Overview

CharmingKitten is an Iranian Advanced Persistent Threat (APT) group affiliated with the Counterintelligence Division (Division 1500) of the IRGC Intelligence Organization (IRGC-IO). The group operates through a structured organization known as Department 40, conducting sophisticated cyber espionage campaigns against international targets.

Organizational Structure

IRGC-IO Hierarchy

The IRGC Intelligence Organization (IRGC-IO) is the primary intelligence gathering unit within the Islamic Revolutionary Guard Corps. Within this organization:
  • Counterintelligence Division (Division 1500): The division responsible for counterintelligence operations
  • Department 40: The cyber operations unit operating under Division 1500, commonly known as CharmingKitten in the cyber community

Leadership

Abbas Rahrovi (also known as Abbas Hosseini, National Number: 4270844116) heads Department 40’s operations. As an IRGC official, Rahrovi has established several front companies through which he manages the APT’s activities.

Front Companies

The group operates through multiple front companies to obscure its connection to the IRGC:
  • JARF/ZHARF ANDISHAN TAFACOR SEFID (ژرف انديشان تفكر سفيد)
  • Various other shell companies for procurement and operational purposes

Key Personnel

Identified members of Department 40 include:
  • Vahid Molawi (National ID: 0323217087) - Karaj team member
  • Mohammad Erfan Hamidi Aref (National ID: 0023199709) - Infrastructure management
  • Mohammad Najafloo (National ID: 4270878835) - Former senior employee, infrastructure documentation
  • Manoochehr Vosoughi Niri - IRGC-IO official, company director

Operational Model

Division of Capabilities

The Counterintelligence Division utilizes Department 40’s technical capabilities for specific operational needs:
  • Counterintelligence operations: Primary mission focus
  • Cyber attacks: Against Iranian citizens and exiles (“regime opponents”)
  • International espionage: Targeting European, Israeli, and Arab citizens
  • Support for terrorist activities: Intelligence gathering for IRGC operations

Infrastructure Management

Department 40 maintains a sophisticated infrastructure management system:
  • Documented server inventory with procurement identities
  • Server login credentials tracked in Excel sheets
  • Attack server details (e.g., Tunnel servers)
  • File storage servers
  • Internal communication platforms (ISABELLE, 3CX, Output Messenger, SIGNAL)

Operational Teams

The department operates multiple teams identified in leaked documents:
  • Karaj team: Active operational unit
  • MJD team: Regular daily reporting structure
  • HSN2 team: Operational unit with daily reporting

Work Patterns

Evidence from leaked materials shows:
  • Daily work reports submitted by department employees
  • Monthly operational reports (e.g., “گزارش عملکرد ماهانه”, “monthly performance report”)
  • Attack reports on successful operations
  • Translation documents for international targets
  • Internal chat network communications

Operational Focus

Primary Missions

  1. Regime Opposition Tracking: Monitoring and targeting Iranians both within Iran and abroad identified as “regime opponents”
  2. International Intelligence: Gathering intelligence on foreign government entities and organizations
  3. Counterintelligence: Protecting Iranian operations and identifying foreign intelligence activities
  4. Supporting IRGC Operations: Providing cyber capabilities for broader IRGC terrorist activities

Operational Security

Department 40 operated under the belief they were protected by IRGC cover. However, the exposure of their internal network has revealed:
  • Official documents from the APT’s internal network
  • Employee photos and personal information
  • Attack reports and operational details
  • Internal communication logs
  • Infrastructure credentials and access details

Clarifications on Attribution

The term “Charming Kitten” has been used broadly in the cyber community to refer to various IRGC-IO activities. However, the specific group exposed here is:
  • Specifically affiliated with the Counterintelligence Division (Division 1500)
  • Operating as Department 40 under Division 1500
  • Distinct from other cyber units operating under different IRGC-IO divisions
  • Linked to publicly documented malware like BellaCiao and CYCLOPS

Public Exposure Impact

The exposure includes comprehensive evidence:
  • Internal documents proving malicious activities
  • Personal information of operatives
  • Infrastructure details and credentials
  • Attack methodologies and reports
  • Communication logs from internal systems

These operatives, who believed they were operating under IRGC protection, are now recognized worldwide as agents of the Iranian regime.