Executive Summary
On March 3, 2026, the Hebrew-language Telegram channel P4Tr!0T3CH published a post (Message ID 639) claiming to release doxxing data and breach material targeting Iranian judiciary figures, IRGC intelligence operations, and APT35 cyber units.
The post included alleged doxxing packages (home addresses, daily routines, safe houses), an APT35 operator persona (0xAlphaWolf / Behnam Pouladi), and claims of access to SWIFT logs, telecom databases, airport records, and a German medical clinic. It also named a backdoored Persian messaging app called Payvast.
Profero OSINT validation: the post mixes real public information with fabricated or unverifiable claims, consistent with an influence operation rather than genuine intelligence. The primary named target, Judge Mohammad Moghiseh (Branch 28, Tehran Revolutionary Court), was killed in January 2025 — 14 months before this post. The one testable cyber IOC (185[.]141[.]63[.]122) falls in an IP range from the 2025 KittenBusters APT35 leak, but the specific address needs independent validation. The Payvast company exists but builds ERP/payroll software, not a messaging app. The 0xAlphaWolf persona has no corroboration in APT35 reporting. Hebrew text and channel branding point to an Israeli-aligned audience targeting the Iranian regime.
In an era of sophisticated misinformation, it is critical to perform deep-dive verification of open-source data to distinguish factual events from manipulated narratives.
Analysis
Confirmed: APT35 Infrastructure Range — The IP range 185[.]141[.]63[.]* appears in the KittenBusters APT35 infrastructure leak (GitHub, September 2025), documented in the leaked “0-SERVICE-Service.csv” showing EDIS Global-procured servers. The specific IP (.122) needs passive DNS and TLS certificate validation before it can be attributed with confidence.
Confirmed but Anachronistic: Judge Mohammad Moghiseh — Moghiseh was the head judge of Branch 28, Tehran Revolutionary Court. He was sanctioned by the US Treasury (2019) and the EU (2011) for human rights abuses. He was killed on January 18, 2025, in an assassination at Iran’s Supreme Court — 14 months before this post. Doxxing a dead person as a current target is a credibility failure that suggests recycled or fabricated data.
Unverifiable: 0xAlphaWolf / Behnam Pouladi — No GitHub profile at the claimed URL matches APT35-linked activity. The KittenBusters leak identified Abbas Rahrovi as APT35’s operational leader — not “Behnam Pouladi.” This persona is either fabricated or deliberately misleading.
Misattributed: Payvast — Payvast Software Group (payvast.com) is a real Tehran-based company founded in 2005, employing 200–500 people. However, it builds ERP, payroll, and organizational automation software — not a messaging app. There is no evidence Payvast operates or has ever operated a messaging platform. Known Iranian state-backed messaging apps are Rubika, Bale, and Soroush.
Unverifiable: Masoud Ashami (Evin Interrogator) — Evin Prison Ward 2A is a documented IRGC Intelligence facility, but no records of an interrogator named “Masoud Ashami” appear in human rights databases, sanctions lists, or investigative reporting. Known IRGC interrogators at Evin include aliases “Raouf,” “Sattar,” and the documented Masoud Safdari.
IOCs
IPv4 Address
- Value: 185[.]141[.]63[.]122
- Confidence: Medium-High
- Notes: Range validated in KittenBusters APT35 leak; specific IP needs confirmation
URL
- Value: https://github[.]com/Alphawolf
- Confidence: Low
- Notes: No matching APT35-linked profile found
Handle
- Value: 0xAlphaWolf
- Confidence: Low
- Notes: Claimed APT35 persona; no corroboration in existing reporting
Application
- Value: Payvast
- Confidence: Very Low
- Notes: Real company (ERP/payroll), but not a messaging app
Verdict
This post reads as an influence operation, not genuine intelligence. It uses a “leak validation” pattern: claiming cross-correlated access to multiple premium sources (airport + medical + SWIFT; prison staff + telecom + facial recognition) that are individually hard to check but together make the author look capable. Mixing real public information — the Moghiseh profile, Evin Ward 2A details, an IP range from the publicly available KittenBusters leak — with fabricated or misattributed claims (Payvast, unverifiable personas) is how disinfo operators lend false credibility to an otherwise unsubstantiated package.
The strongest red flag is the anachronistic targeting: doxxing a judge killed 14 months ago as if he were a current target. This points to recycled or outright fabricated data. The invitation to “compromise or infiltrate” the alleged C2 server may also function as a honeypot or bait for counter-operations. The 185[.]141[.]63[.]* range should be treated as a validated APT35 infrastructure indicator based on the independent KittenBusters data. Everything else from this post needs independent corroboration before anyone acts on it.
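One way to hunt for the range in egress logs, added here as an example and not part of the original report: it refangs the two indicators from the IOC section, expands the wildcard to a CIDR network, and tags each hit by whether it matches the address named in the post or only the leaked range. The log lines, their format, and the function names are constructed for illustration.

```python
import ipaddress
import re

# Indicators exactly as published in the IOC section (defanged).
RANGE_IOC = "185[.]141[.]63[.]*"
EXACT_IOC = "185[.]141[.]63[.]122"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed firewall log lines (assumed format). 185.141.63.7 is a made-up
# address inside the range, not a reported indicator.
SAMPLE_LOG = [
    "2026-03-04T08:01:12Z allow src=192.0.2.10 dst=198.51.100.20 dport=443",
    "2026-03-04T08:02:40Z allow src=192.0.2.11 dst=185.141.63.122 dport=443",
    "2026-03-04T08:03:05Z allow src=192.0.2.12 dst=185.141.63.7 dport=8443",
    "2026-03-04T08:04:19Z allow src=192.0.2.13 dst=185.141.64.122 dport=443",
    "2026-03-04T08:05:00Z deny src=192.0.2.14 dst=185.141.63.999 dport=443",
]

def refang(value):
    """Undo report-style defanging of dots."""
    return value.replace("[.]", ".")

def wildcard_to_network(pattern):
    """Convert a trailing-wildcard IPv4 pattern (a.b.c.*) to a CIDR network."""
    octets = refang(pattern).split(".")
    fixed = [o for o in octets if o != "*"]
    if len(octets) != 4 or octets[:len(fixed)] != fixed:
        raise ValueError(f"unsupported IPv4 pattern: {pattern!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

def hunt(lines):
    """Return (line_no, ip, tier) for every address inside the leaked range."""
    network = wildcard_to_network(RANGE_IOC)
    named = ipaddress.ip_address(refang(EXACT_IOC))
    hits = []
    for line_no, line in enumerate(lines, 1):
        for text in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. an octet above 255 in a mangled log field
                continue
            if ip in network:
                tier = "named-in-post" if ip == named else "range-only"
                hits.append((line_no, text, tier))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Both tiers are leads for triage: the passive DNS and TLS certificate checks the report calls for still apply before any hit is attributed.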
References
- KittenBusters/CharmingKitten — GitHub Repository — https://github[.]com/KittenBusters/CharmingKitten
- Nariman Gharib — Massive Leak Exposes Inner Workings of Charming Kitten — https://blog[.]narimangharib[.]com/posts/2025/09/1759266283738
- Nariman Gharib — Inside Charming Kitten’s Financial Operations and Infrastructure — https://blog[.]narimangharib[.]com/posts/2025/10/1761609810950
- UANI — Mohammad Moghiseh: The Iranian Supreme Court’s New Hanging Judge — https://www[.]unitedagainstnucleariran[.]com/mohammad-moghiseh-iranian-supreme-courts-new-hanging-judge
- Wikipedia — 2025 Assassination of Iranian Supreme Court Judges — https://en[.]wikipedia[.]org/wiki/2025_assassination_of_Iranian_Supreme_Court_judges
- US Treasury — Sanctions on Moghiseh (December 2019) — https://home[.]treasury[.]gov/news/press-releases/sm862
- OTF — Iranian Messaging Apps Security Audit — https://www[.]opentech[.]fund/security-safety-audits/iranian-messaging-apps-security-audit/
- Iran Briefing — Torture Behind the Walls of Evin’s Wards 2A, 209 and 240 — https://iranbriefing[.]net/torture-behind-the-walls-of-evin-wards-2a-209-240
- HRANA — IRGC Intelligence Members Identified — https://www[.]en-hrana[.]org/hrana-has-identified-revolutionary-guard-intelligence-members-raouf-and-sattar/
- SOCRadar — Cyber Reflections of the US and Israel-Iran War — https://socradar[.]io/blog/cyber-reflections-us-israel-iran-war/
- MITRE ATT&CK — Magic Hound / APT35 — https://attack[.]mitre[.]org/groups/G0059/
- Costin Raiu on KittenBusters Leak — https://x[.]com/craiu/status/1974817142240399862
