Work

Selected research, dossiers, and analysis from Digital Impact Lab and our threat intelligence brand, CERTFA. Filter by focus area to find work in a specific domain.

Filter by focus
19 results
2026.06.10 CERTFA Radar

Security Alert: Telegram & WhatsApp “Session-Grabber” Phishing Targeting Iranian Journalists

CERTFA documents a real-time session-hijacking campaign targeting Iranian journalists and civil-society figures using a homoglyph domain (teiegram[.]site, capital “I” for lowercase “l”) to relay live Telegram login codes and harvest 2FA cloud passwords. The operator delivers lures via WhatsApp impersonating known contacts with a “new number,” proposing collaboration or interviews, then relays victims’ one-time codes to Telegram’s authentication system to seize accounts within seconds. CERTFA assesses with moderate-to-high confidence that the operation is conducted by the MOIS-linked Banished Kitten cluster (Storm-0842 / “Dune”), operated via contractor Parsian Afzar Rayan Borna, based on victimology, tradecraft, and native Persian social engineering.

Cyber Operations
2026.06.08 Digital Impact Lab Substack

Traffic Laundering, Part II: How Iran Made Azerbaijan Third in the World for ChatGPT Usage

This analysis extends DIL’s June 2 reporting on Iran’s proxy routing through Delta Telecom (AS29049) in Azerbaijan, documenting four phases of operation correlated with Iranian internet blackouts and restorations from January through May 2026. OpenAI’s Q4 2025 data shows Azerbaijan ranked third globally in per-capita ChatGPT usage, climbing 41 ranking positions over five quarters coinciding with the TIC-Delta Telecom agreement, while OpenAI simultaneously banned hundreds of IRGC-linked accounts, including CyberAv3ngers operators. The routing architecture defeats IP-based sanctions compliance for AI tools explicitly excluded from OFAC General License D-2, presenting Iranian state traffic as Azerbaijani and bypassing geographic blocks that companies like OpenAI and GitHub implement for Iran.

Network Infrastructure
2026.06.02 Digital Impact Lab Substack

Traffic Laundering: Iran’s Azerbaijani Proxy and the Architecture of Controlled Access

Following Iran’s May 26, 2026 internet restoration after a three-month blackout, Cloudflare data revealed Iranian traffic masquerading as Azerbaijani through AS29049 (Delta Telecom Ltd.), enabling both sanctions bypass and granular filtering of Cloudflare-hosted content. MTN Irancell routes connections through two paths: DNS spoofing directing traffic through Hetzner servers in Germany, and SNI proxying through Delta Telecom’s Azerbaijani network for users with custom DNS. A formal April 2025 agreement between Iran’s state backbone operator TIC and Delta Telecom provides government-level structure for this proxy architecture, which grants whitelisted access to sanctioned platforms like OpenAI while enabling connection-level detection of circumvention tools.

Network Infrastructure
2026.05.28 Digital Impact Lab Substack

Iran Digital Pulse: Intranet to Filternet

After 88 days of near-total internet blackout, Iranian officials announced partial restoration on May 26, 2026, with Cloudflare Radar showing traffic reaching only 40% of pre-shutdown levels and 91.6% of restored HTTP requests originating from Tehran. The regime abandoned its failed Internet Pro monetization scheme but maintained the underlying filtering infrastructure blocking Telegram, YouTube, Instagram, and WhatsApp for the general population, while most data centers remained isolated from international peers. Iranian voices rejected official framing of the restoration as a concession, identifying it instead as a tactical shift from intranet to filternet that reset public expectations so heavily filtered connectivity now registers as relief rather than ongoing control.

Network Infrastructure
2026.05.25 Digital Impact Lab Substack

Iran Digital Pulse: Code Against the Blackout

Iranian developers inside the country built dozens of circumvention tools between February 28 and May 25, 2026, exploiting the government’s exemption of Google services from its nationwide internet blackout. Tools disguise traffic as Google requests, tunnel through Google Apps Script and Drive, or use DNS queries as data channels, distributed freely on GitHub with no commercial backing. One project bypasses the internet entirely, broadcasting VPN configs and news via satellite as QR codes readable by any Android phone, funded by direct donations and accessible to tens of millions with existing satellite dishes.

Network Infrastructure
2026.05.21 Digital Impact Lab Substack

Iran Digital Pulse: A Luxury Few Can Afford

StatCounter data documents a 23-percentage-point drop in Android traffic share (86.3% to 66.8%) and near-tripling of iOS share (13.5% to 30.7%) in Iran between February and April 2026, indicating that the internet blackout economically filtered users by forcing reliance on costly VPN configs priced up to 300,000 Tomans ($1.5) per gigabyte or state-approved Internet Pro subscriptions. The shift reflects class-based access stratification: iPhone users (wealthier demographics) remained online while tens of millions of Android users (lower-income households) were priced out, with grey-market VPN costs reaching 15 million Tomans ($83) monthly against a statutory minimum wage of approximately $90. The blackout converted internet access from a utility bypassing class barriers into a governable, monetizable commodity available only to those who could afford identity-linked paid tiers or grey-market workarounds.

Network Infrastructure
2026.05.19 Digital Impact Lab Substack

Iran Digital Pulse: The Cybersecurity Debt of a Blackout

Iran’s 81-day internet shutdown beginning February 28, 2026, severed all standard update paths for Android, iOS, Windows, macOS, and Linux systems, leaving devices and servers unpatched against over 100 vulnerabilities disclosed during that period, including CVE-2026-28950 (iOS notification retention) and CVE-2026-42945 (18-year nginx heap overflow, CVSS 9.2). Organizations with Internet Pro partial connectivity now operate heterogeneous networks where unpatched devices serve as lateral movement vectors, while Security Operations Centers and Intrusion Detection Systems run on pre-shutdown signature databases. The shutdown compressed the attack surface domestically while degrading the defenses needed to detect internal compromise, inverting the stated security justification.

Cyber Operations
2026.05.15 Digital Impact Lab Substack

Iran Digital Pulse: Education Under Blackout

Documents how Iran’s internet shutdown, beginning February 28, 2026, has dismantled educational infrastructure across primary schools and universities. Based on 117,477 tweets over 77 days, traces cascading damage from disrupted coursework to institutional collapse, private education closures, and widening skill gaps in technical fields. Predicts irreversible losses in educational access that reconnection alone cannot repair, with secondary consequences likely to push skilled workers toward informal economic activities.

Network Infrastructure
2026.05.10 Digital Impact Lab Substack

Iran Digital Pulse: Living Around What’s Missing on Day 72

Documents Iran’s 72-day internet shutdown and how citizens are adapting through expensive VPN configurations and reduced bandwidth consumption, with public discourse shifting from collective protest to private accommodation. Reports sharp price increases for connectivity and widespread loss of access to personal data, email, and cloud services. Online dissent is visibly diminishing as those most affected by the cutoff exhaust financial resources to maintain platform access.

Network Infrastructure
2026.05.06 Digital Impact Lab Substack

Iran Digital Pulse: Day 67 of the Blackout

Documents the economic impact of Iran’s prolonged internet shutdown on tech workers, the introduction of a paid “Internet Pro” tier perceived as a state revenue mechanism, and how the regime has captured the VPN circumvention market. The blackout coincides with reported executions and tightened restrictions on journalists’ international access.

Network Infrastructure
2026.01.16 CERTFA Radar

Security Alert: IranGuard Spyware Campaign

A spear-phishing campaign distributing surveillance malware named IranGuard. Delivered via emails impersonating an Iranian law enforcement intelligence agency. Distributes both Android (APK) and Windows (EXE) variants of the spyware.

Cyber Operations
2026.01.14 CERTFA Radar

Mobile Phone: New Android Surveillance Malware Targeting Persian Speakers

A malicious Android application disguised as a mobile phone utility. Analysis shows a sophisticated surveillance tool with strong indicators linking it to Domestic Kitten (APT-C-50), an Iranian state-backed group associated with the IRGC.

Cyber Operations
2023.07.09 CERTFA Radar

Document.exe: New Malicious Word File by Iranian State-Backed Hackers

Analysis of a malicious Word document containing an OLE object and an AutoOpen macro that decodes obfuscated text and drops a payload onto the victim’s system.

Cyber Operations
2022.09.08 CERTFA Blog

Charming Kitten: “Can We Have A Meeting?”

Important puzzle pieces of Charming Kitten’s cyber espionage operations. Documents APT42 phishing campaigns running since late 2021, including infrastructure indicators and social engineering patterns used against Iranian and foreign targets.

Cyber Operations
2021.01.08 CERTFA Blog

Charming Kitten’s Christmas Gift

During the Christmas holidays and the beginning of the new year, the Charming Kitten group began a targeted phishing campaign of espionage against different individuals to collect information.

Cyber Operations
2020.01.30 CERTFA Blog

Fake Interview: The New Activity of Charming Kitten

A new series of phishing attacks from Charming Kitten targeting journalists and political and human rights activists. Documents the fake-interview social engineering vector and connects it to previously reported activity by ClearSky and Microsoft.

Cyber Operations
2019.05.28 CERTFA Blog

Weaponizing of Google Cloud Storage for Phishing Attacks

A mass-distributed general phishing campaign that has managed to evade the anti-spam systems of email service providers by hosting phishing kits on Google Cloud Storage. Documents how attackers use trusted-service URLs to bypass automated defenses.

Cyber Operations
2018.12.13 CERTFA Blog

The Return of The Charming Kitten

A review of the latest wave of organized phishing attacks by Iranian state-backed hackers. Documents the campaign targeting individuals involved in economic and military sanctions against Iran, alongside politicians, activists, and journalists.

Cyber Operations
2018.08.04 CERTFA Blog

PushIran.DL Malware Family

The botnet of fraudulent advertising in Iran. A major network of cyber criminals using malicious Android apps to make money by undermining Iranian users’ privacy and online security. The first Digital Impact Lab/CERTFA report on the PushIran.DL malware family.

Cyber Operations
Stay informed

New analysis arrives when there’s something substantive to say.

Subscribe directly to either publication to receive new work in your inbox. Threat intelligence dossiers and incident reporting on CERTFA Radar; analytical research on the Digital Impact Lab Substack.

Subscribe to CERTFA Radar Subscribe to Digital Impact Lab Substack