Hamid Hamid-K

## Not so charming Kittens.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              1 star
            
          
                Hamid-K
                / Not so charming Kittens.md
            
            
              Last active
              October 29, 2025 11:13
            
              
                A Gemini crunched and produced report based on the leaks from https://github.com/KittenBusters/CharmingKitten . If more contents are leaked, I'll update this with better manual reviews.
              
          
    Comprehensive Threat Intelligence Report: Charming Kitten

DFIR and CTI Analysis
Date: 2025-10-29
1. Executive Summary

This report provides a comprehensive analysis of the Tactics, Techniques, and Procedures (TTPs), operational tradecraft, and targeting patterns of the threat actor group known as "Charming Kitten." The analysis is based on a leaked dataset of the group's internal documents, logs, and operational reports. The findings indicate a sophisticated and well-organized actor with a clear focus on espionage and disruptive attacks.
A groundbreaking finding from the Episode 4 leak is the direct link between Charming Kitten and the previously distinct threat groups known as "Moses-Staff" and "Qassam". Analysis of the group's internal infrastructure and payment records reveals that these are not separate entities, but rather pseudo-names or campaigns operated by Charming Kitten. This attribution, which has not been publicly documented before, is a critical development in understa

  
## ios-backup-reconstruct.py
#!/usr/bin/env python3
"""
iOS Backup Reconstructor
Version: 0.1

iOS encrypted backups by default are not meant to be human-readable. The folder structure needs to be reconstructed, before it is consumable by most other tools.
This script provides a way to reconstruct the folder structure of an iOS backup, making it easier to analyze and work with.
Actual file names are extracted from the backup's manifest.db database.
Note that it is expected for the script to produce a lot of "source file not found" errors.

## GeoCellID.py
#!/usr/bin/env python3
"""
Look-up the approximate position of a cell tower with Google’s Geolocation API
and print a Google-Maps link for easy visualisation.

hamid@darkcell.se

pip install requests
"""

## ISC_Iran_Cyber_Jul-2025.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                Hamid-K
                / ISC_Iran_Cyber_Jul-2025.md
            
            
              Created
              July 11, 2025 22:19
            
              
                ISC "Iran" Reoport cyber-specific summary (HC 1116, Jul 2025)
              
          
    Iran: Cyber Dimension of the ISC Report (HC 1116, July 2025)

*(All material drawn exclusively from the public text of the report; all redactions **/ are reproduced exactly as printed.)
Original report:
https://isc.independent.gov.uk/wp-content/uploads/2025/07/Intelligence-and-Security-Committee-of-Parliament-Iran.pdf


## graphite.yara
rule Paragon_Spyware_IOCs
{
    meta:
        description = "Indicators of compromise (IOCs) for Paragon Solutions Graphite spyware from the Citizen Lab report 'Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations'"
        author = "ChatGPT"
        date = "2025-03-29"
        reference = "https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/"

    strings:
        // Suspected customer domains (Table 4)

## gist:fedcf1dbd68789da27b3d6934fbe28bf
Draziw.Button.Mines
ag.video_solutions.wedotv
ahf.dummynation
ai.socialapps.speakmaster
air.com.beachbumgammon
air.com.freshplanet.games.SongPop2
air.com.gamesys.mobile.slots.jpj
air.com.goodgamestudios.empirefourkingdoms
air.com.kitchenscramble.goo
air.com.lalaplay.rummy45

## tor-renew.py
#!/usr/bin/env python3
"""
Tor Identity Manager - A tool to manage Tor identities and exit nodes.

This script allows you to renew your Tor identity and optionally set the exit node
country. It provides enhanced error handling, configuration options, and feedback.

hamid@darkcell.se

"""

## whisper.py
# Sample script to use OpenAI Whisper API
# This script demonstrates how to convert input audio files to text, fur further processing.
# The code can be still improved and optimized in many ways. Feel free to modify and use it
# for your own needs.
#
import openai
from openai import OpenAI

client = OpenAI(api_key="sk-proj-....")

## eml-extractor.py

#!/usr/bin/env python
# This script will go through a given directory recursively, extracting all attachments from .eml files.
# .eml files are often how full mailbox dumps are leaked online.
# If an attachment with the same filename already exists, MD5 sum of the files are calculated and if not
# a match, the new file will be saved with _# suffix.
#
# Hamid Kashfi (@hkashfi)

import os

## telescope.lua
local previewers = require('telescope.previewers')
local Job = require('plenary.job')

local new_maker = function(filepath, bufnr, opts)
  filepath = vim.fn.expand(filepath)
  Job:new({
    command = 'cat',
    args = { filepath },
    on_exit = function(j)
      local result = j:result()
	#!/usr/bin/env python3
	"""
	iOS Backup Reconstructor
	Version: 0.1

	iOS encrypted backups by default are not meant to be human-readable. The folder structure needs to be reconstructed, before it is consumable by most other tools.
	This script provides a way to reconstruct the folder structure of an iOS backup, making it easier to analyze and work with.
	Actual file names are extracted from the backup's manifest.db database.
	Note that it is expected for the script to produce a lot of "source file not found" errors.
	#!/usr/bin/env python3
	"""
	Look-up the approximate position of a cell tower with Google’s Geolocation API
	and print a Google-Maps link for easy visualisation.

	hamid@darkcell.se

	pip install requests
	"""
	rule Paragon_Spyware_IOCs
	{
	meta:
	description = "Indicators of compromise (IOCs) for Paragon Solutions Graphite spyware from the Citizen Lab report 'Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations'"
	author = "ChatGPT"
	date = "2025-03-29"
	reference = "https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/"

	strings:
	// Suspected customer domains (Table 4)
	Draziw.Button.Mines
	ag.video_solutions.wedotv
	ahf.dummynation
	ai.socialapps.speakmaster
	air.com.beachbumgammon
	air.com.freshplanet.games.SongPop2
	air.com.gamesys.mobile.slots.jpj
	air.com.goodgamestudios.empirefourkingdoms
	air.com.kitchenscramble.goo
	air.com.lalaplay.rummy45
	#!/usr/bin/env python3
	"""
	Tor Identity Manager - A tool to manage Tor identities and exit nodes.

	This script allows you to renew your Tor identity and optionally set the exit node
	country. It provides enhanced error handling, configuration options, and feedback.

	hamid@darkcell.se

	"""
	# Sample script to use OpenAI Whisper API
	# This script demonstrates how to convert input audio files to text, fur further processing.
	# The code can be still improved and optimized in many ways. Feel free to modify and use it
	# for your own needs.
	#
	import openai
	from openai import OpenAI

	client = OpenAI(api_key="sk-proj-....")

	#!/usr/bin/env python
	# This script will go through a given directory recursively, extracting all attachments from .eml files.
	# .eml files are often how full mailbox dumps are leaked online.
	# If an attachment with the same filename already exists, MD5 sum of the files are calculated and if not
	# a match, the new file will be saved with _# suffix.
	#
	# Hamid Kashfi (@hkashfi)

	import os
	local previewers = require('telescope.previewers')
	local Job = require('plenary.job')

	local new_maker = function(filepath, bufnr, opts)
	filepath = vim.fn.expand(filepath)
	Job:new({
	command = 'cat',
	args = { filepath },
	on_exit = function(j)
	local result = j:result()