Malware Analysis and Threat Detection Tools

A comprehensive guide to tools and techniques for detecting state-sponsored spyware (like Pegasus), analyzing suspicious files, and monitoring system integrity, tailored for the Iranian high-risk context.

Reading time: 15 minutes


Introduction

For Iranian users, the threat landscape goes beyond common cybercriminal activity. We face targeted attacks from state-sponsored actors (such as MuddyWater/MOIS and APT42/IRGC) utilizing advanced spyware like Pegasus, Predator, and custom-built malware disguised as VPNs or "anti-censorship" tools.

This guide focuses on detection and analysis. Unlike antivirus software, which protects passively, these tools let you actively investigate whether your device has been compromised or whether a specific file is malicious.


I. Mobile Forensics and Spyware Detection

Mobile devices are the primary targets for surveillance in Iran due to their role in communication and 2FA.

1. Mobile Verification Toolkit (MVT)

Developed by Amnesty International's Security Lab, MVT is the gold standard for detecting traces of sophisticated spyware like Pegasus.

  • Best For: Technologists and forensic investigators.
  • Platform: Linux / macOS (Command Line Interface).
  • Function: Scans iOS backups and Android systems for "Indicators of Compromise" (IoCs).
  • Capabilities:
    • iOS: Decrypts and analyzes encrypted iTunes backups. This is the most effective method for detecting Pegasus.
    • Android: Scans installed applications and SMS via ADB (Android Debug Bridge). Note that Android scanning is more limited than iOS due to system architecture.
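MVT's IoC files are STIX2 bundles published by Amnesty's Security Lab, and the core of a backup check is matching extracted artifacts (process names, visited domains) against the indicators in that bundle. The following is an added example, not MVT's own code: the indicator bundle and the "backup records" are constructed, only `domain-name` and `process` patterns are handled, and the rule that a subdomain of an indicator domain also matches (on a label boundary, so `notupdates.example-c2.net` does not match `updates.example-c2.net`) is an assumption made for the example.

```python
"""Minimal STIX2 indicator matching of the kind MVT performs on iOS backup
artifacts. Added example, not MVT's code; the IoC bundle and the backup
records below are constructed for illustration."""
import json
import re
from urllib.parse import urlsplit

# Constructed stand-in for an IoC bundle. STIX2 indicators carry a 'pattern'
# such as "[domain-name:value = 'example.com']"; only domain-name and
# process patterns are handled here (assumption for the example).
IOC_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'updates.example-c2.net']"},
        {"type": "indicator", "pattern": "[process:name = 'bh']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'cdn.example-telemetry.org']"},
        {"type": "malware", "name": "not-an-indicator"},
    ],
})

# Constructed records in the shape a backup scan produces: process names
# from the data-usage database and URLs from Safari history.
BACKUP_RECORDS = [
    {"module": "datausage", "proc_name": "com.apple.WebKit.Networking"},
    {"module": "datausage", "proc_name": "bh"},
    {"module": "safari_history", "url": "https://www.apple.com/"},
    {"module": "safari_history", "url": "https://img.updates.example-c2.net/a?x=1"},
    {"module": "safari_history", "url": "https://notupdates.example-c2.net/"},
]

PATTERN_RE = re.compile(r"^\[(domain-name:value|process:name) = '([^']+)'\]$")


def load_iocs(bundle_json):
    """Return ({domains}, {process names}) parsed from a STIX2 bundle string."""
    domains, processes = set(), set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue  # other pattern types (file paths, e-mails) are skipped here
        kind, value = m.groups()
        (domains if kind.startswith("domain") else processes).add(value.lower())
    return domains, processes


def domain_matches(host, ioc_domains):
    """Return the matching indicator if host equals an IoC domain or is a
    subdomain of one (suffix match on a label boundary), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def scan_records(records, bundle_json):
    """Return a list of (record, matched indicator) hits in record order."""
    domains, processes = load_iocs(bundle_json)
    hits = []
    for rec in records:
        if "proc_name" in rec and rec["proc_name"].lower() in processes:
            hits.append((rec, rec["proc_name"]))
        if "url" in rec:
            host = urlsplit(rec["url"]).hostname or ""
            matched = domain_matches(host, domains)
            if matched:
                hits.append((rec, matched))
    return hits


if __name__ == "__main__":
    for rec, ioc in scan_records(BACKUP_RECORDS, IOC_BUNDLE):
        print(f"[{rec['module']}] matched IoC {ioc!r}: {rec}")
```

Two hits come out of the constructed data: the process name `bh` and the Safari visit to a subdomain of the listed C2 domain. As with iMazing's analyzer, the result is only as good as the indicator list, so refresh the bundle before every scan.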

2. iMazing (iOS)

For users uncomfortable with the command line, iMazing offers a "Spyware Analyzer" feature that acts as a graphical interface for MVT.

  • Platform: Windows / macOS.
  • Usage: Connect your iPhone, select "Detect Spyware," and follow the wizard.
  • Note: It relies on the same public IoCs as MVT. A "clean" scan does not guarantee you are safe, only that known indicators were not found.

3. Auditor (Android / GrapheneOS)

For users of GrapheneOS (highly recommended for high-risk Android users), the Auditor app provides hardware-backed verification.

  • How it works: It uses the device's secure element to verify that the operating system has not been tampered with or downgraded.
  • Usage: Requires two Android devices to verify each other (Auditor and Auditee).

II. File Analysis and Sanitization

Iranian users are frequently targeted via phishing emails containing malicious attachments (PDFs, Word docs) or links to fake apps.

1. VirusTotal

A massive online database that scans files and URLs with over 70 antivirus engines simultaneously.

  • Use Case: Verifying whether a generic file (like a VPN installer found on Telegram) is known malware.
  • How to Use: Upload the file or paste the URL at virustotal.com.
  • Privacy Warning: DO NOT upload private documents, photos, or contact lists.
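The privacy warning has a practical counterpart: a file that is already known to VirusTotal can be looked up by its SHA-256 hash, which reveals nothing about the file's contents. The following is an added example, not VirusTotal's or the guide's code. It assumes an API key in the `VT_API_KEY` environment variable and uses the public v3 `files/{hash}` endpoint; the sample file it writes is constructed. Upload only if the hash is unknown and the file is not private.

```python
"""Hash a file locally and query VirusTotal by hash instead of uploading it.
Added example, not VirusTotal's code. Assumes VT_API_KEY is set in the
environment; the sample file below is constructed."""
import hashlib
import json
import os
import tempfile
import urllib.request
from urllib.error import HTTPError

VT_FILE_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_report(report):
    """Reduce a VT v3 file object to the engine counts that matter for triage."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return {key: stats.get(key, 0)
            for key in ("malicious", "suspicious", "harmless", "undetected")}


def lookup_hash(digest, api_key=None, timeout=30):
    """Return a summary dict, or None if VT has never seen this hash (HTTP 404).
    Only the hash leaves the machine, never the file."""
    api_key = api_key or os.environ.get("VT_API_KEY")
    if not api_key:
        raise RuntimeError("set VT_API_KEY before querying VirusTotal")
    req = urllib.request.Request(VT_FILE_ENDPOINT + digest,
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize_report(json.load(resp))
    except HTTPError as e:
        if e.code == 404:
            return None
        raise


def write_constructed_sample(content=b"abc"):
    """Write a small constructed file and return its path (for demonstration)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else write_constructed_sample()
    digest = sha256_of_file(target)
    print("sha256:", digest)
    if os.environ.get("VT_API_KEY"):
        summary = lookup_hash(digest)
        print("unknown to VirusTotal" if summary is None else summary)
```

A `None` result means the file has not been seen before, which for a "VPN installer" that was passed around on Telegram is itself a reason for caution rather than reassurance.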

2. Dangerzone

Created by the Freedom of the Press Foundation, Dangerzone is essential for safely opening suspicious documents.

  • How it works: It takes a potentially dangerous PDF, office document, or image and converts it into a safe PDF. It does this by rendering the document into raw pixels in a sandbox and then reconstructing it.
  • Why use it: If you receive an attachment from an unknown source (e.g., a "journalist" asking for an interview), run it through Dangerzone before opening. It kills any embedded malware/scripts.
  • Platform: Windows, macOS, Linux.

3. Link Checkers

Before clicking a link received via SMS or Telegram (especially those claiming to be from "Sana," "Judiciary," or "Post"):

  • URLScan.io: Provides a detailed analysis of what a website does when visited, without you having to visit it yourself.
  • Check Shortened Links: If you receive a bit.ly or similar short link, use a URL expander service (like expandurl.net) to see the real destination before visiting.
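An expander service works by reading each redirect's Location header without landing on the final page. The following is an added example, not code from the guide or from any expander service: it issues HEAD requests with automatic redirect-following disabled and records every hop, so a loop or an unusually long chain is visible. The `fetch` parameter is injectable, and the redirect chain used for the offline demonstration is constructed (the `.example` hostnames are placeholders).

```python
"""Expand a shortened link hop by hop without automatically following it.
Added example; the FAKE_RESPONSES chain is constructed so the logic can be
exercised offline, while head_no_follow does the real thing."""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def head_no_follow(url, timeout=10):
    """Fetch one hop with HEAD and return (status, Location header or None)."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-check/1.0"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as e:
        return e.code, e.headers.get("Location")


def expand_url(url, fetch=head_no_follow, max_hops=10):
    """Return the list of hops from the short link to the final destination.
    Raises ValueError on a redirect loop or when max_hops is exceeded; both
    are worth treating as suspicious rather than as a broken link."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError(f"redirect loop back to {nxt}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects")


# Constructed redirect chain standing in for live HTTP responses.
FAKE_RESPONSES = {
    "https://short.example/abc123": (301, "https://hop.example/r"),
    "https://hop.example/r": (302, "/landing?ref=sms"),
    "https://hop.example/landing?ref=sms": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for hop in expand_url("https://short.example/abc123", fetch=fake_fetch):
        print("->", hop)
```

Some servers answer HEAD with 405; the function then simply reports that status as the end of the chain, which is a prompt to use a service like URLScan.io rather than to open the link.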

III. System and Network Monitoring (Desktop)

Malware on desktops often reveals itself by "phoning home" to a Command & Control (C2) server.

1. Network Firewalls (Outgoing Traffic)

Standard firewalls block incoming attacks. To detect malware, you must monitor outgoing traffic.

  • macOS: LuLu (Free/Open Source) or Little Snitch (Paid). These tools alert you whenever an app tries to connect to the internet. If "Calculator" or a "PDF Viewer" tries to connect to a Russian or Iranian IP, block it and investigate.
  • Windows: Portmaster (by Safing). Visualizes all network connections and allows you to block trackers and malware C2 servers.
  • Linux: OpenSnitch. An application-level firewall for Linux.
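Tools like LuLu, Portmaster and OpenSnitch can export their connection history, and two signals in that history are worth automating: a process that has no reason to use the network, and the clockwork-regular check-ins ("beaconing") that C2 implants produce. The following is an added example, not code from any of those tools or from the guide. The log lines are constructed, the list of processes that should never reach the internet is an assumption for the example, and the regularity threshold (coefficient of variation of the gaps at most 0.1) is a starting point, not a tuned value.

```python
"""Triage an exported outbound-connection log for unexpected processes and
periodic beacons. Added example; the log lines and NO_NETWORK_EXPECTED list
are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: ISO timestamp, process name, destination host:port.
# 203.0.113.7 is a documentation address, not a real C2.
SAMPLE_LOG = """\
2026-01-10T09:00:00 Safari www.wikipedia.org:443
2026-01-10T09:00:03 Calculator 203.0.113.7:8443
2026-01-10T09:00:10 Safari upload.wikimedia.org:443
2026-01-10T09:05:03 Calculator 203.0.113.7:8443
2026-01-10T09:10:03 Calculator 203.0.113.7:8443
2026-01-10T09:15:04 Calculator 203.0.113.7:8443
2026-01-10T09:20:03 Calculator 203.0.113.7:8443
2026-01-10T09:12:41 Mail imap.example.net:993
2026-01-10T09:31:07 Mail imap.example.net:993
"""

# Processes that have no business reaching the internet (assumption).
NO_NETWORK_EXPECTED = {"Calculator", "Preview", "TextEdit"}


def parse_log(text):
    """Return a list of (timestamp, process, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dest = line.split()
        events.append((datetime.fromisoformat(ts), proc, dest))
    return events


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections. Near 0 means
    the process talks to the destination on a fixed schedule. Returns None
    when there are fewer than three gaps to judge from."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def triage(text, max_cv=0.1):
    """Return findings per (process, destination) flow that deserve a look."""
    by_flow = defaultdict(list)
    for ts, proc, dest in parse_log(text):
        by_flow[(proc, dest)].append(ts)

    findings = []
    for (proc, dest), stamps in by_flow.items():
        reasons = []
        if proc in NO_NETWORK_EXPECTED:
            reasons.append("process is not expected to use the network")
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            gaps = [(b - a).total_seconds() for a, b in zip(sorted(stamps), sorted(stamps)[1:])]
            reasons.append(f"periodic beacon, ~{mean(gaps):.0f} s interval (cv={cv:.3f})")
        if reasons:
            findings.append({"process": proc, "destination": dest,
                             "connections": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['process']} -> {f['destination']} ({f['connections']} connections)")
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed log the only finding is Calculator contacting the same host every five minutes, for both reasons. Mail's two IMAP connections are too few to score, which is deliberate: a handful of connections is not evidence of beaconing.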

2. System Scanners

  • ClamAV (Linux/Windows/macOS): An open-source antivirus engine. Useful for scanning directories for known malware signatures.
  • Rkhunter / Chkrootkit (Linux): Tools to scan for rootkits (malware that hides deep in the OS).
  • Sysinternals Suite (Windows): Advanced tools like Process Explorer and Autoruns allow you to see exactly what is running and what starts automatically. Use these to find malware that hides from the standard Task Manager.

IV. Iranian Threat Landscape: Specific Indicators

In 2026, be vigilant against these specific threats common in the Iranian digital landscape:

1. Fake VPNs and Utilities

State hackers (MuddyWater/APT42) frequently distribute malware disguised as VPNs or Starlink connection tools on Telegram.

  • Known Fake Brands (Historical & Current): "Earth VPN," "Comodo VPN," "Hide VPN," and various "Starlink" installers.
  • Action: Legitimate VPNs should be downloaded only from their official websites or Google Play/App Store, never from a Telegram file attachment.

2. Domestic Apps as Spyware

Applications mandated by the state or heavily promoted often have backdoor capabilities or excessive permissions.

  • Risky Apps: Rubika, Eitaa, Soroush, Bale.
  • Recommendation: Treat these apps as spyware. If you must use them for daily life (banking/school), install them on a separate, isolated device ("burner phone") or within a secure profile (Android Work Profile/Shelter app).

3. SMS Phishing (Smishing)

  • The Lure: SMS messages threatening arrest, court dates (Sana), or unclaimed postal packages.
  • The Payload: The links usually download an APK (Android app) that steals your SMS messages (including banking 2FA codes) and your contacts.
  • Detection: Legitimate government agencies in Iran generally do not send links via SMS asking for immediate payment or app installation.

V. Incident Response: What if you find something?

If any of these tools confirm a malware infection:

  1. Disconnect Immediately: Turn off Wi-Fi, Mobile Data, and Bluetooth.
  2. Do Not Login: Do not type passwords on the infected device.
  3. No Backups: Do not restore a backup to a new device unless you are sure the backup is clean (malware often persists in backups).
  4. Factory Reset? For standard malware, a factory reset usually works. For advanced state spyware (rootkits/firmware implants), a reset may not be enough. The safest option is to physically destroy the device and replace it.
  5. Seek Help: Contact the specialized helplines mentioned above (Access Now, Amnesty) using a clean, different device.
