Hello!
A fun fact about the author of this missive: my master’s funding was contingent on taking Persian language and area studies courses every semester, one of many (now defunct) Cold War-era programmes intended to create experts to serve national needs. Unfortunately, the most in-depth paper I wrote on Iran had to do with the adoption of the tomato into the national food culture, and my courses focused more on Cyrus than Khamenei, so this background is not especially useful in my day-to-day role at Binding Hook.
Thankfully there are other people writing on the role of Iran in the world of cyber conflict, advanced persistent threats (APTs), and so on.
Shane Harris’s Atlantic story about his relationship with a source in Iranian cyber operations – and that source’s subsequent death – is a fascinating glimpse into the experiences of a US intelligence asset, the internal culture of Iran’s intelligence ministry, and the risks of talking about it.
I hadn’t heard of Parastoo (Persian for ‘swallow’), an Iranian bird-themed counterpart to the anti-Iran hacker group Gonjeshke Darande (‘Predatory Sparrow’), and I was surprised by the details on how much of Iranian intelligence seems to be a family business.
The source, Mohammad Hossein Tajik, claimed Iran had commandeered US drones using commercial satellite networks and that they had given Hezbollah technical information for hacking global financial systems that was traded to North Korea for missiles.
For all the modern technicalities, the tale ends on a devastatingly human note, straight from a Greek tragedy: Mohammad, apparently betrayed by his little brother on the eve of his flight from Iran, is believed to have been killed at home by his own father.
Meanwhile, another recent leak investigation by DomainTools Investigations (DTI) provides even more detail on the people behind Iranian cyber operations. The documents in question, leaked on GitHub in October, show how an Islamic Revolutionary Guard Corps (IRGC)-affiliated group known as APT35 works, including performance reports and workflows as well as targets from Turkey to South Korea and inside Iran.
The impression left is of a formal, hierarchical work environment modelled on military structures. DTI writes that ‘this is not a loose network of freelancers’ as is sometimes imagined in these cases; instead, the leaks ‘dismantle any plausible deniability the actors once held under the IRGC’s institutional cover.’
Researcher Nariman Gharib posted more details about the APT35 leak on his blog, including payroll details – there is a women’s division, and a gendered pay gap – and some deeper analysis of some further documents, including one with handwritten marginalia, a relative rarity in a field more used to revealing code comments.
As someone of a more anthropological bent, I found the details from the DTI report of a conference on the concise and very neutral theme ‘Israel as a fragile mirror reflecting its own internal divisions, social decay, and geopolitical exhaustion’ intriguing. The US and Europe are clearly not the only states prone to internal strategic soul-searching (cf. Matthias Schulze’s analysis of Germany’s cyber posture this time last year) and obsessive rune reading for their adversaries’ imminent collapse.
The IRGC conference apparently also focused on topics of ‘psychological war’, ‘information operations’, and ‘digital sovereignty’. These are all topics that Binding Hook has covered from rather different perspectives, including Monica Kello’s call from this summer for Europe to invest more in cognitive defence against Russia, Anwar Mhajne and Alexandra Trantos’ look at Palestinian and Israeli information operations, and Tobias Liebetrau and Jeppe T. Jacobsen’s exploration of ‘sovereignty-as-a-service’ in the context of the Russian invasion of Ukraine.
At the end of the day, is ‘defensive jihad’ just ‘initiative persistence’ for another audience? Discuss…
Until next month!
Katharine Khamhaengwong
Binding Hook Editor
Read more Binding Hook on Iran:
- Gil Baram and Noya Peer explore the ways Iran and Israel utilised cyber means during the June war.
- In an excerpt from a Virtual Routes report, Aleksandar Milenkoski, Jiro Minier, Julian-Ferdinand Vögele, Max Smeets, and Taylor Grossman detail how Iran uses ransomware to signal strength and retaliate against regional adversaries, especially Israel.
- Anwar Mhajne writes about the ways digital tools have been used domestically in Iran to subjugate women’s rights activists.
- Sujit Raman investigates Iran’s flourishing crypto ecosystem and the ways Tehran uses blockchain to facilitate trade under sanctions.