@Hamid-K
Last active October 29, 2025 11:13
A Gemini-crunched and -produced report based on the leaks from https://github.com/KittenBusters/CharmingKitten. If more content is leaked, I'll update this with better manual reviews.

Comprehensive Threat Intelligence Report: Charming Kitten

DFIR and CTI Analysis Date: 2025-10-29

1. Executive Summary

This report provides a comprehensive analysis of the Tactics, Techniques, and Procedures (TTPs), operational tradecraft, and targeting patterns of the threat actor group known as "Charming Kitten." The analysis is based on a leaked dataset of the group's internal documents, logs, and operational reports. The findings indicate a sophisticated and well-organized actor with a clear focus on espionage and disruptive attacks.

A groundbreaking finding from the Episode 4 leak is the direct link between Charming Kitten and the previously distinct threat groups known as "Moses-Staff" and "Qassam". Analysis of the group's internal infrastructure and payment records reveals that these are not separate entities, but rather pseudonyms or campaigns operated by Charming Kitten. This attribution, which has not been publicly documented before, is a critical development in understanding the group's structure and methods.

Furthermore, the latest data reveals a significant operational scope, including a detailed ledger of their infrastructure, use of cryptocurrency, internal phishing guides, and an expanded targeting focus to include the medical engineering sector. This latest leak represents a major operational security failure, providing unprecedented insight into the group's inner workings.

2. Threat Actor Profile: Charming Kitten

The analyzed data confirms that Charming Kitten is a capable threat actor with a structured operational methodology. The group is comprised of skilled operators who are proficient in a wide range of TTPs, from initial reconnaissance to post-exploitation and data exfiltration. The use of custom tools, detailed reporting, and a clear command structure all point to a state-sponsored or state-affiliated group.

2.1. Use of Aliases and Fronts: Moses-Staff and Qassam

A key finding from the Episode 4 leak is the revelation that Charming Kitten operates under multiple fronts, including the previously tracked groups "Moses-Staff" and "Qassam." The file 0-SERVICE-Service.csv, which acts as an internal ledger for the group's domains and servers, contains explicit references to infrastructure for both "moses-staff" and "musalas-alqassam." Financial records in 0-SERVICE-payment BTC.csv also show Bitcoin payments for services directly related to these campaigns (e.g., "SSl moses," "gassam.su"). This provides direct evidence that these are not separate threat actors but rather integrated campaigns or sub-groups managed by Charming Kitten, likely for specific psychological or operational objectives.

2.2. Stated Operational Objectives (from Episode 3)

A high-level report from a group calling itself the "Ofogh Media Institute" outlines several strategic objectives, primarily focused on Israel and associated entities. These objectives include:

  • Critical Infrastructure Attacks: Exfiltrating data from airports and hotel reservation systems, and gaining access to industrial infrastructure and SCADA systems for potential offensive operations.
  • Widespread Ransomware Attacks: Compromising over 300 websites and companies to deploy ransomware.
  • Intelligence Gathering & Surveillance: Infiltrating CCTV cameras in sensitive security and public locations.
  • Psychological and Influence Operations: Conducting psychological warfare (e.g., through the "Moses Staff" hacker group), inciting social unrest through dedicated campaigns, and doxing military and security personnel to enable further targeting.

3. Tactics, Techniques, and Procedures (TTPs)

This section synthesizes the TTPs observed across all four episodes of the data leak.

3.1. Reconnaissance

  • Vulnerability Scanning: The group uses a variety of both public and private tools to scan for vulnerabilities, including Shodan, Censys, ZoomEye, Fofa, Hunter.how, and Nuclei.
  • Target Profiling: They actively gather intelligence on their targets, including identifying key personnel, mapping network infrastructure, and enumerating web application technologies.

3.2. Initial Access

  • Exploitation of Public-Facing Applications: The group has demonstrated success in exploiting a wide range of vulnerabilities, including:
    • Microsoft Exchange: ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
    • Ivanti Connect Secure: CVE-2024-21887, CVE-2024-21893, CVE-2024-22024
    • ConnectWise ScreenConnect: CVE-2024-1709
    • Log4j: CVE-2021-44228 (Log4Shell)
    • WordPress, GitLab, Confluence, Jenkins: Various vulnerabilities.
  • SQL Injection: The group uses sqlmap to automate the discovery and exploitation of SQL injection vulnerabilities.
  • Phishing: They conduct sophisticated phishing campaigns targeting Gmail accounts, using a custom phishing kit and detailed internal guides for setting up infrastructure.

3.3. Execution

  • Webshells: The group frequently deploys ASP and ASP.NET webshells for initial command execution.
  • Command and Scripting Interpreter: They make extensive use of Python, shell scripting, and PowerShell (as seen in BellaCiao Variant 2) for automation and post-exploitation.
  • Custom Implants: The group develops and deploys multiple custom RATs and backdoors written in C#/.NET (RAT-2Ac2), native code (Sagheb), and PowerShell (BellaCiao).

3.4. Persistence

  • Webshells: Webshells are a primary means of maintaining persistent access to web servers.
  • Create or Modify System Process: Windows Service: The BellaCiao malware (Variant 2) persists by creating a Windows Service to ensure it runs automatically.
  • Scheduled Task/Job: The Sagheb RAT has a feature to configure "Auto Run" on a weekly or daily basis, indicating persistence through scheduled tasks.
  • Legitimate Account Usage: The group has been observed using compromised credentials to maintain access.

3.5. Privilege Escalation

The group actively seeks to escalate privileges, with a focus on gaining DBA access to databases and Domain Admin rights in Active Directory environments.

3.6. Defense Evasion

  • Log Clearing: Operators have been observed clearing logs and command history to cover their tracks.
  • Timestamp Manipulation: The group alters file timestamps to obfuscate their activities.
  • Custom Encoding and Encryption: The group uses a custom substitution cipher for webshell commands and XOR encryption for the Sagheb RAT's C2 traffic.
  • C2 Obfuscation: The Sagheb RAT routes its C2 communication through custom relay servers and the TOR network. The group also uses DNS forwarders to hide their primary C2 IP address.
  • Header-Based Authentication: The RAT-2Ac2 implant authenticates to the C2 with a pre-shared secret in an HTTP header; requests without the secret are rejected, which hinders unauthorized analysis of the C2 server.
  • Anti-Debugging: The Sagheb RAT manual explicitly mentions the inclusion of anti-debugging techniques.
  • FUD Design: The Sagheb RAT is designed to be "Fully Un-Detectable" (FUD) and is written in a native language to avoid framework-based signatures.

3.7. Credential Access

  • Brute-Force Attacks: The group uses brute-force attacks against WordPress xmlrpc.php endpoints.
  • Credential Dumping: They have been observed exfiltrating user credentials from databases and internal documents.
  • Browser and Application Stealing: The Sagheb RAT includes a "Stealer" module specifically designed to exfiltrate credentials and session data from Firefox browsers and the Telegram Desktop application.

3.8. Discovery

  • Network and System Enumeration: The custom RATs (Sagheb, RAT-2Ac2) have built-in functionality to gather detailed system information (OS, CPU, RAM, AV, .NET version, etc.) and enumerate the file system.

3.9. Lateral Movement

  • Web Tunnels and SSH Tunneling: The group uses tunnels to pivot within a compromised network, as detailed in their internal phishing guide.
  • Remote Services: The operator notes from Episode 3 show the use of wmic and net use with compromised credentials to access other machines on the network.

3.10. Collection

  • Data from Local System: The RATs provide extensive file system browsing, upload, and download capabilities.
  • Input Capture: Keylogging: Both the Sagheb and RAT-2Ac2 implants include keylogger functionality.
  • Screen Capture: The Sagheb RAT provides the ability to take screenshots of the victim's desktop.
  • Data Exfiltration: The primary objective of many operations is to exfiltrate sensitive data, including emails, user databases, and intellectual property.

3.11. Impact

  • Ransomware: The group's stated objectives include deploying ransomware attacks against over 300 websites and companies.
  • Disruption of OT/SCADA Systems: A key finding from Episode 2 is the targeting of Industrial Control Systems (ICS) and SCADA systems, indicating a potential intent to cause physical disruption.

3.12. Command and Control

  • Multi-Layered Infrastructure: The group uses a complex C2 infrastructure involving custom RATs, webshells, TOR, custom relay servers, and DNS forwarders.
  • Custom RATs: The group operates at least three distinct RATs (BellaCiao, Sagheb, RAT-2Ac2) with C2 communication over HTTP/S.
  • Webshell C2: Simple command and control is achieved via custom Python clients communicating with ASP webshells, often using custom encoding in HTTP headers.

4. Detailed Targeting Analysis

The analyzed data reveals a clear targeting pattern focused on specific countries and sectors. The group's operations appear to be geographically concentrated, with a strong emphasis on the Middle East.

4.1. Geographic Targeting

  • Israel: A significant number of the identified targets are located in Israel. This includes government entities, technology companies, and financial institutions.
  • Jordan: The "Jordan Campaign" report details a large-scale operation targeting a wide range of Jordanian organizations.
  • United Arab Emirates (UAE): The BellaCiao malware and the webshell client scripts have been observed targeting entities in the UAE, including "dubaipolice" and "flydubai".
  • Turkish Republic of Northern Cyprus: The Eposta variant of the BellaCiao malware was used to target the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus.
  • Other: The logs also show scanning activity against targets in other countries, including Kuwait, Lebanon, Saudi Arabia, and Turkey.

4.2. Sector Targeting

  • Government: Government entities in Israel, Jordan, the UAE, and the Turkish Republic of Northern Cyprus are high-priority targets.
  • Airlines: The group has been observed targeting the airline industry, specifically "flydubai".
  • Technology: The group targets technology companies, including web hosting providers and software development firms.
  • Finance: Financial institutions, such as exchanges and banks, are also key targets.
  • Telecommunications: The group has been observed targeting telecommunications companies.
  • Medical Engineering: The "Episode 4" data reveals a new focus on targeting the medical engineering sector.

4.3. Table of Identified Targets

Afghanistan

| Target | Country | Inferred Industry | Leaked In |
|---|---|---|---|
| Roshan | Afghanistan | Telecommunications | Episode 1 |

Iran

| Target | Country | Inferred Industry | Leaked In |
|---|---|---|---|
| qudsdaily.com | Iran | Media | Episode 1 |
| theonecorp.ir | Iran | Corporate | Episode 1 |
| ... | ... | ... | ... |
| mom.ir | Iran | Government | Episode 1 |

Israel

| Target | Country | Inferred Industry | Leaked In |
|---|---|---|---|
| bizportal.co.il | Israel | Business/Finance | Episode 1 |
| bezeq.co.il | Israel | Telecommunications | Episode 1 |
| adama.com | Israel | Agriculture | Episode 1 |
| liveperson.com | Israel | Technology | Episode 1 |
| agri.gov.il | Israel | Government | Episode 1 |
| issta.co.il | Israel | Travel/Tourism | Episode 1 |
| exlibrisgroup.com | Israel | Technology | Episode 1 |
| 147.235.149.44 | Israel | Technology | Episode 2 |
| 213.151.38.229 | Israel | Technology | Episode 2 |
| 035565656.com | Israel | Unknown | Episode 2 |
| benni.co.il | Israel | Corporate | Episode 2 |
| compuall.co.il | Israel | IT Services | Episode 2 |

Jordan

| Target | Country | Inferred Industry | Leaked In |
|---|---|---|---|
| Es.JO | Jordan | Web Development | Episode 1 |
| SwissExchange | Jordan | Finance | Episode 1 |
| Al-Nasir Exchange | Jordan | Finance | Episode 1 |
| Shipping Com JO | Jordan | Logistics | Episode 1 |
| Al-Qistas - CyberLaw | Jordan | Legal | Episode 1 |
| Muhandes Imaar | Jordan | Engineering | Episode 1 |
| Jedco.gov.jo | Jordan | Government | Episode 1 |
| jordandesert.org.jo | Jordan | NGO | Episode 3 |

Saudi Arabia

| Target | Country | Inferred Industry | Leaked In |
|---|---|---|---|
| 158.101.230.195 | Saudi Arabia | Conglomerate | Episode 2 |

Turkish Republic of Northern Cyprus

| Target | Country | Inferred Industry | Leaked In |
|---|---|---|---|
| eposta.mfa.gov.ct.tr | Turkish Republic of Northern Cyprus | Government | Episode 3 |

United Arab Emirates

| Target | Country | Inferred Industry | Leaked In |
|---|---|---|---|
| uniforms.flydubai.com | United Arab Emirates | Airlines | Episode 3 |
| dubaipolice (subdomain) | United Arab Emirates | Government | Episode 3 |

Unknown

| Target | Country | Inferred Industry | Leaked In |
|---|---|---|---|
| 193.188.88.156 | Unknown | Unknown | Episode 3 |
| Various IPs | Kuwait, Lebanon, Saudi Arabia, South Korea, Turkey | Unknown | Episode 1 |

5. Comparison with Publicly Available Information

The TTPs and targeting observed in this dataset are highly consistent with publicly available reporting on Charming Kitten (also known as APT35, Phosphorus, and Newscaster).

  • Focus on Israel: Public reports have long identified Israel as a primary target of Charming Kitten.
  • Use of Phishing: The group is well-known for its sophisticated phishing campaigns.
  • Exploitation of Web Vulnerabilities: Charming Kitten has a history of exploiting vulnerabilities in web applications, including WordPress and Microsoft Exchange.
  • Use of Publicly Available Tools: The group's use of tools like sqlmap and nmap is consistent with public reporting.

The data provides new insights into the group's internal operations, including their use of custom tools, their structured reporting methodology, and their consideration of ransomware as a potential payload. The direct attribution of the "Moses-Staff" and "Qassam" personas to Charming Kitten is a significant new finding not previously reported.

6. Identified Personnel

Analysis of the file metadata, logs, and report filenames has identified several individuals by name. These individuals appear to be a mix of threat actors and potential victims.

| Name | Likely Role/Skillset |
|---|---|
| Shayan | Threat Actor/Operator (Episode 1 & 4): Named in a monthly performance report and in the Episode 4 proposal for "Phishing Infrastructure." |
| Amirhossein | Threat Actor/Operator (Episode 1): Named in a monthly performance report, suggesting a role similar to Shayan's. |
| Kourosh | Threat Actor/Operator (Episode 1 & 4): Named in a monthly performance report and in the Episode 4 proposal for "OSINT" and "Information Gathering." |
| Majid (MJD) | Threat Actor/Operator (Episode 2): Responsible for campaign management, infrastructure setup, and OSINT. |
| Hossein (HSN) | Threat Actor/Operator (Episode 2): Focused on phishing infrastructure and malware development. |
| Ali (على) | Threat Actor/Operator (Episode 4): Named in the Episode 4 proposal for "OSINT" and "Information Gathering." |
| Hesam (حسام) | Threat Actor/Operator (Episode 4): Named in the Episode 4 proposal for "Recon." |
| Mohammad (محمد) | Threat Actor/Operator (Episode 4): Named in the Episode 4 proposal for "Recon." |
| Parham (پرهام) | Threat Actor/Operator (Episode 4): Named in the Episode 4 proposal for "Phishing Infrastructure." |
| Mohsen Foroughi | Potential Threat Actor/Operator (Episode 3): Name listed as the "buyer" on an invoice for the rental of multiple IP addresses. |
| JinS | Potential Operator/Tester (Episode 3): Username seen in a screenshot for the RAT-2Ac2 C2 panel. |
| Salman | Potential Victim (Episode 1): Name found in the Employees directory. |
| Hananeh Azizi | Potential Victim (Episode 1): Name found in the Employees directory. |
| Ameneh Dehghan | Potential Victim (Episode 1): Name found in the Employees directory. |
| Zahra Ansari | Potential Victim (Episode 1): Name found in the Employees directory. |
| Sedigheh Bagher | Potential Victim (Episode 1): Name found in the Employees directory. |
| Tayebeh Khodaverdi | Potential Victim (Episode 1): Name found in the Employees directory. |
| Atiyeh Naddafi | Potential Victim (Episode 1): Name found in the Employees directory. |
| Leila Sharifi | Potential Victim (Episode 1): Name found in the Employees directory. |
| Narges Naddafi | Potential Victim (Episode 1): Name found in the Employees directory. |
| Manouchehr Vosoughi Niri | Potential Victim (Episode 3): Name identified on a compromised Bank Mellat card. |
| Admin1@MFA | Compromised Account (Episode 3): Credential found in operator notes, used for lateral movement. |
| pfsenselondra@MFA | Compromised Account (Episode 3): Credential found in operator notes, used for lateral movement. |

Majid (MJD) - Operator Activities

The "Episode 2" leak contained a folder of daily reports from an operator identified as "Majid" or "MJD." Analysis of these reports provides a granular view of the day-to-day tasks involved in the group's campaigns. His activities include:

  • Campaign Preparation and Management:

    • He is heavily involved in setting up and managing phishing and advertising campaigns on platforms like Google, Facebook, and Microsoft.
    • This includes creating and configuring landing pages, setting up domains with Cloudflare, and troubleshooting issues with SSL certificates and hosting.
    • He uses tools like aecars.store for templates and is involved in creating ad content, including images and videos.
  • Infrastructure and Account Management:

    • He is responsible for procuring and managing various operational resources, including:
      • Skype numbers and credit.
      • Hosting services and domains from providers like Namecheap.
      • Virtual Private Servers (VPS).
      • SMS panels for bulk messaging.
    • He deals with account suspensions and recovery, frequently interacting with Microsoft and Skype support.
    • He is involved in setting up and managing payment methods for these services, including researching options for virtual credit cards and cryptocurrencies.
  • Social Media and Content Management:

    • He is responsible for creating and scheduling content for social media platforms like Telegram, Facebook, and Twitter.
    • He also engages in "interactive activities" on these platforms, likely to build a credible online presence for their campaigns.
  • OSINT and Vulnerability Research:

    • He conducts Open Source Intelligence (OSINT) on targets, including the iasa.co.il organization.
    • He researches vulnerabilities and their exploits, and is involved in testing them.
  • Financial and Administrative Tasks:

    • He is responsible for managing the financial aspects of the campaigns, including purchasing credit and handling payments.
    • He also performs administrative tasks, such as documenting his work and preparing monthly reports.

Hossein (HSN) - Operator Activities

Hossein's reports indicate a focus on the technical aspects of phishing operations and malware development.

  • Phishing Infrastructure:

    • He is responsible for setting up and configuring the mailwizz email marketing application for phishing campaigns.
    • He integrates mailwizz with Amazon Simple Notification Service (SNS) to handle bounce and complaint notifications.
    • He is involved in troubleshooting issues with mailwizz, including routing problems, cron jobs, and AWS SDK integration.
  • Malware Development and Evasion:

    • He is working on techniques to embed and execute payloads in a stealthy manner.
    • He is exploring methods like "Process Hollowing" and reflective loading to evade detection by security products.
    • He is developing multi-threaded tools using psexec and wmic for remote execution.
    • He is working on session enumeration and creating hidden sessions to remain undetected on compromised systems.

7. Analysis of Episode-2 Data Leak

This section details the findings from the "Episode 2" data leak, which appears to be a continuation of the activities detailed in the initial data set.

7.1. Overview of New Files

The new data includes additional attack reports and logs, mirroring the structure of the original leak. The reports indicate a continued focus on exploiting newly disclosed vulnerabilities and targeting high-value organizations.

7.2. Metadata Analysis

A detailed review of the metadata from the "Episode 2" files confirms the continued use of anti-forensics techniques, though with some variations from the first dataset.

  • Timestamp Manipulation: The practice of altering file timestamps is still prevalent. A majority of the new files share a single modification timestamp (2025:10:03 18:50:33+02:00), strongly indicating a scripted process to obscure the true timeline of their creation and modification.
  • Absence of Previous Anomalies: Unlike the initial file set, the new PDF reports do not contain the anomalous imagemagick.org creator string. The metadata in this regard is less remarkable.
  • New File Artifacts: This dataset includes numerous .csv files within the All_Proxy_Shell_Targets directories. These files appear to be structured lists of IP addresses and other target-related data, suggesting a more organized approach to managing reconnaissance output compared to the simple .txt files seen previously.
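The shared-timestamp signal described above can be checked mechanically. This added example (not part of the report or the leaked data) parses ExifTool's tab-separated output and reports any modification timestamp shared by several files; the filenames and timestamps in it are constructed.

```python
"""Added example: flag modification-timestamp clusters in ExifTool output.

Input is the tab-separated form produced by
    exiftool -T -FileName -FileModifyDate -r <dir>
A large share of files carrying one identical timestamp is the anti-forensics
pattern noted in the Episode 2 metadata review.
"""
from collections import Counter, defaultdict
from datetime import datetime

# ExifTool's date format, e.g. "2025:10:03 18:50:33+02:00"
EXIFTOOL_FMT = "%Y:%m:%d %H:%M:%S%z"

# Constructed sample output (not from the leak): five files share one timestamp.
SAMPLE = """\
report_a.pdf\t2025:10:03 18:50:33+02:00
report_b.pdf\t2025:10:03 18:50:33+02:00
targets_1.csv\t2025:10:03 18:50:33+02:00
targets_2.csv\t2025:10:03 18:50:33+02:00
notes.txt\t2025:09:12 09:14:05+02:00
readme.txt\t2025:10:03 18:50:33+02:00
screenshot.png\t2025:08:30 21:02:47+02:00
"""


def parse_exiftool_lines(text):
    """Return (filename, datetime) pairs from exiftool -T output."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, stamp = line.split("\t", 1)
        # %z accepts the "+02:00" colon form on Python 3.7+
        rows.append((name, datetime.strptime(stamp.strip(), EXIFTOOL_FMT)))
    return rows


def timestamp_clusters(rows, min_files=3):
    """Map each timestamp shared by at least min_files files to those filenames."""
    by_stamp = defaultdict(list)
    for name, ts in rows:
        by_stamp[ts].append(name)
    return {ts: names for ts, names in by_stamp.items() if len(names) >= min_files}


def shared_timestamp_ratio(rows):
    """Fraction of files carrying the single most common modification timestamp."""
    if not rows:
        return 0.0
    top_count = Counter(ts for _, ts in rows).most_common(1)[0][1]
    return top_count / len(rows)


if __name__ == "__main__":
    parsed = parse_exiftool_lines(SAMPLE)
    for ts, names in timestamp_clusters(parsed).items():
        print(f"{ts.isoformat()}: {len(names)} files share this mtime -> {', '.join(names)}")
    print(f"share of files on the most common timestamp: {shared_timestamp_ratio(parsed):.2f}")
```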

7.3. New TTPs and Exploits

The most significant finding in the new data is the group's rapid adoption and exploitation of CVE-2024-1709, a critical authentication bypass vulnerability in ConnectWise ScreenConnect. The reports show that the group began actively scanning for and exploiting this vulnerability on a global scale almost immediately after it was publicly disclosed.

7.4. Advanced Operations and Tradecraft

The "Winter 1403" performance report highlights a significant evolution in the group's capabilities and ambitions, moving beyond simple web application exploitation to more complex and potentially disruptive operations.

  • Focus on Deeper Penetration: The group is now focused on achieving "deep and precise" access, specifically targeting Active Directory environments for complete network takeovers.
  • Evasion of Advanced Security: The report explicitly mentions successful efforts to bypass advanced EDR and security solutions, including SentinelOne, Sophos, and TrendMicro. This indicates a dedicated effort to test and refine their tools against modern security products.
  • Supply Chain Attacks: The mention of "Supply Chain attacks" as a TTP is a significant development, suggesting a higher level of sophistication and a broader strategic objective.
  • Targeting of OT/SCADA Systems: A screenshot within the report shows the operator accessing what appears to be an Industrial Control System (ICS) or SCADA system via VNC. The interface is in Hebrew, suggesting the target is in Israel. This is a critical finding, indicating a potential intent to target and disrupt operational technology.
  • Infrastructure Development: The group is actively improving its own operational infrastructure, including building a dedicated lab for testing and refining exploits against various security products.

7.5. New Targets Identified in Episode-2

The "Episode 2" data revealed a significant number of new targets, primarily through the exploitation of the ConnectWise ScreenConnect vulnerability.

| Target | Country | Inferred Industry |
|---|---|---|
| 147.235.149.44 | Israel | Technology |
| 213.151.38.229 | Israel | Technology |
| 035565656.com | Israel | Unknown |
| benni.co.il | Israel | Corporate |
| compuall.co.il | Israel | IT Services |
| 158.101.230.195 | Saudi Arabia | Conglomerate (Axelerated Solutions, Deutsche Gulf Finance, Hail Cement Company, Lean Business Solutions, National Water Company) |

8. Analysis of Episode-3 Data Leak

This section details the findings from the "Episode 3" data leak.

8.1. Overview of New Files

The new data includes a new malware family named "BellaCiao," a collection of webshells and Python clients, and several documents.

8.2. Malware Analysis: Sagheb RAT

A user manual for a Windows malware implant named "Sagheb" was discovered. This is a full-featured Remote Administration Tool (RAT) designed for espionage with a strong focus on stealth.

  • Key Features:
    • Stealth: Designed to be "Fully Un-Detectable" (FUD) and framework-independent (written in a native language like C++ or Delphi) to avoid common detection signatures.
    • C2 Communication: It uses XOR encryption for its command and control traffic and routes it through custom relay servers and the TOR network to hide the C2 server's location.
    • Functionality: The implant provides extensive capabilities managed via a web panel, including remote command execution, file system management (upload, download, encrypt), keylogging, screen capture, and data theft from Telegram and Firefox.
    • Anti-Analysis: Incorporates anti-debugging techniques.

8.3. Malware Analysis: RAT-2Ac2

Another user manual detailed a second custom RAT named "RAT-2Ac2".

  • Key Features:
    • Architecture: It uses a client-server model. The client is written in C# and .NET 4, while the server is built with Python and Flask.
    • C2 Communication: Communication occurs over HTTP/S. It uses a pre-shared secret in the HTTP header for authentication, returning a "Forbidden" error if the secret is missing, which helps protect the C2 server from analysis.
    • Functionality: It provides a comprehensive set of RAT capabilities, including a keylogger, VNC remote desktop (using bore and noVNC), file transfer, screenshots, and command execution.

8.4. Webshells and Python Clients

The dataset also includes a set of ASP webshells and Python clients.

  • ASP Webshells: The webshells (m0s.asp, file.asp, webshell.asp) are simple backdoors that execute commands received in the HTTP_ACCEPT_LANGUAGE header. One of the webshells (m0s.asp) includes a custom decoding function to deobfuscate the commands.
  • Python Clients: The Python scripts (connect.py, RCE4.py, rce5.py) are clients for the webshells. They provide a command-line interface for interacting with the webshells and include hardcoded target information. The identified targets include uniforms.flydubai.com, 193.188.88.156, and jordandesert.org.jo.
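The webshell C2 pattern described above (commands carried in the Accept-Language header to ASP/ASPX backdoors, and a server-side script under /aspnet_client/, a folder that normally holds only static client files) lends itself to log-based detection. This added example is not code from the leak or the report; it runs two heuristics over constructed W3C-style web server log lines and assumes Accept-Language was added to the log as a custom field.

```python
"""Added example: detection heuristics for header-carried webshell commands.

Two signals from the report are checked on each request:
  1. a request to an .asp/.aspx handler whose Accept-Language value does not
     look like a list of language tags (browsers send e.g. "en-US,en;q=0.9");
  2. a server-side script (.asp/.aspx) under /aspnet_client/, which should
     contain only static client-script files.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed log lines (not real traffic). Field order:
# date time c-ip cs-method cs-uri-stem sc-status cs(Accept-Language)
# IIS does not log Accept-Language by default; this assumes a custom field was added.
SAMPLE_LOG = """\
2025-10-03 18:50:01 203.0.113.7 GET /index.aspx 200 en-US,en;q=0.9
2025-10-03 18:50:05 203.0.113.7 GET /aspnet_client/system_web/aspnet_client.aspx 200 Kx7TfQ2ZpA9wL3mB
2025-10-03 18:50:09 198.51.100.4 POST /m0s.asp 200 Qz4vN8dR1yH6sWc0
2025-10-03 18:50:12 192.0.2.9 GET /aspnet_client/system_web/4_0_30319/webforms.js 200 tr-TR,tr;q=0.8
2025-10-03 18:50:20 203.0.113.7 GET /file.asp 500 -
"""

# Simplified RFC 5646 language tag (or "*") with an optional quality value.
LANG_TAG = (r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
            r"(?:\s*;\s*q=(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?")
ACCEPT_LANGUAGE_RE = re.compile(rf"^{LANG_TAG}(?:\s*,\s*{LANG_TAG})*$")
SCRIPT_EXT = (".asp", ".aspx")
MAX_HEADER_LEN = 256  # real browser lists are short; longer values are suspicious


@dataclass
class Finding:
    client_ip: str
    method: str
    uri: str
    reason: str


def is_plausible_accept_language(value: str) -> bool:
    """True if the value is absent ("-") or parses as a language-tag list."""
    if value == "-":
        return True
    if len(value) > MAX_HEADER_LEN:
        return False
    return ACCEPT_LANGUAGE_RE.match(value) is not None


def analyse_line(line: str) -> list[Finding]:
    """Apply both heuristics to one log line; return zero or more findings."""
    parts = line.split(None, 6)  # the header value is the trailing field
    if len(parts) != 7:
        return []
    _date, _time, client_ip, method, uri, _status, accept_language = parts
    path = uri.split("?", 1)[0].lower()
    findings: list[Finding] = []
    if path.endswith(SCRIPT_EXT) and not is_plausible_accept_language(accept_language):
        findings.append(Finding(client_ip, method, uri,
                                "non-language Accept-Language value sent to ASP/ASPX handler"))
    if path.startswith("/aspnet_client/") and path.endswith(SCRIPT_EXT):
        findings.append(Finding(client_ip, method, uri,
                                "server-side script under /aspnet_client/ (expected static files only)"))
    return findings


def analyse_log(text: str) -> list[Finding]:
    """Run analyse_line over every non-comment line of a W3C-style log."""
    out: list[Finding] = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            out.extend(analyse_line(line))
    return out


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f.client_ip} {f.method} {f.uri}: {f.reason}")
```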

8.5. Operator Notes Analysis

The file eposta.txt contains detailed notes from a threat actor who was targeting the Ministry of Foreign Affairs (MFA) of the Turkish Republic of Northern Cyprus. The notes include:

  • Target Information: The target is identified as eposta.mfa.gov.ct.tr.
  • Webshell URL: The attacker was using a webshell located at https://eposta.mfa.gov.ct.tr/aspnet_client/system_web/aspnet_client.aspx.
  • Compromised Credentials: The notes contain credentials for two accounts: Admin1@MFA and pfsenselondra@MFA.
  • Lateral Movement: The attacker used wmic and net use to move laterally within the MFA network.
  • Reverse Shell: The attacker used a tool named vmware-tools.exe to create a reverse shell.
  • Postman: The attacker used Postman to send commands to the webshell.

8.6. New Targets and Personnel Identified in Episode-3

The "Episode 3" data revealed several new targets and potential operator/compromised account names.

New Targets

| Target | Country | Inferred Industry |
|---|---|---|
| eposta.mfa.gov.ct.tr | Turkish Republic of Northern Cyprus | Government |
| dubaipolice (subdomain) | United Arab Emirates | Government |
| uniforms.flydubai.com | United Arab Emirates | Airlines |
| jordandesert.org.jo | Jordan | NGO |
| 193.188.88.156 | Unknown | Unknown |

New Personnel / Accounts

| Name | Likely Role/Skillset |
|---|---|
| Mohsen Foroughi | Potential Threat Actor/Operator: Name listed as the "buyer" on an invoice for the rental of multiple IP addresses. |
| JinS | Potential Operator/Tester: Username seen in a screenshot for the RAT-2Ac2 C2 panel. |
| Manouchehr Vosoughi Niri | Potential Victim: Name identified on a compromised Bank Mellat card. |
| Admin1@MFA | Compromised Account: Credential found in operator notes, used for lateral movement. |
| pfsenselondra@MFA | Compromised Account: Credential found in operator notes, used for lateral movement. |

9. Analysis of Episode-4 Data Leak

This section details the findings from the "Episode 4" data leak, which provides an unprecedented view into the group's logistical and financial operations.

9.1. Overview of New Files

The new data consists primarily of CSV files acting as operational ledgers and PDF documents containing internal guides, credentials, and targeting information.

9.2. Operational Infrastructure and Financial Records

The CSV files represent a significant operational security failure, exposing the backbone of the group's activities.

  • 0-SERVICE-Service.csv: This file is a master list of the group's infrastructure, detailing domains, hosting providers (Namecheap, NameSilo, PRQ.se, TheOnionHost), associated email accounts (primarily ProtonMail and Skiff), IP addresses, and plaintext credentials. It also tracks specific campaigns like "moses-staff" and "Abrahams Ax."
  • 0-SERVICE-payment BTC.csv: This file logs Bitcoin transactions used to fund their infrastructure. It includes dates, amounts, and numerous Bitcoin wallet addresses, providing valuable financial indicators.
  • 1-NET-Sheet1.csv: This file provides details of the group's physical network infrastructure within Iran, listing IP addresses for locations in Karaj, Marzdaran, and Qom, and identifying their ISPs.

9.3. Internal Documentation and Phishing Tradecraft

The PDF files reveal internal training materials and targeting plans.

  • A2_AsImages.pdf: This is a detailed, step-by-step guide in Persian on how to set up a phishing campaign. It documents the use of SSH tunneling for obfuscation and a Django-based framework for generating and managing phishing links, demonstrating a standardized process for their phishing operations.
  • Esxi 6.pdf & A1_AsImages.pdf: These documents contain extensive lists of plaintext credentials for internal servers (ESXi, Kerio Control, pfSense) and compromised services, likely related to targets in Dubai.
  • طرح پیشنهادی - شرکت های فعال پزشکی مهندسی_AsImages.pdf: Titled "Proposal - Active Companies in Medical Engineering," this file is a clear targeting list, indicating a strategic focus on the medical engineering sector.

9.4. New Potential Operator Aliases from Episode 4

The infrastructure logs from Episode 4 contained a large number of email accounts used to register and manage services. These are likely aliases used by the operators.

Alias / Email Service(s) Used
Meriyalee @ protonmail.com Hosting
cybersonix @ protonmail.com Hosting, Domains
May.Arnold @ protonmail.com Domains
John.Porter857 @ protonmail.com Hosting
Carlos.Patel @ protonmail.com DNS Services
lolita259 @ proton.me SSL Certificates
johnshopkinster @ protonmail.com Domains
rona_yanga @ proton.me Hosting
ronald.iverson @ protonmail.com Domains
timothyefimov @ protonmail.com Hosting
GDavies007 @ proton.me Hosting, Domains, SSL
nansi.morad @ protonmail.com Hosting
FannieFrankel @ proton.me Domains, Hosting
juliusyermolayev @ protonmail.com Hosting
Orval_Bernhard @ proton.me Domains
Clark.Norman @ protonmail.com Hosting
bashiriansul @ proton.me Hosting
mlw.services.313 @ protonmail.com Hosting
Rowling10 @ proton.me Domains, Hosting
bakir.hamada @ proton.me VPS Hosting
odette.margand568 @ protonmail.com Hosting

10. Indicators of Compromise (IoCs)

10.1. Bitcoin Wallets

The following Bitcoin wallet addresses were identified in the 0-SERVICE-payment BTC.csv file from Episode 4. They were used to pay for domains, hosting, and other operational infrastructure.


11. Conclusion

The analysis of this dataset provides a rare and valuable glimpse into the inner workings of a sophisticated threat actor. The findings confirm that Charming Kitten is a well-resourced and highly motivated group with a clear mandate to conduct espionage and disruptive attacks against its perceived adversaries. The direct attribution of the "Moses-Staff" and "Qassam" personas to Charming Kitten, based on evidence from Episode 4, is a major development for the threat intelligence community. The latest data, while exposing their TTPs in greater detail, also highlights significant operational security failures, offering a unique opportunity for defenders to understand and counter their methods. The TTPs and targeting patterns identified in this report can be used to enhance defensive measures and to inform future threat intelligence efforts.
