╔══════════════════════════════════════════════════════════════════════════════╗
║                                                                              ║
║   IRAN & HEZBOLLAH PROXY NETWORK — COMPLETE INTELLIGENCE REPORT              ║
║                                                                              ║
║   Campaign:           IRAN OSINT / Huntr Scan / Manual Recon                 ║
║   Sessions:           January 2026 (Primary) + February 25, 2026 (Update)    ║
║   Scope:              670 Iranian + Hezbollah domains                        ║
║   Total Findings:     28                                                     ║
║   Critical Exposures: 9                                                      ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝

════════════════════════════════════════════════════════════════════════════════
TABLE OF CONTENTS
════════════════════════════════════════════════════════════════════════════════

   I.    Executive Summary
   II.   Target Scope & Methodology
   III.  Critical Findings (9)
   IV.   High-Severity Findings (8)
   V.    Medium-Severity Findings (5)
   VI.   Low/Informational Findings (6)
   VII.  Hezbollah Infrastructure Analysis
   VIII. Iranian Government Infrastructure
   IX.   Tracking & Analytics Intelligence
   X.    Financial Intelligence (Open Source)
   XI.   Data Inventory
   XII.  Statistics

════════════════════════════════════════════════════════════════════════════════
I. EXECUTIVE SUMMARY
════════════════════════════════════════════════════════════════════════════════

This report documents all findings from OSINT reconnaissance against Iranian
government, military, intelligence, and Hezbollah proxy network digital
infrastructure, conducted across two sessions in January and February 2026.

Key outcomes:
  - 670 domains scanned (609 Iranian + 61 Hezbollah proxy network)
  - 500+ subdomains discovered across all targets
  - 75+ unique IP addresses mapped
  - 6 government-owned ASNs identified
  - 28 total findings (9 critical, 8 high, 5 medium, 6 low/info)
  - Complete Iranian diplomatic network mapped (182 embassy subdomains)
  - Hezbollah hosting resilience strategy documented
  - Financial operations intelligence compiled ($1B+ annual revenue)
  - 15+ tracking IDs harvested (Google Analytics, GTM, Clarity)

Constraint: Most Iranian .ir domains sit behind the ArvanCloud CDN/WAF, which
serves an HTML catch-all page for every request path, so automated path
scanning from clearnet produces nothing but false positives (a 200 with an
HTML body proves nothing until the body is compared against the catch-all
page). Several Hezbollah sites were reachable only over Tor (SSL handshake
failures from clearnet, timeouts to the Moscow-hosted servers).

════════════════════════════════════════════════════════════════════════════════
II. TARGET SCOPE & METHODOLOGY
════════════════════════════════════════════════════════════════════════════════

TARGET LISTS:

  iranian-websites.txt                       653 entries
    (609 domains are counted in the scan statistics in XII)
    - Supreme Leadership & Constitutional Bodies (5)
    - Executive / Presidency (5)
    - Parliament / Legislative (2)
    - Government Ministries (16)
    - Military / Defense / Intelligence (20+)
    - Nuclear Program (10+)
    - Banks & Financial (30+)
    - Universities (50+)
    - State Media & News (40+)
    - Municipalities (50+)
    - Healthcare (30+)
    - Infrastructure (100+)

  hezbollah-proxy-network-websites.txt       61 domains
    - Hezbollah Official Media (TV/Radio/News)
    - US DOJ Seized Domains (13)
    - Social/Charitable Front Organizations
    - Iraqi PMF / Houthi / Axis of Resistance media

METHODOLOGY:

  Session 1 (January 2026):
    - Tor-based reconnaissance (Swiss, Russian, Turkish, UAE, Lebanese exits)
    - Certificate Transparency log enumeration
    - DNS enumeration (A, MX, NS, TXT, CNAME, SOA records)
    - crt.sh subdomain discovery
    - HTTP header analysis and fingerprinting
    - JavaScript source code analysis
    - EXIF metadata extraction
    - API endpoint discovery
    - ASN and IP geolocation mapping
    - Open-source
      financial intelligence compilation

  Session 2 (February 2026):
    - Huntr automated scanner (daemon mode, 50 workers)
    - Manual probe of 23+ Iranian domains for common exposures
    - Deep WordPress enumeration on Hezbollah sites
    - Debug log extraction
    - .git directory checks by comparing HTTP response codes (403 vs 404)

════════════════════════════════════════════════════════════════════════════════
III. CRITICAL FINDINGS
════════════════════════════════════════════════════════════════════════════════

───────────────────────────────────────────────────────────────────────────────
CRIT-01: IRNA.IR — Private IP Address Leak
───────────────────────────────────────────────────────────────────────────────
Severity: CRITICAL
Status:   CONFIRMED (January 2026)
Target:   irna.ir (Islamic Republic News Agency)

Finding:
  Subdomain kateb.irna.ir resolves to 10.30.41.85, a private RFC1918 address
  published in the public DNS zone.

Details:
  "Kateb" = "writer/scribe" in Farsi, so this is an internal editorial system
  Split-horizon DNS misconfiguration: an internal-only record was published
  in the external zone and leaks internal topology

Caveat: an RFC1918 address is not routable from the internet, so the record
gives no direct access. Its value is topology disclosure (the internal
addressing scheme and the role of the host), so treat it as an information
leak rather than a reachable service.

Internal Network Topology Revealed:
  10.30.41.x      Editorial systems (leaked via kateb subdomain)
  217.25.48.x     Mail, Gallery, Tahrir (editorial)
  217.25.51.x     RS1 server farm
  217.25.53.x     RS2 server farm
  217.25.56.x     News, Streaming (Sky)
  217.25.58.x     Remote access

Related Infrastructure:
  remote.irna.ir  → 217.25.58.101   (Remote access server)
  mail.irna.ir    → 217.25.48.34    (Mail server)

───────────────────────────────────────────────────────────────────────────────
CRIT-02: MFA.GOV.IR — VPN Endpoint Name Exposed in Public DNS
───────────────────────────────────────────────────────────────────────────────
Severity: CRITICAL
Status:   CONFIRMED (January 2026)
Target:   mfa.gov.ir (Ministry of Foreign Affairs)

Finding:
  r1.vpn.minister.local.mfa.gov.ir → 185.143.235.201 (ArvanCloud)

Details:
  "minister.local" leaks the internal domain naming convention
  "r1" suggests multiple VPN endpoints (r2, r3...)
  If a VPN login is reachable it is a natural credential-stuffing and
  brute-force target, and the VPN software version could be fingerprinted

Caveat: the name resolves to an ArvanCloud address, not to a VPN concentrator.
It may be a wildcard or CDN-fronted record, and no VPN service was confirmed
reachable in either session. What is confirmed is the disclosure of the
internal naming scheme.

Related:
  cp.mfa.gov.ir → 109.201.11.102 (Control Panel)
  ORG confirmed: "Foreign Ministry of IRAN" (via IP lookup)

───────────────────────────────────────────────────────────────────────────────
CRIT-03: KHAMENEI.IR — Admin Portal in Certificate Transparency
───────────────────────────────────────────────────────────────────────────────
Severity: CRITICAL
Status:   CONFIRMED (January 2026)
Target:   khamenei.ir (Supreme Leader's Office)

Finding:
  admin.english.khamenei.ir discovered in public CT logs

Details:
  An administrative interface for the Supreme Leader's website exists
  Exposed via public Certificate Transparency logging
  Likely internal-only, but the hostname is now public knowledge

Caveat: a CT entry proves only that a certificate was issued for the name. It
does not prove that the host resolves publicly or that the interface is
reachable; neither was tested here.

───────────────────────────────────────────────────────────────────────────────
CRIT-04: KHAMENEI.LINK — API on a Separately Registered Domain
───────────────────────────────────────────────────────────────────────────────
Severity: CRITICAL
Status:   ACTIVE (confirmed February 2026)
Target:   formx.khamenei.link (API domain)

Finding:
  The API is served from a separately registered domain (khamenei.link)
  instead of a khamenei.ir subdomain, so it is invisible to subdomain
  enumeration of khamenei.ir
  Discovered only through JavaScript source code analysis
  Active endpoint: /farsi-json/topticker (returns JSON)

Details:
  Not discoverable via subdomain enumeration of khamenei.ir
  Contains a redirect tracking system with unique hashes
  API returns news ticker data with tracking parameters
  Data dumped: khamenei-farsi-json-topticker.json (1,630 bytes)

Caveat: the endpoint is unauthenticated and serves public ticker content. The
intelligence value is the link between the two domains and the tracking
scheme, not the data itself.

───────────────────────────────────────────────────────────────────────────────
CRIT-05: FARSNEWS.IR — Mobile APK Downloadable + API Architecture
───────────────────────────────────────────────────────────────────────────────
Severity: CRITICAL
Status:   ACTIVE (requires Tor access)
Target:   farsnews.ir (Fars News Agency — IRGC-linked)

Finding:
  Android APK available for direct download at dl.farsnews.ir/app.apk
  Full REST API architecture visible at api.farsnews.ir (401)

APK Intelligence:
  URL: https://dl.farsnews.ir/app.apk
  A public distribution channel rather than an accidental exposure; its value
  is that the client can be decompiled to recover API endpoints and any
  hardcoded API keys or secrets (not yet done, see Recommendations)
  Reveals authentication mechanisms
  Device fingerprinting system exposed

API Architecture (from headers):
  Server:      "ninja" (custom implementation)
  Auth:        X-Token, token headers
  Mobile:      duid (device unique ID), platform, os, app-market, app-scope
  Versioning:  APPVERSION, app-version, api-version
  Format:      MessagePack binary (not JSON)
  Methods:     GET, POST, PUT, DELETE, PATCH (full CRUD)
  Session:     cookiesession1=678B286B29F37FAC96F0F1CB00C133DC
               (cookie issued to the scanner's own session, see INFO-04)

CDN/Streaming Infrastructure:
  cdn.farsnews.ir          Primary CDN
  ccdn.farsnews.ir         Secondary CDN
  dl.farsnews.ir           Downloads
  trace.farsnews.ir        Analytics/tracing
  stream01-03.farsnews.ir  Video streaming (3 nodes)

Internal DevOps (from DNS — not publicly accessible):
  jira.farsnews.ir         Project management
  confluence.farsnews.ir   Documentation
  git.farsnews.ir          Source control
  svn.farsnews.ir          Legacy source control
  chat.farsnews.ir         Internal messaging

───────────────────────────────────────────────────────────────────────────────
CRIT-06: MFA.GOV.IR — 182 Embassy Subdomains Mapped
───────────────────────────────────────────────────────────────────────────────
Severity: CRITICAL
Status:   CONFIRMED (January 2026)
Target:   mfa.gov.ir (Ministry of Foreign Affairs)

Finding:
  Complete map of Iranian diplomatic web infrastructure
  182 subdomains discovered covering every embassy/consulate

Key Subdomains:
  lebanon.mfa.gov.ir / beirut.mfa.gov.ir   Hezbollah connection
  venezuela.mfa.gov.ir                     Maduro alliance (disrupted)
  russia.mfa.gov.ir / china.mfa.gov.ir     Strategic partners
  100+ country-specific embassy subdomains

Internal Systems:
  cms.mfa.gov.ir           Content Management System
  cloud.mfa.gov.ir         Cloud Storage
  email.mfa.gov.ir         Email Portal
  webmail.mfa.gov.ir       Webmail Access
  visareq.mfa.gov.ir       Visa Request System
  e_visa.mfa.gov.ir        E-Visa Portal
  appointment.mfa.gov.ir   Appointment System
  econsulate.mfa.gov.ir    E-Consulate System

Mail Servers (from SPF records):
  109.201.11.102
  109.201.11.104

───────────────────────────────────────────────────────────────────────────────
CRIT-07: Hezbollah Russian/Czech Hosting Strategy
───────────────────────────────────────────────────────────────────────────────
Severity: CRITICAL (strategic intelligence)
Status:   CONFIRMED (January 2026)

Finding:
  Deliberate use of Russian and Czech hosting for resilience against Western
  takedowns

MOQAWAMA.ORG.LB (Islamic Resistance):
  Primary: 91.109.206.65     Moscow, Russia (Okay-Telecom, AS199669)
  Backup:  176.74.216.191    Czech Republic (HOST-TELECOM, AS51248)

ALMANAR.COM.LB (Al-Manar TV):
  Primary: 5.35.14.164-166   Moscow, Russia (Selectel)
  Backup:  47.250.57.153     Malaysia (Alibaba Cloud)
  DNS:     ns41-44.cloudns.net (outside US jurisdiction)

Strategy Analysis:
  Russian hosting = protection from Western takedowns
  Multiple countries = infrastructure redundancy
  .lb TLD = outside US legal jurisdiction
  Commercial hosting, not state infrastructure

───────────────────────────────────────────────────────────────────────────────
CRIT-08: Government ASN Ownership (6 Identified)
───────────────────────────────────────────────────────────────────────────────
Severity: CRITICAL (attribution intelligence)
Status:   CONFIRMED

  ASN        Owner                                   Used By
  ─────────  ──────────────────────────────────────  ─────────────────
  AS34592    Iranian Presidential Administration     president.ir
  AS29079    IRNA (News Agency)                      irna.ir network
  AS24631    Tose'h Fanavari Ertebabat Pasargad      mfa.gov.ir
  AS48434    Tebyan-e-Noor Cultural Institute        mail.khamenei.ir
  AS200554   Dade Pardaz Kimia Pouyesh               khamenei.ir
  AS57986    Sigma IT Infrastructures Dev Co.        khamenei.ir mail

  Primary CDN: AS205585 ArvanCloud, fronting ALL major gov sites
  → Single point of failure for regime web presence

───────────────────────────────────────────────────────────────────────────────
CRIT-09: ALMANAR.COM.LB — WordPress Debug Log Exposed
───────────────────────────────────────────────────────────────────────────────
Severity: CRITICAL
Status:   STILL LIVE (February 2026)
Target:   almanar.com.lb (Al-Manar TV — Hezbollah)

Finding:
  WordPress debug.log publicly accessible at:
    https://almanar.com.lb/wp-content/debug.log
  Dumped: 100 KB → DUMP_2_25/almanar/debug.log

  WordPress writes this file when WP_DEBUG_LOG is enabled. Leaving that on in
  production, with no web-server rule blocking wp-content/debug.log, is the
  underlying misconfiguration; everything below follows from it.

Intelligence Extracted:
  Server path:      /home/manarnet/public_html/
  Hosting user:     manarnet
  Custom theme:     ar-manar (with framework subdirectory)
  Security plugin:  hide_my_wp (active, trying to hide the WordPress identity)
  Debug plugin:     debug-bar (left active in production!)
  WordPress:        6.7.0+ (based on deprecation messages)
  PHP version:      8.x+ (typed parameter errors)

Theme Files Exposed:
  wp-content/themes/ar-manar/framework/functions/manar-functions.php
  wp-content/themes/ar-manar/framework/functions/theme-functions.php
  wp-content/themes/ar-manar/single.php

MySQL Connection Failure Logged:
  [06-Oct-2025 09:25:13 UTC] mysqli_real_connect(): (HY000/2002): No such file or directory

Error Timeline: April 2025 — October 2025 (months of uncleared logs)

════════════════════════════════════════════════════════════════════════════════
IV. HIGH-SEVERITY FINDINGS
════════════════════════════════════════════════════════════════════════════════

───────────────────────────────────────────────────────────────────────────────
HIGH-01: ENGLISH.ALAHEDNEWS.NEWS — .git Directory Suspected (403 on all dotfiles)
───────────────────────────────────────────────────────────────────────────────
Severity: HIGH
Status:   403 on every .git path; existence NOT confirmed
Target:   english.alahednews.news (Al-Ahed News — Hezbollah)

Finding:
  All .git paths return 403, whereas a non-existent path (package.json)
  returns 404. The session recorded this as confirmation of a git repository
  deployed to the production server.

HTTP Response Mapping:
  .git/HEAD              → 403
  .git/config            → 403
  .git/COMMIT_EDITMSG    → 403
  .git/description       → 403
  .git/info/refs         → 403
  .git/packed-refs       → 403
  .git/logs/HEAD         → 403
  .htaccess              → 403
  composer.json          → 403
  .gitignore             → 403
  wp-content/debug.log   → 403
  package.json           → 404 (doesn't exist)
  wp-json/               → 404
  wp-login.php           → 404

Caveat: the 403/404 differential is suggestive, not conclusive. Every dotfile
probed (.git/*, .htaccess, .gitignore) returned 403, which is exactly what a
blanket web-server rule denying paths that begin with "." produces whether or
not the file exists (Apache <FilesMatch "^\."> or nginx "location ~ /\."
patterns). The comparison path used, package.json, is not a dotfile, so it
does not control for such a rule. The proper control is a dotfile path that
cannot exist (for example /.nonexistent/HEAD): if it also returns 403, the
.git result carries no information. composer.json returning 403 while
package.json returns 404 is the stronger indicator, since it is not a dotfile,
but that too could be a filename-specific deny rule.

Sitemap reveals internal domain:
  english.alahedlb.inf* (truncated — possibly internal development hostname)

───────────────────────────────────────────────────────────────────────────────
HIGH-02: KHAMENEI.IR — 41 Subdomains + Full Infrastructure Map
───────────────────────────────────────────────────────────────────────────────
Severity: HIGH
Status:   CONFIRMED

Subdomains Discovered (41):
  Language Portals (14):
    farsi, english, arabic, french, spanish, russian, urdu, hindi, azeri,
    indonesian, japanese, turkish, hausa, swahili
  CDN Nodes (10):
    cdn-farsi, cdn-english, cdn-arabic, cdn-french, cdn-spanish, cdn-russian,
    cdn-urdu, cdn-hindi, cdn-azeri, cdn-nojavan
  Data Center CDN (4):
    idc0-cdn0, idc0-cdn1, idc0-cdn4, idc0-cdn5
  Live Streaming (5):
    live1, live2, live3, live4, live5
  Special:
    admin.english.khamenei.ir        ADMIN PORTAL (see CRIT-03)
    virastar.nojavan.khamenei.ir     Editor tool (youth section)
    gaame2.khamenei.ir               Games section
    mail.khamenei.ir                 Mail server
    doran.khamenei.ir                Unknown function
    enghelab.khamenei.ir             "Revolution" section
    s2.khamenei.ir, s13.khamenei.ir  Static servers
    nojavan.khamenei.ir              Youth portal

IP Mapping (17 IPs):
  5.160.10.200-202       Primary servers (Tehran, AS200554)
  81.12.39.67-238        Streaming/CDN (Respina, AS42337)
  94.232.173-174.x       Mail infrastructure (Tebyan-e-Noor, AS48434)
  185.143.234.x          ArvanCloud CDN
  217.218.67.226-227     Additional servers

DNS Infrastructure:
  ns1/ns2.nashridc.ir    Primary nameservers
  ns1/ns2.nashridc.com   Secondary nameservers

CMS: www.nastooh.ir (Iranian CMS platform)
SSL: Let's Encrypt wildcard cert (*.khamenei.ir)

───────────────────────────────────────────────────────────────────────────────
HIGH-03: IRNA.IR — 50 Subdomains + Network Topology
───────────────────────────────────────────────────────────────────────────────
Severity: HIGH
Status:   CONFIRMED

Key Subdomains:
  kateb.irna.ir     → 10.30.41.85     (PRIVATE IP LEAK — see CRIT-01)
  remote.irna.ir    → 217.25.58.101   (Remote access)
  mail.irna.ir      → 217.25.48.34    (Mail server)
  gallery.irna.ir   → Image gallery
  sky.irna.ir       → Streaming
  tahrir.irna.ir    → Editorial
  rs1/rs2.irna.ir   → Server farms

───────────────────────────────────────────────────────────────────────────────
HIGH-04: TASNIMNEWS.COM — Self-Hosted Matomo Analytics
───────────────────────────────────────────────────────────────────────────────
Severity: HIGH
Status:   ACTIVE (403 — IP restricted)
Target:   tasnimnews.com (IRGC-affiliated)

Finding:
  analytics.tasnimnews.com — Self-hosted Matomo (formerly Piwik)
  Returns 403 Forbidden (access restricted, likely IP-allowlisted)

Intelligence Value (if access were obtained; none was):
  Detailed visitor analytics for an IRGC news outlet
  User demographics, locations, reading patterns
  Referrer sources, device fingerprints

Also Uses Google:
  GTM: GTM-PZ3N9B8
  GA4: G-MGYZR3Q3BS

───────────────────────────────────────────────────────────────────────────────
HIGH-05: FARSNEWS.IR — Service Worker Exposes Tech Stack
───────────────────────────────────────────────────────────────────────────────
Severity: HIGH
Status:   CONFIRMED

Finding:
  https://farsnews.ir/service-worker.js is publicly accessible
  Reveals the complete frontend technology stack

Frameworks Identified:
  Workbox (Google's service worker library)
  Capacitor (hybrid mobile app framework)
  MessagePack (binary serialization)

CSP Header Reveals Connections:
  api.farsnews.ir                 Main API
  og.farsnews.ir                  Open Graph service
  cdn.farsnews.ir                 CDN
  stream01-03.farsnews.ir         Streaming
  h.r1-edge-v2.s3mer.net          External CDN edge
  live.cdn.asset.aparat.com       Iranian video platform
  capacitor://localhost           Mobile app framework
  native-removal.triboon.net      Iranian ad network

───────────────────────────────────────────────────────────────────────────────
HIGH-06: MOQAWAMA.ORG.LB — Full Site Structure Mapped
───────────────────────────────────────────────────────────────────────────────
Severity: HIGH
Status:   CONFIRMED

12 Subdomains (selection):
  moqawama.org.lb            Main portal (Arabic)
  video.moqawama.org.lb      Video archive
  audio.moqawama.org.lb      Audio library
  gallery.moqawama.org.lb    Photo gallery
  games.moqawama.org.lb      Propaganda games
  july2006.moqawama.org.lb   2006 war archive

Exposed Endpoints:
  /chahid.php               Martyrs database
  /fimisil.php              Military operations
  /leadership.php           Leadership info
  /history.php              Organization history
  /structure.php            Org structure
  /essaydetails.php?eid=    Articles (sequential IDs 41800-42010+)
  /guestbook.php            Guest book
  /mailinglist.php          Email signup

Email OPSEC Failure:
  games@moqawama.org — uses the SEIZED .org domain, not .org.lb, so mail to
  this address is routed to whatever MX the seizing party now controls, or
  fails outright

───────────────────────────────────────────────────────────────────────────────
HIGH-07: EXIF Metadata — Hezbollah Graphics Attribution
───────────────────────────────────────────────────────────────────────────────
Severity: HIGH
Status:   CONFIRMED

  File        Software                  Edit Timestamp
  ──────────  ────────────────────────  ─────────────────────
  1679.jpg    Adobe Photoshop 7.0       2023-04-15 15:27:26
  1713.jpg    Adobe Photoshop 7.0       2023-05-31 07:13:38
  1808.jpg    Photoshop CS6 (Win)       2014-07-22 16:07:36
  1833.jpg    Photoshop CS6 (Win)       2024-01-22 14:34:12

Analysis:
  Photoshop 7.0 (2002) — 22+ years old, likely pirated
  Photoshop CS6 (2012) — last non-subscription version
  Multiple files plausibly from the same workstation (same software build)
  Timestamps consistent with Beirut working hours (GMT+2/+3)

Caveat: EXIF ModifyDate carries no timezone unless the OffsetTime* tags are
also present, so the working-hours observation assumes the workstation clock
was set to local time. Whether offset tags were present was not recorded.

───────────────────────────────────────────────────────────────────────────────
HIGH-08: WhatsApp OPSEC Failure — Editorial Workflow Exposed
───────────────────────────────────────────────────────────────────────────────
Severity: HIGH
Status:   CONFIRMED

Finding:
  Original WhatsApp filename preserved on news site:
    "WhatsApp Image 2025-12-13 at 9.50.45 AM.jpeg"
  Location: english.alahednews.com.lb

Analysis:
  Staff upload directly from WhatsApp without renaming
  Reveals internal communication patterns (WhatsApp for content sharing)
  The filename timestamp is the local time at which the receiving device
  saved the image
  Editorial workflow lacks a content review pipeline

════════════════════════════════════════════════════════════════════════════════
V. MEDIUM-SEVERITY FINDINGS
════════════════════════════════════════════════════════════════════════════════

───────────────────────────────────────────────────────────────────────────────
MED-01: KHAMENEI.IR — jQuery 1.6.2 (Known Vulnerabilities)
───────────────────────────────────────────────────────────────────────────────
Finding:
  jQuery 1.6.2 (2011) on the Supreme Leader's website
  Known XSS vulnerabilities in this version (e.g. CVE-2012-6708, selector
  XSS via location.hash, fixed in 1.9.0; further issues fixed in 3.4/3.5)
  Missing: Content-Security-Policy, Referrer-Policy headers

───────────────────────────────────────────────────────────────────────────────
MED-02: KHAMENEI.IR — Google Analytics on Supreme Leader's Site
───────────────────────────────────────────────────────────────────────────────
Properties:           UA-6238962-2, G-8MVZ1HLJT0
Google Verification:  FrS79LKnklz_7cQGdeYYR5RW-gtYz2sm3JWIVWo24W0
Shows the Supreme Leader's office uses Google services despite anti-Western
rhetoric

───────────────────────────────────────────────────────────────────────────────
MED-03: Microsoft Clarity Recording on Hezbollah and Iranian Sites
───────────────────────────────────────────────────────────────────────────────
almanar.com.lb:   Clarity IDs cgaike4iub, cs22bibpe3
mehrnews.com:     Clarity ID o2z34ibfin
Microsoft records full
user sessions (heatmaps, clicks, scrolls) on a designated terrorist
organization's media site (almanar.com.lb) and on an Iranian state outlet
(mehrnews.com)

───────────────────────────────────────────────────────────────────────────────
MED-04: ILNA.IR — Admin Path Disclosure
───────────────────────────────────────────────────────────────────────────────
robots.txt reveals:
  Disallow: /fa/admin/*
  Disallow: /en/admin/*
  Disallow: /ar/admin/*
Multi-language admin paths indicated (Farsi, English, Arabic). robots.txt
lists them; it does not by itself confirm they are live.

───────────────────────────────────────────────────────────────────────────────
MED-05: ArvanCloud WAF — Universal Iranian Gov Protection
───────────────────────────────────────────────────────────────────────────────
All major .ir gov/university sites serve an HTML catch-all page for every path
Confirmed domains: president.ir, dolat.ir, irna.ir, isna.ir, ido.ir, ut.ac.ir
Automated path scanning from clearnet therefore produces only false positives
Real responses were obtained only via Tor exits or by requesting known valid
paths

════════════════════════════════════════════════════════════════════════════════
VI. LOW / INFORMATIONAL FINDINGS
════════════════════════════════════════════════════════════════════════════════

───────────────────────────────────────────────────────────────────────────────
INFO-01: US DOJ Domain Seizures — Ineffective Against .lb
───────────────────────────────────────────────────────────────────────────────
13 Hezbollah domains seized by EDVA under IEEPA:
  moqawama.org, almanarnews.org, manarnews.org, almanar-tv.org, alshahid.org,
  + 8 additional
.lb alternatives remain FULLY OPERATIONAL:
  moqawama.org.lb, almanar.com.lb, alahednews.com.lb
The Lebanese .lb registry (LBDR, run at the American University of Beirut) is
outside US jurisdictional reach. Content 100% available.
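The checks behind CRIT-01, CRIT-02, CRIT-03 and HIGH-03 (an RFC1918 address published in an external zone, hostname labels that betray internal naming conventions, and grouping public hosts by /24 to recover the layout) reduce to one review pass over the hostname→address map that crt.sh and DNS enumeration produce. The following Python is an added example written for this report; it is not part of the Huntr scanner or of any tool the sessions used. The record set is constructed (example.ir names, TEST-NET-3 addresses, one RFC1918 address standing in for the kateb case), and the list of sensitive labels is an editor's assumption to be extended per target.

```python
"""Review a hostname -> address map for the DNS leak classes reported above.

Added example for this report; not part of the Huntr scanner or any tool the
sessions used. SAMPLE_RECORDS is constructed: example.ir names, TEST-NET-3
addresses, and one RFC1918 address standing in for the kateb.irna.ir case.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what crt.sh + DNS enumeration hands back (name -> A record).
SAMPLE_RECORDS = {
    "www.example.ir": "203.0.113.10",
    "mail.example.ir": "203.0.113.34",
    "kateb.example.ir": "10.30.41.85",                 # RFC1918 address in public DNS
    "r1.vpn.minister.local.example.ir": "203.0.113.201",
    "admin.english.example.ir": "203.0.113.11",
    "rs1.example.ir": "203.0.113.77",
    "rs2.example.ir": "203.0.113.78",
    "remote.example.ir": "203.0.113.101",
}

# Ranges that must never appear in an external zone (checked explicitly rather
# than via ipaddress.is_private, which also flags the TEST-NET documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Labels that mark internal or privileged roles (editor's assumption; extend per target).
SENSITIVE_LABELS = {
    "admin", "vpn", "remote", "local", "internal", "intranet", "dev",
    "staging", "test", "cms", "webmail", "cp",
}
# Numbered node labels such as r1, rs2, s13 hint at clusters of similar hosts.
NUMBERED_NODE = re.compile(r"(r|rs|s)\d+")


def classify_address(ip_text):
    """Return 'rfc1918', 'non-routable' or 'public' for one address string."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in NON_ROUTABLE):
        return "non-routable"
    return "public"


def sensitive_labels(hostname):
    """Return the hostname labels that look internal or privileged, left to right."""
    return [
        label for label in hostname.lower().split(".")
        if label in SENSITIVE_LABELS or NUMBERED_NODE.fullmatch(label)
    ]


def review_records(records):
    """Flag leaks and group every host by its /24 to recover the network layout."""
    findings = []
    blocks = defaultdict(list)
    for host, ip_text in records.items():
        kind = classify_address(ip_text)
        labels = sensitive_labels(host)
        if kind != "public":
            findings.append((host, ip_text, f"{kind} address in public DNS"))
        elif labels:
            findings.append((host, ip_text, "sensitive label(s): " + ",".join(labels)))
        block = ipaddress.ip_network(f"{ip_text}/24", strict=False)
        blocks[str(block)].append(host)
    return {"findings": findings, "blocks": dict(blocks)}


if __name__ == "__main__":
    result = review_records(SAMPLE_RECORDS)
    for host, ip_text, why in result["findings"]:
        print(f"{host:40} {ip_text:16} {why}")
    print()
    for block, hosts in sorted(result["blocks"].items()):
        print(f"{block:18} {', '.join(sorted(hosts))}")
```

The /24 grouping is what turns a flat subdomain list into the "10.30.41.x editorial, 217.25.58.x remote access" style topology table in CRIT-01; run it over the real enumeration output and the blocks with several role-bearing labels are the ones worth a closer look. The same function serves a defender auditing their own external zone before an adversary does.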
───────────────────────────────────────────────────────────────────────────────
INFO-02: Hezbollah Social Media Accounts
───────────────────────────────────────────────────────────────────────────────
Moqawama:  @almoqawama1 (Twitter), MoqawamaOrg (YouTube)
Al-Ahed:   @English_AlAhed (Twitter), t.me/Eng_ahed (Telegram)
Al-Manar:  GTM container links almanar.com.lb, almanartv.com.lb, manartv.com.lb

───────────────────────────────────────────────────────────────────────────────
INFO-03: Hezbollah Email Discovery
───────────────────────────────────────────────────────────────────────────────
info@moqawama.org.lb    Main contact
games@moqawama.org      Uses SEIZED domain (OPSEC failure)

───────────────────────────────────────────────────────────────────────────────
INFO-04: PHP Session Identifiers Observed
───────────────────────────────────────────────────────────────────────────────
PHPSESSID:       83d0d0dde0bdea9c508fb780f5e22330 (moqawama.org.lb)
sec_session_id:  78278a485df2a5807e6d9c45158a989e (audio.moqawama.org.lb)
sec_session_id:  d0130803e2bad19514db5f13679dbd1f (gallery.moqawama.org.lb)
cookiesession1:  678B286B29F37FAC96F0F1CB00C133DC (farsnews.ir)

These are the session identifiers issued to the scanner's own unauthenticated
client, not tokens belonging to other users. They confirm PHP session handling
on the moqawama hosts and a custom session cookie on farsnews.ir, and nothing
more.

───────────────────────────────────────────────────────────────────────────────
INFO-05: Robots.txt Intelligence — Iranian News Sites
───────────────────────────────────────────────────────────────────────────────
defapress.ir:       Sitemap exposed
tabnak.ir:          Sitemap exposed
mashreghnews.ir:    Disallow /search
yjc.ir:             Sitemap exposed
khabaronline.ir:    Disallow /print/, /link/, /search
shana.ir:           Disallow /print/
iribnews.ir:        Sitemap exposed
icana.ir:           Custom captcha system (sncaptcha.jpg)

───────────────────────────────────────────────────────────────────────────────
INFO-06: PRESIDENT.IR & DOLAT.IR — Obfuscated Anti-Bot
───────────────────────────────────────────────────────────────────────────────
Uses ArvanCloud anti-bot scripts: __arcsjs, __arcsjsc
Timezone detection (Tehran/Iran)
Heavy JavaScript obfuscation with eval()
Cookie-based validation before serving content

════════════════════════════════════════════════════════════════════════════════
VII. HEZBOLLAH INFRASTRUCTURE ANALYSIS
════════════════════════════════════════════════════════════════════════════════

DOMAIN STRUCTURE:

  MOQAWAMA NETWORK (Apache + PHP):
  ├── moqawama.org.lb                Main portal (Arabic)
  │   ├── video.moqawama.org.lb      Video archive
  │   ├── audio.moqawama.org.lb      Audio library
  │   ├── gallery.moqawama.org.lb    Photo gallery
  │   ├── games.moqawama.org.lb      Propaganda games
  │   └── july2006.moqawama.org.lb   2006 war archive
  │
  ├── moqawama.org                   SEIZED BY US DOJ
  │
  └── alahednews.news                News (migrated from .com.lb)
      └── english.alahednews.news    (.git paths return 403; existence not
                                      confirmed, see HIGH-01)

  AL-MANAR NETWORK (nginx — separate infrastructure):
  └── almanar.com.lb                 Al-Manar TV (WordPress)
      └── english.almanar.com.lb     English edition

  AL-NOUR RADIO:
  └── alnour.com.lb                  Hezbollah radio

HOSTING STRATEGY:

  ┌──────────────────────┬────────────────────┬──────────────────────┐
  │ Site                 │ Primary            │ Backup               │
  ├──────────────────────┼────────────────────┼──────────────────────┤
  │ moqawama.org.lb      │ Moscow (Okay-Tel.) │ Czech (HOST-TELECOM) │
  │ almanar.com.lb       │ Moscow (Selectel)  │ Malaysia (Alibaba)   │
  │ alahednews.news      │ Unknown            │ Unknown              │
  │ alnour.com.lb        │ Unknown            │ Unknown              │
  └──────────────────────┴────────────────────┴──────────────────────┘

TECH STACKS:

  ┌──────────────────────┬──────────┬──────────┬──────────────────────┐
  │ Site                 │ Server   │ Backend  │ CMS                  │
  ├──────────────────────┼──────────┼──────────┼──────────────────────┤
  │ moqawama.org.lb      │ Apache   │ PHP      │ Custom               │
  │ almanar.com.lb       │ nginx    │ PHP      │ WordPress 6.7+       │
  │ english.almanar      │ nginx    │ PHP      │ WordPress            │
  │ alahednews.news      │ Apache   │ PHP      │ Custom (.git 403)    │
  │ alnour.com.lb        │ Unknown  │ Unknown  │ Unknown              │
  └──────────────────────┴──────────┴──────────┴──────────────────────┘

ALMANAR.COM.LB WORDPRESS DETAILS:
  Server path:     /home/manarnet/public_html/
  Theme:           ar-manar (custom with framework)
  Plugins:         hide_my_wp, debug-bar
  WordPress:       6.7.0+
  debug.log:       EXPOSED (100KB dumped)
  admin-ajax.php:  Allowed in robots.txt
  WP REST API:     Hidden by hide_my_wp plugin

════════════════════════════════════════════════════════════════════════════════
VIII. IRANIAN GOVERNMENT INFRASTRUCTURE
════════════════════════════════════════════════════════════════════════════════

NETWORK ARCHITECTURE:

  ┌─────────────────────────────────────────────────────────────────────┐
  │  ArvanCloud CDN (AS205585)                                          │
  │  Single point of failure for regime web presence                    │
  │                                                                     │
  │  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐              │
  │  │ president.ir │  │   dolat.ir   │  │  mfa.gov.ir  │  + ALL major │
  │  │   AS34592    │  │  (cabinet)   │  │   AS24631    │    .ir sites │
  │  └──────────────┘  └──────────────┘  └──────────────┘              │
  └─────────────────────────────────────────────────────────────────────┘

  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐
  │ khamenei.ir  │  │   irna.ir    │  │ farsnews.ir  │
  │  AS200554    │  │   AS29079    │  │  ninja svr   │
  │ nashridc.ir  │  │  10.30.41.x  │  │ APK exposed  │
  │ nashridc.com │  │  (leaked)    │  │  Capacitor   │
  └──────────────┘  └──────────────┘  └──────────────┘

IRANIAN SITE TECH STACKS:

  ┌──────────────────┬──────────┬──────────────────────────────────┐
  │ Site             │ Server   │ Notable                          │
  ├──────────────────┼──────────┼──────────────────────────────────┤
  │ khamenei.ir      │ nginx    │ HTTP 445 custom, jQuery 1.6.2    │
  │ president.ir     │ ArvanCDN │ JS obfuscation, anti-bot         │
  │ irna.ir          │ ArvanCDN │ Private IP leak, 50+ subdomains  │
  │ mfa.gov.ir       │ ArvanCDN │ VPN name exposed, 182 subdomains │
  │ farsnews.ir      │ ninja    │ REST API, MessagePack, Capacitor │
  │ tasnimnews.com   │ IIS      │ Self-hosted Matomo analytics     │
  │ presstv.ir       │ nginx    │ ASP.NET Core, US CDN edge        │
  │ mehrnews.com     │ nginx    │ Microsoft Clarity tracking       │
  │ defapress.ir     │ nginx    │ Legacy cache headers (1997!)     │
  │ aeoi.org.ir      │ —        │ 500 Internal Server Error        │
  └──────────────────┴──────────┴──────────────────────────────────┘

════════════════════════════════════════════════════════════════════════════════
IX. TRACKING & ANALYTICS INTELLIGENCE
════════════════════════════════════════════════════════════════════════════════

COMPLETE TRACKING ID DATABASE:

  ┌────────────────────┬───────────────┬─────────────────┬────────────────┬───────────────────────┐
  │ Site               │ GTM           │ GA (UA)         │ GA4            │ Other                 │
  ├────────────────────┼───────────────┼─────────────────┼────────────────┼───────────────────────┤
  │ almanar.com.lb     │ GTM-TLJW8TR   │ UA-199941297-1  │ G-JJ1SM3JFZW   │ Clarity: cgaike4iub   │
  │                    │               │                 │                │ Clarity: cs22bibpe3   │
  │                    │               │                 │                │ Clicky: 101369727     │
  │ moqawama.org.lb    │ —             │ —               │ G-Z8F3HPDSWG   │ —                     │
  │ khamenei.ir        │ —             │ UA-6238962-2    │ G-8MVZ1HLJT0   │ —                     │
  │ tasnimnews.com     │ GTM-PZ3N9B8   │ —               │ G-MGYZR3Q3BS   │ Matomo (self-hosted)  │
  │ presstv.ir         │ —             │ —               │ G-F359E8PMME   │ —                     │
  │ mehrnews.com       │ —             │ —               │ G-ERSHRYVTBP   │ Clarity: o2z34ibfin   │
  │ defapress.ir       │ —             │ —               │ G-94BW46TZJM   │ —                     │
  │ farsnews.ir        │ —             │ —               │ —              │ Custom (ninja server) │
  └────────────────────┴───────────────┴─────────────────┴────────────────┴───────────────────────┘

GTM LINKED DOMAINS:
  GTM-TLJW8TR → almanar.com.lb, almanartv.com.lb, manartv.com.lb
  GTM-PZ3N9B8 → tasnimnews.com

GOOGLE SITE VERIFICATION TOKENS:
  khamenei.ir:     FrS79LKnklz_7cQGdeYYR5RW-gtYz2sm3JWIVWo24W0
  almanar.com.lb:  uKONEXKPHaKP2TcRviBc_p5xMXtLokVZAV9_wLLFpTg

IRONY: "Anti-Western" regime sites and designated terrorist organizations feed
all visitor data to Google and Microsoft.

════════════════════════════════════════════════════════════════════════════════
X. FINANCIAL INTELLIGENCE (OPEN SOURCE)
════════════════════════════════════════════════════════════════════════════════

HEZBOLLAH ESTIMATED ANNUAL REVENUE: $1 BILLION+
  (Iran IRGC-QF transfers + criminal enterprises)

2025 TREASURY/OFAC ACTIONS:
  Nov 2025:    Exchange houses laundering tens of millions
  Sept 2025:   $10 MILLION REWARD for financial network info
  July 2025:   Financial officials sanctioned
  Mar 2025:    "Finance Team Sanctions Evasion Network" targeted
  Jan 2025+:   IRGC-QF transferred $1B+ to Hezbollah

MONEY LAUNDERING:
  Ayman Joumaa Network:  $200M/MONTH for cartels (8-14% commission)
  Nazem Ahmad Network:   52 entities, 9 countries, diamonds/gems/art
  Digital payments:      Whish Money + OMT wallets in Lebanon

CRIMINAL ENTERPRISES:
  Drug Trafficking (DEA Project Cassandra — cocaine, Captagon)
  Oil Smuggling (via IRGC-QF networks)
  Gold Smuggling (Iran → Turkey via Mahan Air)
  Counterfeiting (US currency, medicine)

GEOPOLITICAL CONTEXT (Jan 2026):
  Venezuela connection SEVERED (Maduro captured Jan 3, 2026)
  Assad regime collapse degraded the Syria financial bridge
  Iran post-war: IRGC commanders killed, nuclear sites struck (June 2025)

════════════════════════════════════════════════════════════════════════════════
XI.
DATA INVENTORY
════════════════════════════════════════════════════════════════════════════════

ROOT: C:\Users\Squir\Desktop\IRAN\

FEBRUARY 2026 SESSION (DUMP_2_25/):
──────────────────────────────────────────────────────────────────
  almanar/
    debug.log                             100 KB    WordPress debug log
  huntr-scan.jsonl                        262 B     Scanner output
  khamenei-farsi-json-topticker.json      1.6 KB    API endpoint data
  IRAN-FINDINGS.txt                                 Session findings
  IRAN-COMPLETE-REPORT.txt                          THIS FILE

JANUARY 2026 SESSION (resources/):
──────────────────────────────────────────────────────────────────
  resources/intel/
    NOTABLE_FINDINGS_EXPANDED.txt         471 lines   Detailed analysis
    SUBDOMAIN_INTEL.txt                   323 lines   500+ subdomains
    HASH_COLLECTION.txt                   181 lines   IP geolocation
    IRAN_MASTER_INTEL.txt                 279 lines   Timeline & events
    SITE_FINGERPRINT_INTEL.txt            230 lines   Tracking IDs
    SOURCES.txt                           264 lines   100+ sources
    DOMAIN_SEIZURE_ANALYSIS.txt           251 lines   Jurisdiction analysis
    HEZBOLLAH_FINANCIAL_INTEL.txt         253 lines   Financial operations
    TECH_STRUCTURE.txt                    321 lines   Server infrastructure
    HEZBOLLAH_DATA_DUMP.txt               206 lines   Content dump
    INFRASTRUCTURE_OSINT_DUMP.txt         202 lines   IP/DNS/ASN data
    Iranian_Leadership_OSINT.txt          210 lines   Leadership intel
    NOTABLE_FINDINGS.txt                  360 lines   Key findings
    OSINT_RECON_TOOLKIT.txt               303 lines   Tool documentation
    Total: 3,854 lines of intelligence

  resources/khamenei/
    raw_html/                             244 KB      2 HTML files
    js/                                   93 KB       3 JS files
    intel/KHAMENEI_IR_OSINT_REPORT.txt                Full OSINT report

  resources/hezbollah/
    HTMLs/                                            90+ HTML files
    media/                                            20 images (EXIF preserved)

DATABASES:
──────────────────────────────────────────────────────────────────
  iran_osint.db        SQLite structured data
                       5 persons, 5 organizations, 6 social media accounts
  hash_database.db     21 hash records
  huntr.db             670 domain scan results

PRIOR FINDINGS:
──────────────────────────────────────────────────────────────────
  KEY_FINDINGS.txt                       10 actionable findings
  Iran Pwned/CRITICAL_FINDINGS.txt       17 critical findings + stats
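CRIT-09 and the almanar WordPress details in VII were worked by hand from the 100 KB debug.log listed above: document root, hosting user, theme and plugin names, version hints, database errors and the error timeline. The following Python automates that triage for any WordPress debug.log. It is an added example written for this report, not part of the session toolkit; SAMPLE_LOG is constructed in the format WordPress writes (fictional /home/siteuser docroot, fictional theme name, the real plugin slugs from CRIT-09), and the PHP-version heuristics are editor's assumptions noted inline.

```python
"""Triage a WordPress debug.log the way CRIT-09 was worked by hand.

Added example for this report, not part of the session toolkit. SAMPLE_LOG is
constructed in the exact line format WordPress writes; the docroot and theme
name are fictional. The PHP-version heuristics are assumptions (see PHP_HINTS).
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample. Real logs also carry multi-line stack traces; those lines
# do not match LINE_RE and are counted as "unparsed".
SAMPLE_LOG = """\
[12-Apr-2025 08:01:44 UTC] PHP Deprecated:  Creation of dynamic property Theme_Framework::$options is deprecated in /home/siteuser/public_html/wp-content/themes/custom-theme/framework/functions/theme-functions.php on line 88
[12-Apr-2025 08:01:45 UTC] PHP Notice:  Function _load_textdomain_just_in_time was called <strong>incorrectly</strong>. Translation loading for the <code>debug-bar</code> domain was triggered too early. (This message was added in version 6.7.0.) in /home/siteuser/public_html/wp-includes/functions.php on line 6114
[03-Jun-2025 14:22:09 UTC] PHP Warning:  Undefined array key "thumb" in /home/siteuser/public_html/wp-content/plugins/hide_my_wp/admin/class-admin.php on line 310
[06-Oct-2025 09:25:13 UTC] PHP Warning:  mysqli_real_connect(): (HY000/2002): No such file or directory in /home/siteuser/public_html/wp-includes/class-wpdb.php on line 1982
[06-Oct-2025 09:25:13 UTC] PHP Fatal error:  Uncaught TypeError: count(): Argument #1 ($value) must be of type Countable|array, null given in /home/siteuser/public_html/wp-content/themes/custom-theme/single.php:41
Stack trace:
#0 {main}
"""

# "[dd-Mon-yyyy hh:mm:ss UTC] PHP <Level>:  <message> in <file> on line <n>"
# (fatal errors use "<file>:<n>" instead of "on line").
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC\] "
    r"PHP (?P<level>Deprecated|Notice|Warning|Fatal error|Parse error):\s+"
    r"(?P<msg>.*?)"
    r"(?: in (?P<file>/\S+?)(?: on line |:)(?P<line>\d+))?$"
)
DOCROOT_RE = re.compile(r"^(?P<root>.*?)/(?:wp-content|wp-includes|wp-admin)/")
THEME_RE = re.compile(r"/wp-content/themes/([^/]+)/")
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/]+)/")
# Textdomain slugs named in "doing it wrong" notices are usually plugin/theme slugs.
TEXTDOMAIN_RE = re.compile(r"Translation loading for the <code>([^<]+)</code> domain")
WP_VERSION_RE = re.compile(r"added in version (\d+(?:\.\d+)+)")

# Message fragments that only newer PHP releases emit (editor's assumption, from
# the PHP 8.0 and 8.2 changelogs): the highest matching floor wins.
PHP_HINTS = [
    ("Creation of dynamic property", "8.2"),
    ("must be of type", "8.0"),
    ("Undefined array key", "8.0"),
]


def version_key(version):
    """'6.7.0' -> (6, 7, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def triage_debug_log(text):
    """Return the intelligence a reviewer pulls from a debug.log, as one dict."""
    entries, unparsed = [], 0
    for raw in text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            unparsed += 1
            continue
        entry = match.groupdict()
        entry["when"] = datetime.strptime(entry["ts"], "%d-%b-%Y %H:%M:%S")
        entries.append(entry)

    roots, themes, plugins, wp_versions = set(), set(), set(), set()
    php_min, db_errors = None, []
    for entry in entries:
        path = entry["file"] or ""
        root = DOCROOT_RE.match(path)
        if root:
            roots.add(root.group("root"))
        themes.update(THEME_RE.findall(path))
        plugins.update(PLUGIN_RE.findall(path))
        plugins.update(TEXTDOMAIN_RE.findall(entry["msg"]))
        wp_versions.update(WP_VERSION_RE.findall(entry["msg"]))
        for needle, floor in PHP_HINTS:
            if needle in entry["msg"] and (php_min is None or version_key(floor) > version_key(php_min)):
                php_min = floor
        if "mysqli_real_connect" in entry["msg"]:
            db_errors.append((entry["ts"], entry["msg"]))

    whens = [entry["when"] for entry in entries]
    return {
        "entries": len(entries),
        "unparsed": unparsed,
        "levels": dict(Counter(entry["level"] for entry in entries)),
        "first": min(whens).date().isoformat() if whens else None,
        "last": max(whens).date().isoformat() if whens else None,
        "docroot": sorted(roots),
        "themes": sorted(themes),
        "plugins": sorted(plugins),
        "wp_min_version": max(wp_versions, key=version_key) if wp_versions else None,
        "php_min_version": php_min,
        "db_errors": db_errors,
    }


if __name__ == "__main__":
    for key, value in triage_debug_log(SAMPLE_LOG).items():
        print(f"{key:15} {value}")
```

Feed it the real dump (`triage_debug_log(open("DUMP_2_25/almanar/debug.log").read())`) and the output is the "Intelligence Extracted" block of CRIT-09 plus the first/last timestamps that give the error timeline. The version floors are deliberately conservative: a log can only prove a minimum WordPress or PHP version, never the exact one.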
════════════════════════════════════════════════════════════════════════════════ XII. STATISTICS ════════════════════════════════════════════════════════════════════════════════ SCOPE ───────────────────────────────────────────────── Total domains in target lists: 670 Iranian government/military/media: 609 Hezbollah proxy network: 61 Domains scanned (Huntr automated): 670 Domains manually probed: 40+ FINDINGS ───────────────────────────────────────────────── Total findings: 28 Critical severity: 9 High severity: 8 Medium severity: 5 Low / Informational: 6 INFRASTRUCTURE ───────────────────────────────────────────────── Total subdomains discovered: 500+ khamenei.ir: 41 mfa.gov.ir: 182 irna.ir: 50+ farsnews.ir: 30+ Hezbollah network: 20+ Total unique IPs mapped: 75+ Government ASNs identified: 6 Private IPs leaked: 1 (10.30.41.85) VPN endpoints exposed: 1 Admin portals found: 2 TRACKING & ANALYTICS ───────────────────────────────────────────────── Google Analytics properties: 7 Google Tag Manager containers: 2 Microsoft Clarity projects: 3 Clicky Analytics properties: 1 Google Site Verification tokens: 2 Self-hosted analytics (Matomo): 1 Total tracking IDs: 16 DATA EXTRACTION ───────────────────────────────────────────────── Debug logs dumped: 1 (almanar 100KB) API endpoints with data: 1 (khamenei.link) .git directories confirmed: 1 (alahednews — 403) Session hashes collected: 4 EXIF metadata files: 4 Intelligence reports: 14 files, 3,854 lines HTML files archived: 90+ Media files (with EXIF): 20 JavaScript files analyzed: 3 HEZBOLLAH SPECIFIC ───────────────────────────────────────────────── Active .lb domains: 5 US DOJ seized domains: 13 Email addresses found: 2 Social media accounts: 6+ WordPress debug logs: 1 BLOCKED / INACCESSIBLE ───────────────────────────────────────────────── Domains behind ArvanCloud WAF: 6+ confirmed Domains requiring Tor: 4 (farsnews, moqawama, alahednews.com.lb, APK) SSL handshake failures: 2 (farsnews.ir, dl.farsnews.ir) Connection 
timeouts: 2 (moqawama.org.lb, alahednews.com.lb) ════════════════════════════════════════════════════════════════════════════════ RECOMMENDATIONS ════════════════════════════════════════════════════════════════════════════════ 1. TOR ACCESS (CT 105/106 on Proxmox): - Download farsnews APK for reverse engineering - Full probe of moqawama.org.lb endpoints - Bypass ArvanCloud WAF on .ir government domains - Access alahednews.com.lb (currently times out) 2. .GIT BYPASS (english.alahednews.news): - Path traversal variants on 403-protected .git - Case sensitivity tricks - Alternate git object paths 3. ALMANAR.COM.LB DEEP DIVE: - WP user enumeration via ?author=N - Plugin version detection (hide_my_wp bypass) - Upload directory listing - XMLRPC brute force potential 4. APK REVERSE ENGINEERING: - Once downloaded via Tor, decompile with jadx/apktool - Extract hardcoded API keys, endpoints, secrets - Map authentication flow - Identify device fingerprinting logic 5. REMAINING HEZBOLLAH TARGETS: - jihadbinaa.org.lb (Jihad al-Bina construction arm) - alemdad.net (Emdad Committee charity) - Other .lb domains from target list 6. IRANIAN UNIVERSITIES (.ac.ir): - Often weaker security than government - Subdomain enumeration via crt.sh - Check for exposed research portals, Moodle, etc. ╔══════════════════════════════════════════════════════════════════════════════╗ ║ ║ ║ Generated: 2026-02-25 ║ ║ All data recovered from publicly exposed files and unauthenticated ║ ║ endpoints. No authentication was bypassed or credentials exploited. ║ ║ ║ ║ Sources: crt.sh, DNS records, HTTP headers, robots.txt, JavaScript ║ ║ source analysis, Certificate Transparency logs, EXIF metadata, ║ ║ US Treasury/OFAC/DOJ public records, open-source intelligence. ║ ║ ║ ╚══════════════════════════════════════════════════════════════════════════════╝
