A while back and following Apple’s notification about mercenary actors (Parsgon) targeting iOS, I got a hunch. After just two rounds of multicast to Farsi speaking folks, turns out there has been over a dozen cases (that reached back) who’ve received Apple or WhatsApp warnings!🧵

This is probably the first time that I’m aware of, we’ve such cases in Iran. Contrary to typical cases often reported, targets do not fit the typical political/journalism profiles. Mostly IT/Tech staff. My guess is more of targeted prepositioning ops and less espionage. Sadly—

most people spook out when they learn about the seriousness of their case and refuse help with forensic. One wonders why would Apple/FB would notify Iranian users or draw the line about interference with legitimate gov ops? In Iran, due to sanctions, Apple users use VPN for —

AppStore or most of their daily usage, or use virtual numbers to activate their iCloud. That might have caused some confusions at Apple. This makes me question accuracy ofApple’s internal profiling too. It’s relatively easy for them to figure our real location of users. So…? 🤷🏻‍♂️

Here’s where this can get ugly and the lack of transparency (rightfully so) from Citizen-labs or Apple backfires:
Some of the victims are trained to reach out to MoIS (or their in-org representatives) in such cases. Many also use older iPhone models. The combo means there’s more

chance of successful dump of a live implant or traces from devices, falling in hands of the last gov and agency on earth you want to have advanced iOS implant/exploit capabilities. This is just my theory at this point, but if a solo nobody like me can dig this far up, you bet -

they have much more possibilities to travel back in time/logs/dumps & acquisition of handsets. Bottom line is, full chain iOS/Android usage against devices in Iran, by non-gov actors, is not as rare as previously assumed. It’s just another unexplored rabbit hole nobody looked at