Iran – Chat-Treadstone

The preceding poster is the center piece between querying using the Treadstone Chat interface and collecting information on hacking organizations protected by the IRGC.

I am on my third course with Treadstone71. I am also on their mailing list. In Treadstone’s last email to me, they provided a pointer to their chat interface for prompts to collect intelligence about Iran. This interface is tailored toward Iran. I am assuming that Russia and China are in the pipeline. This is my second or third pass understanding what is and what is not possible with the interface. Treadstone has made significant progress with the Iranian interface. The underlying engine is ChatGPT. The underlying engine is “buggy” – to be expected. But these bugs have caused Treadstone to have to redo work.

I do have issues with any chat engine, their collection of prompts, the information replied, and tracking the flow of prompts. As long as Treadstone anonymizes my access, I feel a tad better, but not convinced about validity of replies. More on this to follow.

In the following text, I will start with a prompt, show the reply, and comment on the reply. Keep in mind, this interface is somewhere between alpha and beta. My goal was to understand if replies provided a nugget that I could use as a pivot point. The answer is both yes and no.

My baseline is the hacker group defined by the FBI as the “Iranian Mabna Hackers“. Little dated (2018), but there should be and is a fair amount of open-source (OSINT) data on-line. And there is. All the better to use as a baseline to compare and evaluate.

Starting now:


“Who are the hackers in iran supported by irgc?”



The Islamic Revolutionary Guard Corps (IRGC), a branch of Iran’s armed forces, has been known to support various cyber groups and hackers. These groups are involved in cyber espionage, cyber warfare, and cyber attacks. Some notable groups believed to be supported or directed by the IRGC include:

APT33 (Shamoon): This group has been implicated in destructive cyber attacks against energy sectors, primarily in the Middle East. They are known for deploying the Shamoon disk-wiping malware.

APT34 (OilRig): APT34 focuses on cyber espionage and has targeted various regional and international organizations, particularly those linked to the energy sector and financial institutions.

MuddyWater (SeedWorm): This group primarily targets telecommunications and government sectors in the Middle East. MuddyWater is known for its espionage campaigns.

These groups have been attributed various cyber operations, ranging from espionage to spreading malware and conducting destructive attacks. Their activities are often aligned with the strategic interests of the Iranian government, and they are considered part of Iran’s broader cyber capabilities.


Not bad. Didn’t give me a list of named hackers but did give me a short list of hacker groups in Iran and an over-view of the groups.


What is the structure of OilRig in Iran?”


As of my last update in April 2023, detailed organizational structures of specific hacking groups like OilRig (APT34) are often not publicly disclosed or well-documented due to the covert nature of their operations and the secrecy maintained by such groups. However, I can provide some general insights based on the typical structure of advanced persistent threat (APT) groups and what is known about OilRig:

Leadership: Like most sophisticated cyber operations, OilRig is likely directed by a leadership team. This team would be responsible for setting the group’s objectives, aligning them with broader strategic goals (potentially those of the Iranian government or the IRGC), and overseeing operations.

Operational Cells: These groups are usually divided into cells or teams, each specializing in different aspects of cyber operations. For OilRig, these might include teams for initial reconnaissance, exploitation, maintaining access, data exfiltration, and developing or deploying specific tools like malware.

Technical Experts: These are individuals skilled in various aspects of cyber operations, including but not limited to malware development, network penetration, encryption, and obfuscation techniques. OilRig has been known for its sophisticated malware and spear-phishing campaigns, indicating a strong team of technical experts.

Intelligence Analysts: These members are responsible for gathering and analyzing information to identify targets and tailor cyber attacks. For a group like OilRig, which has targeted organizations in the energy sector, analysts with knowledge of this sector would be crucial.

Support Infrastructure: This includes individuals or teams responsible for maintaining the technical infrastructure used in cyber operations, such as servers, domains, and other logistical elements.


Not bad. Multiple pivot points.


“What are the names of members of the group MuddyWater in Iran?”


The specific identities of members belonging to hacking groups like MuddyWater are typically not publicly disclosed for several reasons:

Operational Security: These groups maintain a high level of operational security to avoid detection and preserve their effectiveness. Revealing the identities of their members would compromise their operations.

Classified Information: If such information is known, it is often classified and held by intelligence agencies. This information is not typically shared with the public to protect ongoing investigations and intelligence methods.

Dynamic Nature: The membership of these groups can be dynamic, with individuals joining or leaving, and roles changing over time.

Legal and Ethical Considerations: Publicly disclosing the names of individuals suspected of cybercriminal activities can have legal and ethical implications, especially if the evidence is not conclusive or if legal proceedings are underway.

MuddyWater, an advanced persistent threat group associated with Iranian interests, is known for its cyber espionage activities targeting entities in the Middle East and globally. The group’s specific membership details, however, remain undisclosed in open-source information. This lack of public disclosure is standard for most state-aligned or state-sponsored cyber groups.”


Not entirely true. The point about Legal and Ethical is nice. But my goal is to learn names, locations, etc. But not bad for a first pass.


“Who are the IRANIAN MABNA HACKERS in iran?”


The Iranian Mabna Hackers refer to a group of Iranian nationals who were charged by the United States Department of Justice in 2018 for conducting a massive cyber theft campaign. This campaign targeted universities, companies, and government agencies worldwide. The group is believed to be connected to the Mabna Institute, an Iran-based company, which officials stated was created for the purpose of stealing scientific resources from other countries.

Key details about the Mabna Hackers include:

Scope of Operations: The Mabna Hackers were involved in one of the largest state-sponsored hacking campaigns ever prosecuted by the United States. They reportedly targeted more than 100,000 university professors worldwide and compromised about 8,000 of them. Their activities spanned across 21 countries.

Targets and Objectives: The primary targets were academic institutions, but the group also targeted private sector companies and government entities. Their objective was primarily intellectual property theft, focusing on scientific, technological, and medical research.

Method of Operation: They used sophisticated phishing techniques to trick victims into providing their login credentials. Once they had access, they stole academic resources, research, and intellectual property.

Connection to the Iranian Government: While the Mabna Institute claimed to be a private entity, U.S. officials alleged that it was working on behalf of the Islamic Revolutionary Guard Corps (IRGC) and other Iranian government clients.

Indictment and Charges: In March 2018, the United States Department of Justice indicted nine Iranians associated with the Mabna Institute. The charges included conspiracy to commit computer intrusions, wire fraud, and aggravated identity theft.

The indictment of the Mabna Hackers highlighted the increasing trend of state-sponsored cyber espionage targeting academic and intellectual resources globally. The naming and charging of these individuals represented a significant move by the U.S. to combat and publicly expose state-sponsored cyber theft.


Good pivot points. But the poster shows members, their images and their names. Applying OCR would have provided significantly more information about who FBI thinks are members. But still not bad.


“Who is the iranian hacker roozbeh sabahi?”

I did a quick search and here’s what I found.

Roozbeh Sabahi is an Iranian national who was identified as a contractor for the Mabna Institute, a group involved in a wide-reaching cyber theft campaign. Here’s what is known about him and his activities:

Role in Mabna Institute: Sabahi assisted in various hacking activities of the Mabna Institute, including a significant campaign targeting universities. His role included organizing stolen credentials obtained by Mabna Institute hackers​​.

Criminal Activities and Charges: Sabahi was involved in obtaining unauthorized access to computer systems, stealing proprietary data from those systems, and then selling that stolen data to Iranian customers, including Iranian universities and the Iranian government. This operation was performed on behalf of the Iranian government, allegedly at the behest of the Islamic Revolutionary Guard Corps (IRGC)​​.

Scope of Cyber Theft: The victims of this scheme included approximately 144 universities in the United States, 176 foreign universities across 21 countries, several U.S. federal and state government agencies, 36 private companies in the United States, 11 foreign private companies, and two international non-governmental organizations​​.

Legal Proceedings: On February 7, 2018, a grand jury in the United States District Court for the Southern District of New York indicted Roozbeh Sabahi on charges of computer intrusion, wire fraud, and aggravated identity theft. A federal arrest warrant was issued for his arrest​​.

This case highlights the extent of state-sponsored cyber espionage and theft activities, with significant implications for international cybersecurity and diplomatic relations. The involvement of individuals like Roozbeh Sabahi in such extensive cyber operations underlines the growing challenge of combating cybercrime that is supported or directed by nation-states.”


Not bad. Should have addressed relationship with other hackers.

Overall Impressions:

Great amount of improvement over the last couple of weeks.

ChatGPT is not out of Beta. I experienced a crash and no easy way to recover.

If the Treadstone effort is of interest to you, and if you have some spare cycles, and if you are interested in exploring Iran, China and Russia, what they are doing on the cyber and cognitive level, reach out to Treadstone and sign up so that you can test and supply feedback. IT IS FREE TO TEST.

Discover more from Threat Detection

Subscribe to get the latest posts to your email.

Leave a Reply

Discover more from Threat Detection

Subscribe now to keep reading and get access to the full archive.

Continue reading