MizarVision, Iranian Cyber Channels, and the New Axis of Open-Source ISR
- Richard Kreutzer

How Chinese commercial satellite imagery is feeding Iranian regime-aligned networks—and why exploitable vulnerabilities at the source now matter for counterintelligence.

When people talk about intelligence, they still tend to picture state-owned spy satellites and classified tasking orders. The reality emerging out of the Middle East today is far more complex: commercial imagery providers, encrypted social platforms, regime-aligned propaganda channels, and exploitable weaknesses in the very infrastructure that powers them.
A recent report from CACI’s DarkBlue Intelligence Group highlights this shift through a single case study: MizarVision, a Chinese commercial space and geospatial intelligence firm whose high-resolution satellite imagery is now circulating across multiple Persian-language Telegram channels aligned with the Iranian regime. The imagery is not generic; it is focused directly on U.S. and allied force posture in the Middle East at a moment of heightened regional tension involving Iran.
Chinese commercial ISR meets Iranian dissemination networks
DarkBlue analysts identified MizarVision-produced imagery embedded in several Iranian regime-aligned military and defense-focused Telegram channels. These images track the movement and positioning of U.S. and allied military aircraft, naval vessels, missile and air defense systems, and related logistics infrastructure. One prominent channel—IRGC Cyber Corps (@sepahcybery)—explicitly names MizarVision as the Chinese commercial satellite provider supplying imagery of U.S. deployments in the region.
Across the network, at least 16 Persian-language Telegram channels have referenced MizarVision imagery in the last 30 days. These include:
- IRGC Cyber Corps (@sepahcybery)
- Iranian Naval Force (@navy_iranian)
- Red Lion Corps (@RedLionCorps)
- NEMESIS (@nemesis_military)
- Defender IRAN (@defender_iran)
- Final Battle (@final_battle313)
- وقایع الاتفاقیه نظامی (news_defence) *
Commentary in these channels strongly suggests that China is providing imagery in near real time, even though timestamps and collection times are not embedded directly into the imagery shared on Telegram.
This convergence—Chinese commercial ISR capability, Iranian regime-linked dissemination, and continuous monitoring of U.S. force posture—creates a blended threat space where open-source, commercial, and state-aligned interests overlap.
What exactly is being exposed?
Machine-translated posts from February 2026 show just how specific and operationally relevant the exposed content is.
At Al-Salti Air Base in Jordan, imagery highlighted EA-18G electronic warfare aircraft, MQ-9 UAVs, and Patriot air defense deployments. Additional posts referenced THAAD deployments in Jordan and Patriot PAC‑3 systems in Bahrain.
Naval-focused imagery identified an Independence-class coastal patrol vessel in the Arabian Sea and assessed the position of the USS Abraham Lincoln (CVN‑72) operating roughly 310 kilometers east of Duqm, Oman, accompanied by destroyers and V‑22 Ospreys staged ashore.
At Prince Sultan Air Base in Saudi Arabia, images showed 6 E‑3G AWACS, 3 E‑11A BACN platforms, 13 KC‑135R tankers, 7 KC‑46A tankers, 6 C‑130J aircraft, and more than 60 U.S. fighter aircraft.
Satellite imagery of Khania International Airport in Crete revealed an F‑15 fighter, 2 RC‑135V Rivet Joint aircraft, and 11 KC‑135 refuelers, with commentary suggesting use of AI-assisted image processing to enhance interpretation.
The pattern is consistent: precise aircraft counts, equipment types, day-to-day comparisons, and detailed assessments of posture, all paired with commentary implying near real-time visibility into movements and deployments. For adversaries and sympathizers, this converts commercial imagery into a living operational picture.
IRGC-linked amplification: from collection to narrative
The IRGC Cyber Corps (@sepahcybery) channel plays a central role in amplifying this content. DarkBlue assesses that this high-volume propaganda platform may be operated by the Islamic Revolutionary Guard Corps Cyber Division. Between January 2024 and February 2026, posts on the channel routinely reached between about 37,200 and 116,000 views per post.
The channel mixes:
- Military updates
- Geopolitical commentary
- Anti-Israeli and anti-American messaging
- Showcases of Iranian military capabilities
Within that stream, at least one recent post explicitly identifies MizarVision as the Chinese commercial satellite provider feeding imagery of U.S. deployments in the Middle East. Once that imagery is integrated into an IRGC-linked ecosystem with high engagement, it stops being passive open-source content and becomes part of a structured, strategic messaging campaign.
In other words, commercial satellite data is not just helping watchers count airplanes; it is reinforcing narratives about Western vulnerability, encirclement, and the reach of Iran’s partners.
The unexpected weak link: MizarVision’s own infrastructure
DarkBlue’s work did not stop at identifying imagery in Telegram channels. Analysts also used DarkPursuit’s built‑in Site Vulnerability Scan to assess the technical exposure of mizarvision.com, the company’s website. The scan identified an externally accessible SSH service running OpenSSH 7.4 on port 22, with successful protocol negotiation recorded on 22 February 2026.
OpenSSH 7.4 is associated with several high and critical vulnerabilities, including:
- CVE-2021-41617: Privilege escalation (CVSS 7.0)
- CVE-2023-38408: Remote code execution (CVSS 9.8)
- CVE-2020-15778: OS command injection (CVSS 7.4)
- CVE-2023-51767: Authentication bypass (CVSS 7.0)
Additional open ports on mizarvision.com include 9033, 8441, 8123, 8066, 7177, 7178, 6379, 6060, 5211, 3308, 3307, 443, and 80. While exploitation depends on configuration and additional context, the presence of an externally exposed service with known high-severity CVEs represents a measurable weakness that could potentially be leveraged by capable actors.
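The same banner-based finding can be reproduced defensively against an organization's own asset inventory. The sketch below is an added example, not DarkBlue's or DarkPursuit's code: it parses SSH identification strings (RFC 4253, section 4.2) and flags OpenSSH versions older than the upstream release that fixed two of the CVEs listed above. The hostnames, banners, and status labels are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# First upstream release containing the fix, for two of the CVEs the article lists.
FIXED_IN = {
    "CVE-2021-41617": (8, 8, 0),
    "CVE-2023-38408": (9, 3, 2),
}

def parse_banner(line):
    """Return (version_tuple, comments) for an OpenSSH banner, else None."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    v = OPENSSH_RE.match(m.group("software"))
    if not v:
        return None  # not OpenSSH (e.g. dropbear); out of scope here
    major, minor, patch = (int(g) if g else 0 for g in v.groups())
    return (major, minor, patch), m.group("comments") or ""

def triage(inventory):
    """Map host -> finding dict for banners older than a listed fix version."""
    findings = {}
    for host, banner in inventory.items():
        parsed = parse_banner(banner)
        if parsed is None:
            findings[host] = {"status": "unparsed", "cves": []}
            continue
        version, comments = parsed
        cves = sorted(c for c, fixed in FIXED_IN.items() if version < fixed)
        # A distro string in the comments field suggests a vendor build whose
        # fixes may be backported without changing the upstream version number.
        status = "ok" if not cves else ("verify-package" if comments else "candidate")
        findings[host] = {"status": status, "cves": cves}
    return findings

# Constructed inventory: hostnames under example.internal are placeholders.
SAMPLE = {
    "bastion.example.internal": "SSH-2.0-OpenSSH_7.4",
    "build.example.internal": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11",
    "edge.example.internal": "SSH-2.0-OpenSSH_9.6",
    "legacy.example.internal": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, f in triage(SAMPLE).items():
        print(host, f["status"], ", ".join(f["cves"]))
```

A banner match is a version indicator only: some vendor builds (RHEL 7 is one) report a bare `OpenSSH_7.4` while carrying backported fixes, so any non-ok status should be confirmed against the installed package's changelog before it is treated as a vulnerability.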
This flips the script: a commercial imagery provider enabling foreign situational awareness may itself be vulnerable to compromise, tasking manipulation, data theft, or disruptive activity originating from adversaries, competitors, or state actors.
Why this matters for policymakers, defenders, and investigators
DarkBlue’s analyst commentary distills the strategic picture: the persistent appearance of MizarVision imagery across Iranian military-affiliated Telegram channels suggests coordinated efforts to map U.S. and allied posture during a period of elevated tension with Iran. Integration into an IRGC-linked, high-engagement platform significantly increases visibility and operational utility.
For defenders and policymakers, several implications stand out:
- Commercial ISR as a contested space: The line between “commercial” and “state-aligned” intelligence capabilities is eroding as firms like MizarVision supply imagery that is rapidly absorbed into regime-linked influence and operational ecosystems.
- Encrypted platforms as distribution hubs: End-to-end encrypted messengers like Telegram have become primary distribution channels for near-real-time ISR products, commentary, and targeting-relevant analysis.
- Infrastructure security as counterintelligence: Vulnerabilities such as MizarVision’s exposed OpenSSH 7.4 instance create opportunities not only for disruption but also for collection and manipulation, adding a counterintelligence dimension to what might otherwise appear to be a straightforward commercial provider.
As CACI’s DarkBlue Intelligence Suite emphasizes, operating effectively in this environment requires fusing dark web exploitation, vulnerability analysis, and open-source intelligence to identify, track, and potentially disrupt threat actors leveraging commercial tools and platforms.
The MizarVision case shows that the battlespace now includes not just military bases and carrier strike groups, but also commercial satellite APIs, Telegram channels, and misconfigured SSH daemons. For intelligence professionals, cyber defenders, and policymakers, ignoring that overlap is no longer an option.
Primary source: “MizarVision: Chinese Satellite Imagery in Iranian Cyber Channels,” DarkBlue Intelligence Group, CACI International Inc., DarkBlue Intelligence Suite Knowledge Base, February 24, 2026.