IRAN'S PROPAGANDA SITES
ARE TRACKING YOU
Google Tag Manager detected on Iranian state media sites
● IRNA.IR - State news agency
● KHAMENEI.IR - Supreme Leader's site
● Your IP, browser, location logged
● Data flows to government servers
@RINGMAST4R
PRIVATE IP LEAK
IRNA.IR EXPOSED
Internal RFC1918 IP exposed in public DNS
● kateb.irna.ir → 10.30.41.85
● Internal subnet: 10.30.41.0/24
● Editorial system 'Kateb' exposed
● Split-horizon DNS misconfigured
VPN ENDPOINT EXPOSED
FOREIGN MINISTRY
Ministerial VPN hostname in public DNS
● r1.vpn.minister.local.mfa.gov.ir
● Resolves to: 185.143.235.201
● Internal naming convention leaked
● Target for credential attacks
ADMIN PORTAL FOUND
KHAMENEI.IR
Admin subdomain exposed via SSL certificates
● admin.english.khamenei.ir
● Found in Certificate Transparency logs
● Administrative interface exists
● Internal system now publicly known
HIDDEN API DOMAIN
KHAMENEI.LINK
Separate TLD used to hide API infrastructure
● formx.khamenei.link (not .ir)
● Not found via subdomain enumeration
● Discovered through JavaScript analysis
● Contains redirect tracking system
MOBILE APK EXPOSED
FARSNEWS.IR
Android app available for reverse engineering
● dl.farsnews.ir/app.apk
● May contain hardcoded API secrets
● Device fingerprinting system exposed
● Authentication mechanisms revealed
182 EMBASSY SUBDOMAINS
MFA.GOV.IR MAPPED
Complete Iranian diplomatic network mapped
● lebanon.mfa.gov.ir (Hezbollah)
● venezuela.mfa.gov.ir (Maduro alliance)
● russia, china strategic partners
● cms, cloud, email systems found
HEZBOLLAH HOSTING
RUSSIAN PROTECTION
Deliberate use of Russian hosting for resilience
● moqawama.org.lb → Moscow, Russia
● almanar.com.lb → Selectel Moscow
● Backup: Czech Republic, Malaysia
● .lb TLD avoids US domain seizures
EXIF METADATA
ATTRIBUTION FOUND
Photoshop metadata preserved in graphics
● Adobe Photoshop 7.0 (2002) - pirated
● Multiple files from same workstation
● Timestamps = Beirut hours (GMT+3)
● Individual creators trackable
WHATSAPP OPSEC FAIL
FILENAME PRESERVED
Original WhatsApp filename on news site
● "WhatsApp Image 2025-12-13..."
● english.alahednews.com.lb
● Internal communication pattern revealed
● Editorial workflow exposed
GOVERNMENT ASNs
ATTRIBUTION CONFIRMED
Dedicated government-owned networks identified
● AS34592 - Iranian Presidential Admin
● AS29079 - IRNA network
● AS205585 - ArvanCloud CDN
● Single point of failure identified
ARVANCLOUD CDN
SINGLE POINT OF FAILURE
All Iranian government sites use one CDN provider
● president.ir, khamenei.ir, irna.ir
● mfa.gov.ir, tasnimnews.com, presstv.ir
● ASN: AS205585 - Iranian owned
● If ArvanCloud fails = ALL gov sites fail
CROSS-SITE TRACKING
VISITOR SURVEILLANCE
Google Analytics & Microsoft Clarity on state media
● GTM-TLJW8TR - Hezbollah TV (almanar)
● GTM-PZ3N9B8 - IRGC (tasnimnews)
● Microsoft Clarity = full session recordings
● Cross-site correlation possible
IRGC DEV TOOLS EXPOSED
FARSNEWS.IR
Internal development infrastructure publicly visible
● jira.farsnews.ir - Issue tracker
● git.farsnews.ir - Source code repos
● chat.farsnews.ir - Internal comms
● my-api-tlg.farsnews.ir - Telegram API!
KHAMENEI.IR STREAMING
YOUTH TARGETING
5-server high-availability propaganda network
● live1-5.khamenei.ir streaming servers
● nojavan.khamenei.ir = "Youth" targeting
● 10+ language versions for global reach
● Mail separated on different ASN
HEZBOLLAH DNS
EASTERN EUROPE HOSTED
Custom DNS infrastructure outside Lebanon
● awt-lb.com = "AWT Lebanon" DNS service
● Hosted in Budapest, Hungary
● ClouDNS Bulgaria for backup
● Harder to trace and take down
US DOJ SEIZURES
MINIMAL IMPACT
Domain seizures are symbolic only
● moqawama.org SEIZED → .org.lb ACTIVE
● almanarnews.org SEIZED → .com.lb ACTIVE
● .lb TLD = Lebanese jurisdiction
● Hezbollah anticipated US action
IRNA INTERNAL NETWORK
FULLY MAPPED
State news agency infrastructure exposed
● tahrir.irna.ir = Editorial systems
● 217.25.58.101 = Remote access server
● lab1-3.irna.ir = Dev/test servers
● 6 language editorial systems found
PRESIDENT.IR
SESSION LEAKS
Presidential website exposes internal data
● X-SID header leaks session info
● Wildcard *.president.ir certificate
● ASN: AS34592 - Presidential Admin
● Hidden subdomains possible
ADMIN EMAILS EXPOSED
DMARC RECORDS
Internal email addresses found in DNS
● Targets for social engineering
PRTG MONITOR EXPOSED
MEHRNEWS.COM
Network monitoring system publicly visible
● prtg.mehrnews.com - PRTG Network Monitor
● hrm.mehrnews.com - HR Management
● bot.mehrnews.com - Automation bots
● May leak infrastructure details
SESSION HASHES
COLLECTED
PHP session IDs harvested from state sites
● moqawama.org.lb - PHPSESSID exposed
● farsnews.ir - cookiesession1 hash
● almanar.com.lb - CSS cache hash
● Session hijacking potential