Void Verge

The firewall required a routing update, and several CDN service IPs were added to enable access for certain government‑affiliated individuals and organizations. We have successfully injected most of the IP ranges from the company’s cloud-based NS (AWS, Akamai, etc.) into the routing table. The changes are currently propagating and are expected to be fully applied by 06:00 AM Iran local time. Connectivity should now be smoother, allowing most users to connect more easily. For now, focus on the following ranges (eventually, the full subnets will be applied): 2.144.x.x/24 3.160.x.x/20 18.154.x.x/24 23.49.x.x/20 You can also scan the range under 50.x.x.x, which has now been fully applied.

We performed a controlled lab test on several messaging apps. Observations are based solely on network traffic; no payload decryption or app reverse engineering was done. 1. DNS behavior Some apps (e.g., Bale) requested DNS from multiple sources outside the device’s configured servers. At least three DNS servers were contacted, all located outside the country. 2. Tunnel-flag behavior When the tunnel flag was toggled on and off (no real network change), some apps behaved unusually. Eita repeatedly closed otherwise successful server connections when the tunnel was on. This behavior did not occur when the tunnel was off. 3. DNS resolution inconsistencies Eita sometimes resolved a domain to an IP (e.g., a.b.c.d) but connected to a different IP (e.g., a.b.c.e), ignoring the resolved IP for extended periods. 4. Reconnection and traffic patterns Eita repeatedly re-established connections after closing them. We saw forground netowork activity in app that firts thought is for notifications. We tested with a chat message showed the app did not load the message or notifications.but meanwhile Upload traffic volume was much higher than download, which is not typical for getting notification request 5. Comparison with other apps Rubika: similar to Eita, opening multiple connections to different servers, sending data, and closing connections frequently. Bale: maintained a single, persistent TCP connection to its server, behaving normally. These apps exhibit unusual and potentially suspicious network behavior. Some easy to undrestand info are in the zip below:

New leak from Iran's regime censorship docs: They’ve got ways to spot Starlink users and people on VPNs. Some popular Iranian apps come bundled with hidden networking scripts that run in the background. These scripts keep sending DNS queries and TCP requests outside your network — even when VPN is active (and in some apps, it doesn't even care if VPN is on). They do it in 3 main ways: to public/blocked servers (just to check if they connect) to regime-controlled endpoints (to figure out how you're connecting) to special DNS resolvers (to detect your leaks/IP) Then they collect all this data and either send you threatening messages or pinpoint if you're on Starlink. Be careful what apps you run. Stay sharp. we  may publish a complete report later , but for now just learn to use  app proxing or split tunneling

We are watching the traffic coming from Iran, and it’s starting to look unusual. Some techniques that previously worked are now widely used, and they have become visible at the firewall level. Let me give you some advice. When you play chess against an opponent who is more experienced, has studied your games, and already controls the center of the board, you don’t rush your queen into the middle. The center is where the board is most contested. If your opponent already controls those squares, placing your most valuable piece there only makes it an easy target. Instead, strong players develop quietly, protect their pieces, and look for indirect ways to challenge control of the board. The Thirty-Eight Barrier is close to run !

Until the data centers be inaccessible, why dont we just do the below? We have tested the implementation and saw its benefits 😉 https://telegra.ph/The-Idea-of-dns-multiplexing-03-08

We pulled gigabytes of data straight from Iran's regime censorship network. Inside: Millions of IPs whitelisted during shutdowns (external ones locals use + the ones they allow) Their plans to hunt down Starlink terminals inside the country Ways they try to trace who’s still online during blackouts and plenty more We’ll drop some parts that can actually help people get to the free internet.

We are fighting...

Sample ips for dns are as below: (They are other ranges that are open now, scan and find out ) 102.133.160.77 102.133.139.154 102.133.235.79 102.133.128.244 102.22.82.129 102.22.81.212 102.22.82.17 102.22.81.249 102.22.27.125 102.22.82.53 102.22.83.78 102.22.81.20 102.22.81.195 102.22.83.114 102.22.83.149 102.22.83.72 102.22.81.122 102.22.83.102 102.22.195.246 102.22.108.25 102.22.81.37 102.22.80.182 102.22.81.140 102.22.83.155 102.22.82.5 102.22.82.45 102.22.82.94 102.22.82.242 102.23.163.244 102.23.226.71 102.23.226.70 102.37.158.250 102.37.142.149

CIDRS can be calculated wrongly We shouldnt write such important things in notepad though Someone will accidentally come and replace range 103 with 102 Or just adds an ip like 217.60... at the end of 217.219 range Or maybe worse Opens a hole 195 range We should be carefull !

The iran government  preparing  itself  for a  complete cut out on emergency. Ive been told that they want to cut out the chain of connection in domestic internet  so they dont let people share there tools to connect to international  internet. They plan to : - Block the free fileshare services  on mobile ISP's . - block sharing links and content  in all domestic  messengers   vastly. - threatening  people  blindly  by sending sms massages. - gathering info about remaining  connected vpns from vpn channels  and groups manually or using crawlers like sparta  to block them These are happening right now. In this situation  i suggest three things: -learn how to share youre files  from youre computer for the hole internet (it is possible). - send the links in base64  or be creative .there are otherways sending  links and configs to people. - for channels its better to send there configs in base64 or other creative ways. We are going to help publicly or anonymously too.

For only first minute Look at the traffic passing..

We are in :)

The clinic and the edge router up to north had to be reset based Well thats some work 😅

Nice job boy searching for internal servers to find proxy A liitle mistke you did! But We will erase youre trace No worries 😉

Public dns servers like : google , cloudflare and quad9 will be closed soon in iran . ReScan and replace those in youre configs.

They redeployed the servers fast