
Overview

This page documents the key personnel identified as members of the CharmingKitten APT operating under IRGC-IO’s Counterintelligence Division (Unit 1500), Department 40.

Leadership

Abbas Rahrovi (Abbas Hosseini)

Name: Abbas Rahrovi (aka Abbas Hosseini)
National ID: 4270844116
Role: IRGC Official / APT Operations Director
Profile: Abbas Rahrovi is the IRGC official heading the CharmingKitten APT operations. He has established several front companies in recent years through which he manages the APT.
Activities:
  • Directed attacks against dozens of targets
  • Managed campaign activity and assets
  • Coordinated malicious activity against international targets
  • Operated as a “shadow man” until exposure
Target Focus:
  • Telecommunications companies
  • Aviation companies
  • Intelligence organizations
  • Countries in Middle East and Gulf region (Turkey, UAE, Qatar, Afghanistan, Israel, Jordan)
Abbas Rahrovi believed he was operating under the protective cover of the IRGC. The exposure is considered highly embarrassing for Iranian leadership.

Operations Personnel

Key Operators Summary

| Name | National ID | Role | Notes |
|---|---|---|---|
| Abbas Rahrovi | 4270844116 | APT Director | aka Abbas Hosseini, IRGC Official |
| Vahid Molawi | 0323217087 | Attacker | Karaj team member |
| MOHAMMAD NAJAFLOO | 4270878835 | Infrastructure Manager | Former senior employee, maintained infrastructure Excel sheets for years |
| MOHAMMADERFAN HAMIDIAREF | 0023199709 | Infrastructure Manager | Took over from Najafloo, continued managing infrastructure |
| MANOOCHEHR VOSOUGHI NIRI | N/A | IRGC-IO Official | Company director, signed documents for front company JARF/ZHARF ANDISHAN TAFACOR SEFID |
| MOHAMMAD ERFAN HAMIDI AREF | N/A | APT Employee | Listed in front company documents |

Detailed Personnel Profiles

Vahid Molawi

National ID: 0323217087
Team: Karaj team
Role: Attacker
Evidence:
  • Mentioned in hours reports from Episode 1
  • Daily work reports documented his activities

MOHAMMAD NAJAFLOO

National ID: 4270878835
Role: Former Senior Infrastructure Manager
Responsibilities:
  • Maintained infrastructure Excel sheets for years
  • Documented server procurement identities
  • Managed server login credentials
  • Tracked attack servers and file storage servers
Infrastructure Documentation: Najafloo was responsible for maintaining comprehensive records of:
  • All operational servers
  • Procurement identities used to acquire infrastructure
  • Login credentials for servers on the internal network
  • Details of attack servers (e.g., Tunnel servers)
  • File storage and extraction systems

MOHAMMADERFAN HAMIDIAREF

National ID: 0023199709
Role: Current Infrastructure Manager
Background:
  • Took over infrastructure management role after NAJAFLOO’s departure
  • Continued maintaining the infrastructure Excel sheets
  • Manages operational server documentation
Responsibilities:
  • Server infrastructure management
  • Credential management
  • Infrastructure documentation
  • Operational systems access

MANOOCHEHR VOSOUGHI NIRI

Persian Name: منوچهر وثوقی نیری
Role: IRGC-IO Official / Company Director
Activities:
  • Serves as director of front company JARF/ZHARF ANDISHAN TAFACOR SEFID
  • Signs official documents for the cover company
  • IRGC-IO official managing cover operations
Evidence:
  • Document 5e98006a2cf1c15a164279558eed4a15018e34a0_بسمه تعالی
  • Signature on company documents

MOHAMMAD ERFAN HAMIDI AREF

Persian Name: محمد عرفان حمیدی عارف
Role: APT Employee
Connection:
  • Listed as employee in front company documentation
  • Associated with JARF/ZHARF ANDISHAN TAFACOR SEFID
  • Named in official documents signed by MANOOCHEHR VOSOUGHI NIRI
Note: There appears to be a variation in the spelling of this individual’s name in different documents (HAMIDIAREF vs HAMIDI AREF). These may refer to the same person or different individuals.

Team Structure

Karaj Team

Identified member:
  • Vahid Molawi (0323217087) - Attacker role
Documentation:
  • Daily work reports
  • Hours reports
  • Attack reports

Additional Teams

Documentation indicates multiple teams:
  • MJD (Referenced in daily reports)
  • HSN2 (Referenced in report structures)

Evidence Documentation

Internal Records

Personnel activities documented through:
Daily Work Reports:
  • MJD_Monthly-Reps_Mehr_1403 series
  • Daily reports from 1403-06-25 through 1403-07-15
  • Hours tracking and activity logs
Attack Reports:
  • Monthly performance reports (Bahman month, بهمن ماه)
  • Target-specific operation reports
  • Technical exploitation reports (e.g., CVE-2024-1709)
Infrastructure Records:
  • Excel sheets with server details
  • Service procurement records
  • Payment tracking (including BTC payments)

Communication Platforms

Personnel used internal communication systems:
  • Issabelle
  • 3CX
  • Output Messenger
  • Signal
All identified personnel should be considered active IRGC-IO operatives conducting cyber operations under the Counterintelligence Division (Unit 1500), Department 40.

Operational Security Failures

The exposure of these personnel resulted from:
  1. Network Breach: Complete compromise of Department 40’s internal network
  2. Documentation Leaks: Excel sheets, reports, and internal documents
  3. Communication Logs: Chat logs from internal platforms
  4. Photo Evidence: Employee photos from internal network
These individuals believed they were operating under IRGC protection but are now publicly identified as agents of the IRGC Intelligence Organization.
