Episode 4: Infrastructure Exposure
Overview
In this critical release, we expose the unified infrastructure Excel sheet used by CharmingKitten to document their entire operational infrastructure. This represents one of the most significant exposures of the group’s technical capabilities and operational security practices.
What’s Exposed
This episode includes comprehensive documentation of:
Infrastructure Documentation
- Unified infrastructure Excel sheets containing complete server inventory
- Procurement identities used to register and purchase services
- Server login credentials for all operational infrastructure
- Attack server details including tunnel servers and C2 infrastructure
- File storage servers used for data exfiltration
- Internal network credentials for communication platforms
Key Personnel
Two key individuals maintained these infrastructure records:
- MOHAMMAD NAJAFLOO (National ID: 4270878835) - Former senior employee who maintained the infrastructure Excel sheets for years
  - Responsible for initial infrastructure documentation and credential management
- MOHAMMADERFAN HAMIDIAREF (National ID: 0023199709) - Took over infrastructure management after Najafloo’s departure
  - Continued maintaining and updating the unified infrastructure sheets
Verification of CharmingKitten Attribution
To verify the direct connection to CHARMING KITTEN operations, security researchers can:
- Cross-reference server IPs listed in the infrastructure sheets with known CharmingKitten operations
- Analyze BELLACIAO malware connections to the documented servers
- Examine CYCLOPS infrastructure overlaps with the exposed servers
- Correlate domains with previously identified CharmingKitten phishing campaigns
Internal Systems Exposed
The infrastructure sheets reveal credentials for:
Communication Platforms
- ISABELLE - Internal team communication system
- 3CX - Voice and messaging platform
- SIGNAL - Encrypted messaging for operational security
Operational Systems
- File extraction and exfiltration systems
- Storage servers for stolen data
- Tunnel servers for maintaining persistence
- Phishing infrastructure and hosting services
Operational Impact
This exposure provides:
- Complete mapping of CharmingKitten’s infrastructure
- Attribution evidence linking infrastructure to known campaigns
- Credential disclosure compromising their operational security
- Procurement patterns revealing their acquisition methods
- Identity exposure of the personnel managing critical infrastructure
Additional Materials
Beyond the infrastructure documentation, this episode includes:
- Dubai Police materials - Documents obtained by the group from Dubai Police systems
- Phishing operations guide - Internal documentation on phishing techniques and procedures
- Penetration testing reports - Reports targeting medical entities and other organizations
Call to Action
We encourage security researchers, threat intelligence analysts, and defenders to:
- Analyze the exposed infrastructure data
- Correlate with known CharmingKitten indicators
- Share findings with the security community
- Block identified infrastructure
- Hunt for related activity in your networks
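The cross-referencing described under "Verification of CharmingKitten Attribution" and the correlate/block/hunt steps in the call to action above come down to the same defender workflow: parse the sheet export, intersect it with indicators you already hold, sweep your own logs for contact with the listed servers, and emit a clean blocklist. The following Python is an added example written for this page, not code from the release or from any researcher cited in it. Every IP, domain and log line in it is constructed (RFC 5737 documentation addresses and example.* domains) and stands in for the real sheet data; the CSV column names (role, ip, domain, note) are an assumption about how such a sheet would be exported.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample: what a CSV export of an infrastructure sheet might look like.
# All values are placeholders (RFC 5737 addresses, example.* domains), not real indicators.
INVENTORY_CSV = """role,ip,domain,note
c2,192.0.2.10,login-portal.example.net,tunnel front
tunnel,192.0.2.11,,persistence relay
storage,198.51.100.5,files.example.org,exfil drop
phishing,203.0.113.7,secure-mail.example.com,credential harvesting
"""

# Constructed sample: indicators a defender already holds from prior reporting.
KNOWN_INDICATORS = {
    "ip": {"192.0.2.10", "198.51.100.5"},
    "domain": {"secure-mail.example.com"},
}

# Constructed sample proxy/DNS log lines to hunt through.
SAMPLE_LOGS = [
    "2024-01-05T10:00:01Z proxy src=10.0.0.12 dst=192.0.2.10 host=login-portal.example.net status=200",
    "2024-01-05T10:02:13Z dns src=10.0.0.15 query=files.example.org answer=198.51.100.5",
    "2024-01-05T10:05:44Z proxy src=10.0.0.20 dst=93.184.216.34 host=www.example.com status=200",
    "2024-01-05T10:07:09Z dns src=10.0.0.12 query=secure-mail.example.com answer=203.0.113.7",
]


def parse_inventory(csv_text):
    """Return a list of row dicts with validated IPs and normalised domains."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["ip"].strip()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            ip = ""  # drop malformed entries rather than carry junk into a blocklist
        domain = row["domain"].strip().lower().rstrip(".")
        rows.append({"role": row["role"].strip(), "ip": ip, "domain": domain, "note": row["note"]})
    return rows


def find_overlaps(rows, known):
    """Attribution check: which sheet entries coincide with already-known indicators."""
    hits = []
    for r in rows:
        if r["ip"] and r["ip"] in known["ip"]:
            hits.append(("ip", r["ip"], r["role"]))
        if r["domain"] and r["domain"] in known["domain"]:
            hits.append(("domain", r["domain"], r["role"]))
    return hits


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"(?:host|query)=([A-Za-z0-9.-]+)")


def hunt_logs(rows, log_lines):
    """Return {indicator: [internal source hosts]} for every log line touching inventory IPs/domains."""
    ips = {r["ip"] for r in rows if r["ip"]}
    domains = {r["domain"] for r in rows if r["domain"]}
    matches = defaultdict(list)
    for line in log_lines:
        src_match = re.search(r"src=(\S+)", line)
        src = src_match.group(1) if src_match else "?"
        for ip in IP_RE.findall(line):
            if ip in ips and ip != src:
                matches[ip].append(src)
        for host in HOST_RE.findall(line):
            if host.lower() in domains:
                matches[host.lower()].append(src)
    return dict(matches)


def build_blocklist(rows):
    """Deduplicated, sorted indicators suitable for a firewall or DNS sinkhole feed."""
    ips = sorted({r["ip"] for r in rows if r["ip"]}, key=ipaddress.ip_address)
    domains = sorted({r["domain"] for r in rows if r["domain"]})
    return {"ip": ips, "domain": domains}


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    print("overlaps with known indicators:", find_overlaps(inventory, KNOWN_INDICATORS))
    print("internal hosts that contacted listed infrastructure:", hunt_logs(inventory, SAMPLE_LOGS))
    print("blocklist:", build_blocklist(inventory))
```

Overlap hits are what support attribution (a server in the sheet that also appears in independent reporting); the hunt output tells you which internal hosts talked to listed infrastructure and therefore where to start incident response; the blocklist is what goes to the perimeter. Validating each IP before it reaches the blocklist matters because a mis-typed cell in a spreadsheet otherwise becomes a silent gap or a false block.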
Related Resources
- Infrastructure Details - Detailed breakdown of servers, domains, and credentials
- Personnel Profiles - Information on key infrastructure managers
- Additional Materials - Dubai Police documents, phishing guides, and penetration reports