
Primary Leadership

Abbas Rahrovi (Abbas Hosseini)

Abbas Rahrovi (also known as Abbas Hosseini) is the primary leader heading CharmingKitten’s Department 40 operations.

Identity Information

Name: Abbas Rahrovi
Alias: Abbas Hosseini
National Number: 4270844116
Role: IRGC Official & Department Head

Organizational Role

Position: Head of Department 40
Affiliation: IRGC-IO Counterintelligence Division (Unit 1500)
Responsibility: APT Operations Management

Leadership Activities

Abbas Rahrovi’s responsibilities and activities include:
  1. Establishing Front Companies: He has established several front companies in recent years through which he manages the APT
  2. Directing Attacks: He directed attacks against dozens of targets over the years
  3. Campaign Leadership: Leading the campaign’s activity, assets, and malicious activity against international targets
  4. Strategic Management: Overseeing operations across the Middle East and Gulf region
Abbas Rahrovi is described as a “shadow man” – operating covertly under the protective cover of the IRGC. The exposure of Department 40 is considered very embarrassing for the Iranian leadership.

Target Direction

Under Abbas Rahrovi’s leadership, Department 40 has targeted:
  • Telecommunications companies
  • Aviation companies
  • Intelligence organizations
  • Government entities in Turkey, UAE, Qatar, Afghanistan, Israel, Jordan, Kuwait, Saudi Arabia, and Iran
  • Iranian regime opponents both within Iran and abroad

Key Personnel

Infrastructure Management

Mohammad Najafloo

National ID: 4270878835
Role: Infrastructure Documentation Manager
Responsibilities:
  • Maintained the unified infrastructure Excel sheets for years
  • Documented all department servers including:
    • Procurement identities
    • Server login credentials
    • Attack server details (e.g., Tunnel)
    • File storage servers
    • Operational infrastructure
Status: Former employee who departed from the role
Significance: His Excel sheets provide comprehensive documentation of the entire Department 40 server infrastructure, linking publicly known CharmingKitten operations to Department 40.

Mohammaderfan Hamidiaref (Mohammad Erfan Hamidi Aref)

National ID: 0023199709
Alternative Name: محمد عرفان حمیدی عارفا
Role: Infrastructure Documentation Manager (Current)
Responsibilities:
  • Took over infrastructure management after Mohammad Najafloo’s departure
  • Continues managing and documenting department infrastructure
  • Maintains Excel sheets with server credentials and operational details
Additional Information:
  • Listed as an employee in documents related to front company JARF/ZHARF ANDISHAN TAFACOR SEFID (ژرف انديشان تفكر سفيد)

Operational Personnel

Vahid Molawi

National ID: 0323217087
Team: Karaj team
Role: Attacker/Operator
Evidence: Named in Episode 1 materials and hours reports as one of the attackers
Significance: First operational personnel identity exposed in the documentation series

Front Company Leadership

Manoochehr Vosoughi Niri

Name (Farsi): منوچهر وثوقی نیری
Role:
  • Company director of JARF/ZHARF ANDISHAN TAFACOR SEFID (ژرف انديشان تفكر سفيد)
  • IRGC-IO official
Significance: Signs official documents for the front company, establishing a direct link between the cover company and IRGC-IO operations

Organizational Structure

Hierarchy

IRGC (Islamic Revolutionary Guard Corps)
└── IRGC-IO (Intelligence Organization)
    └── Counterintelligence Division (Unit 1500)
        └── Department 40 (CharmingKitten)
            ├── Leadership: Abbas Rahrovi
            ├── Front Companies
            │   └── JARF/ZHARF ANDISHAN TAFACOR SEFID
            │       └── Director: Manoochehr Vosoughi Niri
            ├── Infrastructure Team
            │   ├── Mohammad Najafloo (Former)
            │   └── Mohammaderfan Hamidiaref (Current)
            └── Operational Teams
                └── Karaj Team
                    └── Vahid Molawi

Reporting Structure

Department 40 operates under:
  1. Head of Counterintelligence Division: Provides guidance and direction for operations
  2. Department Leadership: Abbas Rahrovi manages day-to-day operations
  3. Team Structure: Multiple operational teams (e.g., Karaj team)
  4. Support Infrastructure: Personnel managing servers, malware, and communications
The organizational structure includes both official IRGC personnel and employees working through front companies to obscure the connection to the Iranian government.

Management Methods

Front Company Operations

Abbas Rahrovi manages the APT through several front companies established in recent years. These companies:
  • Provide cover for hiring personnel
  • Enable financial transactions without direct IRGC connection
  • Allow international operations with plausible deniability
  • Sign official documents to legitimize activities

Infrastructure Management

The leadership maintains detailed documentation of all operational infrastructure through:
  • Unified Excel sheets with server credentials
  • Procurement identity tracking
  • Attack server documentation
  • Internal network access details

Communication Systems

Leadership coordinates operations through:
  • Isabelle: Internal chat network
  • 3CX: Communication platform
  • Output Messenger: Internal messaging
  • Signal: Encrypted communications

Evidence of Leadership Connection

The exposure includes multiple pieces of evidence directly linking leadership to operations:
  1. Official Documents: Signed by IRGC-IO officials and front company directors
  2. Infrastructure Documentation: Managed by named personnel with national IDs
  3. Work Reports: Daily logs showing operational activities and personnel
  4. Attack Reports: Detailing operations directed by leadership
  5. Internal Communications: Chat logs from internal networks
These individuals believed they were operating under the protective cover of the IRGC. Through this exposure, they are now being recognized worldwide as agents of the IRGC engaged in malicious cyber operations.

Impact of Exposure

The exposure of Abbas Rahrovi and Department 40’s leadership is considered:
  • Unprecedented: First time such detailed information has been exposed
  • Embarrassing: Very embarrassing for the Iranian leadership
  • Significant: Removes the protective cover these individuals operated under
  • Ongoing: More personnel identities and personal information will be released in future episodes

Additional Personnel

Every few days, more evidence is released about Department 40’s activities, along with additional information about personnel and their personal lives. This documentation will continue to expand with new episodes.
Future episodes will expose:
  • Additional operator identities and national ID numbers
  • More front company personnel
  • Infrastructure team members
  • Malware developers
  • Supporting staff
For the latest personnel information, check the individual episode releases and the complete personnel directory.
