Essential Information

Primary Target

CharmingKitten (Department 40)
IRGC-IO Counterintelligence Division (Unit 1500)

Leader

Abbas Rahrovi
(aka Abbas Hosseini)
National ID: 4270844116

Geographic Focus

Middle East & Gulf Region
Turkey, UAE, Qatar, Afghanistan, Israel, Jordan, Kuwait, Saudi Arabia, Iran

Evidence Types

Documents, Source Code, Infrastructure Data, Personnel IDs, Communications

Key Terminology

Organizational Terms

Term | Full Name | Description
IRGC | Islamic Revolutionary Guard Corps | Iranian military organization
IRGC-IO | IRGC Intelligence Organization | Intelligence-gathering unit of the IRGC
Unit 1500 | Counterintelligence Division | Division under IRGC-IO
Department 40 | - | Cyber unit under Unit 1500; the specific CharmingKitten unit exposed here
APT | Advanced Persistent Threat | Sophisticated, long-term cyber threat actor

Technical Terms

Term | Description
BellaCiao | .NET-based dropper malware with two variants for establishing persistent access
CYCLOPS | Malware tool used by Department 40
TAGHEB System | Tool for infecting and obtaining access to Windows operating systems
Webshell | Script that provides remote command execution on compromised servers
C2 / C&C | Command and Control server for malware communication

Quick Navigation

Overview Section

  • Detailed attack reports, target analysis, and operational activities across multiple countries
  • Individual operator profiles, national IDs, and organizational roles
  • Malware analysis, infrastructure documentation, and technical tools
  • Primary source documents, reports, and materials from Department 40’s internal network

Key Personnel Quick Reference

Leadership & Management

Name | National ID | Role | Status
Abbas Rahrovi (Abbas Hosseini) | 4270844116 | Department Head | Active
Mohammad Najafloo | 4270878835 | Infrastructure Manager | Former
Mohammaderfan Hamidiaref | 0023199709 | Infrastructure Manager | Current
Manoochehr Vosoughi Niri | - | Front Company Director | Active

Operators

Name | National ID | Team | Role
Vahid Molawi | 0323217087 | Karaj Team | Attacker

More personnel identities are being released in ongoing episodes. Check individual episode pages for the latest information.

Target Countries at a Glance

Primary Targets

  • Turkey: Foreign Ministry and government entities
  • UAE: Government and security employees (AMEEN ALKHALIJ recruitment)
  • Israel: Extensive intelligence gathering and cyber operations
  • Jordan: Government entities, civilian companies, media
  • Iran: Regime opponents within country and abroad

Additional Targets

  • Qatar, Afghanistan, Kuwait, Saudi Arabia

Evidence Categories

1. Internal Documents

  • Attack reports on government and civilian entities
  • Daily work reports from department employees
  • Translation documents
  • Training materials

2. Source Code & Tools

  • BellaCiao malware complete source code
  • Python & Webshells Framework
  • Custom PowerShell scripts
  • TAGHEB system details

3. Infrastructure Data

  • Unified infrastructure Excel sheets
  • Server credentials and login information
  • Procurement identities
  • Attack server details

4. Communications

  • Isabelle chat network logs
  • 3CX communications
  • Output Messenger files
  • Signal messages

5. Personnel Information

  • Employee photos
  • National identification numbers
  • Work hours reports
  • Organizational roles

Malware Quick Reference

BellaCiao

Type: .NET-based dropper
Variants:
  1. Variant 1: Drops a C# webshell enabling:
    • File upload
    • File download
    • Command execution
  2. Variant 2: Drops a PowerShell script that:
    • Establishes a reverse proxy using Plink (PuTTY suite)
    • Executes a customized PowerShell webserver
Public Analysis: BitDefender report available
Evidence: Complete source code exposed in Episode 3
Known Use: Turkish Foreign Ministry attack

Other Tools

  • CYCLOPS: Malware tool linked to Department 40 servers
  • TAGHEB System: Windows infection and access tool
  • Python & Webshells Framework: Custom command management interface

Front Companies

Company Name | Farsi Name | Director | Purpose
JARF/ZHARF ANDISHAN TAFACOR SEFID | ژرف انديشان تفكر سفيد | Manoochehr Vosoughi Niri | Cover company for operations
AMEEN ALKHALIJ | - | - | UAE recruitment website

Episode Structure

  1. Episode 1: Initial exposure - Leadership introduction, operational overview, evidence categories
  2. Episode 2: Clarifications, additional attack reports, first operator identity (Vahid Molawi)
  3. Episode 3: BellaCiao source code, front company exposure, MOSESS STAFF connection
  4. Episode 4: Infrastructure Excel sheets, server credentials, personnel transitions
  5. Ongoing: New episodes released every few days with additional evidence and personnel information

How to Verify Information

Linking Public Analysis to Department 40

  1. BellaCiao Connection:
    • Compare BitDefender analysis with exposed source code
    • Match servers in infrastructure sheets to known C2 servers
  2. CYCLOPS Connection:
    • Analyze servers listed in Excel sheets
    • Cross-reference with public threat intelligence
  3. Infrastructure Correlation:
    • Review procurement identities
    • Match server credentials to known CharmingKitten infrastructure
The exposed files provide concrete evidence linking publicly available threat intelligence to Department 40’s internal operations and documentation.

Key Takeaways

Who

Department 40 under IRGC-IO Unit 1500, led by Abbas Rahrovi

What

Advanced persistent threat conducting cyber espionage and attacks

Where

Middle East and Gulf region: Turkey, UAE, Qatar, Afghanistan, Israel, Jordan, Kuwait, Saudi Arabia, Iran

Why

Counterintelligence operations, regime opponent tracking, terrorist activity promotion

Important Notes

CharmingKitten Terminology: In the cyber community, “CharmingKitten” is often used generally for IRGC-IO activities. This exposure specifically focuses on Department 40 under Unit 1500.
Ongoing Exposure: New episodes are released every few days. This documentation is continuously updated with additional evidence, personnel information, and operational details.

Contact Information

For further questions: [email protected]

Next Steps

  1. Read the full Introduction for comprehensive context
  2. Review Leadership for detailed personnel information
  3. Check Timeline for episode release schedule
  4. Explore specific episodes for detailed evidence and analysis