Overview

CharmingKitten is affiliated with the Counterintelligence Division (Unit 1500) of the IRGC Intelligence Organization (IRGC-IO). The APT operates under Department 40 within this division.

Organizational Structure

IRGC Intelligence Organization

The unit responsible for intelligence gathering in the IRGC is called the IRGC Intelligence Organization (IRGC-IO). Under this unit, there are several divisions, each with a cyber unit that serves the division’s needs.

Counterintelligence Division (Unit 1500)

  • Division: Counterintelligence Division (Unit 1500)
  • Sub-unit: Department 40
  • Operations: Charming Kitten APT activities
  • Leadership: Under the guidance of the head of the Counterintelligence Division

In the cyber community, the term “Charming Kitten” is often used as a general term for the activities of the IRGC-IO without distinguishing between the various divisions. The specific unit exposed here is Department 40 under Division 1500.

Malware Tools Connection

BellaCiao

BellaCiao is a confirmed malware tool used by Department 40. The connection has been verified through:
  • Public Analysis: BitDefender published analysis of BellaCiao malware
  • Source Code: Episode 3 leak includes the complete BellaCiao source code from Department 40’s internal network
  • Attack Reports: Documentation of attacks using BellaCiao against targets including Turkish Foreign Ministry

Technical Details

BellaCiao is a .NET-based dropper with two known variants.

Variant 1: Drops a C# webshell that enables:
  • File upload
  • File download
  • Command execution

Variant 2: Drops a PowerShell script that:
  • Establishes a reverse proxy using Plink (part of the PuTTY suite)
  • Executes a customized version of a publicly available PowerShell webserver

CYCLOPS

CYCLOPS is another malware tool used by the department. The connection is verified through:
  • Infrastructure analysis showing servers listed in Department 40’s Excel sheets were used by CYCLOPS operations
  • Cross-referencing between publicly available CYCLOPS data and department private reports

Additional Tools

Python & Webshells Framework: A dedicated framework comprising:
  • Custom webshells deployed on victim systems
  • Python scripts acting as the command management interface on the attacker’s side
  • Webshells that execute commands and relay output back

TAGHEB System: Dedicated system for:
  • Infecting Windows operating systems
  • Obtaining access to Windows systems

Attack Infrastructure

Infrastructure Documentation

Department 40 maintained detailed Excel sheets documenting all their servers:
  • Procurement identities
  • Server login credentials
  • Attack servers (e.g., Tunnel)
  • File storage servers
  • Other operational infrastructure

These infrastructure sheets were maintained by MOHAMMAD NAJAFLOO (ID: 4270878835) and later by MOHAMMADERFAN HAMIDIAREF (ID: 0023199709).

Verification Method

To verify the connection to Charming Kitten:
  1. Analyze servers listed in the exposed Excel sheets
  2. Cross-reference with known BellaCiao command and control servers
  3. Cross-reference with known CYCLOPS infrastructure
  4. Correlate with attack reports from the department
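Steps 1 to 3 amount to an intersection between the hosts in an exposed sheet and published indicator lists. The following is an added example, not material from the leak or from any referenced analysis: the sheet rows, column names and indicator values are all constructed, using reserved documentation ranges and the `.invalid` TLD.

```python
import csv
import io
import ipaddress

# Constructed stand-in for an exported infrastructure sheet. The column
# layout (role, host, purpose) is hypothetical; the real sheets are not shown.
INFRA_SHEET_CSV = """role,host,purpose
tunnel,198.51.100.23,attack server
storage,files.example-storage.invalid,file storage
tunnel,203.0.113.77,attack server
c2,Panel.Example-C2.Invalid,operational
"""

# Constructed indicator sets standing in for public BellaCiao / CYCLOPS
# infrastructure reporting (documentation ranges only, not real indicators).
KNOWN_C2 = {
    "BellaCiao": {"203.0.113.77", "panel.example-c2.invalid"},
    "CYCLOPS": {"198.51.100.23", "192.0.2.10"},
}

def normalize(host: str) -> str:
    """Lower-case hostnames, drop a trailing dot, and canonicalize IP
    literals (e.g. IPv6 zero compression) so equal hosts compare equal."""
    host = host.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host

def load_sheet(csv_text: str) -> list:
    """Parse the sheet export into one dict per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def correlate(rows, known_c2):
    """Return {family: [(host, role), ...]} for every sheet host that also
    appears in that family's published infrastructure list."""
    index = {fam: {normalize(h) for h in hosts} for fam, hosts in known_c2.items()}
    matches = {fam: [] for fam in known_c2}
    for row in rows:
        host = normalize(row["host"])
        for fam, hosts in index.items():
            if host in hosts:
                matches[fam].append((host, row["role"]))
    return matches

def overlap_ratio(rows, known_c2) -> float:
    """Fraction of sheet hosts matching any family: a coarse measure of how
    much the private sheet and the public reporting overlap."""
    hits = {h for lst in correlate(rows, known_c2).values() for h, _ in lst}
    return len(hits) / len(rows) if rows else 0.0
```

A high overlap between privately held server lists and independently published C2 indicators is the kind of evidence steps 1 to 3 describe; the role column lets an analyst see which matched hosts the sheet itself labelled as attack infrastructure.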

Operational Focus

Mission

The division utilizes Department 40’s capabilities for counterintelligence operations:
  • Cyberattacks against Iranian citizens
  • Targeting Iranian exiles (“regime opponents”)
  • Operations against European, Israeli, and Arab citizens
  • Promotion of terrorist activities

Target Regions

Primary focus on countries in the Middle East and Gulf region:
  • Turkey
  • United Arab Emirates
  • Qatar
  • Afghanistan
  • Israel
  • Jordan
  • Kuwait
  • Saudi Arabia
  • Iran (domestic targets)

Target Types

  • Telecommunications companies
  • Aviation companies
  • Intelligence organizations
  • Government entities
  • Civilian companies
  • Media organizations

Evidence Sources

The exposure includes materials from Department 40’s internal network:
  • Official documents
  • Employee photos
  • Attack reports
  • Translation documents
  • Internal chat network files (Issabelle, 3CX, Output Messenger, Signal)
  • Malware source code
  • Infrastructure credentials
  • Server logs

Testing and Evasion

Department 40 conducted extensive testing of malware tools against antivirus products for stealthier operation:
  • Microsoft Defender
  • Kaspersky
  • Avira
  • ESET
  • Other AV products

Documentation includes:
  • Training programs
  • Technical details about espionage operations
  • Malware tool specifications
  • Intelligence reports focusing on Israeli entities