# Fars News Agency (IRGC) — Infrastructure Intelligence

> Probed through Tor via CT105 on Feb 28, 2026
> farsnews.ir is ONLY accessible through Tor (geo-blocks US clearnet)

## Infrastructure Map (from CSP Header)

The Content-Security-Policy header names the hosts the frontend is allowed to load from, which leaked the entire farsnews infrastructure:

| Subdomain | Purpose | Status |
|-----------|---------|--------|
| farsnews.ir | Main frontend (Vue.js PWA) | LIVE (Tor only) |
| api.farsnews.ir | Backend API (MsgPack format) | LIVE, returns 401 Unauthorized |
| cdn.farsnews.ir | Static CDN | LIVE |
| ccdn.farsnews.ir | Secondary CDN | LIVE |
| stream01.farsnews.ir | Streaming server #1 | Unknown |
| stream02.farsnews.ir | Streaming server #2 | Unknown |
| stream03.farsnews.ir | Streaming server #3 | Unknown |
| og.farsnews.ir | Open Graph image service | LIVE, returns 400 without params |
| dl.farsnews.ir | Downloads (APK) | LIVE |
| trace.farsnews.ir | **Self-hosted Matomo analytics** | LIVE (login page exposed) |
| media.farsnews.ir | Media assets | Unknown |
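
Site owners can read their own policy the same way to see which hosts it discloses. The sketch below is an added example, not part of the original notes; the header value, the `example.test` hostnames and the function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample policy (not the header observed on the page).
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-abc123' https://cdn.example.test https://trace.example.test; "
    "img-src 'self' data: https://cdn.example.test https://og.example.test *.example.test; "
    "media-src https://stream01.example.test:8443 blob:; "
    "connect-src https://api.example.test wss://api.example.test/ws; "
    "sandbox allow-scripts; "
    "report-uri https://trace.example.test/csp"
)

# Directives whose values are not source expressions or URLs.
NON_SOURCE = {"sandbox", "report-to", "trusted-types", "require-trusted-types-for",
              "upgrade-insecure-requests", "block-all-mixed-content"}

def host_of(source):
    """Return the hostname in a CSP source expression, or None for keywords and schemes."""
    if source.startswith("'") or source == "*":
        return None                      # 'self', 'nonce-...', 'sha256-...', bare wildcard
    if source.endswith(":") and "/" not in source:
        return None                      # scheme-source such as data: or blob:
    if "://" not in source:
        source = "//" + source           # host-source written without a scheme
    return urlsplit(source).hostname     # drops scheme, port and path

def disclosed_hosts(csp):
    """Map every hostname named in the policy to the directives that mention it."""
    hosts = defaultdict(set)
    for directive in csp.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() in NON_SOURCE:
            continue
        for value in tokens[1:]:
            host = host_of(value)
            if host:
                hosts[host].add(tokens[0].lower())
    return {h: sorted(d) for h, d in sorted(hosts.items())}

def review(csp, intended_public):
    """Hosts the policy names that the owner did not mean to advertise."""
    return {h: d for h, d in disclosed_hosts(csp).items() if h not in intended_public}

if __name__ == "__main__":
    for host, directives in review(SAMPLE_CSP, {"cdn.example.test"}).items():
        print(f"{host:26} {', '.join(directives)}")
```

Hosts that only need to be reachable from the backend, such as an analytics login or a reporting endpoint, are candidates for moving behind a same-origin path so they drop out of the policy.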

## APK Download

- **URL:** `https://dl.farsnews.ir/app.apk`
- **Size:** 10,305,416 bytes (10.3 MB)
- **Server:** "ninja" (Nginx fork)
- **Last Modified:** Nov 8, 2025
- **Successfully downloaded through Tor**

### APK Server Headers (Intel)

```
Access-Control-Allow-Headers: X-Token, APPVERSION, X-RFID, X-VERSION,
  Cache-Control, project, token, app-version, api-version,
  accept-language, duid, platform, os, x-requested-with,
  application-type, content-encoding, app-market, app-scope,
  app-scope-tenant
```

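`Access-Control-Allow-Headers` lists the request headers the server accepts on cross-origin calls. Judging by the header names, this reveals the API authentication scheme uses: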
- `X-Token` — authentication token
- `APPVERSION` / `app-version` — version tracking
- `X-RFID` — request fingerprinting/tracking
- `duid` — device unique ID
- `platform` / `os` — client identification
- `app-market` — which app store variant
- `app-scope` / `app-scope-tenant` — multi-tenant architecture

## Self-Hosted Matomo Analytics

**trace.farsnews.ir** runs **Matomo (formerly Piwik)** — self-hosted open-source analytics. This is significant because:
- IRGC-linked news agency tracks its own analytics independently
- No data from this Matomo instance flows to Google/Western analytics providers
- Login page is publicly exposed (potential brute-force vector)

## Content Architecture

- **Frontend:** Vue.js Progressive Web App (PWA) with service worker
- **API:** MsgPack-encoded REST API (api.farsnews.ir)
- **Sitemaps:**
  - Main: `farsnews.ir/sitemap.xml` (1.7 KB)
  - Profiles: 3 profile sitemaps (~568 KB each, last modified Feb 27, 2026)
  - Sections: showcase, TV, campaigns
- **Third-party:** Google Analytics + Google Tag Manager (ironic for IRGC)
- **Video:** Uses Aparat (Iranian YouTube clone) for live streams

## Key Observations

1. **farsnews.ir was actively publishing content as of Feb 27, 2026** (profile sitemaps modified yesterday)
2. **Geo-blocks clearnet but allows Tor** — unusual stance; possibly kept Tor-friendly so that domestic users can access the site via Tor during the internet blackout
3. **Google Analytics on an IRGC propaganda site** — data flowing to US company
4. **3 streaming servers** — significant video/live broadcasting capacity
5. **Multi-tenant API architecture** — suggests the platform serves multiple properties

## Data Dumped

| File | Size | Location |
|------|------|----------|
| farsnews-app.apk | 10.3 MB | CT105:/tmp/ (pending transfer) |
| farsnews-sitemap.xml | 1.7 KB | CT105:/tmp/ |
| farsnews-profiles-001.xml | 568 KB | CT105:/tmp/ |
| farsnews-index.html | 295 KB | CT105:/tmp/ |

---

*Collected: Feb 28, 2026 via Tor (CT105)*
