Source Code of Iranian Surveillance Tool Leaked

Published : 23/11/2024   Category : security



GhostSec makes source code openly available in a 26GB file



Hacker group GhostSec is disclosing the source code for software developed by the Iranian FANAP group, alleging it to be surveillance software used by the Iranian state on its own citizens.
The group claims to have cracked FANAP group's proprietary code, and has analyzed around 26GB of compressed data, which it is releasing a file at a time, according to a series of Telegram posts. GhostSec has so far released various core components of the code, such as configuration files and API data.
The FANAP group is an Iranian provider of technology to financial services and the IT sector, but has apparently expanded its wares into a comprehensive surveillance system used by the Iranian government to monitor its citizens, according to GhostSec's findings, with features akin to the Pegasus spyware from the NSO group, or tools from Cellebrite.
The first messages were posted on August 27, with GhostSec saying it had discovered facial recognition and various other privacy-invading features and tools within the FANAP group's software. These were later disclosed as:
Behnama – Video surveillance using facial recognition
Behyab – Car GPS and tracking system
Behkhan – Car license plate recognition system
Behcard – Facial recognition system for printing ID cards
In particular, GhostSec alleges that the software was deployed across all branches of Iran's Pasargad Bank, an investor in FANAP.
"Behnama in particular is not just a tool, but a powerful instrument of surveillance that is used by the Iranian government, law enforcement agencies, and military personnel," GhostSec said, noting that its intention of exposing FANAP is in the interests of the Iranian people, but also in the interests of protecting the privacy of each and every one of us.
It is built on a microservice architecture and contains Apache Kafka, which is likely used for real-time processing of video data from multiple sources; Redis and Postgres to store metadata or analysis results; functions to interact with IP cameras; and services for system monitoring, according to the findings.
GhostSec's official statement regarding its motives for the breach and subsequent exposure is in line with its aims for human rights, it said. The group formed in the last decade as a hacktivist and online vigilante operation, and has participated in operations against ISIS and supported Ukraine in the conflict with Russia.
In a message on Telegram, a GhostSec member said they were able to capture the source code by getting access to the FANAP infrastructure, then compromising a server with HAProxy that had a metric page accessible.
"This page showed all the connections to the backend, and I tested them one by one until I came across one containing an open index: all the files were there," according to the post. "I then downloaded everything and studied the files for two months before I could really explain what it was."
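A defensive check for the exposure described above, as an added example that is not from the article, GhostSec or FANAP: it scans an haproxy.cfg for sections that serve the stats page or the Prometheus exporter on a non-loopback bind without authentication. The sample config and every name in it are constructed, and the article does not say which of the two pages was exposed.

```python
import re

# Constructed sample haproxy.cfg (not taken from the leak or the article).
SAMPLE_CFG = """
frontend public
    bind *:443
    stats enable
    stats uri /metrics
listen admin
    bind 127.0.0.1:8404
    stats enable
    stats auth ops:REPLACE_ME
frontend prom
    bind 0.0.0.0:9101
    http-request use-service prometheus-exporter if { path /metrics }
backend app
    server s1 10.0.0.5:8080
"""

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
LOOPBACK = ("127.", "localhost", "::1", "[::1]")

def parse_sections(text):
    """Split config text into [kind, name, directives] per section."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = SECTION.match(line)
        if m:
            sections.append([m.group(1), m.group(2), []])
        elif line and sections:
            sections[-1][2].append(line)
    return sections

def audit(text):
    """Flag sections serving stats/metrics on a non-loopback bind without auth."""
    findings = []
    for kind, name, lines in parse_sections(text):
        serves = any(l.startswith(("stats enable", "stats uri"))
                     or "prometheus-exporter" in l for l in lines)
        binds = [l.split()[1] for l in lines if l.startswith("bind ")]
        public = [b for b in binds if not b.startswith(LOOPBACK)]
        authed = any(l.startswith(("stats auth", "http-request auth")) for l in lines)
        if serves and public and not authed:
            findings.append((kind, name, public))
    return findings

if __name__ == "__main__":
    for kind, name, binds in audit(SAMPLE_CFG):
        print(f"{kind} {name}: stats/metrics without auth on {binds}")
```

The check does not model settings inherited from `defaults` or ACL-based restrictions, so a clean result is a starting point for review rather than proof that the page is protected.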
In a statement published by GhostSec, FANAP denied the reports about the leak, and said the claims were made without technical expertise and aimed at inciting public opinion. FANAP denied that the attack was successful, and said that only a part of the software logs and Docker files were made available.
On the product's functionality, FANAP said the software only has the ability to recognize faces that have been introduced to the device with the person's presence and consent (similar to what is found in fingerprint registration in these devices). It also described the use of the product to recognize the identity of citizens as a pure lie and said the facial recognition feature was designed for some needs within the organization and was not provided to organizations outside the FANAP group.
In response, GhostSec said that it has discovered extensive components, making the code available for download once it understood the purpose of the Behnama software.
