Background
Charming Kitten is one of Iran's most active and well-documented cyber espionage groups, attributed to the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization. Active since at least 2014, the group is primarily tasked with intelligence collection against individuals and organizations perceived as threats to the Iranian regime, including foreign policy researchers, journalists covering Iranian affairs, human rights activists, Iranian diaspora figures, and government officials involved in Iran nuclear deal negotiations.
The IRGC attribution distinguishes Charming Kitten from MOIS-affiliated groups like MuddyWater and OilRig. The IRGC's intelligence mandate focuses on threats to the regime and the Islamic Revolution, which explains Charming Kitten's targeting of dissidents, journalists, and civil society figures alongside more traditional government and defense targets. The group has been linked to the IRGC's Basij Cyber Council and operates with what appears to be a dedicated unit focused on social engineering and long-term persona development.
Charming Kitten is renowned for its sophisticated and persistent social engineering operations. The group builds elaborate fake personas on social media, creates convincing fake news websites and conference portals, and engages targets in extended email conversations that may span weeks before attempting credential theft or malware delivery. Their operations have grown increasingly aggressive over time, expanding from pure espionage to include hack-and-leak operations, influence campaigns, and, in some cases, threats of physical harm against dissidents. Multiple IRGC-affiliated individuals linked to Charming Kitten operations have been indicted by the US Department of Justice.
Notable Campaigns
Operation Newscaster (2014-2017)
One of Charming Kitten's earliest documented campaigns involved creating an extensive network of fake journalist personas on LinkedIn, Facebook, and Twitter. These fake identities, ostensibly working for a fabricated news organization called "NewsOnAir," built relationships with US military officials, defense contractors, and government employees over months before attempting credential harvesting. The operation demonstrated unprecedented patience and social engineering sophistication for a state-sponsored group at that time.
HBO Breach and Extortion (2017)
An individual linked to Charming Kitten compromised HBO's network and stole approximately 1.5 terabytes of data, including unreleased episodes of Game of Thrones, employee data, and internal documents. The attacker attempted to extort HBO for $6 million in Bitcoin. While this operation was more brazenly criminal than typical Charming Kitten espionage, it demonstrated the group's network penetration capabilities. The perpetrator, Behzad Mesri, was indicted by the US DOJ.
Election Interference Targeting (2019-2024)
Google, Microsoft, and the FBI have documented multiple Charming Kitten campaigns targeting US presidential campaigns, congressional staffers, and political operatives. In 2020, the group targeted both the Trump and Biden campaigns with phishing attacks. In 2024, the group successfully compromised a Trump campaign staffer's account and attempted to distribute stolen campaign materials to journalists and the opposing campaign. Three IRGC operatives were indicted in September 2024 for these activities.
HYPERSCRAPE Email Theft Campaign (2021-2022)
Google's Threat Analysis Group revealed that Charming Kitten had developed HYPERSCRAPE, a custom tool designed to systematically download the entire contents of Gmail, Yahoo, and Microsoft Outlook inboxes of compromised accounts. The tool was used against fewer than two dozen high-profile accounts in Iran, demonstrating the group's focus on comprehensive intelligence collection from carefully selected targets rather than mass-scale operations.
BellaCiao Malware Operations (2023)
A new custom malware family called BellaCiao was attributed to Charming Kitten, notable for its unique C2 mechanism that resolved hardcoded domains and translated the returned IP address into a command string. BellaCiao was deployed against targets in Israel, Europe, and India following exploitation of internet-facing applications, particularly Microsoft Exchange servers. The name is taken from an Italian partisan anthem, one of several cultural references the group has embedded in its tooling.
Tactics, Techniques & Procedures
Initial Access: Charming Kitten is a master of social engineering-driven initial access. The group's signature technique involves extended multi-email conversations where operators build rapport with targets before delivering malicious content. These conversations impersonate trusted individuals—fellow researchers, conference organizers, journalists, or even personal acquaintances. Credential harvesting pages mimicking Google, Microsoft, and Yahoo login portals are the most common payload (T1598.003). The group also conducts watering hole attacks via fake conference registration sites and academic portals. In more recent operations, they have exploited internet-facing vulnerabilities in Exchange Server (ProxyShell), Fortinet appliances, and other enterprise products (T1190).
Execution and Persistence: When deploying malware, Charming Kitten favors PowerShell-based implants (T1059.001) and Python backdoors (T1059.006). The group uses multi-stage infection chains where an initial lightweight script downloads and executes more capable payloads. Persistence is achieved through scheduled tasks, registry modifications, and, in the case of BellaCiao, IIS backdoors installed on compromised web servers. The group has also deployed NokNok, a macOS-specific backdoor, demonstrating cross-platform capability.
Collection and Exfiltration: Charming Kitten's primary collection mechanism is email compromise. After obtaining credentials, operators access target mailboxes directly via webmail or deploy HYPERSCRAPE for systematic inbox download. The group also searches for and exfiltrates documents from compromised file shares, cloud storage accounts (T1530), and local filesystems (T1005). Exfiltrated data is staged on cloud infrastructure controlled by the group, including compromised cloud accounts and purpose-registered cloud tenants.
Influence Operations: Beyond intelligence collection, Charming Kitten has engaged in hack-and-leak operations designed to embarrass or intimidate targets. The group has leaked stolen emails from dissidents, attempted to distribute stolen political campaign materials, and used compromised accounts to send threatening messages. This hybrid espionage-and-influence approach is consistent with the IRGC's broader mandate to defend the regime through both intelligence collection and active measures.
Tools & Malware
- POWERSTAR (CharmPower/GhostEcho): A modular PowerShell backdoor that has evolved through multiple versions since 2021. Features include command execution, screenshot capture, keylogging, and file exfiltration. Recent versions use cloud storage (OneDrive, Google Drive) for C2 and store encryption keys in attacker-controlled cloud accounts to complicate analysis.
- BellaCiao: A custom .NET malware deployed as an IIS backdoor, using a novel C2 technique where DNS resolution results are interpreted as encoded commands. Named after the Italian partisan song, deployed against targets in Israel and Europe.
- HYPERSCRAPE: A .NET utility designed to systematically download entire email inboxes from Gmail, Yahoo, and Outlook webmail accounts. Automates the login process using stolen credentials and iterates through all messages, downloading each one.
- NokNok: A macOS backdoor delivered via AppleScript files within ZIP archives, providing system reconnaissance, process listing, and command execution capabilities. Represents Charming Kitten's investment in cross-platform tooling.
- MediaPl: A backdoor masquerading as Windows Media Player, using AES-CBC encryption for C2 communications over HTTP. Capable of command execution and information collection.
- GorjolEcho: A PowerShell-based backdoor distributed through fake Google Meet and other platform invitation links, targeting individuals by luring them to download malicious files.
- Sponsor: A C++-based backdoor that reads its configuration from seemingly innocent files on disk, using this approach to evade automated analysis tools. Deployed against organizations in Israel, Brazil, and the UAE.
- PowerLess: A PowerShell backdoor with keylogging, screenshot, and browser credential theft capabilities, communicating over encrypted channels using hardcoded RSA keys.
Indicators & Detection
Social Engineering Awareness:
- Individuals working in Iran policy, nuclear nonproliferation, journalism covering Iran, or Iranian diaspora activism are prime targets. Any unsolicited contact from unknown researchers, journalists, or conference organizers should be treated with suspicion.
- Be wary of email conversations that gradually escalate from benign discussion to requests to open documents, click links, or enter credentials on external portals.
- Verify the identity of new contacts through independent channels (phone call to a known number, verification through a mutual colleague) before opening attachments or clicking links.
Credential Security:
- Enforce hardware security keys (FIDO2/WebAuthn) for high-risk users. Google's Advanced Protection Program and Microsoft's similar offerings significantly reduce the effectiveness of Charming Kitten's credential harvesting.
- Monitor for logins from unusual locations, particularly from Iranian IP ranges or VPN services commonly used by the group (NordVPN, ExpressVPN, ProtonVPN exits in specific regions).
- Watch for email forwarding rule creation and OAuth application grants to unknown third-party applications.
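The two mailbox checks above, as an added example that is not part of the original profile: a small detector run over constructed Microsoft 365-style audit records (the record layout, the tenant domains and the app allowlist are assumptions, not values from the page).

```python
"""Flag mailbox-forwarding rules and unknown OAuth consents in audit events.

Added example (not from the original profile): a minimal detector over
Microsoft 365 unified-audit-log style records. The record layout, the
organisation's domains and the app allowlist below are assumptions.
"""
ORG_DOMAINS = {"example-thinktank.org"}          # assumed tenant domains
APPROVED_APPS = {"Microsoft Teams", "Outlook"}   # assumed consent allowlist
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed sample events, shaped like Exchange/Entra ID audit records.
EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "analyst@example-thinktank.org",
     "Parameters": [{"Name": "ForwardTo", "Value": "backup.mail@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "editor@example-thinktank.org",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "Consent to application.", "UserId": "analyst@example-thinktank.org",
     "Parameters": [{"Name": "ApplicationName", "Value": "Mail Sync Helper"}]},
    {"Operation": "Consent to application.", "UserId": "editor@example-thinktank.org",
     "Parameters": [{"Name": "ApplicationName", "Value": "Microsoft Teams"}]},
]

def _params(event):
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}

def is_external(address):
    """True when a forwarding target lies outside the organisation's domains."""
    return "@" in address and address.rsplit("@", 1)[1].lower() not in ORG_DOMAINS

def check_event(event):
    """Return an alert string for a suspicious event, or None."""
    params = _params(event)
    op = event["Operation"]
    if op in ("New-InboxRule", "Set-InboxRule"):
        external = [v for k, v in params.items() if k in FORWARD_PARAMS and is_external(v)]
        if external:
            # Deleting the original hides the forwarding from the mailbox owner.
            hidden = " (deletes original)" if params.get("DeleteMessage") == "True" else ""
            return f"{event['UserId']}: forwarding rule to {external}{hidden}"
    elif op == "Consent to application.":
        app = params.get("ApplicationName", "<unknown>")
        if app not in APPROVED_APPS:
            return f"{event['UserId']}: OAuth consent to unapproved app '{app}'"
    return None

def alerts(events=EVENTS):
    """Run every event through check_event and keep the alerts."""
    return [a for a in map(check_event, events) if a]
```

Feed real audit exports (e.g. JSON from the unified audit log) into `alerts()` after mapping their fields to the assumed layout.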
Network and Host Detection:
- Monitor for PowerShell processes making connections to cloud storage APIs (OneDrive, Google Drive) outside of normal business application usage.
- Watch for DNS queries to newly registered domains, particularly those mimicking academic institutions, news organizations, or conference portals.
- Detect BellaCiao by monitoring IIS worker processes for anomalous child process creation or network connections.
- Alert on NokNok by monitoring macOS systems for AppleScript execution that spawns shell processes or makes network connections.
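The four host-level checks above expressed as rules over constructed endpoint telemetry, as an added example (not code from the original profile or any vendor): the event field names, the cloud-storage host list and the sample records are assumptions.

```python
"""Flag host telemetry patterns from the detection list above.

Added example, not from the original profile. Events are constructed
Sysmon/EDR-style records; field names and the cloud-storage host list
are assumptions.
"""
from collections import namedtuple

# kind: "proc" for process creation, "net" for an outbound connection
Event = namedtuple("Event", "kind host image parent dest")

CLOUD_STORAGE_HOSTS = {"graph.microsoft.com", "onedrive.live.com",
                       "www.googleapis.com", "drive.google.com"}  # assumed list
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash", "zsh", "curl"}

# Constructed sample telemetry (203.0.113.10 is a documentation address).
EVENTS = [
    Event("net", "srv-web01", "powershell.exe", "explorer.exe", "graph.microsoft.com"),
    Event("net", "wks-04", "OneDrive.exe", "explorer.exe", "graph.microsoft.com"),
    Event("proc", "srv-web01", "cmd.exe", "w3wp.exe", None),
    Event("proc", "srv-web01", "w3wp.exe", "svchost.exe", None),
    Event("proc", "mac-07", "bash", "osascript", None),
    Event("net", "mac-07", "osascript", "Finder", "203.0.113.10"),
    Event("proc", "mac-07", "bash", "Terminal", None),
]

def classify(ev):
    """Return the name of the rule the event matches, or None."""
    image, parent = ev.image.lower(), ev.parent.lower()
    if ev.kind == "net" and image in SCRIPT_HOSTS and ev.dest.lower() in CLOUD_STORAGE_HOSTS:
        return "powershell_cloud_storage_c2"      # POWERSTAR-style cloud C2 channel
    if ev.kind == "proc" and parent in WEB_WORKERS and image in SHELLS:
        return "iis_worker_spawned_shell"         # BellaCiao IIS backdoor activity
    if ev.kind == "proc" and parent == "osascript" and image in SHELLS:
        return "applescript_spawned_shell"        # NokNok-style AppleScript dropper
    if ev.kind == "net" and image == "osascript":
        return "applescript_network_connection"
    return None

def alerts(events=EVENTS):
    """Pair each matching event with its rule, as a SIEM would raise alerts."""
    return [(ev.host, classify(ev), ev.image) for ev in events if classify(ev)]

if __name__ == "__main__":
    for host, rule, image in alerts():
        print(f"{host}: {rule} ({image})")
```

The OneDrive client and the Terminal-launched shell are left unflagged on purpose; tune `SCRIPT_HOSTS` and `SHELLS` to your estate before deploying such rules.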
Organizational Measures:
- Think tanks, policy organizations, and academic institutions should implement phishing-resistant MFA and provide targeted training on Charming Kitten's social engineering techniques.
- Newsrooms covering Iran should use secure communication channels and compartmentalize access to sources and sensitive materials.
- Monitor for fake domains impersonating your organization, as Charming Kitten frequently creates convincing replicas of institutional websites.