Organizational Structure
IRGC Intelligence Organization (IRGC-IO)
The unit responsible for intelligence gathering within the IRGC is the IRGC Intelligence Organization (IRGC-IO). It is made up of several divisions, each with its own cyber unit serving that division's needs. In the cyber community, the term "CharmingKitten" is often used as a general label for IRGC-IO activity without distinguishing between the various divisions.
Counterintelligence Division (Unit 1500)
The Counterintelligence Division (Unit 1500) operates under the IRGC-IO. Department 40 operates under this division; it is the CharmingKitten unit whose activities are exposed in this documentation. The division uses Department 40's capabilities for its own counterintelligence needs, conducting cyberattacks against:
- Iranian citizens
- Iranian exiles ("regime opponents")
- European citizens
- Israeli citizens
- Arab citizens
Operational Activities
Primary Mission
Department 40 conducts sophisticated cyber operations targeting multiple sectors and countries. Under the guidance of the head of the Counterintelligence Division, this APT has carried out:
International Operations
Attacks against government entities, civilian companies, intelligence organizations, and media in multiple countries.
Domestic Surveillance
Tracking and targeting Iranians within Iran and abroad who are identified as "regime opponents".
Target Sectors
The APT has directed attacks against dozens of targets, including:
- Telecommunications companies: Critical infrastructure for communications interception
- Aviation companies: Transportation and travel tracking
- Intelligence organizations: Counterintelligence and espionage
- Government entities: Political and diplomatic intelligence
- Media organizations: Information control and journalist targeting
- Medical entities: Personal information and health data
- Security organizations: Including Dubai Police and others
Geographic Targets
Primary Focus: Middle East and Gulf Region
The primary focus of this APT is on countries in the Middle East and Gulf region:
Turkey
Multiple operations, including attacks on the Turkish Foreign Ministry using BellaCiao malware and associated webshells.
United Arab Emirates (UAE)
Department 40 established the AMEEN ALKHALIJ server and website to recruit former government and security employees from the UAE.
Qatar
Ongoing intelligence gathering and cyber operations.
Afghanistan
Targeted operations for intelligence collection.
Israel
Extensive intelligence reporting on Israeli entities, including espionage and cyber attacks.
Jordan
Attack reports on government entities, civilian companies, and media organizations.
Additional Target Countries
The exposed materials include attack reports on entities in:
- Iran: Targeting regime opponents and dissidents
- Kuwait: Government and civilian targets
- Saudi Arabia: Security and government entities
Methods and Tactics
Malware Tools
The department uses several sophisticated malware tools, including:
- BellaCiao: A .NET-based dropper with multiple variants, used to establish persistent access
- CYCLOPS: Another malware tool used by the department
- TAGHEB System: A system intended for infecting and gaining access to Windows hosts
- Custom Webshells: Python- and PHP-based webshells for remote command execution
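The webshells listed above are the class of artefact a defender is most likely to find on a compromised web server, so the following added example shows how such files are typically hunted: a heuristic scanner that flags PHP and Python sources where a command-execution or eval primitive is fed from request parameters or from a layered-decode chain. This is example code written for this page, not code from the original documentation or from Department 40; the rule set, its weights, the threshold and the sample files are all constructed assumptions about what generic webshells look like, not signatures of the actor's tooling.

```python
"""Heuristic scanner for PHP/Python webshell indicators.

Added example, not code from the original page or from the actors it
describes.  The rules are generic webshell patterns (command execution
reached from request parameters, layered encoding in front of eval) and
are assumptions about what such tools commonly look like, not
signatures of any specific group's webshells.
"""
import re

# Each rule: (name, compiled regex, weight).  Weights are arbitrary (assumption).
RULES = [
    ("php_exec_from_request",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*[^;]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 5),
    ("php_eval_from_request",
     re.compile(r"\beval\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 5),
    ("php_decode_then_eval",
     re.compile(r"\beval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I), 5),
    ("php_variable_function_from_request",
     re.compile(r"\$\w+\s*=\s*\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*;.*?\$\w+\s*\(", re.I | re.S), 3),
    ("py_subprocess_shell_true",
     re.compile(r"subprocess\.(Popen|run|call|check_output)\([^)]*shell\s*=\s*True", re.I), 3),
    ("py_exec_of_decoded_payload",
     re.compile(r"\b(exec|eval)\s*\(\s*(base64\.b64decode|zlib\.decompress|codecs\.decode)\s*\(", re.I), 4),
    ("py_os_system_from_request",
     re.compile(r"os\.(system|popen)\s*\([^)]*(request\.(args|form|values|data)|QUERY_STRING)", re.I), 5),
]

THRESHOLD = 5  # score at or above which a file is reported (assumption)


def scan_source(text):
    """Return (score, [matched rule names]) for one file's contents."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def is_suspicious(text):
    """True when the weighted indicator score reaches THRESHOLD."""
    return scan_source(text)[0] >= THRESHOLD


# Constructed samples for demonstration only (not recovered artefacts).
SAMPLES = {
    "benign.php": "<?php\n$name = htmlspecialchars($_GET['name']);\necho 'Hello ' . $name;\n",
    "shell.php": "<?php\nif (isset($_POST['c'])) { echo '<pre>' . shell_exec($_POST['c']) . '</pre>'; }\n",
    "encoded.php": "<?php\neval(gzinflate(base64_decode('...')));\n",
    "app.py": ("from flask import Flask, request\nimport os\napp = Flask(__name__)\n"
               "@app.route('/r')\ndef r():\n    return os.popen(request.args.get('cmd')).read()\n"),
}


def scan_all(samples):
    """Scan a {filename: source} mapping; returns {filename: (score, hits)}."""
    return {name: scan_source(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, (score, hits) in scan_all(SAMPLES).items():
        flag = "SUSPICIOUS" if score >= THRESHOLD else "ok"
        print(f"{name:12} score={score} {flag} {hits}")
```

The benign sample, which merely reads a request parameter and escapes it, scores zero; the other three reach the threshold through different rules, which is the point of scoring by pattern rather than keying on any single function name. In practice such a scanner is a triage aid: a hit means "read this file", and obfuscated shells (string-concatenated function names, `chr()` chains) will still need manual review or a dedicated tool.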
Infrastructure Operations
- Attack Servers: Including tunnel servers for covert communications
- File Storage Servers: For exfiltrated data and operational materials
- Phishing Platforms: Social engineering and credential harvesting
- Recruitment Sites: Front companies and fake websites like AMEEN ALKHALIJ
Internal Communications
The department maintains internal communications through:
- Isabelle: Internal chat network
- 3CX: Communication platform
- Output Messenger: Internal messaging system
- Signal: Encrypted communications
Front Companies
Leadership has established several front companies through which the APT is managed:
JARF/ZHARF ANDISHAN TAFACOR SEFID
ژرف انديشان تفكر سفيد (JARF/ZHARF ANDISHAN TAFACOR SEFID) is one of the cover companies used by the campaign. Documents are signed by:
- Company director and IRGC-IO official: Manoochehr Vosoughi Niri (منوچهر وثوقی نیری)
- Employee: Mohammad Erfan Hamidi Aref (محمد عرفان حمیدی عارفا)
Campaign Connections
MOSESS STAFF
The Iranian directive reflected in the campaign's activity includes involvement in cyber attacks and in public influence platforms such as MOSESS STAFF.
Public Analysis Correlation
Publicly available tools and analysis can be correlated with the department's private reports:
- BellaCiao: Analyzed and published by Bitdefender; its source code is now exposed from Department 40
- CYCLOPS: Linked to servers listed in the infrastructure Excel sheets maintained by department personnel
The exposed files provide information linking publicly available data to the department’s private reports, confirming the connection between CharmingKitten activities and Department 40.
Operational Timeline
Department 40 has been operating for years, with:
- Continuous infrastructure management and documentation
- Evolving malware development and testing
- Expanding target list across multiple countries
- Personnel changes and organizational growth
Intelligence vs. Terrorism
While the unit operates under the guise of intelligence gathering and counterintelligence, the activities exposed in this documentation demonstrate:
- Attacks on civilian infrastructure
- Targeting of journalists and media
- Surveillance of dissidents and regime opponents
- International cyber warfare operations
- Support for terrorist activities