
Personnel: Infrastructure Managers

This page exposes the identities of two key IRGC operatives responsible for maintaining CharmingKitten’s critical infrastructure documentation.

Overview

The unified infrastructure Excel sheets exposed in this episode were maintained by two individuals who served as infrastructure managers for the CharmingKitten APT group. These operatives had access to all server credentials, procurement identities, and operational infrastructure details.

MOHAMMAD NAJAFLOO

Identity Information

Full Name: MOHAMMAD NAJAFLOO
National ID: 4270878835
Role: Senior Infrastructure Manager
Status: Former employee
Tenure: Multi-year infrastructure management role

Responsibilities

Mohammad Najafloo served as a senior employee within CharmingKitten’s operational structure and was responsible for:
  • Infrastructure documentation - Creating and maintaining the unified Excel sheets
  • Credential management - Documenting all server login credentials and procurement accounts
  • Service tracking - Recording domain registrations, hosting services, and renewal dates
  • Financial tracking - Documenting payment methods and cryptocurrency transactions
  • Operational continuity - Ensuring infrastructure information was preserved for future operations

Documented Infrastructure

During his tenure, Najafloo maintained documentation for:
  • Hundreds of operational domains across multiple TLDs
  • Server credentials for attack infrastructure, tunnel servers, and storage systems
  • Procurement identities including email accounts and fake personas
  • Service provider accounts with hosting companies and domain registrars
  • Payment records including Bitcoin wallet addresses and transaction details
  • Internal system access for communication platforms (ISABELLE, 3CX, SIGNAL)

Operational Security Impact

Najafloo’s role meant he had:
  • Complete visibility into all CharmingKitten infrastructure
  • Root access credentials to critical operational servers
  • Knowledge of procurement methods and operational security procedures
  • Access to financial information about group operations
  • Understanding of campaign structure through infrastructure organization

This level of access makes the exposure of his documentation particularly damaging to IRGC operations.

Professional Background

While specific employment details are limited, Najafloo’s role suggests:
  • Technical expertise in infrastructure management and system administration
  • Trusted position within the IRGC Counterintelligence Division (Unit 1500)
  • Long-term involvement with CharmingKitten operations
  • Direct reporting to senior IRGC-IO officials

MOHAMMADERFAN HAMIDIAREF

Identity Information

Full Name: MOHAMMADERFAN HAMIDIAREF
Also Known As: MOHAMMAD ERFAN HAMIDI AREF
Persian: محمد عرفان حمیدی عارف
National ID: 0023199709
Role: Infrastructure Manager
Status: Active (at time of exposure)
Previous Mention: Episode 3 documentation

Transition and Continuity

Hamidiaref took over infrastructure management responsibilities after Najafloo’s departure:
  • Assumed documentation role - Continued maintaining the unified infrastructure sheets
  • Inherited access - Given credentials to all existing infrastructure
  • Expanded operations - Added new infrastructure as operations scaled
  • Maintained continuity - Ensured no disruption to operational capabilities

Previous Exposure

Hamidiaref was previously identified in Episode 3 documentation:
  • Mentioned in official IRGC documents
  • Linked to the front company JARF/ZHARF ANDISHAN TAFACOR SEFID (ژرف انديشان تفكر سفيد)
  • Documents signed by IRGC-IO official MANOOCHEHR VOSOUGHI NIRI (منوچهر وثوقی نیری)
  • Established connection to the CharmingKitten APT operations

Responsibilities

As the successor to Najafloo, Hamidiaref’s responsibilities included:
  • Updating infrastructure sheets - Adding new servers, domains, and credentials
  • Managing renewals - Tracking service expiration dates and renewal requirements
  • Procurement coordination - Registering new services and managing procurement identities
  • Credential rotation - Updating passwords and access credentials
  • Infrastructure expansion - Documenting new operational capabilities

Documented Operations

Hamidiaref maintained documentation for key operations including:

Moses Staff Campaign

  • Multiple domain registrations (.io, .to, .se)
  • TOR hosting infrastructure
  • Server credentials and IP assignments
  • DNS management through CloudNS
  • SSL certificates and email accounts

Israel-Targeted Operations

  • israel-talent.com and israel-talent.xyz domains
  • Dedicated phishing infrastructure
  • TheOnionHost hosting services
  • ProtonMail accounts for procurement

Abrahams Ax Operation

  • PRQ.se domain registration
  • Impreza hosting infrastructure
  • Server credentials and control panel access
  • TOR and clearnet hosting coordination

Phishing Infrastructure

  • Job-themed phishing domains
  • Arabic-language operations (wazayif-halima.org)
  • Multi-language targeting capabilities
  • Email harvesting systems

Technical Capabilities

Hamidiaref’s role demonstrates:
  • Infrastructure expertise - Managing complex multi-server operations
  • Operational security knowledge - Understanding of anonymity and privacy services
  • Financial management - Handling cryptocurrency payments and service billing
  • Multi-campaign coordination - Supporting various simultaneous operations
  • Documentation discipline - Maintaining detailed records for operational continuity

Organizational Position

Hamidiaref’s position indicates:
  • Trusted operative within Department 40 of Unit 1500
  • Direct access to senior leadership including Abbas Rahrovi
  • Critical role in maintaining operational capabilities
  • Knowledge of multiple campaigns across different targets and regions

Operational Impact of Exposure

The exposure of both Najafloo and Hamidiaref has significant consequences:

For the Operatives

  • Identity compromise - Both individuals are now publicly identified
  • Personal security risk - Exposed as IRGC cyber operatives
  • Career impact - Unable to continue in covert operational roles
  • Legal consequences - Potential for international sanctions and prosecution
  • Travel restrictions - Likely to face visa denials and travel bans

For CharmingKitten Operations

  • Infrastructure compromise - All documented infrastructure now exposed
  • Credential exposure - Servers and accounts must be completely rebuilt
  • Operational disruption - Significant resources required to rebuild infrastructure
  • Trust damage - Operatives may question security of centralized documentation
  • Attribution certainty - Strong evidence linking infrastructure to IRGC operations

For IRGC-IO Unit 1500

  • Capability degradation - Years of infrastructure investment compromised
  • Procedural review - Need to overhaul infrastructure management practices
  • Recruitment challenges - Potential operatives may reconsider involvement
  • International pressure - Increased sanctions and diplomatic consequences
  • Operational pause - Time required to rebuild and re-establish capabilities

Connection to Leadership

Both infrastructure managers operated under the direction of Abbas Rahrovi (aka Abbas Hosseini, National ID: 4270878835):
  • Head of CharmingKitten operations
  • IRGC-IO official managing Department 40
  • Established multiple front companies
  • Direct oversight of infrastructure operations
  • Previously exposed in Episode 1

Hamidiaref’s association with the front company JARF/ZHARF ANDISHAN TAFACOR SEFID provides additional attribution:
  • Company used to legitimize IRGC cyber operations
  • Directed by IRGC-IO official MANOOCHEHR VOSOUGHI NIRI
  • Provided cover for infrastructure procurement and personnel employment
  • Documents signed with official IRGC-IO approval
  • Exposed in Episode 3 materials

Security Community Recommendations

Security researchers and threat intelligence analysts should:
  1. Profile these individuals - Add to threat actor databases
  2. Monitor their activities - Watch for new infrastructure patterns
  3. Link to other operations - Look for additional infrastructure they may have managed
  4. Share intelligence - Contribute findings to community knowledge bases
  5. Attribution confidence - Use this exposure to strengthen attribution in reports

Defensive Actions

Organizations should:
  1. Block known infrastructure - Implement controls for all documented IPs and domains
  2. Hunt for related activity - Search logs for connections to exposed infrastructure
  3. Update threat models - Incorporate CharmingKitten TTPs and infrastructure patterns
  4. Employee awareness - Train staff on CharmingKitten phishing techniques
  5. Monitoring - Watch for new infrastructure following similar patterns
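Steps 1 and 2 above (block the documented domains, hunt logs for connections to them) are the kind of work a defender scripts rather than does by hand. The following is an added example written for this page, not code from the original page or from any project it describes. It takes the three phishing domains named in the "Documented Operations" section as an illustrative indicator set (a real block list would come from the full infrastructure documentation), scans constructed proxy and DNS log lines for hosts under those domains, and emits DNS RPZ records that block each domain and its subdomains. The log lines, IP addresses and timestamps are constructed for the example; the subdomain check is deliberate so that a look-alike such as `notisrael-talent.com` does not produce a false hit.

```python
"""Hunt log lines for hosts under exposed domains and build a DNS RPZ block list.

Added example for this page; the domain set is illustrative and the log
lines below are constructed, not captured from any real environment.
"""
import re
from dataclasses import dataclass

# Domains named on this page (illustrative indicator set, not the full list).
EXPOSED_DOMAINS = {
    "israel-talent.com",
    "israel-talent.xyz",
    "wazayif-halima.org",
}

# Constructed sample log lines: Squid-style proxy access log entries mixed
# with BIND-style query log entries. Line 5 is a deliberate look-alike.
SAMPLE_LOGS = """\
1717000000.123 10.0.0.5 TCP_MISS/200 4321 GET http://www.israel-talent.com/apply.php - DIRECT/203.0.113.10 text/html
1717000001.456 10.0.0.7 TCP_MISS/200 1200 GET https://example.org/ - DIRECT/198.51.100.2 text/html
client 10.0.0.9#53211: query: ISRAEL-TALENT.XYZ. IN A + (10.0.0.1)
client 10.0.0.9#53212: query: mail.wazayif-halima.org IN MX + (10.0.0.1)
client 10.0.0.12#53213: query: notisrael-talent.com IN A + (10.0.0.1)
1717000002.789 10.0.0.5 TCP_MISS/200 900 GET http://cdn.example.net/x.js - DIRECT/192.0.2.8 text/javascript
"""

# Candidate hostname: dotted labels ending in an alphabetic TLD. IPv4 addresses
# are excluded because their last label is numeric.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    line_no: int   # 1-based line number in the scanned log text
    host: str      # normalized hostname that matched
    domain: str    # exposed domain it falls under
    raw: str       # the full original log line


def normalize_host(token: str) -> str:
    """Lowercase and drop a trailing dot (BIND logs write FQDNs with one)."""
    return token.lower().rstrip(".")


def matching_domain(host: str, domains=EXPOSED_DOMAINS):
    """Return the exposed domain that host equals or is a subdomain of, else None.

    The '.' prefix in the suffix check is what keeps 'notisrael-talent.com'
    from matching 'israel-talent.com'.
    """
    host = normalize_host(host)
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def hunt(log_text: str, domains=EXPOSED_DOMAINS) -> list:
    """Scan log text line by line; return one Match per (line, host) hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        seen = set()
        for token in HOST_RE.findall(line):
            host = normalize_host(token)
            if host in seen:
                continue
            seen.add(host)
            domain = matching_domain(host, domains)
            if domain is not None:
                hits.append(Match(line_no, host, domain, line))
    return hits


def build_rpz_records(domains=EXPOSED_DOMAINS) -> list:
    """Emit RPZ records that NXDOMAIN each domain and everything beneath it.

    'CNAME .' is the standard RPZ action for an NXDOMAIN response.
    """
    records = []
    for domain in sorted(domains):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.host} -> {hit.domain}")
    print("\n".join(build_rpz_records()))
```

Run as-is it reports hits on lines 1, 3 and 4 only; the look-alike on line 5 is skipped. To use it for real, replace `EXPOSED_DOMAINS` with the full domain list from the infrastructure documentation and feed it proxy or resolver logs; the RPZ records can be loaded into a BIND response-policy zone or any resolver that accepts RPZ syntax.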

Evidence Authenticity

The infrastructure documentation is verified through:
  • Cross-reference with known operations - Infrastructure matches reported CharmingKitten activity
  • BELLACIAO and CYCLOPS links - Malware C2 servers match documented infrastructure
  • Moses Staff attribution - Direct connection to IRGC influence operations
  • Front company documents - Official paperwork linking Hamidiaref to IRGC
  • Multi-year documentation - Consistent records spanning years of operations

Call to Action

These individuals believed they were operating safely under IRGC protection. Today, they are exposed to the world as agents of the Iranian regime conducting cyber espionage and influence operations. We encourage:
  • Media coverage - Report on these exposed operatives
  • Government action - Implement sanctions and travel bans
  • Industry response - Block infrastructure and share intelligence
  • Community analysis - Examine the documentation and share findings

Next Steps

For detailed technical analysis of the infrastructure these operatives managed, see Infrastructure Documentation. For additional materials exposed in this episode, see Additional Materials.
  • Episode 1 - Leadership exposure, including Abbas Rahrovi
  • Episode 3 - BELLACIAO malware source code and first mention of Hamidiaref
