Skip to main content

Overview

This documentation exposes the Iranian Advanced Persistent Threat (APT) known as CharmingKitten, which operates under the Counterintelligence Division (Unit 1500) of the IRGC Intelligence Organization (IRGC-IO). The operation is managed through Department 40, a cyber unit serving the division’s counterintelligence needs.
The unit responsible for intelligence gathering in the IRGC is called the IRGC Intelligence Organization (IRGC-IO). Under this unit, there are several divisions, each with a cyber unit that serves the division’s needs.

What is CharmingKitten?

In the cyber community, the term “CharmingKitten” is often used as a general term for the activities of the IRGC-IO without distinguishing between the various divisions. This exposure specifically focuses on:
  • Organization: IRGC Intelligence Organization (IRGC-IO)
  • Division: Counterintelligence Division (Unit 1500)
  • Department: Department 40
  • Classification: Advanced Persistent Threat (APT)

Scope of the Exposure

This unprecedented exposure includes:

Official Documents

Internal documents from the APT’s network including attack reports, translation documents, and operational records

Personnel Information

Employee photos, identities, and national identification numbers of operators

Source Code

Complete source code of malware tools including BellaCiao and associated webshells

Infrastructure Data

Server credentials, procurement identities, and operational infrastructure details

Evidence Categories

The exposure contains multiple types of evidence proving malicious activities:
  1. Internal Communications: Files from the APT’s internal chat networks (Isabelle, 3CX, Output Messenger, Signal)
  2. Attack Reports: Detailed reports on attacks against government entities, civilian companies, and media organizations
  3. Daily Work Reports: Employee work logs and operational activities
  4. Server Logs: Infrastructure logs including recruitment websites and attack platforms
  5. Malware Analysis: Source code and technical details of tools like BellaCiao, CYCLOPS, and TAGHEB system
  6. Training Materials: Programs for testing malware against antivirus products and espionage techniques

Geographic Targets

The primary focus of this APT is on countries in the Middle East and Gulf region:
  • Turkey
  • United Arab Emirates (UAE)
  • Qatar
  • Afghanistan
  • Israel
  • Jordan
  • Kuwait
  • Saudi Arabia
  • Iran (targeting regime opponents)
Under the guidance of the head of the Counterintelligence division, this APT has also targeted and tracked Iranians both within Iran and abroad who have been identified as “regime opponents.”

Target Categories

Attacks have been directed against dozens of targets including:
  • Telecommunications companies
  • Aviation companies
  • Intelligence organizations
  • Government entities
  • Media organizations
  • Medical entities
  • Security organizations

Purpose of This Documentation

These individuals believed they were operating under the protective cover of the IRGC. Through this exposure, they will be recognized worldwide as agents of the IRGC engaged in:
  • Cyberattacks against Iranian citizens and exiles
  • Attacks against European, Israeli, and Arab citizens
  • Promotion of terrorist activities
  • International espionage operations
Every few days, new episodes release more evidence about their activities, along with additional information about operators and their operations.

How to Use This Documentation

This documentation is organized into several sections:
  • Overview: Introduction, background, leadership, and timelines
  • Operations: Detailed attack reports and target analysis
  • Personnel: Individual operator profiles and organizational structure
  • Technical: Malware analysis, infrastructure, and tools
  • Evidence: Primary source documents and materials
For quick navigation, refer to the Quick Reference guide.

Contact

For further questions, reach out via email: [email protected]

Build docs developers (and LLMs) love

Get started for freeTalk to us