Introduction

Episode 1 marks the beginning of the exposure of the Iranian Advanced Persistent Threat (APT) group known as CharmingKitten. This cyber espionage group operates under the Counterintelligence Division (Unit 1500) of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).
This APT has conducted malicious cyber operations against dozens of targets including telecommunications companies, aviation companies, intelligence organizations, and individuals identified as “regime opponents.”

Organizational Structure

CharmingKitten operates under a clear hierarchical structure:
  • Parent Organization: IRGC Intelligence Organization (IRGC-IO)
  • Division: Counterintelligence Division (Unit 1500)
  • Department: Department 40
  • Code Name: CharmingKitten

Geographic Targeting

The primary focus of this APT is on countries in the Middle East and Gulf region:

  • Turkey
  • United Arab Emirates
  • Qatar
  • Afghanistan
  • Israel
  • Jordan

Target Categories

CharmingKitten has targeted multiple sectors across these regions:
  • Strategic targets for intelligence gathering and surveillance capabilities.
  • Targeting critical infrastructure and travel intelligence.
  • Counter-intelligence operations against regional security services.
  • Under guidance from the Counterintelligence Division head, the APT has tracked and targeted Iranians both within Iran and abroad who have been identified as “regime opponents.”

Operational Exposure

This initial exposure revealed multiple layers of evidence proving CharmingKitten’s malicious activities:
  • Official documents from the APT’s internal network
  • Employee photographs and identification
  • Attack reports detailing successful and ongoing operations
  • Translation documents showing international targeting
  • Internal chat network files from platforms including:
    • Issabelle
    • 3CX
    • Output Messenger
These individuals believed they were operating under the protective cover of the IRGC. Through this exposure, they are now recognized worldwide as agents of the IRGC.

Significance

Episode 1 represents a watershed moment in the exposure of state-sponsored cyber espionage operations. For the first time, comprehensive evidence linking individual operators, organizational structure, and specific attacks has been publicly revealed.

Timeline

The exposure began with the first public release of documents and evidence, marking the beginning of an ongoing series of revelations about CharmingKitten’s operations.
Every few days, additional materials from the CharmingKitten network (Department 40) are being released to further expose their activities and the personal details of operatives involved.
