
Overview

The CharmingKitten Department 40 exposure is released in episodes every few days, with each episode containing new evidence, personnel information, and operational details. This timeline documents the key revelations from each episode.
New episodes are released regularly. This timeline is continuously updated as new information becomes available.

Episode Releases

Episode 1: Initial Exposure

Release Theme: Initial exposure of CharmingKitten’s Department 40

Key Revelations

Leadership Identified:
  • Abbas Rahrovi (aka Abbas Hosseini, National ID: 4270844116)
  • IRGC official managing Department 40 through front companies
  • Directed attacks against dozens of targets over the years
Organizational Context:
  • APT affiliated with Counterintelligence Division (Unit 1500) of IRGC-IO
  • Known publicly as CharmingKitten
Target Categories:
  • Telecommunications companies
  • Aviation companies
  • Intelligence organizations
Geographic Focus:
  • Middle East and Gulf region
  • Turkey, UAE, Qatar, Afghanistan, Israel, Jordan
  • Iranian regime opponents (within Iran and abroad)
Evidence Types Introduced:
  • Official documents from APT’s internal network
  • Employee photos
  • Attack reports
  • Translation documents
  • Files from internal chat networks (Isabelle, 3CX, Output Messenger)
Mission Statement:
“These individuals believed they were operating under the protective cover of the IRGC — today, they will be recognized worldwide as agents of the IRGC.”

Episode 2: Clarifications and First Operator

Release Theme: Structural clarifications and expanded attack documentation

Important Clarifications

IRGC-IO Structure Explained:
  • IRGC-IO is the intelligence-gathering organization of the IRGC
  • Several divisions sit under IRGC-IO, and each runs its own cyber unit
  • "CharmingKitten" is a general label used across the security community for this activity
  • This exposure focuses specifically on one unit: Department 40 of the Counterintelligence Division (Unit 1500)
Operational Mission:
  • The division uses Department 40 to serve its counterintelligence needs
  • Cyberattacks against Iranian citizens and exiles ("regime opponents")
  • Operations against European, Israeli, and Arab citizens
  • According to the exposure, all of this activity supports the division's counterintelligence work and terrorist activity

New Evidence Released

Attack Reports:
  • Government entities in Jordan, Iran, Kuwait, Saudi Arabia, Turkey
  • Civilian companies across multiple countries
  • Media organizations
Operational Documents:
  • Daily work reports of department employees
  • Department server logs
Infrastructure Exposure:
  • AMEEN ALKHALIJ server: Website set up to recruit former government and security employees from UAE

First Operator Identity

Vahid Molawi:
  • National ID: 0323217087
  • Team: Karaj team
  • Evidence: Hours report from Episode 1
  • Role: Attacker
Significance: First operational personnel publicly identified

Commitment

“Let’s eliminate this APT once and for all!”

Episode 3: Source Code and Front Companies

Release Theme: Malware source code and front company operations

Major Technical Release

BellaCiao Malware Source Code:
  • Complete source code exposed
  • Previously analyzed by BitDefender
  • Links public analysis to Department 40 operations
BellaCiao Technical Details:
  • .NET-based dropper with two payload variants:
    • Variant 1: C# webshell (file upload/download, command execution)
    • Variant 2: PowerShell script (reverse proxy via Plink, customized webserver)
  • Example attack: BellaCiao deployed against the Turkish Foreign Ministry
Additional Malware and Tools:
  • Python & Webshells Framework:
    • Python scripts as command management interface (attacker side)
    • Webshells deployed on victim systems (execute commands, relay output)
  • TAGHEB System: Windows infection and access tool
Security Evasion:
  • Testing malware against AV products:
    • Microsoft Defender
    • Kaspersky
    • Avira
    • ESET
    • Others
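The webshell framework above and BellaCiao's Variant 1 share one traffic shape on the victim side: a script file that receives repeated POSTs carrying commands and returns their output. The leaked source is not reproduced here; instead, the following is an added example (not code from the leak, from the group, or from any vendor report) of the defensive counterpart, a heuristic that flags that relay pattern in IIS W3C logs. The log lines are constructed for illustration, and the field layout, the `python-requests` user agent (standing in for an attacker-side Python command interface), the script extensions and the thresholds are all assumptions.

```python
"""
Heuristic detection of webshell command relay in IIS-style W3C logs.
Added example: the log below is constructed, not taken from any real
server, and every threshold and indicator string is an assumption.
"""
from collections import defaultdict

# Constructed W3C extended log. The '#Fields:' directive declares the layout,
# as IIS does. Values contain no spaces, so whitespace splitting is enough here;
# real logs need a parser that handles IIS's '+' encoding of spaces.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(Referer) cs(User-Agent) sc-status sc-bytes
2024-01-10 09:00:01 10.0.0.5 GET /index.aspx - Mozilla/5.0 200 5120
2024-01-10 09:00:02 10.0.0.5 GET /login.aspx /index.aspx Mozilla/5.0 200 3180
2024-01-10 09:00:03 10.0.0.5 POST /login.aspx /login.aspx Mozilla/5.0 302 210
2024-01-10 09:05:10 198.51.100.23 POST /aspnet_client/system_web/default.aspx - python-requests/2.31 200 128
2024-01-10 09:05:14 198.51.100.23 POST /aspnet_client/system_web/default.aspx - python-requests/2.31 200 4096
2024-01-10 09:05:19 198.51.100.23 POST /aspnet_client/system_web/default.aspx - python-requests/2.31 200 64
2024-01-10 09:05:25 198.51.100.23 POST /aspnet_client/system_web/default.aspx - python-requests/2.31 200 20480
2024-01-10 09:06:00 10.0.0.9 POST /api/upload - Mozilla/5.0 200 88
"""

# Assumed indicators: user agents of scripted clients rather than browsers,
# and server-side script extensions a webshell would be written in.
NON_BROWSER_UA = ("python-requests", "curl/", "go-http-client", "powershell")
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")
MIN_POSTS = 3  # assumed threshold for "repeated" POSTs to one script


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the '#Fields:' names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def detect_webshell_relay(rows):
    """Return one finding per (client, uri) that shows at least two relay signals."""
    seen_get = set()                 # (client, uri) pairs fetched with GET
    posts = defaultdict(list)        # (client, uri) -> POST requests
    for r in rows:
        key = (r["c-ip"], r["cs-uri-stem"])
        if r["cs-method"] == "GET":
            seen_get.add(key)
        elif r["cs-method"] == "POST":
            posts[key].append(r)

    findings = []
    for (client, uri), reqs in posts.items():
        if not uri.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        reasons = []
        # Signal 1: a legitimate form is GET-ed once and POST-ed once; a shell
        # is POST-ed over and over.
        if len(reqs) >= MIN_POSTS:
            reasons.append(f"{len(reqs)} POSTs to one script with no form workflow")
        # Signal 2: the page was never loaded in a browser by this client and
        # no Referer was sent, so nothing on the site led here.
        if (client, uri) not in seen_get and all(r["cs(Referer)"] == "-" for r in reqs):
            reasons.append("never GET-ed by this client and no Referer")
        # Signal 3: scripted client rather than a browser.
        if reqs[0]["cs(User-Agent)"].lower().startswith(NON_BROWSER_UA):
            reasons.append(f"non-browser user agent {reqs[0]['cs(User-Agent)']}")
        # Signal 4: command output relay produces a different response size
        # on every request; a fixed page body does not.
        sizes = {int(r["sc-bytes"]) for r in reqs}
        if len(reqs) >= MIN_POSTS and len(sizes) == len(reqs):
            reasons.append("response size differs on every request (command output relay)")
        if len(reasons) >= 2:
            findings.append({"client": client, "uri": uri,
                             "count": len(reqs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_webshell_relay(parse_w3c(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['uri']} ({f['count']} POSTs)")
        for reason in f["reasons"]:
            print("   -", reason)
```

Requiring two independent signals keeps a single scripted health check or an API endpoint from tripping the rule on its own; in the constructed log only the repeated POSTs to the never-visited `default.aspx` from a scripted client meet that bar, while the normal login flow and the upload API do not.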

Intelligence Revelations

Document 682089f4bd1c3e6636e15b89e967bf4fa9d7861a_#78TPDD:
  • Iranian directive in campaign activity
  • Iranian involvement in cyber attacks
  • Public influence platforms: MOSESS STAFF connection
Front Company Exposed:
  • Name: JARF/ZHARF ANDISHAN TAFACOR SEFID (ژرف انديشان تفكر سفيد)
  • Document 5e98006a2cf1c15a164279558eed4a15018e34a0_بسمه تعالی
  • Signatories:
    • Manoochehr Vosoughi Niri (منوچهر وثوقی نیری) - Company director and IRGC-IO official
    • Mohammad Erfan Hamidi Aref (محمد عرفان حمیدی عارفا) - Employee

Additional Materials

  • Training programs
  • Technical espionage details
  • Intelligence reports on Israeli entities

Leadership Assessment

“Abbas Rahrovi is leading the campaign’s activity, assets, and malicious activity against international targets. Abbas is a ‘shadow man’, but the campaign he has set up has now been exposed, and is very embarrassing for the Iranian leadership.”

Episode 4: Infrastructure and Credentials

Release Theme: Complete infrastructure documentation and server credentials

Critical Infrastructure Exposure

Unified Infrastructure Excel Sheet:
  • Documents all Department 40 servers
  • Comprehensive infrastructure mapping
  • Years of operational data
Excel Sheet Contents:
  • Procurement identities
  • Server login credentials
  • Attack server details (e.g., Tunnel servers)
  • File storage servers
  • Other operational infrastructure

Key Personnel in Infrastructure Management

Mohammad Najafloo:
  • National ID: 4270878835
  • Role: Former senior employee
  • Responsibility: Maintained Excel sheets for years
  • Status: Departed from position
Mohammaderfan Hamidiaref:
  • National ID: 0023199709
  • Role: Current infrastructure manager
  • Responsibility: Took over after Najafloo’s departure, continues managing infrastructure

Verification of CharmingKitten Connection

Proof Method:
  • Take the servers listed in the Excel sheet
  • Identify the ones used as BellaCiao infrastructure
  • Identify the ones used as CYCLOPS infrastructure
  • Cross-reference those servers with indicators already published in public threat intelligence
Result: A concrete link between publicly known CharmingKitten activity and the internal infrastructure records of Department 40

Additional Sensitive Information

Internal Network Credentials:
  • Passwords for internal network servers
  • Access to internal communication platforms:
    • Isabelle
    • 3CX
    • Signal
  • File extraction systems access
  • Storage server credentials

Additional Files Included

  1. Materials from Dubai Police: Data obtained by Department 40 from Dubai Police
  2. Phishing Guide: Department 40’s internal phishing methodology
  3. Penetration Report: Medical entity compromise documentation

Call to Community

“We encourage you to analyze the provided files and share your insights. Your findings will help further expose the group’s operations and infrastructure.”

Timeline Summary

Episode 1: Initial Exposure
  • Leadership identified (Abbas Rahrovi), organizational context, target categories, evidence types introduced
Episode 2: Structure & Operations
  • IRGC-IO clarification, first operator identity (Vahid Molawi), expanded attack reports, infrastructure exposure (AMEEN ALKHALIJ)
Episode 3: Source Code & Front Companies
  • BellaCiao complete source code, front company exposure (JARF/ZHARF ANDISHAN TAFACOR SEFID), MOSESS STAFF connection
Episode 4: Infrastructure & Credentials
  • Unified Excel sheets, server credentials, infrastructure personnel (Najafloo, Hamidiaref), Dubai Police materials
Ongoing: Continuous Releases
  • More evidence, personnel information, and operational details released every few days

Cumulative Personnel Exposed

Episode | Name | National ID | Role
1 | Abbas Rahrovi (Abbas Hosseini) | 4270844116 | Department Head
2 | Vahid Molawi | 0323217087 | Karaj Team Attacker
3 | Manoochehr Vosoughi Niri | (not published) | Front Company Director, IRGC-IO Official
3 | Mohammad Erfan Hamidi Aref | 0023199709 | Front Company Employee
4 | Mohammad Najafloo | 4270878835 | Former Infrastructure Manager
4 | Mohammaderfan Hamidiaref | 0023199709 | Current Infrastructure Manager
Mohammad Erfan Hamidi Aref (Episode 3) and Mohammaderfan Hamidiaref (Episode 4) appear to be the same person under two transliterations of the same name; the national ID shown for both rows is the one published in Episode 4.

Evidence Categories by Episode

Documents & Reports

  • Episode 1: Initial attack reports, translation documents, employee photos
  • Episode 2: Daily work reports, expanded attack reports across Jordan, Iran, Kuwait, Saudi Arabia, Turkey
  • Episode 3: Training programs, technical espionage details, intelligence reports on Israel
  • Episode 4: Phishing guide, penetration reports, materials from Dubai Police

Source Code & Technical

  • Episode 3: BellaCiao complete source code, Python & Webshells Framework, TAGHEB system
  • Episode 4: Infrastructure documentation, server credentials

Infrastructure

  • Episode 2: AMEEN ALKHALIJ server and recruitment website
  • Episode 4: Unified infrastructure Excel sheets, all server credentials and details

Communications

  • Episode 1: Isabelle, 3CX, Output Messenger files
  • Episode 4: Additional Signal communications access

Organizational

  • Episode 3: Front company documentation (JARF/ZHARF ANDISHAN TAFACOR SEFID)
  • Episode 3: MOSESS STAFF connection

Key Themes Across Episodes

Progressive Disclosure

Each episode builds on previous revelations, adding depth and connecting evidence

Multi-faceted Evidence

Documents, source code, infrastructure, personnel, and communications all exposed

Attribution Proof

Linking public threat intelligence to internal Department 40 operations

Ongoing Exposure

Regular releases every few days with commitment to expose more personnel and operations

Impact and Significance

For Threat Intelligence Community

  • Direct link between publicly known CharmingKitten operations and Department 40
  • Source code enables better detection and defense
  • Infrastructure documentation enables tracking and blocking

For Attribution

  • Specific personnel identified with national IDs
  • Organizational structure mapped
  • Front companies exposed
  • Leadership directly named

For Iranian Leadership

  • Described as “very embarrassing”
  • Removes protective cover from operations
  • Exposes IRGC-IO involvement in terrorist activities
  • International recognition of agents

Future Episodes

Ongoing Exposures: Every few days, more evidence will be released about Department 40’s activities, along with additional information about personnel and their personal lives.

Expected Content in Future Episodes

  • More operator identities and national IDs
  • Additional front company documentation
  • Expanded attack reports and target details
  • More malware source code and tools
  • Personal information about department personnel
  • Additional infrastructure and communications data

Stay Updated

For the latest episode information and new revelations:
  1. Check this timeline regularly for updates
  2. Review individual episode pages for detailed analysis
  3. Monitor personnel directory for new identities
  4. Contact: [email protected] for questions

This timeline is a living document and will be updated as new episodes are released. The exposure aims to eliminate Department 40’s operations by removing their protective cover and exposing their activities to the world.
