Risky Bulletin: "Between Three Nerds: The Evolution of Iranian Cyber Espionage"
Date: December 15, 2025
Host: Tom Uren (A), with The Grugq (B)
Guest: Hamid Kashfi (C), CEO and founder of DarkCell
Topic: The impact of the "Kitten Buster" leaks on Iranian cyber espionage, with deep insights into the evolution, structure, and tactics of Iranian APT groups, especially "Charming Kitten."
Episode Overview
This episode dives into the recent "Kitten Buster" leaks, which exposed details about Iran's Charming Kitten (aka APT35, among other aliases), a group connected to the Islamic Revolutionary Guard Corps (IRGC). Tom, The Grugq, and Hamid Kashfi unpack not only the leaks but also the broader evolution of Iran's cyber ecosystem: how state attitudes, technical proficiency, community dynamics, and operational tactics have shifted over two decades.
Key Discussion Points & Insights
1. Do Leaks Help or Hurt Iranian APTs?
- Debate on Exposure: Tom and The Grugq discuss whether being exposed damages Iranian APTs, drawing parallels to Chinese groups that were forced to restructure after exposure, or whether exposure could actually be validating (00:03–01:42).
- Hamid’s Take:
- Exposure often rewards Iranian APT operatives, leading to promotions and increased budgets:
"I know individuals that have literally got rewarded... solely based on the fact that they have made a big splash in media and they literally go, hey look, I've been doing some awesome work and I'm a big deal, so give me more of that." (C, 02:17)
- But exposure isn't harmless: it can trigger intense counterintelligence crackdowns, including arrests and interrogations:
"Counterintelligence branch. They go medieval... they arrest people, they interrogate people, they turn things upside down." (C, 04:15)
2. Culture of Operational Security (OPSEC)
- Low OPSEC Awareness: Iranian actors historically displayed a lack of OPSEC, e.g. listing APT work on LinkedIn profiles (03:41)
"People would actually put it in their LinkedIn profile that we are doing this kind of work. I'm not joking." (C, 03:44)
- Gradual Shift: Recent events have forced better OPSEC, but the old culture and new security realities clash.
3. Evolution of Iran’s Hacker Community
- Community Suppression:
- Between 2005–2010, the Iranian government suppressed independent hacker forums/communities, aiming to co-opt talent:
"They literally forced pretty much all security forums, all open neutral gatherings... to dissolve and disappear and close, mostly out of the fear of being outed openly and unwillingly." (C, 07:23)
- This not only thinned the technical community but also created a gap in innovation and technical depth.
- Pivot to Training Pipelines:
- Post-crackdown, the government adopted new strategies—“security training companies” as recruitment/indoctrination tools, similar to patterns seen in China and North Korea.
4. Technical Progression (Or Its Limits)
- Comparison With North Korea:
- The Grugq observes North Korea's leap from "PHP scripts and commercial RATs" to sophisticated 0-day work, wondering if Iran kept pace (B, 11:02).
- Hamid says Iran has improved but lags behind:
- Investment in organized training, especially in Windows internals, hardware/ICS, and red teaming
- Shift in technical tools: From “web shells and PowerShell scripts” to “lightweight disposable implants... incorporating EDR bypasses.” (C, 13:41)
"There is a growth... where they actually try to focus on technical sides that matter operationally, not just looking fancy or over engineering things." (C, 14:37)
- Iranian APTs and 0-days:
- Iran rarely uses 0-day exploits at scale:
"We have never seen, not that I know of, a case where an Iranian attributed threat actor group go pop, I don't know, firewall appliances... at scale." (C, 17:19)
- Instead, focus remains on infrastructure attacks, phishing, and exploiting “cheaper” vectors.
5. Changing Government Strategy and Talent Pipelines
- Recognizing the Flaw in “Hammer” Tactics:
- Old methods of forced compliance failed to foster deep technical skills and innovation, and led to talent loss and brain drain.
- New Model:
"There was no systematic way of growing hackers... you need a factory. You need to build the pipeline of producing talent." (C, 22:13)
- Echoes China/North Korea's pivot: seek, train, and organize talent en masse, rather than rely on “kids who like computers.” (B, 23:02)
- Ongoing Outsourcing:
- Iranian authorities are now outsourcing tasks to private and semi-private companies—and even individuals abroad—sometimes using “red teaming” as cover.
- Bounties and the recruitment of young or naive operators are a growing trend, sometimes without candidates realizing the legal or moral consequences.
6. Defensive Learning and Repurposing Attacks
- Learning From Adversaries:
- Iran has grown sophisticated at analyzing incoming attacks, reverse engineering tools, and repurposing offensive techniques—evidenced by operations like Shamoon (a wiper based on techniques used against Iran) and how they handled Stuxnet.
"They have also learned and have made a system around getting hacked, finding samples, having people at it... to study how it works... and sling it back at where it came from." (C, 25:51)
- Paranoia and Secrecy:
- Iran almost never discloses public technical details of successful attacks against its own infrastructure—prefers quiet, internal forensics and targeted defensive action.
7. Outsourcing, Recruitment, and Social Engineering
- Recruitment Practices:
- Iran's cyber units now farm out work not just domestically, but across the region—posing as “red teaming” or “pen testing” gigs to lure talent and unwitting participants (C, 37:56–41:44).
- Recruiters are nonchalant about requesting "challenges" as part of the hiring process, sometimes straying into outright illegal acts.
- Young, Naive Recruits:
- The government exploits legal/ethical ignorance, particularly among young or new entrants.
"You’re like, pen test, sure. If it's a pen test, it means legal... So they... steer people into that direction during job interviews.... If you do it, then we know you're actually good at it and we hire you." (C, 39:52)
8. Kitten Buster Leak: Surprises and Key Findings
- Organization and Scale:
- Charming Kitten was more organized and larger than anticipated:
"They turned out a little bit more organized than I thought they would be... you can reflect that in... the number of buildings. They have a whole dedicated team of translators..." (C, 42:59)
- Clustering of Threat Actors:
- The leak linked "separate" groups previously believed to work independently.
- Kinetic-Cyber Integration:
- A standout reveal: direct links between cyber operations and kinetic attacks (like drones and assassination attempts).
"[They] have literally prototyped... explosive UAVs as part of this... package that they drew delivered to cyber." (C, 44:09)
- Not only theorizing, but evidence of live operations integrating cyber intelligence with physical outcomes.
- Tactical Adaptability:
- Iranian operators quickly adapt adversary tactics for their own use, seen in maritime tracking and missile targeting.
"They learn and repurpose what comes at them... translate those samples into incidents, into information, into knowledge, into operational capability." (C, 49:03)
Notable Quotes & Memorable Moments
- Validation from Exposure:
"Whenever... their name appears up there in Rewards for Justice or a sanction list... they have literally got rewarded and have been promoted and have been securing extra budgets..." (C, 02:17)
- On OPSEC:
"People would actually put it in their LinkedIn profile that we are doing this kind of work. I'm not joking." (C, 03:44)
- Pipeline Model:
"You need a factory. You need to build the pipeline of producing talent." (C, 22:13)
- On learning from being hacked:
"They have... made a system around getting hacked, finding samples... to study how it works... and repurpose it and sling it back at where it came from." (C, 25:51)
- On mixing kinetic and cyber:
"They gather intelligence to target people and then they also offer a solution to actually execute the operation and do the terror attacks..." (C, 44:09)
- The Grugq's wry summary:
"Most compromises are caught by someone going, huh, that's funny..." (B, 29:40)
- On naivety in recruitment:
"If you're like 20 years old and this is your first opportunity, you buy it. Oh, yeah." (B, 39:35)
Key Timestamps
- 00:03–01:42 – Framing debate: does doxxing help or harm Iranian APTs?
- 03:41–06:06 – OPSEC failures and exposure consequences
- 07:23–11:02 – Community crackdown, recruitment failures, and technical stagnation
- 11:02–17:19 – Comparison to NK, tooling evolution, and technical gaps
- 21:00–23:50 – The “pipeline” vs. “hobbyist” gap and shift in talent model
- 25:51–29:40 – Defensive learning, Shamoon, Stuxnet, and secrecy
- 34:52–41:44 – Outsourcing, recruitment, and the dilemma for young hackers
- 42:46–44:49 – Kitten Buster leak revelations: scale, organization, and kinetic mix
- 47:15–49:28 – Cyber-kinetic case studies: tracking ships, missile ops, and operational adaptability
Takeaways
- The exposure of Iranian APTs through leaks often validates and benefits the exposed individuals and their organizations internally, even as it creates operational risk.
- Iran's cyber capabilities have matured but still lag behind top-tier adversaries in technical depth, though recent coordinated training is closing the gap.
- The Iranian state first destroyed its independent hacker community, then attempted to “manufacture” talent via training programs, echoing strategies in China and North Korea.
- Sophisticated outsourcing, both domestically and to regional actors, is now common—often blurring lines between legitimate and criminal hacking.
- Kitten Buster leaks revealed a complex, compartmentalized organization, surprising scale, and an unprecedented link between cyber and physical (kinetic) operations.
- Iran quickly learns from adversaries, adapting their tools and tactics for re-use, as seen in documented repurposing of techniques after high-profile attacks.
This episode is a comprehensive, insider’s view of Iran’s evolving cyber ecosystem—valuable for both technical audiences and those tracking cyber power geopolitics.
