Overview
Abbas Rahrovi, the IRGC official heading CharmingKitten operations, has established several front companies to manage the APT and provide operational cover. These companies serve as legitimate business facades while conducting cyber operations.
Primary Front Company
JARF/ZHARF ANDISHAN TAFACOR SEFID (Persian: ژرف انديشان تفكر سفيد)
- Director: MANOOCHEHR VOSOUGHI NIRI (منوچهر وثوقی نیری), serving a dual role as company director and IRGC-IO official
- Known Employees:
- MOHAMMAD ERFAN HAMIDI AREF (محمد عرفان حمیدی عارف)
- Other APT operatives
- Document: 5e98006a2cf1c15a164279558eed4a15018e34a0_بسمه تعالی (file name as it appears in the leak; the Persian suffix is the customary opening invocation, roughly "In the name of God, the Exalted")
- Contents: Official company documents signed by the director
- Signature: MANOOCHEHR VOSOUGHI NIRI in capacity as both company director and IRGC-IO official
- Exposed in: Episode 3
Additional Front Companies
Abbas Rahrovi’s Network
Abbas Rahrovi has established multiple front companies over recent years to manage APT operations. While the primary identified company is JARF/ZHARF ANDISHAN TAFACOR SEFID, evidence indicates the existence of additional cover companies.
Characteristics:
- Established in recent years (post-2020)
- Provide operational cover for cyber activities
- Used to manage APT infrastructure and personnel
- Enable legitimate business appearance for illegal operations
Documentation references “several front companies” established by Abbas Rahrovi, but JARF/ZHARF ANDISHAN TAFACOR SEFID is the only company explicitly named and documented with evidence in the leaked materials.
Operational Cover Activities
Business Functions
The front companies likely provide cover through:
Technology services:
- IT consulting
- Software development
- Cybersecurity services (ironically)
- Network infrastructure services
Legitimacy measures:
- Actual business contracts to maintain cover
- Real employees alongside APT operatives
- Standard business documentation and registration
Intelligence Operations
Behind the business facade, the companies enable:
Infrastructure management:
- Server procurement and hosting
- Domain registration
- Network infrastructure acquisition
- Payment processing for operational resources
Personnel cover:
- Employment records for operatives
- Legitimate salary payments
- Business travel justification
- Professional credentials and cover identities
Financial operations:
- Cryptocurrency payments (BTC documented in Episode 4)
- International payments for servers and services
- Procurement of attack infrastructure
- Operational funding laundering
Infrastructure Procurement
Service Providers Used
Documented in Episode 4 infrastructure sheets:
Hosting providers:
- namecheap.com
- namesilo.com
- modernizmir.net
- theonionhost.com
- bill.pq.hosting
- temok.com
- prq.se
Domain registration:
- namecheap
- namesilo
- modernizmir.net
Registration and payment:
- ProtonMail accounts for registration
- Bitcoin (BTC) payments documented
- Various procurement identities
Procurement Identities
Front companies enable the use of multiple procurement identities. Example email accounts from the infrastructure sheets (the addresses appear only in redacted form in this copy of the page):
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
Associated Infrastructure
Known Operational Domains
Attack infrastructure:
- cavinet.org
- bbmovements.com
- secnetdc.com
- tecret.com
- moses-staff.io
- moses-staff.to
- moses-staff.se
The moses-staff domains indicate connection to the MOSES STAFF campaign, demonstrating the scope of operations conducted through these front companies.
Server Infrastructure
The companies managed:
- VPS servers for attack operations
- Tunnel servers for proxy operations
- File storage servers
- Command and control infrastructure
- Web hosting for phishing operations
Exposure Impact
Operational Compromise
What was exposed:
- Company identity: JARF/ZHARF ANDISHAN TAFACOR SEFID publicly identified
- Key personnel: Director and IRGC-IO official MANOOCHEHR VOSOUGHI NIRI identified
- Company documents: Official papers with signatures exposed
- Employee list: MOHAMMAD ERFAN HAMIDI AREF and other APT personnel linked to the company
- Infrastructure records: Complete server and procurement documentation
Consequences:
- Loss of operational cover
- Exposure of IRGC connection
- Identification of key personnel
- Infrastructure attribution to a state actor
- International exposure and potential sanctions
Attribution Chain
The front company exposure creates a clear attribution chain from a registered business, through its director, to the IRGC-IO:
Business Registration
JARF/ZHARF ANDISHAN TAFACOR SEFID:
- Persian name: ژرف انديشان تفكر سفيد
- Transliteration: the initial letter ژ is rendered both "J" and "ZH" in Latin script, hence the JARF/ZHARF variants
- Meaning (approximate): "Deep Thinkers of White Thought"
- Likely registered in Iran as a legitimate business entity
- Director holding a dual IRGC-IO official capacity
Detection and Monitoring
Indicators
Organizations should monitor for:
Business relationships:
- IT contracts with Iranian companies
- Procurement from identified front companies
- Financial transactions with linked entities
Technical indicators:
- Hosting providers used by Department 40
- IP ranges and ASNs associated with operations
- Domain registration patterns matching exposed data
Personnel:
- Business contacts with named individuals
- LinkedIn profiles of front company employees
- Conference attendance and business events
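As an added example, not part of the leaked materials or of the original page, the following Python script matches the operational domains listed above against DNS and proxy log lines. It matches on label boundaries, so a subdomain of an indicator (update.cavinet.org) is caught while a look-alike that merely ends in the same characters (notcavinet.org) is not, and it tolerates trailing dots and mixed case as they appear in resolver logs. The two log formats and the sample lines are constructed for illustration and are not from any real network.

```python
"""Match the domain indicators on this page against DNS/proxy log lines."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Operational domains listed on this page (Episode 4 infrastructure sheets).
PAGE_DOMAINS = [
    "cavinet.org", "bbmovements.com", "secnetdc.com", "tecret.com",
    "moses-staff.io", "moses-staff.to", "moses-staff.se",
]


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot and a leading wildcard or dot."""
    d = domain.strip().lower().rstrip(".")
    return d[2:] if d.startswith("*.") else d.lstrip(".")


def matches_indicator(host: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that `host` equals or is a subdomain of, else None.

    Matching is on label boundaries: 'mail.cavinet.org' matches 'cavinet.org',
    'notcavinet.org' does not.
    """
    h = normalize(host)
    for ioc in indicators:
        i = normalize(ioc)
        if h == i or h.endswith("." + i):
            return i
    return None


# Loose patterns for two common log shapes, assumed for this example and not
# vendor-exact: a BIND-style query log and a Squid-style access log.
DNS_QUERY = re.compile(r"query:\s+(?P<name>\S+)\s+IN\s+(?P<type>\w+)")
PROXY_URL = re.compile(r"https?://(?P<host>[^/:\s]+)")


@dataclass
class Hit:
    line_no: int
    host: str
    indicator: str


def scan_lines(lines: Iterable[str], indicators=PAGE_DOMAINS) -> List[Hit]:
    """Extract the queried or requested host from each line and check it."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = DNS_QUERY.search(line) or PROXY_URL.search(line)
        if not m:
            continue
        groups = m.groupdict()
        host = groups.get("name") or groups.get("host")
        ioc = matches_indicator(host, indicators)
        if ioc:
            hits.append(Hit(n, normalize(host), ioc))
    return hits


# Constructed sample log lines (hosts, clients and timestamps are made up).
SAMPLE_LOG = [
    "01-Mar-2024 10:00:01.123 queries: info: client 10.0.0.5#53211: query: update.cavinet.org IN A +",
    "01-Mar-2024 10:00:02.456 queries: info: client 10.0.0.7#53212: query: www.notcavinet.org IN A +",
    "1709284803.789    120 10.0.0.9 TCP_MISS/200 512 GET http://moses-staff.io/index.html - HIER_DIRECT/198.51.100.20 text/html",
    "1709284804.000     80 10.0.0.9 TCP_MISS/200 1024 GET https://example.com/ - HIER_DIRECT/192.0.2.1 text/html",
    "01-Mar-2024 10:00:05.000 queries: info: client 10.0.0.5#53213: query: secnetdc.com. IN MX +",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.host} matches indicator {hit.indicator}")
```

Running it reports lines 1, 3 and 5; line 2 is correctly ignored because the match is anchored at a label boundary, and line 5 matches despite the trailing dot a resolver appends to fully qualified names. To use it on real data, replace SAMPLE_LOG with the lines of your own resolver or proxy log and extend PAGE_DOMAINS as further episodes name infrastructure.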
Additional Companies
While specific details are limited, evidence indicates Abbas Rahrovi established multiple additional companies. Organizations should:
- Monitor for new Iranian IT companies with similar characteristics
- Track associations with identified personnel
- Analyze infrastructure procurement patterns
- Investigate companies with IRGC-linked directors
As additional episodes are released, more front companies may be identified and documented. This page will be updated as new information becomes available.