On 28 October 2025, researcher Nariman Gharib detailed leaked CSV files reportedly tied to Charming Kitten containing domain registrations, hosting activity, payment records, and operational email infrastructure spanning 2023 to 2024, along with references to Iranian telecom blocks and suspected IRGC-aligned procurement channels. The disclosure appears to map core service providers, cryptocurrency-based payments, and active operator accounts used to support phishing and infrastructure rotation.
Analysis: If authentic, these files provide actionable insight into Charming Kitten’s procurement and infrastructure lifecycle, including financial flows and service dependencies that could accelerate attribution, blocking, and proactive disruption. Public exposure of operators, service vendors, and domestic network blocks may pressure Tehran’s cyber units to retool, yet historical behavior suggests Iran will likely maintain tempo and diversify infrastructure rather than cease activity. This case underscores the importance of tracking adversary logistics and payment mechanisms as a means of degrading persistent state-aligned access operations.
A recent Financial Times report revealed that the US has quietly provided intelligence support to enable Ukraine’s long-range strikes on Russian energy infrastructure, representing a significant evolution in the strategic landscape of the war. This isn’t just about Ukraine landing successful drone or missile strikes. It’s about deliberately going after the economic base that keeps Russia’s war machine running.
According to the reporting, US intelligence has played a central role in shaping Ukraine’s route planning, timing, and target prioritization. This has allowed Ukrainian forces to bypass layers of Russian air defense and strike energy assets far beyond the frontline. Over the last few months, at least 16 of Russia’s 38 oil refineries have been hit, disrupting more than one million barrels per day of refining capacity. These strikes have forced Moscow to cut diesel exports and rely more on imports, tightening supply chains across sectors vital to its economy and military.
Flames and smoke rise from a Russian oil refinery after a Ukrainian drone strike in October 2025, part of a US-backed campaign targeting energy infrastructure. Source: The Moscow Times
The operation points to a deliberate shift in US strategy. Rather than direct military engagement, the US appears to be enabling Ukraine to impose economic costs through precision strikes on energy infrastructure. These assets are crucial to financing and sustaining Russian military operations. By degrading this capacity, Ukraine is eroding the Kremlin’s ability to wage a prolonged war.
The timing is notable, too. The escalation in intelligence sharing reportedly followed a July conversation between President Donald Trump and President Volodymyr Zelenskyy, signaling a change in Washington’s willingness to support deeper strikes. This is a departure from earlier caution and marks a move toward indirect pressure on Moscow rather than direct escalation.
The operational implications are just as significant. Ukraine has combined improved domestic drone production with high-quality targeting data to achieve strategic effects once reserved for major powers. This model of intelligence-enabled, long-range strikes highlights how modern warfare increasingly relies on precision, adaptability, and economic disruption rather than massed forces alone.
In the months ahead, Russia is likely to face mounting financial pressure as repeated strikes force expensive repairs, disrupt production cycles, and strain export revenue. Even if individual facilities recover, the cumulative effect of sustained targeting will weaken Moscow’s economic resilience. This campaign is designed to shift the balance through systemic pressure on the Kremlin’s capacity to sustain its war.
On 3 October 2025, GreyNoise reported a ~500% increase in unique IPs scanning Palo Alto Networks GlobalProtect/PAN-OS login portals, the highest level in 90 days; open-source coverage between 4–8 October corroborated elevated reconnaissance volumes and noted US-heavy scanning with additional clusters hitting Pakistan. In parallel, Cisco has warned of a large-scale brute-force campaign against VPN, web auth, and SSH services tracked by Talos since 18 March 2024, and with active exploitation of Cisco ASA/FTD VPN web services disclosed 25 September 2025.
Analysis: The GlobalProtect scan spike is highly likely preparatory reconnaissance for credential-stuffing or exploit development rather than noise, based on the scale and concentration GreyNoise reported. It is likely that cross-vendor VPN and portal infrastructure will face elevated probing in the near term given the concurrent, actively exploited Cisco ASA and FTD web-services flaws and the US government’s emergency order on 25 September 2025 requiring agencies to immediately hunt for and mitigate compromise on those Cisco ASA/FTD devices.
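As an added example (not code from the original post, GreyNoise or Cisco), the Python below runs the two checks this reporting calls for over constructed VPN-portal authentication log lines: a jump in unique source IPs against a login portal relative to a baseline window, and failed-login patterns from both a single noisy source and a distributed low-and-slow spray that stays under the per-IP threshold a naive rule would use. The log format, field names, thresholds and IP addresses (documentation ranges) are all assumptions for the example.

```python
"""Added example, not code from the original post, GreyNoise or Cisco.

Two checks the reporting above calls for, run over constructed VPN-portal
authentication logs:
  1. a surge in unique source IPs hitting a login portal versus a baseline
     window (the kind of jump GreyNoise reported for GlobalProtect), and
  2. failed-login patterns: one noisy source, and a distributed spray where
     each source stays under the per-IP threshold.
Log format, field names, thresholds and IPs (documentation ranges) are all
assumptions for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed syslog-like records; not real data.
LOG_BASELINE = [
    "2025-09-01T10:00:00Z portal=globalprotect src=198.51.100.10 user=jdoe result=OK",
    "2025-09-01T10:05:00Z portal=globalprotect src=198.51.100.11 user=asmith result=OK",
    "2025-09-01T10:09:00Z portal=globalprotect src=198.51.100.12 user=jdoe result=FAIL",
]
LOG_CURRENT = [
    # a dozen scanners, one guess each against a default-looking account
    *(f"2025-10-03T10:{i:02d}:00Z portal=globalprotect src=203.0.113.{i} "
      f"user=test result=FAIL" for i in range(1, 13)),
    # a single source hammering 'admin'
    *(f"2025-10-03T10:30:{s:02d}Z portal=globalprotect src=203.0.113.50 "
      f"user=admin result=FAIL" for s in range(6)),
    # low-and-slow spray: three sources, one attempt each, same account
    "2025-10-03T10:40:00Z portal=globalprotect src=203.0.113.60 user=svc_backup result=FAIL",
    "2025-10-03T10:41:00Z portal=globalprotect src=203.0.113.61 user=svc_backup result=FAIL",
    "2025-10-03T10:42:00Z portal=globalprotect src=203.0.113.62 user=svc_backup result=FAIL",
    # a legitimate login in the same window
    "2025-10-03T10:45:00Z portal=globalprotect src=198.51.100.10 user=jdoe result=OK",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal=(?P<portal>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return the record as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_lines(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def unique_source_surge(baseline, current, factor=5.0):
    """Unique source IPs in the current window versus the baseline window.
    Returns (baseline_unique, current_unique, ratio, surge_flag)."""
    base_ips = {e["src"] for e in baseline}
    cur_ips = {e["src"] for e in current}
    ratio = len(cur_ips) / len(base_ips) if base_ips else float("inf")
    return len(base_ips), len(cur_ips), ratio, ratio >= factor


def brute_force_sources(events, min_failures=5):
    """Sources whose failed logins alone cross the per-IP threshold."""
    fails = Counter(e["src"] for e in events if e["result"] == "FAIL")
    return {src: n for src, n in fails.items() if n >= min_failures}


def distributed_spray(events, min_sources=3, max_per_source=2):
    """Accounts attacked from many sources that each stay under the per-IP
    threshold: the pattern a per-source rule misses. Returns {user: [srcs]}."""
    per_user = defaultdict(Counter)
    for e in events:
        if e["result"] == "FAIL":
            per_user[e["user"]][e["src"]] += 1
    return {
        user: sorted(srcs)
        for user, srcs in per_user.items()
        if len(srcs) >= min_sources and max(srcs.values()) <= max_per_source
    }


def run_report(baseline_lines=LOG_BASELINE, current_lines=LOG_CURRENT):
    base, cur = parse_lines(baseline_lines), parse_lines(current_lines)
    return {
        "surge": unique_source_surge(base, cur),
        "brute_force": brute_force_sources(cur),
        "spray": distributed_spray(cur),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_report())
```

The per-source rule catches only the noisy 203.0.113.50; the unique-IP ratio and the per-account view are what surface the scanner cluster and the three-source spray, which is why a portal-facing detection should key on both the account and the source, not the source alone.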
The KittenBusters repository publicly discloses internal materials tied to the Iranian APT known as Charming Kitten (IRGC-IO Counterintelligence Unit 1500). The disclosures include official documents, employee photos, malware samples, chat logs, attack reports, and translations, all intended as evidence of the group’s operations. The repo also names a purported leader (Abbas Rahrovi/Abbas Hosseini) associated with front companies, asserts the group has targeted telecoms, aviation, intelligence, and dissidents in the Middle East and beyond, and announces future releases of additional evidence.
Analysis: The release of these materials gives rare visibility into the structure, leadership, and tradecraft of an Iranian state-sponsored actor. If genuine, the disclosures are highly likely to aid defenders in attribution and detection, but they also risk prompting the group to adapt its operations and shift infrastructure. Exposure of individual operators and front companies could pressure Iran’s cyber apparatus, but Tehran will likely deny involvement while continuing other campaigns under modified units or identities. Should be a fun one to follow.
China Criticizes Canadian And Australian Warships Transiting Taiwan Strait – 6 SEPT 2025
Reuters (BEIJING) – Beijing criticized the passage of Canadian and Australian warships through the Taiwan Strait, framing the transit as provocation. The People’s Liberation Army (PLA) monitored and issued warnings as the allied vessels conducted a routine passage, marking the first such joint transit by Canberra and Ottawa. Source: (Reliability: Very High)
Analysis: It is likely that Beijing will intensify diplomatic protests and military shadowing in response to the growing number of allied transits, but it is unlikely that China will attempt direct interdiction in the near term, as escalation risks remain high. (Analytic Confidence: Moderate)
Comment: By joining the U.S. and U.K. in conducting Taiwan Strait passages, Australia and Canada add weight to a growing allied pattern by the West that makes it more difficult for Beijing to depict these operations as isolated provocations.
A Chinese Navy ship shadows HMAS Brisbane during a joint naval activity in the South China Sea, 3 September 2025. The Guardian
FBI Adapts Hunt Methods For Salt Typhoon And Volt Typhoon – 10 SEPT 2025
Cyberscoop (WASHINGTON) – Major intrusions into U.S. telecommunications groups and infrastructure by Chinese groups Salt Typhoon and Volt Typhoon have forced changes in FBI hunting tradecraft, reflecting persistence on critical networks and adaptation to stealthy techniques. An FBI official noted that the two groups have improved their tactics and methods. Source (Reliability: High)
Analysis: It is likely that People’s Republic of China (PRC) state actors will sustain cyber operations against critical U.S. and allied infrastructure, with campaign tempo increasing as Taiwan tensions escalate. (Analytic Confidence: Moderate)
Taiwan Minister Warns of “Domino Effect” if China Takes Island – 12 SEPT 2025
Reuters (WASHINGTON) – Chiu Chui-cheng, head of Taiwan’s Mainland Affairs Council, warned that China’s growing military activity and refusal to renounce force against Taiwan suggest that Beijing might be preparing for war. Chiu argues that if Taiwan were to fall, it could trigger a “domino effect” destabilizing the Asia-Pacific and directly threatening U.S. influence and security. Source: (Reliability: Very High)
Analysis: It is highly likely that Taiwan and its foreign partners will increase diplomatic and military signaling in response to Chinaโs rhetoric, to deter further escalation. (Analytic Confidence: High)
Philippines Protests PRC “Nature Reserve” Plan At Scarborough Shoal – 12 SEPT 2025
The Diplomat (WASHINGTON) – Manila filed a diplomatic protest over Beijing’s plan to designate a nature reserve at Scarborough Shoal, warning it could serve as a pretext for occupation of the contested feature. Source: (Reliability: High)
Comment: Environmental framing has emerged as a recurring tool for Beijing to justify administrative control at disputed features while complicating counter-messaging by claimant states.
China’s Third Carrier Fujian Departs Shanghai; Detected Near Senkaku Islands – 13 SEPT 2025
The Diplomat (WASHINGTON) – The People’s Liberation Army Navy (PLAN) carrier Fujian departed Jiangnan Shipyard on 10 September 2025. Japan’s Joint Staff detected the Fujian and two destroyers roughly 200 km northwest of the Senkaku Islands, heading southwest. Source: (Reliability: High)
Analysis: It is highly likely that the PLAN intends to conduct Fujian’s first long-range trial deployment within weeks, signaling advancing carrier readiness and pressuring Japan’s near seas defense posture. (Analytic Confidence: High)
China’s third aircraft carrier, the Fujian, in the East China Sea, 11 September 2025. Japanese Ministry of Defense
On 15 September 2025, CyberNews reported that over 500 GB of internal data tied to China’s Great Firewall leaked via Geedge Networks. The files included source code, internal work logs, communications, Jira tickets, and system configurations.
The leak revealed that Geedge markets its surveillance and censorship technologies abroad. Confirmed export locations in the documents include Myanmar, Pakistan, Ethiopia, and Kazakhstan. The materials suggest these are part of a broader push under China’s global influence strategies.
This exposure provides a rare look into how censorship is engineered and sold. It highlights the interaction of technical design, political objectives, and global ambition in digital control systems.
Summary: On 19 September 2025, three Russian MiG-31 fighters violated Estonian airspace near Vaindloo Island, remaining inside NATO territory for about twelve minutes before being intercepted by Italian F-35s deployed under NATO’s Baltic Air Policing mission. The aircraft entered without flight plans, had their transponders off, and failed to communicate with air traffic control, prompting a rapid NATO response.
Estonia reported the jets penetrated up to five nautical miles into its territory. NATO officials framed the incident as another deliberate provocation, testing alliance readiness along the eastern flank. Reports indicate these MiG-31s were carrying Kinzhal hypersonic missiles during the incursion.
Analysis: Russia is deliberately testing NATO by sending strategic assets into allied airspace to measure response times and resolve. Putin likely views NATO’s restraint as an opportunity to exploit through unconventional warfare and hybrid tactics. These incidents will also shape his perception of alliance weakness, influencing decisions in any future conflict in the Baltics or the APAC region.
Military raids and high-profile arrests make headlines, but they do not end the business of cartels. Mexican and South American trafficking organizations operate like multinational corporations: diversified revenue streams, global supply chains, and deep local recruitment pipelines. Long-term disruption will require a different approach. The US must pursue strategies that make the cartel business model financially unsustainable and logistically difficult. This means combining proven tactics with fresh ideas.
The points below are presented as broad concepts to help spark discussion, rather than full write-ups. Bullet points allow the ideas to be absorbed quickly, keep the focus on the main themes, and give room for others to share their perspectives or expand on them with their own insights.
Hit the Money
Cartels are profit-driven, so hitting their finances directly is one of the most effective tactics.
Sanctions: Use the Foreign Narcotics Kingpin Act and related tools to freeze assets and bar cartel associates from the global financial system.
AML enforcement: Monitor wire transfers, front companies, trade-based laundering, and crypto flows.
Asset forfeiture: Seize properties, accounts, and equipment tied to trafficking.
Gatekeeper accountability: Extend AML requirements to lawyers, accountants, and company formation agents who unintentionally aid laundering.
Cartels are resilient because they operate across multiple domains: finance, logistics, community, and technology. Disrupting one area temporarily hurts them; attacking all at once can slowly erode their power. The US can combine financial sanctions, supply chain disruption, legal pressure, recruitment prevention, and intelligence innovation into a long-term strategy. Success will not be a single decisive victory, but a steady squeeze that makes cartel operations unprofitable and unsustainable.
More than 3,200 union workers at Boeing’s fighter jet plants in the St. Louis area have rejected a new contract proposal, triggering a countdown to a possible strike starting 4 August. Boeing has attempted to downplay the risk, but the potential disruption carries broader consequences. These facilities support production of the F/A-18 Super Hornet, the T-7A Red Hawk, and the F-47 fighter, an aircraft tied to the Air Force’s next-generation air dominance (NGAD) strategy.
A group of union representatives gathered for a meeting, emphasizing solidarity amidst ongoing contract negotiations affecting Boeing workers.
Strategic Implications for the Defense Sector
Supply Chain Fragility: A strike at Boeing could create upstream delays across the defense industrial base (DIB). Shared suppliers supporting multiple prime contractors may face scheduling conflicts, part shortages, or capacity shifts. This poses a risk to Boeing defense peers, which rely on a consistent flow of components for time-sensitive programs.
Labor Risk as an Industry Pressure Point: If the union secures a stronger contract, it may prompt similar labor movements elsewhere. Contractors managing fixed-price defense contracts will feel the pressure most, particularly those already dealing with narrow profit margins and tight delivery schedules.
Program Disruption Risk: The F-47 serves as a key stepping stone in the NGAD program. Delays in its production could affect milestone evaluations, budget cycles, or capability delivery timelines. The disruption would not be isolated to Boeing but could affect program participants and government planning across the board.
Competitive Repositioning: Boeing’s internal friction may create opportunity for competitors. A significant delay or loss of government confidence in Boeing’s delivery could lead to reallocation of roles or funding toward other firms positioned to absorb new responsibilities.
Artist rendering of the advanced F-47 fighter aircraft, part of the Air Force’s next-generation air dominance strategy.
Analyst Comment
Labor disruption poses a broader risk to national defense planning. The tightly connected nature of the DIB means that even a localized strike can create delays across programs. High-priority efforts like NGAD, B-21, Sentinel, GPI, etc. operate on narrow timelines with little room for disruption. A breakdown at one contractor can ripple across the system and set capability development back.
This should trigger a serious conversation within the Department of Defense and across the DIB. Workforce continuity and human capital planning need to be prioritized at the same level as supply chain security and cybersecurity. The consequences of ignoring this risk are real.
In the wake of escalating tensions in the Middle East this past spring, Iranian state-sponsored hackers turned their focus toward a new frontier: US critical infrastructure.
From May through June 2025, cybersecurity telemetry revealed a 133% surge in Iran-attributed cyber activity targeting US industrial and operational technology (OT) environments. These campaigns hit transportation and manufacturing sectors, but energy and water infrastructure remain long-standing targets. While espionage remains a primary objective, the evidence increasingly suggests Iran is preparing for more overt disruption.
Strategic Escalation
Iran’s cyber posture has always mirrored its geopolitical environment. In Spring 2025, that meant responding to Israeli and US airstrikes with asymmetric cyber operations. Groups like APT33 (Elfin), APT34 (OilRig), and MuddyWater (Static Kitten) ramped up traditional espionage, while more aggressive actors like CyberAv3ngers and Fox Kitten (tied to recent Pay2Key.I2P ransomware operations) pursued OT-focused sabotage and ransomware deployment.
Iran’s messaging through pseudo-hacktivist fronts and deepening ties with ransomware operators clearly framed this activity as retaliation for “Western aggression.” That framing is part of a broader Iranian cyber doctrine that treats compromise of critical infrastructure as a form of coercion and deterrence.
In parallel with APT activity, pro-Iranian hacktivists ramped up operations against US defense and critical infrastructure sectors. Groups like “Mr. Hamza” claimed responsibility for defacing and leaking data tied to defense contractors, including Raytheon Technologies (RTX), following US involvement in strikes against Iranian facilities. While attribution remains murky, these operations often mirror Iranian state objectives and timelines, suggesting coordination or at least ideological alignment. The targeting of US DIB entities serves Tehran’s broader goal of projecting reach and retaliation across both digital and strategic domains.
🚨 DDoS Alert 🚨
Mr Hamza claims to have targeted multiple websites
-RTX Corporation 🇺🇸 -Parsons Corporation 🇺🇸 -Kratos Defense and Security Solutions 🇺🇸 -CACI International Inc. 🇺🇸 -Ultra Group 🇬🇧 -Cobham 🇬🇧 -Serco Group plc 🇬🇧 -Elbit Systems 🇮🇱 -Israel Aerospace Industries 🇮🇱… pic.twitter.com/YGHB1tTPmt
Iran’s shift toward OT environments is the most significant development.
MuddyWater and APT33 continued to exfiltrate intellectual property from manufacturing and defense-adjacent industries.
CyberAv3ngers targeted water control systems and other ICS devices with their custom malware, IOControl, discovered embedded in US and allied OT environments.
Fox Kitten evolved into a ransomware-as-a-service operator with an 80% (up from 70%) profit-share for affiliates targeting the US or Israel.
Alongside collecting information, these actors are also establishing persistence. In many cases, backdoors were quietly planted and left dormant, signaling an intent for future activation should the need arise.
Actor           Affiliation   Focus                                               Objective
MuddyWater      MOIS          Aerospace & Defense, Utilities, Gov, Civil & NGOs   Espionage
APT33           IRGC          Aerospace & Defense, Energy, Gov, Healthcare        Espionage and Access
CyberAv3ngers   IRGC          Water, ICS, Finance                                 Disruption
Fox Kitten      Unknown       IT/OT Gateways                                      Ransomware-as-a-service
OilRig          MOIS          Finance, Gov                                        Credential Theft
Implications for the US DIB
Iran’s campaigns are displaying a willingness to target logistics, aerospace, and manufacturing suppliers that support US and Israeli defense sectors. The Defense Industrial Base (DIB) should expect more of this, not only from state-sponsored actors, but from criminal or hacktivist affiliates acting on behalf of Iran’s IRGC or MOIS cyber arms.
Some immediate implications:
DIB contractors should hunt for Iranian TTPs and malware like IOControl and DNSpionage.
OT segmentation, remote access policies, and endpoint hygiene are foundational.
Incident response (IR) planning must include scenario-based escalation modeling: what happens if the access Iran gains today becomes a wiper event tomorrow?
US Response: Shields Up
Initially, the federal response may have felt quieter than prior cyber alerts, like those during the Ukraine conflict, but the signals were still there.
On LinkedIn, Jen Easterly, former CISA Director, reactivated the Shields Up mantra within hours of US strikes on Iranian nuclear sites. Her post explicitly warned US critical infrastructure operators to expect:
Credential theft and phishing
ICS-specific malware
Wipers masquerading as ransomware
Propaganda-laced hacktivist campaigns
Easterly urged sectors to segment OT networks, patch internet-facing systems, enforce MFA, rehearse ICS isolation, and actively monitor ISAC channels.
The various critical infrastructure ISACs followed suit. And while no single campaign dominated the response, the defensive posture matched the moment.
Jen Easterly emphasizes the importance of cybersecurity vigilance for US critical infrastructure in response to recent Iranian cyber activities.
So What’s Next?
Iran’s recent activity represents a shift in focus, not necessarily a shift in capability. The targeting of OT environments and critical infrastructure may reflect aspirational doctrine as much as operational readiness. While there’s no conclusive evidence that Iranian actors have staged disruptive payloads in U.S. networks, the direction of their targeting and tooling, particularly the development of ICS and OT-specific malware, suggests a growing interest in operational disruption, and not just information gathering.
For the US defense and critical infrastructure communities, this creates a clear mandate to prepare for the next phase before it arrives.
Monitor beyond the perimeter: Iranian threat actors have historically gained access through default credentials, exposed devices, and lateral movement across flat networks.
Expect dual-use operations: Intelligence collection and pre-positioning are not mutually exclusive.
Reassess assumptions: Iranian groups are traditionally viewed as less sophisticated than Russian or Chinese APTs, but recent coordination and tooling suggest they’re evolving quickly.
In short, we’re seeing a doctrinal pivot. Iran is exploring offensive options in OT environments, and testing how far it can go without triggering escalation. This makes detection, attribution, and sector-wide coordination more important than ever.