{
	"id": "09ca1154-21b6-45bf-8ea0-946f2f068878",
	"created_at": "2026-04-06T01:32:02.896438Z",
	"updated_at": "2026-04-10T03:34:00.464653Z",
	"deleted_at": null,
	"sha1_hash": "2820cbcdbce7817f0f805acbb7d5a32388b4cbe0",
	"title": "GitHub - KittenBusters/CharmingKitten: Exposing CharmingKitten's malicious activity for IRGC-IO Counterintelligence division (1500)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88620,
	"plain_text": "GitHub - KittenBusters/CharmingKitten: Exposing CharmingKitten's malicious activity for IRGC-IO Counterintelligence division (1500)\r\nBy KittenBusters\r\nArchived: 2026-04-06 00:13:15 UTC\r\nExposing CharmingKitten's malicious activity for IRGC-IO Counterintelligence division (1500)\r\nEpisode 1\r\nToday, we begin exposing the Iranian APT affiliated with the Counterintelligence Division (Unit 1500) of the IRGC-IO, known as Charming Kitten.\r\nLeadership\r\nHeading this operation is Abbas Rahrovi (aka Abbas Hosseini, National Number: 4270844116), an IRGC official who has established several front companies in recent years through which he manages the APT. Over the years, he directed attacks against dozens of targets including:\r\nTelecommunications companies\r\nAviation companies\r\nIntelligence organizations\r\nand more...\r\nThe primary focus of this APT is on countries in the Middle East and Gulf region, including Turkey, UAE, Qatar, Afghanistan, Israel, Jordan and others.\r\nActivities\r\nUnder the guidance of the head of the Counterintelligence division, this APT has also targeted and tracked Iranians both within Iran and abroad who have been identified as “regime opponents.”\r\nEvidence of Operations\r\nThe exposure includes:\r\nOfficial documents from the APT’s internal network\r\nEmployee photos\r\nAttack reports\r\nTranslation documents\r\nFiles from the APT’s internal chat networks (Issabelle, 3CX, Output Messenger)\r\nhttps://github.com/KittenBusters/CharmingKitten\r\nPage 1 of 5\r\n…and much more evidence proving their malicious activities.\r\nThese individuals believed they were operating under the protective cover of the IRGC — today, they will be recognized worldwide as agents of the IRGC.\r\nEpisode 2\r\nAs we mentioned, every few days, we will upload more materials from the Charming Kitten network (Department 40) under the management of Abbas Rahrovi.\r\nBefore describing the new content we have uploaded, we would like to address several clarifications based on your questions:\r\nThe unit responsible for intelligence gathering in the IRGC is called the IRGC Intelligence Organization (also known as IRGC-IO for short). Under this unit, there are several divisions, each with a cyber unit that serves the division's needs.\r\nIn the cyber community, the term \"Charming Kitten\" is often used as a general term for the activities of the IRGC-IO without distinguishing between the various divisions.\r\nThe Counterintelligence Division (Division 1500) operates under the IRGC, and as mentioned, Department 40 operates under it – this is the Charming Kitten whose disgraceful activities have now been exposed.\r\nFor example, see reports on publicly available tools (such as BellaCiao and CYCLOPS) – these are malware tools used by the department. How do we know this? In the following episodes, we will provide information linking the publicly available data to the department's private reports.\r\nThe division utilizes the department's capabilities for its own needs (counterintelligence) – advancing cyberattacks against Iranian citizens, Iranian exiles (\"regime opponents\"), European, Israeli, and Arab citizens. All of this is to promote terrorist activities.\r\nThe files we have uploaded include:\r\nAdditional attack reports (on government entities, civilian companies, media organizations, etc., in countries such as Jordan, Iran, Kuwait, Saudi Arabia, Turkey, and more)\r\nDaily work reports of department employees\r\nDepartment server logs (e.g., the AMEEN ALKHALIJ server, a website the department set up to recruit former government and security employees from the United Arab Emirates)\r\nAs we mentioned, we will begin exposing the identities of the unit's employees – one of the attackers from the Karaj team we published in Episode 1 is called Vahid Molawi (see the hours report) – his national ID number is 0323217087.\r\nLet's eliminate this APT once and for all!\r\nEpisode 3\r\nFollowing through on our promise, this time adding new information regarding IRGC-IO, the counterintelligence division (unit 1500) \"department 40\" malware activity and source code.\r\nIn this episode, you’ll find the source code of the BellaCiao malware, which has been analyzed and published by BitDefender (https://www.bitdefender.com/en-us/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware).\r\nTechnological analysis:\r\n1. BellaCiao is a .NET-based dropper with two known variants:\r\nThe first variant drops a C# webshell that enables file upload, file download, and command execution.\r\nThe second variant drops a PowerShell script that establishes a reverse proxy using Plink (part of the PuTTY suite) and executes a customized version of a publicly available PowerShell webserver (https://github.com/r00t-3xp10it/venom/blob/master/aux/Start-Webserver.ps1).\r\n2. For example, look how Charming Kitten carried out an attack on the Turkish Foreign Ministry using BellaCiao, and additional attacks using their webshells.\r\n3. Additionally, a dedicated Python \u0026 Webshells Framework is included. This framework comprises dedicated webshells and Python scripts. The Python scripts act as a command management interface on the attacker’s side, while the webshells deployed on the victim’s system execute commands and relay the output back.\r\n4. Details on the \"TAGHEB system\" intended for infecting and obtaining access to Windows operating systems.\r\n5. Furthermore, the documents include information such as: testing of malware tools against AV products for stealthier operation (e.g., Microsoft Defender, Kaspersky, Avira, ESET, and others), training programs, technical details about espionage, malware tools, and intelligence reports focusing on the Israeli entity in various ways.\r\nIntelligence analysis\r\n1. 682089f4bd1c3e6636e15b89e967bf4fa9d7861a_#78TPDD - The Iranian directive reflected in the campaign's activity, which includes Iranian involvement in cyber attacks and public influence platforms such as MOSESS STAFF, can also be seen.\r\n2. 5e98006a2cf1c15a164279558eed4a15018e34a0_بسمه تعالی - Another cover company used by the campaign is now exposed: \"JARF/ZHARF ANDISHAN TAFACOR SEFID\" (ژرف انديشان تفكر سفيد). The document is signed by the company director and an IRGC-IO official, MANOOCHEHR VOSOUGHI NIRI (منوچهر وثوقی نیری), and indicates another employee in this APT, MOHAMMAD ERFAN HAMIDI AREF (محمد عرفان حمیدی عارف).\r\n3. Abbas Rahrovi is leading the campaign's activity, assets, and malicious activity against international targets. Abbas is a \"shadow man\", but the campaign he has set up has now been exposed, and is very embarrassing for the Iranian leadership.\r\nEpisode 4\r\nOverview\r\nIn the previous release, we shared the SOURCE CODE files of the BELLACIAO malware. This release is a significant follow-up, exposing the unified infrastructure Excel sheet used by the group to document all their servers:\r\nProcurement identities\r\nServer login credentials\r\nDetails of attack servers (e.g., Tunnel)\r\nFile storage servers\r\nOther operational infrastructure\r\nKey Personnel\r\nMOHAMMAD NAJAFLOO (ID: 4270878835): A former senior employee who maintained these Excel sheets for years.\r\nMOHAMMADERFAN HAMIDIAREF (ID: 0023199709): Took over the role after NAJAFLOO's departure and continued managing the infrastructure.\r\nProof of CHARMING KITTEN Connection\r\nTo verify the link to CHARMING KITTEN, analyze the servers listed in the Excel sheet. You will find that these servers were used by:\r\nBELLACIAO\r\nCYCLOPS\r\nOther related groups\r\nSensitive Information Exposed\r\nThe files include:\r\nPasswords for servers on the group's internal network.\r\nAccess details for systems such as:\r\nInternal communication platforms (ISABELLE, 3CX, SIGNAL)\r\nFile extraction systems\r\nStorage servers\r\nAdditional Files Included\r\n1. Materials obtained by the group from the Dubai Police\r\n2. \"The Group's Phishing Guide\"\r\n3. Penetration report for a medical entity\r\nCall to Action\r\nWe encourage you to analyze the provided files and share your insights. Your findings will help further expose the group's operations and infrastructure.\r\nStay tuned for the next episode!\r\n⚠️ Ongoing Exposures:\r\nEvery few days, we will release more evidence about their activities, along with additional information about their personal lives.\r\nFor further questions, feel free to reach out via email: orangemulator@outlook.com.\r\nSource: https://github.com/KittenBusters/CharmingKitten",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/KittenBusters/CharmingKitten"
	],
	"report_names": [
		"CharmingKitten"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439122,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2820cbcdbce7817f0f805acbb7d5a32388b4cbe0.pdf",
		"text": "https://archive.orkl.eu/2820cbcdbce7817f0f805acbb7d5a32388b4cbe0.txt",
		"img": "https://archive.orkl.eu/2820cbcdbce7817f0f805acbb7d5a32388b4cbe0.jpg"
	}
}