   Enables targeted credential attacks

2. PRIVATE IP LEAK
   kateb.irna.ir -> 10.30.41.85
   Internal network topology revealed

3. APK DOWNLOAD EXPOSED
   https://dl.farsnews.ir/app.apk
   Can be reverse-engineered for secrets

4. DEVELOPMENT TOOL NAMES EXPOSED
   jira.farsnews.ir, confluence.farsnews.ir
   git.farsnews.ir, svn.farsnews.ir
   Reveals internal tooling (though not accessible)

5. WESTERN TRACKING ON REGIME SITES
   Google Analytics on khamenei.ir
   Microsoft Clarity on Hezbollah sites
   Contradicts "resistance" narrative

6. SERVICE WORKER EXPOSES TECH STACK
   https://farsnews.ir/service-worker.js
   Reveals frameworks: Workbox, Capacitor, MessagePack

7. API HEADERS REVEAL ARCHITECTURE
   Mobile app fingerprinting exposed
   Token authentication system visible

--------------------------------------------------------------------------------

================================================================================
[9] CURRENT EVENTS CONTEXT (January 2026)
================================================================================

IRAN PROTESTS (Day 7+):
- At least 10 killed by regime forces
- 100+ locations, 22 provinces affected
- Internet disrupted 35%
- Khamenei: "Rioters must be put in their place"

VENEZUELA CONNECTION SEVERED:
- US captured Maduro (Jan 3, 2026)
- 20-year defense pact disrupted
- IRGC investments at risk
- Iranian drone base compromised

POST-WAR STATUS (June 2025 Israeli Strikes):
- IRGC commanders Salami & Hajizadeh killed
- Fordow centrifuges "no longer operational"
- 60% enriched uranium stockpile remains
- Iran halted IAEA cooperation

--------------------------------------------------------------------------------

================================================================================
[10] KHAMENEI.IR - SUPREME LEADER DEEP DIVE
================================================================================

TARGET: khamenei.ir (Official Website of Ayatollah Khamenei)
OSINT DATE: 2026-01-04 (via Tor - Swiss exit node)
STATUS: 23+ years online (first archived Nov 30, 2002)

INFRASTRUCTURE:
- Main IP: 5.160.10.200 (AS200554 Dade Pardaz Kimia Pouyesh - Tehran)
- Mail Server: mail.khamenei.ir -> 94.232.174.104 (AS48434 Tebyan-e-Noor)
- Live Streaming: live1.khamenei.ir -> 81.12.39.67 (AS42337 Respina)
- DNS: ns1/ns2.nashridc.ir, ns1/ns2.nashridc.com
- CMS: www.nastooh.ir (Iranian platform)
- SSL: Let's Encrypt wildcard cert (*.khamenei.ir)

SUBDOMAINS DISCOVERED: 41 total
- 14+ language portals (farsi, english, arabic, russian, chinese, etc.)
- 10 per-language CDNs (cdn-farsi, cdn-english, etc.)
- 12+ live streaming nodes (live1-5, live.idc0-cdn1-13)
- ADMIN PORTAL: admin.english.khamenei.ir (exposed in certs!)
- HIDDEN API: formx.khamenei.link (separate TLD!)

API ENDPOINTS DISCOVERED:
- https://formx.khamenei.link/farsi-json/topticker (ACTIVE - returns JSON)
- https://farsi.khamenei.ir/ndata/news/{id}/View
- https://english.khamenei.ir/service/artworks
- https://english.khamenei.ir/service/Analysis

TRACKING (CRITICAL):
- Google Analytics: UA-6238962-2, G-8MVZ1HLJT0
- Google Site Verification: FrS79LKnklz_7cQGdeYYR5RW-gtYz2sm3JWIVWo24W0
- NOTE: Supreme Leader uses Google extensively despite anti-Western rhetoric

SECURITY POSTURE:
[OK] HSTS with preload (1 year)
[OK] X-Frame-Options: SAMEORIGIN
[OK] X-XSS-Protection: 1; mode=block
[MISSING] Content-Security-Policy
[MISSING] Referrer-Policy
[WEAK] jQuery 1.6.2 (2011 - known vulnerabilities)

--------------------------------------------------------------------------------

================================================================================
[11] DOMAIN SEIZURE ANALYSIS - THE .LB WORKAROUND
================================================================================

US DOJ (EDVA) SEIZED 13 HEZBOLLAH DOMAINS:
- moqawama.org -> DOJ seizure page
- almanarnews.org -> DOJ seizure page
- manarnews.org -> DOJ seizure page
- almanar-tv.org -> DOJ seizure page
- alshahid.org -> DOJ seizure page
- + 8 additional domains

WORKAROUND - ACTIVE .LB ALTERNATIVES:
+---------------------------+------------------------------------------+
| SEIZED DOMAIN             | ACTIVE ALTERNATIVE                       |
+---------------------------+------------------------------------------+
| moqawama.org              | moqawama.org.lb (Moscow + Czech hosting) |
| almanarnews.org           | almanar.com.lb (Russia + Malaysia)       |
| alahednews.org            | alahednews.com.lb -> alahednews.news     |
+---------------------------+------------------------------------------+

WHY .LB DOMAINS CANNOT BE SEIZED:
- Registry: LBDR (American University of Beirut)
- Jurisdiction: Lebanese law only
- No US cooperation treaty for domain seizures
- Pattern: State actors ALWAYS maintain ccTLD backups

EFFECTIVENESS ASSESSMENT: MINIMAL
- Content: 100% available via .lb domains
- Operations: Completely unaffected
- Propaganda: Continues uninterrupted
- Users: Quickly learn new domains

--------------------------------------------------------------------------------

================================================================================
[12] HEZBOLLAH FINANCIAL INTELLIGENCE
================================================================================

ESTIMATED ANNUAL REVENUE: $1 BILLION+ (Iran + criminal enterprises)

2025 OFAC/TREASURY ACTIONS:
- Nov 2025: Exchange houses exploiting Lebanon's cash economy (sb0308)
- Sept 2025: $10 MILLION REWARD offered for financial network info
- July 2025: Financial officials sanctioned (sb0189)
- March 2025: "Finance Team Sanctions Evasion Network" (sb0063)
- Since Jan 2025: IRGC-QF transferred $1+ BILLION to Hezbollah

MONEY LAUNDERING NETWORKS:
- Ayman Joumaa Network: $200 MILLION/MONTH for cartels (8-14% commission)
- Nazem Ahmad Network (Apr 2023): 52 entities across 9 countries
  - Diamonds, gems, art, luxury goods, cash
  - "Blood diamond" smuggling in DRC

CRIMINAL ENTERPRISES:
- Drug Trafficking: DEA Project Cassandra (cocaine), Captagon
- Oil Smuggling: Via IRGC-QF networks
- Gold Smuggling: Iran -> Turkey via Mahan Air
- Counterfeiting: US currency, medicine
- Cigarette Smuggling: Documented NC case

FRONT BUSINESSES:
- Construction, real estate, import/export
- Money exchanges (sarrafs), gold/diamond trade
- Used car dealerships, electronics

2025 DIGITAL EXPLOITATION:
- Whish Money and OMT digital wallets in Lebanon
- Weak AML/ATF rules exploited
- Donations to sanctioned charities via digital payments

--------------------------------------------------------------------------------

================================================================================
[13] HEZBOLLAH TECHNICAL INFRASTRUCTURE
================================================================================

MOQAWAMA.ORG.LB (Main Portal):
- Server: Apache + PHP
- Primary IP: 91.109.206.65 (Moscow, Russia - Okay-Telecom)
- Backup IP: 176.74.216.191 (Czech Republic - HOST-TELECOM)
- DNS: ns41-44.cloudns.net (outside US jurisdiction)
- Session: PHPSESSID cookies (MD5 hashes)

ALMANAR.COM.LB (Al-Manar TV):
- Server: nginx (different infrastructure)
- IPs: 5.35.14.164-166 (Selectel Moscow)
- Backup: 47.250.57.153 (Alibaba Cloud Malaysia)
- CDN: Reverse proxy with caching

SUBDOMAINS CONFIRMED ACTIVE:
- video.moqawama.org.lb (Video archive)
- audio.moqawama.org.lb (Audio library)
- gallery.moqawama.org.lb (Photo gallery)
- games.moqawama.org.lb (Propaganda games)

DISCOVERED EMAILS:
- info@moqawama.org.lb
- games@moqawama.org (OPSEC FAIL: uses seized domain!)

SESSION HASHES COLLECTED:
- PHPSESSID: 83d0d0dde0bdea9c508fb780f5e22330
- sec_session_id: 78278a485df2a5807e6d9c45158a989e
- sec_session_id: d0130803e2bad19514db5f13679dbd1f

--------------------------------------------------------------------------------

================================================================================
[14] MEDIA OPSEC FAILURES
================================================================================

WHATSAPP ORIGIN DETECTED:
File: "WhatsApp Image 2025-12-13 at 9.50.45 AM.jpeg"
- Original WhatsApp filename preserved
- Staff uploads directly from WhatsApp without renaming
- Reveals internal communication patterns

TIMESTAMP FILENAMES (Al-Ahed News):
Format: YYYYMMDDHHmmss.jpg
- 20260101193702.jpg -> Uploaded 2026-01-01 at 19:37:02
- Times consistent with Beirut working hours (UTC+2/+3)
- Automated upload system with no manual review

EXIF METADATA PRESERVED (Caricatures):
+------------------+----------------------------+----------------------+
| FILE             | SOFTWARE                   | EDIT TIMESTAMP       |
+------------------+----------------------------+----------------------+
| 1679.jpg         | Adobe Photoshop 7.0        | 2023-04-15 15:27:26  |
| 1713.jpg         | Adobe Photoshop 7.0        | 2023-05-31 07:13:38  |
| 1808.jpg         | Adobe Photoshop CS6 (Win)  | 2014-07-22 16:07:36  |
| 1833.jpg         | Adobe Photoshop CS6 (Win)  | 2024-01-22 14:34:12  |
+------------------+----------------------------+----------------------+

OPSEC FAILURES:
1. Photoshop 7.0 (2002) - 22 years old, likely pirated
2. Photoshop CS6 (2012) - Last non-subscription version
3. Edit times reveal Beirut working hours
4. Multiple files from same workstation

--------------------------------------------------------------------------------

================================================================================
[15] COMPLETE DATA INVENTORY
================================================================================

ROOT: C:\Users\Squir\Desktop\IRAN\

INTELLIGENCE DOCUMENTS:
- resources\intel\NOTABLE_FINDINGS_EXPANDED.txt (detailed analysis)
- resources\intel\SUBDOMAIN_INTEL.txt (300+ subdomains)
- resources\intel\HASH_COLLECTION.txt (IP geolocation data)
- resources\intel\IRAN_MASTER_INTEL.txt (timeline & events)
- resources\intel\SITE_FINGERPRINT_INTEL.txt (tracking IDs)
- resources\intel\SOURCES.txt (100+ sources)
- resources\intel\DOMAIN_SEIZURE_ANALYSIS.txt (jurisdiction)
- resources\intel\HEZBOLLAH_FINANCIAL_INTEL.txt (financial ops)
- resources\intel\TECH_STRUCTURE.txt (server infrastructure)
- resources\khamenei\intel\KHAMENEI_IR_OSINT_REPORT.txt (full report)

DOWNLOADED CONTENT:
- resources\khamenei\raw_html\ (2 HTML files, 244KB)
- resources\khamenei\js\ (3 JS files, 93KB)
- resources\hezbollah\HTMLs\ (90+ HTML files)
- resources\hezbollah\media\ (20 images, EXIF preserved)

SCRIPTS:
- scripts\subdomain_hunter.py
- scripts\ip_intel.py
- scripts\hash_hunter.py
- scripts\username_hunter.py
- scripts\db_manager.py

DATABASE:
- iran_osint.db (SQLite - structured data)

================================================================================
[16] COLLECTED HASHES & TOKENS (REAL DATA ONLY)
================================================================================

PHP SESSION HASHES (Collected from HTTP responses):
+----------------------------------+----------------------------------+
| SOURCE                           | SESSION HASH                     |
+----------------------------------+----------------------------------+
| moqawama.org.lb (PHPSESSID)      | 83d0d0dde0bdea9c508fb780f5e22330 |
| audio.moqawama.org.lb            | 78278a485df2a5807e6d9c45158a989e |
| gallery.moqawama.org.lb          | d0130803e2bad19514db5f13679dbd1f |
+----------------------------------+----------------------------------+

COOKIE SESSION IDs (From API response):
- farsnews.ir: cookiesession1=678B286B29F37FAC96F0F1CB00C133DC

CSS CACHE HASHES (Found in HTML):
- mnrminify_3c902298363cd2282b362f860e54fe29.css (almanar.com.lb)

REDIRECT TRACKING HASHES (Found in API response):
- c=ae8373ca17dc9561f317 (formx.khamenei.link)

GOOGLE SITE VERIFICATION TOKEN (Found in DNS TXT):
- FrS79LKnklz_7cQGdeYYR5RW-gtYz2sm3JWIVWo24W0 (khamenei.ir)

FULL HASH DATABASE: C:\Users\Squir\Desktop\IRAN\hash_database.db (21 records)

--------------------------------------------------------------------------------

================================================================================
[17] SUMMARY STATISTICS
================================================================================

TOTAL SUBDOMAINS DISCOVERED: 500+
- khamenei.ir: 41 subdomains
- mfa.gov.ir: 182 subdomains (embassy network)
- irna.ir: 50 subdomains (internal IP leak)
- farsnews.ir: 30+ subdomains (API exposed)
- Hezbollah network: 20+ active subdomains

TOTAL UNIQUE IPs MAPPED: 75+

GOVERNMENT ASNs IDENTIFIED: 6
- AS34592 (Presidential Admin)
- AS29079 (IRNA)
- AS24631 (Foreign Ministry)
- AS48434 (Tebyan-e-Noor/Khamenei)
- AS200554 (Dade Pardaz/Khamenei)
- AS57986 (Sigma IT/Khamenei mail)

TRACKING IDs COLLECTED: 15+
- Google Analytics: 7 properties
- Google Tag Manager: 2 containers
- Microsoft Clarity: 3 projects

CRITICAL EXPOSURES: 9
1. VPN endpoint in public DNS (mfa.gov.ir)
2. Private IP leak (irna.ir - 10.30.41.85)
3. APK download exposed (farsnews.ir)
4. Admin portal in certs (khamenei.ir)
5. Hidden API domain (formx.khamenei.link)
6. Google Site Verification token (khamenei.ir)
7. WhatsApp filename patterns (Hezbollah media)
8. Photoshop version metadata (Hezbollah graphics)
9. Seized domain in email (games@moqawama.org)

================================================================================
END CRITICAL FINDINGS
================================================================================