Overview
In Episode 3, we deliver on our promise by releasing new information regarding IRGC-IO Counterintelligence Division (Unit 1500) “Department 40” malware activity and source code. This episode includes the complete source code of the BellaCiao malware, which has previously been analyzed and published by BitDefender.
BitDefender Analysis
Read the original BitDefender technical analysis of the BellaCiao malware
What’s Included
This release contains four major categories of evidence:
1. BellaCiao Malware Source Code
- Complete source code for both variants of BellaCiao
- .NET-based dropper implementation
- C# webshell components
- PowerShell-based reverse proxy scripts
2. Python & Webshells Framework
- Dedicated webshells for victim systems
- Python command management interface
- Command execution and output relay system
3. TAGHEB System Documentation
- System designed for infecting Windows operating systems
- Mechanisms for obtaining access to target systems
- Deployment strategies
4. Intelligence Documents
- AV evasion testing results (Microsoft Defender, Kaspersky, Avira, ESET)
- Training programs and technical documentation
- Intelligence reports on Israeli entities
- Exposure of front company JARF/ZHARF ANDISHAN TAFACOR SEFID
- Personnel identification: MANOOCHEHR VOSOUGHI NIRI and MOHAMMAD ERFAN HAMIDI AREF
Real-World Attacks
The source code release includes evidence of actual attacks carried out by CharmingKitten:
- Attack on the Turkish Foreign Ministry using BellaCiao
- Multiple additional attacks using their webshell framework
- Infrastructure used in campaigns targeting Middle Eastern entities
Significance
This release provides unprecedented insight into:
- The technical capabilities of IRGC-IO’s cyber operations
- Operational security practices and AV evasion techniques
- The organizational structure behind CharmingKitten operations
- Direct evidence linking Abbas Rahrovi to malware deployment
Next Steps
Explore the detailed technical and intelligence analysis in the following pages:
BellaCiao Malware
Technical analysis of both BellaCiao variants
Webshells Framework
Python & Webshells framework documentation
Intelligence Analysis
MOSESS STAFF, front companies, and personnel