CharmingKitten
APT Exposure

Complete documentation exposing IRGC-IO Counterintelligence Division (Unit 1500) Department 40 malicious activities, malware source code, and operational infrastructure.

Active Exposure
Key Assets Exposed
BellaCiao Malware
IRGC Personnel
Attack Infrastructure

Understanding the threat

Navigate through episodic releases, technical malware analysis, and intelligence reports documenting CharmingKitten’s operations.

1. Review the background

Start with the introduction to understand the scope of CharmingKitten’s operations under Abbas Rahrovi’s leadership and the IRGC-IO Counterintelligence Division.

2. Explore episode releases

Four episodes document the progressive exposure of personnel, attack reports, malware source code, and infrastructure. Begin with Episode 1.

3. Analyze the malware

Deep dive into BellaCiao malware technical analysis, including C# and PowerShell variants, webshells, and command-and-control frameworks.

4. Review intelligence reports

Examine attack reports, target lists, server logs, and attribution evidence linking operations to IRGC-IO.

Explore by topic

Navigate directly to specific areas of interest

Episode Releases

Four episodic releases documenting progressive exposure of CharmingKitten operations

BellaCiao Malware

Complete source code analysis of .NET dropper and PowerShell reverse proxy variants

Webshells & Tools

Python C2 frameworks and ASP webshells used for command execution

Infrastructure

Server lists, domain infrastructure, and exposed credentials

Attack Reports

Documented attacks across Middle East targets including Turkey, UAE, Saudi Arabia, Iran

Personnel & Attribution

Identified IRGC-IO personnel, front companies, and organizational structure

Ready to explore the intelligence?

Start with the comprehensive introduction or jump directly into technical malware analysis.