Evidence Overview
Episode 1 includes a comprehensive package of evidence proving CharmingKitten’s malicious activities. This evidence was obtained from the APT’s internal networks and systems.
Categories of Evidence
The exposure includes multiple categories of incriminating evidence:
1. Official Documents
Internal Network Documents
Official documents from the APT’s internal network revealing:
- Organizational structure
- Operational planning materials
- Administrative records
- Official communications
2. Employee Photos
Personnel Identification
Photographs of CharmingKitten operatives including:
- Employee identification photos
- Office and workplace images
- Team photographs
- Individual operator images
These photographs allow for positive identification of individuals involved in the APT operations, removing their anonymity and exposing them as IRGC agents.
3. Attack Reports
Operational Documentation
Detailed attack reports documenting CharmingKitten’s operations against:
- Telecommunications companies
- Aviation industry targets
- Intelligence organizations
- Government entities
- Corporate targets
Attack Report Contents
The attack reports typically include:
Target Information
- Target organization names and details
- Geographic location
- Sector classification
- Strategic value assessment
Operational Details
- Attack vectors used
- Timeline of operations
- Success metrics
- Obstacles encountered
Intelligence Gathered
- Data exfiltrated
- Access obtained
- Persistent access mechanisms
- Follow-up operation potential
Operational Security
- Infrastructure used
- Attribution concerns
- Operational security measures taken
4. Translation Documents
International Operations
Translation documents revealing:
- Multi-language capabilities
- International targeting
- Phishing content in various languages
- Intelligence reports requiring translation
5. Internal Chat Network Files
Internal Communications
Files from the APT’s internal communication platforms:
Communication Platforms Exposed
Issabelle
Internal chat platform used for operational coordination.
3CX
VoIP and communication system used by the team.
Output Messenger
Messaging platform for team communications.
Chat Content Revealed
The internal chat files expose:
- Operational coordination between team members
- Technical discussions about attack methods
- Target selection and prioritization conversations
- Infrastructure management communications
- Personal communications revealing operator identities
- Command and control instructions from leadership
These chat logs provide direct insight into the operational culture, decision-making processes, and personal relationships within the CharmingKitten team.
Evidence Structure
The evidence package released in Episode 1 is organized in several archive files:
Archive Contents
- Attack_Reports.zip
- Employees.zip
- Malware_and_Logs.zip
Contains comprehensive attack reports documenting operations against various targets across multiple countries including:
- Turkey
- UAE
- Qatar
- Afghanistan
- Israel
- Jordan
- Iran (internal dissidents)
Official Documents Detail
The official documents exposed in Episode 1 include:
Administrative Documents
- Organizational charts showing the structure of Department 40
- Employee records with national ID numbers
- Operational directives from IRGC leadership
- Budget and resource allocation documents
Technical Documents
- Infrastructure diagrams showing server and network topology
- Tool documentation for custom malware and attack frameworks
- Target databases listing potential and active targets
- Operational procedures for conducting attacks
Photographic Evidence
The employee photos provide irrefutable proof of identity:
Photo Categories
Official ID Photos
Government-issued identification photos used within the organization, often featuring official IRGC branding or security credentials.
Workplace Photos
Images taken within CharmingKitten offices showing:
- Operational environments
- Team meetings
- Workstations and equipment
- Office locations
Attack Report Analysis
The attack reports reveal CharmingKitten’s methodology and capabilities:
Target Selection Criteria
- Strategic Value - Intelligence value to IRGC objectives
- Accessibility - Technical feasibility of compromise
- Risk Assessment - Likelihood of attribution and consequences
- Resource Requirements - Effort needed for successful compromise
Attack Lifecycle Documentation
Reports document the complete attack lifecycle:
Communication Platform Evidence
The internal chat network files are particularly revealing:
Operational Security Failures
Unencrypted Communications
Many communications were not properly encrypted, allowing full recovery of conversation histories.
Personal Information Shared
Technical Details Exposed
Discussions included technical details about:
- Server credentials
- Attack infrastructure
- Malware capabilities
- Victim information
Proof of IRGC Connection
The evidence package conclusively proves the connection to the IRGC:
Official Insignia
Documents bear official IRGC seals and markings.
Personnel Records
Employee records list IRGC affiliations and ranks.
Operational Directives
Orders signed by known IRGC-IO officials.
Infrastructure Links
Network infrastructure traced to IRGC facilities.
Verification and Analysis
Security researchers and intelligence analysts worldwide are encouraged to analyze the released evidence. Cross-referencing with known CharmingKitten indicators will confirm attribution.
Analysis Recommendations
- Compare infrastructure - Cross-reference servers and domains with known CharmingKitten campaigns
- Malware analysis - Examine code samples against public malware databases
- OSINT correlation - Verify personnel information through open-source intelligence
- Network indicators - Match IP addresses and domains to previous attacks
- Document authentication - Verify official documents for authenticity markers
Impact of Evidence Release
The comprehensive evidence package has several significant effects:
Operational Impact
- Infrastructure exposure - Servers and domains must be abandoned
- Method disclosure - Attack techniques are now known to defenders
- Personnel compromise - Operators are publicly identified
- Network disruption - Communication channels are compromised
Strategic Impact
- Attribution certainty - Undeniable proof of IRGC involvement
- Diplomatic consequences - Evidence usable in international forums
- Sanction support - Documentation for sanctions and legal action
- Intelligence value - Insights into IRGC cyber capabilities and methods
Additional Evidence
Beyond the main categories, the evidence package includes:
- Training materials used to onboard new operatives
- Tool development documentation and source code
- Financial records showing funding flows
- Meeting notes from planning sessions
- Procurement records for infrastructure and tools
Ongoing Releases
Every few days, additional evidence is being released, further exposing CharmingKitten’s activities and the individuals involved.
Using This Evidence
Security professionals can use this evidence for:
Threat Intelligence
Enhance detection capabilities and threat models with confirmed CharmingKitten TTPs.
Attribution
Definitively attribute attacks to specific threat actors and state sponsors.
Defense
Develop targeted defenses against CharmingKitten’s specific techniques.
Investigation
Support incident response investigations with confirmed indicators.
Conclusion
The Episode 1 evidence package provides irrefutable proof of CharmingKitten’s malicious activities, their connection to the IRGC, and the identities of individuals involved. This unprecedented exposure removes the veil of anonymity that these operatives relied upon. These individuals believed they were operating under the protective cover of the IRGC — today, they are recognized worldwide as agents of the IRGC.