
Introduction

Episode 2 continues the exposure of the Iranian APT affiliated with the Counterintelligence Division (Division 1500) of the IRGC Intelligence Organization (IRGC-IO), publicly known as Charming Kitten. The group operates as Department 40 and is managed by Abbas Rahrovi.

IRGC-IO Division Structure

Before describing the new evidence, several clarifications about the organizational structure are needed:

IRGC Intelligence Organization (IRGC-IO)

  • The unit responsible for intelligence gathering in the IRGC is the IRGC Intelligence Organization (IRGC-IO)
  • Under this organization there are several divisions, each with its own cyber unit serving that division’s needs
  • In the cyber community, “Charming Kitten” is commonly used as an umbrella term for IRGC-IO cyber activity as a whole, without distinguishing between the divisions

Counterintelligence Division (Division 1500)

  • The Counterintelligence Division (Division 1500) operates under the IRGC-IO
  • Department 40 operates under this division – this is the Charming Kitten whose activities are now being exposed
  • The division utilizes the department’s capabilities for its own needs (counterintelligence)

Department 40 Operations

Department 40 conducts cyberattacks against:
  • Iranian citizens
  • Iranian exiles (“regime opponents”)
  • European citizens
  • Israeli citizens
  • Arab citizens
All of this is done to promote terrorist activities.

Malware Tools

Publicly available reports describe malware tools used by the department, including:
  • BellaCiao - dropper malware
  • CYCLOPS - attack tool
Future episodes will provide information linking the publicly available data to the department’s private reports.

Evidence Released in Episode 2

The files uploaded in this episode include:

Attack Reports

  • Additional attack reports on government entities
  • Reports on civilian companies
  • Reports on media organizations
  • Attacks in countries including Jordan, Iran, Kuwait, Saudi Arabia, Turkey, and more

Daily Operations

  • Daily work reports of department employees
  • Hours tracking reports
  • Department server logs

Infrastructure Logs

  • AMEEN ALKHALIJ server logs - A website the department set up to recruit former government and security employees from the United Arab Emirates
  • Web server access logs showing attack infrastructure activity
  • Webshell deployment logs from targets in multiple countries

Key Findings

The evidence demonstrates:
  • Systematic targeting of government entities across the Middle East
  • Exploitation of the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in Microsoft Exchange servers
  • Use of webshells for persistent access
  • Coordinated attacks across multiple countries
  • Recruitment operations targeting UAE security personnel
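As an added example (not material from the leak or from the department’s own reports), the following Python scanner shows how a responder could review Exchange front-end IIS access logs of the kind listed under Infrastructure Logs for the two findings above: ProxyShell path-confusion requests through /autodiscover/autodiscover.json that reach a back-end endpoint, and repeated requests to .aspx files in the directories where webshells are commonly dropped. The log lines are constructed, and the allowlist of legitimate pages under /owa/auth/ is an assumption that must be tuned to the environment being reviewed.

```python
"""Scan Exchange front-end IIS logs (W3C extended format) for ProxyShell
path-confusion requests and webshell use.

Added illustration, not code or data from the leak: the sample log below is
constructed, and the /owa/auth/ allowlist is an assumption to tune per site."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in IIS W3C format (user agents use '+' for spaces).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2021-08-14 02:13:05 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 152
2021-08-14 02:13:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=AAAA 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 389
2021-08-14 02:14:31 10.0.0.5 POST /aspnet_client/system_web/updater.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 44
2021-08-14 02:15:02 10.0.0.5 POST /aspnet_client/system_web/updater.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 41
2021-08-14 02:16:44 10.0.0.5 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example%2Fowa%2F 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2021-08-14 02:17:10 10.0.0.5 POST /owa/auth/x.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 30
2021-08-14 02:18:00 10.0.0.5 POST /autodiscover/autodiscover.json Email=user@corp.example 443 - 198.51.100.21 Microsoft+Office/16.0 - 200 0 0 20
2021-08-14 02:18:30 10.0.0.5 GET /owa/ - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 9
"""

AUTODISCOVER_RE = re.compile(r"/autodiscover/autodiscover\.json", re.I)
# Back-end endpoints the ProxyShell chain reaches through the path confusion.
BACKEND_RE = re.compile(r"/(mapi/nspi|powershell|ews/exchange\.asmx)", re.I)
# Assumed allowlist of legitimate pages under /owa/auth/; tune per environment.
KNOWN_OWA_AUTH = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}


def parse_w3c(log_text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def is_webshell_path(stem):
    """Flag .aspx files where Exchange serves none (aspnet_client) or that are
    not on the allowlist for /owa/auth/, two common webshell drop locations."""
    low = stem.lower()
    if not low.endswith(".aspx"):
        return False
    if low.startswith("/aspnet_client/"):
        return True
    return low.startswith("/owa/auth/") and low.rsplit("/", 1)[-1] not in KNOWN_OWA_AUTH


def scan(log_text, min_repeat=2):
    """Return a list of findings; each is a dict with at least 'rule' and 'c_ip'."""
    findings = []
    shell_hits = Counter()
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        full = stem if query == "-" else f"{stem}?{query}"
        decoded = unquote(full)
        # Legitimate autodiscover requests also carry '@' (in the Email parameter),
        # so require the embedded back-end path as well, not just the '@'.
        if AUTODISCOVER_RE.search(stem) and "@" in decoded and BACKEND_RE.search(decoded):
            findings.append({"rule": "proxyshell_path_confusion", "c_ip": rec["c-ip"],
                             "method": rec["cs-method"], "uri": full})
        if is_webshell_path(stem):
            findings.append({"rule": "webshell_candidate", "c_ip": rec["c-ip"],
                             "method": rec["cs-method"], "uri": full})
            shell_hits[(rec["c-ip"], stem)] += 1
    # Repeated hits on one suspicious file from one client indicate persistent access.
    for (ip, stem), n in shell_hits.items():
        if n >= min_repeat:
            findings.append({"rule": "repeated_webshell_use", "c_ip": ip,
                             "uri": stem, "count": n})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The ProxyShell rule deliberately requires both the “@” and an embedded back-end path such as /mapi/nspi or /powershell, because ordinary Autodiscover traffic also contains an “@” in the Email parameter; the constructed line from 198.51.100.21 is there to show that it is not flagged. For real logs, extend KNOWN_OWA_AUTH from a clean reference server and feed the file contents to scan().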

Mission Statement

“Let’s eliminate this APT once and for all!”
The exposure includes comprehensive documentation proving the malicious activities of Department 40 under the IRGC-IO Counterintelligence Division.
