In my previous analysis of the Charming Kitten leak, I examined the unprecedented breach that exposed the inner workings of an Iranian state-sponsored hacking operation. The leak revealed organizational structures, personnel identities, and operational logs spanning multiple years. Now, after examining the target lists and operational files in detail, a more complete picture emerges of how this IRGC-affiliated unit systematically compromised organizations across dozens of countries through exploitation of Microsoft Exchange vulnerabilities.


The exposure extends beyond technical operations to reveal the sophisticated influence campaigns, the complete source code of custom malware, and evidence of front companies used to conceal the unit's activities. Most significantly, the leak includes photographs and identification badges of female operatives working within the organization, personnel details of both male and female teams, and indications that the disclosure may have originated from insider discontent with the regime's activities.


The target files included in the leak documented thousands of attempted and successful compromises, organized by country and marked with operational notes indicating which servers were successfully breached and which attempts failed. These lists represent not abstract cyber threats but real organizations whose email systems were penetrated, their communications monitored, and their networks used as launching points for further attacks.


The Scale of ProxyShell Exploitation

The leaked files reveal that Charming Kitten conducted widespread scanning and exploitation campaigns targeting Microsoft Exchange servers vulnerable to the ProxyShell vulnerability chain. ProxyShell refers to a series of vulnerabilities in Microsoft Exchange Server that, when chained together, allow unauthenticated attackers to execute arbitrary code on vulnerable servers. The group appears to have begun exploiting these vulnerabilities shortly after public disclosure, moving quickly to compromise systems before organizations could patch.


The target lists are organized geographically, with separate files for countries across the Middle East, Europe, Asia, and North America. Within each country folder, the files contain IP addresses, domain names, and operational notes indicating the status of each target. Entries marked with "shell" indicate successful compromise and webshell deployment. Those marked "failed" or "error" suggest unsuccessful exploitation attempts. Some entries include additional context such as "legacyDN" errors indicating Exchange server configuration issues that prevented exploitation.


Beyond Hacking: Influence Operations Exposed

Among the most significant revelations in the leak are documents connecting Charming Kitten to public influence platforms operating in Israel and the broader Middle East. The files expose the group's role in running "Sahyoun24" and connections to "Moses Staff," operations that blur the lines between cyber espionage and information warfare.


Embedded image


Sahyoun24 represents a particularly sophisticated influence operation, with exposed documents revealing the organizational structure and personnel behind what appeared to be an independent news outlet. The leak includes employee identification badges issued to women working within this secret organization, complete with photographs and names. These badges provide undeniable evidence that what presented itself as grassroots media was actually an IRGC counterintelligence operation.


Embedded image


The exposure of female operatives within these influence campaigns is especially significant. Authoritarian intelligence services typically maintain strict operational security around personnel identities, particularly for women working in sensitive roles. That the leak includes detailed personnel information about both male and female teams, along with the IRGC-IO officers managing them, suggests either a catastrophic security failure or deliberate disclosure by someone with extensive internal access.


These influence operations served purposes beyond traditional intelligence gathering. By establishing seemingly legitimate media outlets and social media presence, Charming Kitten could shape narratives, amplify disinformation, and influence public opinion while maintaining plausible deniability about Iranian state involvement. The revelation that these platforms were directly operated by IRGC counterintelligence exposes how deeply integrated cyber operations and information warfare have become in Iranian state strategy.


Regional Targeting Patterns

The geographic distribution of targets reveals strategic priorities aligned with Iranian intelligence interests. The Middle East receives the most intensive focus, with comprehensive target lists for Iran, Turkey, Saudi Arabia, Kuwait, and Egypt. However, the scope extends far beyond the immediate region, including high-profile targets that demonstrate the operation's strategic ambitions.


Among the most significant targets exposed in the leak are FlyDubai, Dubai Police, the Turkish Ministry of Foreign Affairs, and numerous entities across Saudi Arabia, Europe, and Israel. The inclusion of the World Islamic Sciences and Education University in Jordan reveals that even Islamic academic institutions are not exempt from Iranian surveillance when deemed relevant to regime interests. This targeting of an Islamic university underscores how the operation prioritizes intelligence value over religious or ideological solidarity.


Iran: Internal Surveillance

The Iranian target files contain over one hundred Exchange servers, many belonging to government ministries, universities, and industrial companies. Notable targets include:


  • mail[.]doe[.]ir - Iran's Department of Environment
  • mail[.]iaushiraz[.]ac[.]ir, stu[.]yazd[.]ac[.]ir - University email systems
  • mail[.]atu[.]ac[.]ir - Allameh Tabataba'i University
  • exchange[.]ariantel[.]ir - Telecommunications company
  • hqex1[.]tobacco[.]ir - National Tobacco Company
  • idco-ex-01[.]irandelco[.]com, idco-ex-02[.]irandelco[.]com - Iran Electricity Distribution Company
  • exchange[.]sazehsazan[.]com - Construction and development company


Many entries include notes indicating successful webshell deployment with specific file paths such as "aspnet_client/qrrto.aspx" or "owa/auth/mgifc.aspx." The targeting of Iranian organizations underscores how the IRGC uses cyber capabilities for domestic counterintelligence and control. Exchange servers provide access to internal communications, employee contacts, and organizational structures. For a regime concerned with internal dissent, compromising the email infrastructure of universities, media organizations, and civil society groups enables comprehensive surveillance of potential opposition.


Turkey: Government and Industrial Focus

The Turkish target list reveals particular interest in government entities and industrial companies. Key targets include:


  • eposta[.]mfa[.]gov[.]ct[.]tr - Turkish Ministry of Foreign Affairs
  • mail[.]bahcelievler[.]bel[.]tr - Bahçelievler Municipal Government
  • mail[.]mersin[.]bel[.]tr - Mersin Municipal Government
  • smtp[.]aydinaski[.]gov[.]tr - Aydın Provincial Government
  • mail[.]akartextile[.]com - Textile manufacturing
  • mail[.]dcaokullari[.]com - Educational institutions


Industrial targets span textile manufacturing, food services, construction, and technology companies. Turkey's complex relationship with Iran, involving both cooperation and competition across regional issues, makes Turkish government communications valuable intelligence targets. The inclusion of industrial companies suggests interest in economic intelligence and potentially supply chain access to Turkish defense contractors or Western companies operating in Turkey.


Saudi Arabia and the GCC States continue to be targeted

The Saudi Arabian and Kuwaiti target lists focus heavily on business entities, particularly in construction, healthcare, and financial services. Notable Saudi targets include:


  • mail[.]almanahospital[.]com[.]sa - Al Mana General Hospital
  • mail1[.]solbsteel[.]com - Steel manufacturing
  • mail[.]tanhatmining[.]com - Mining operations
  • mail[.]albarakatgroup[.]com - Multi-sector conglomerate
  • mail[.]sosgroup[.]com - Construction and services
  • smtp[.]baroid-sa[.]com - Oil and gas services


Kuwait targets include:

  • mail[.]kfmb[.]com[.]kw - Kuwait Finance and Investment Company
  • webmail[.]kccec[.]com[.]kw - Kuwait Consulting and Computer Services
  • mail[.]azzadgroup[.]com[.]kw - Business conglomerate
  • exch1[.]kyfco[.]com - Financial services


The Gulf states represent both adversaries and intelligence priorities for Iran. Saudi Arabia and Iran have long competed for regional influence, and their rivalry has manifested through proxy conflicts across the Middle East. Access to Saudi business communications could provide intelligence on economic activities, government contracts, and relationships with Western companies.


Greece: European Entry Point

The Greek target list stands out for its comprehensiveness, containing over five hundred Exchange server entries. These targets span diverse sectors with particular emphasis on maritime and government entities:


Government and Public Sector:

  • webmail[.]parliament[.]gr - Greek Parliament
  • webmail[.]ypa[.]gr - Ministry of Maritime Affairs and Insular Policy
  • mail[.]gga[.]gov[.]gr - General Accounting Office
  • mail[.]sofron[.]gov[.]gr - Hellenic Prison Service
  • autodiscover[.]civilprotection[.]gr - Civil Protection Agency

Shipping and Maritime:

  • mail[.]dianashippinginc[.]com - Ship management
  • owa[.]globusmaritime[.]gr - Maritime services
  • mail1[.]starbulk[.]com, mail2[.]starbulk[.]com, star-mail[.]starbulk[.]com - Major dry bulk shipping company (multiple servers)
  • mail[.]chandrisgroup[.]com - Shipping conglomerate
  • mail[.]atlasmaritime[.]eu - Maritime operations

Private Sector:

  • mail[.]kotsovolos[.]gr - Major electronics retailer
  • webmail[.]opap[.]gr - National lottery and gaming
  • mbox-staff16[.]aegean[.]gr - University of the Aegean
  • hybrid[.]singularlogic[.]eu - IT and technology services
  • mx1[.]goldair[.]gr - Aviation services


Greece's position as a NATO member and European Union state makes it a valuable target for intelligence collection on Western decision-making. The extensive focus on Greek shipping companies aligns with Iran's need to understand maritime activities given international sanctions affecting Iranian oil exports. Greek shipping companies involved in Middle Eastern trade routes could provide intelligence on sanctions enforcement and commercial activities in the region.


North America: Widespread Scanning

The Canadian target list differs markedly from the Middle Eastern and European lists. Rather than containing primarily named domains, the Canadian file consists overwhelmingly of IP addresses, with over seven hundred entries representing Exchange servers across Canada. This pattern suggests automated scanning and opportunistic exploitation rather than targeted operations against specific organizations.

The presence of Canadian targets highlights how state-sponsored actors conduct both strategic intelligence operations and opportunistic compromises. Even without specific intelligence value, compromised servers in Western countries provide valuable resources. They can serve as proxy infrastructure for launching attacks against other targets, host command and control infrastructure while appearing to originate from legitimate organizations, or provide access to business communications that might reference or connect to higher-value targets.


Sector Analysis: Following the Intelligence Priorities

Examining targets across all countries by sector rather than geography reveals consistent intelligence priorities. Legal services firms appear frequently, including Greek law offices, Belgian legal practices, and Middle Eastern law firms. Legal communications can provide advance knowledge of litigation, regulatory matters, business transactions, and government policy discussions.

Healthcare organizations feature prominently, including hospitals in Saudi Arabia and Greece, medical equipment companies, and pharmaceutical firms. Healthcare sector targeting could serve multiple purposes including intelligence on public health matters, access to personal information about prominent individuals, or economic intelligence on pharmaceutical development and pricing.

Energy and industrial companies appear across multiple countries, including oil and gas services firms, steel manufacturers, and chemical companies. Given Iran's economy centers on energy production and the country faces extensive international sanctions, intelligence on energy markets, competing oil producers, and industrial supply chains serves both economic and strategic purposes.

Educational institutions including universities and research centers appear throughout the target lists. Academic institutions conduct research with defense and technology applications, host discussions of political and social issues, and connect to networks of scholars, activists, and opposition figures that authoritarian regimes seek to monitor.


The BellaCiao Source Code: A Gift to Global Defense

The exposure of the complete BellaCiao malware source code represents one of the leak's most consequential revelations for cybersecurity defenders worldwide. While security researchers at Bitdefender previously documented BellaCiao's behavior through reverse engineering compiled samples, the source code disclosure enables far deeper analysis and understanding of the malware's capabilities, design decisions, and potential variants.


Embedded image


According to exclusive information obtained by me, the BellaCiao malware was developed by a team operating from the Shuhada base in Tehran. This detail provides geographic attribution for where Iranian cyber weapons development occurs, complementing the technical attribution of the malware itself. The Shuhada base connection suggests a degree of organizational structure and permanence to Iran's offensive cyber capabilities, with dedicated facilities for malware development separate from the operational teams deploying it.


Embedded image


With the source code now publicly available, security companies globally are conducting detailed analysis to identify past attacks that may have gone undetected and to develop comprehensive detection and prevention capabilities. Organizations that were compromised but never detected the intrusion now have the opportunity to search their systems for indicators derived from source code analysis rather than relying solely on behavioral detection or compiled binary signatures.



The leaked files confirm what security researchers at Bitdefender had previously documented about BellaCiao's operational deployment. Multiple entries in the target lists include notes indicating successful webshell deployment using the naming patterns that Bitdefender identified. The malware appears in variants, with some targets receiving C# webshells supporting file upload, download, and command execution, while others received PowerShell-based backdoors establishing reverse proxy connections.

The operational notes reveal how operators tracked their deployment success. Entries marked "shell" followed by a domain name and file path show where webshells were successfully planted. For example, Iranian targets include annotations like "Shell check mail.doe.ir/aspnet_client/lscaqk.aspx" indicating both successful compromise and the specific location where the webshell was deployed for later access.


The customization that Bitdefender documented is evident in how operators organized their infrastructure. The leaked files show that each compromised server received a uniquely compiled version of BellaCiao with hardcoded information specific to that target including the victim's public IP address and hostname. This level of customization complicates detection because standard signature-based defenses looking for known malware hashes will not recognize individualized variants.


The Human Element: Operational Notes and Tracking

The target files provide insight into how Charming Kitten operators managed their campaigns. Beyond simple lists of IP addresses, the files contain operational annotations in both English and Persian indicating the status of each target. These notes reveal a systematic approach to tracking exploitation attempts, documenting failures, and marking successful compromises for follow-up operations.


Some entries include descriptive labels identifying the organization behind an IP address or mail server. For instance, Saudi entries include notes like "setad mobareze ba qachaq v arz" (anti-smuggling and currency headquarters) next to IP addresses, indicating operators researched their targets to understand which organizations they were compromising. This suggests a blend of automated scanning with human analysis to prioritize and contextualize compromises.


Supply Chain Implications

The targeting of legal services, consulting firms, and business service providers carries implications beyond the direct compromise of these organizations. Law firms handling sensitive client matters, consulting companies advising on government contracts or corporate transactions, and technology service providers managing infrastructure for multiple clients all represent access points into wider networks.

Security researchers at CloudSek highlighted how Charming Kitten compromised entities like Qistas, which provides legal services, and IBLaw, gaining unprecedented visibility into regional judicial proceedings, government decision-making processes, and critical infrastructure planning. A compromised law firm handling regulatory matters for energy companies provides intelligence not just on that law firm but on all its clients. A compromised IT services company managing email systems for multiple businesses provides potential access to numerous organizations through a single breach.

This supply chain dimension multiplies the impact of each compromise. Organizations that believe they maintain strong security may nevertheless be exposed through their vendors, legal counsel, or service providers. The leaked target lists include numerous small technology companies, IT consultancies, and service providers whose compromise likely served as stepping stones to accessing their clients rather than as endpoints in themselves.


The Financial Infrastructure: Front Companies Exposed

Beyond the technical operations and target lists, the leak exposes the financial infrastructure used to sustain Charming Kitten's activities. Documents reveal several front companies operating in Iran through which the IRGC channels funds to pay employee salaries and maintain operational expenses. These companies provide a veneer of legitimate business activity while actually serving as financial conduits for intelligence operations.

The exposure of these front companies raises questions about who appears as the registered owners and directors of these entities. Typically, intelligence services use individuals with no obvious connection to security agencies to register and operate such companies, creating layers of separation between the intelligence operation and its financial infrastructure. The leaked documents identifying these companies enable financial investigators and sanctions authorities to trace money flows and potentially identify the broader network of individuals facilitating Iranian intelligence operations.

For the employees working within Charming Kitten, these front companies serve a dual purpose. They provide legitimate-appearing employment that can be referenced in official documents and tax filings, while also enabling the IRGC to maintain operational security by keeping intelligence operatives off official government payrolls. The exposure of this arrangement complicates Iran's ability to recruit and retain cyber personnel, as potential employees now face the risk of public identification and potential sanctions designation.


Attribution and Confirmation

The leaked files provide unusual confirmation of attribution for specific compromises. While cybersecurity firms routinely attribute attacks to Charming Kitten based on technical indicators, tactics, and infrastructure analysis, the leaked operational files directly confirm which organizations this group targeted and which servers they successfully compromised.

For organizations appearing in these target lists, particularly those with entries marked as successful compromises, the leak provides definitive confirmation that Iranian intelligence gained access to their systems. This is no longer a matter of assessing likelihood based on observed suspicious activity but direct evidence from the attacker's own records.

Security teams at affected organizations can use these files to investigate potential compromises even if they previously detected no suspicious activity. The specific webshell paths documented in the operational notes provide starting points for forensic analysis. Organizations can examine their historical logs for access to these specific file paths, review accounts that may have been created or modified during the relevant time periods, and analyze what data may have been accessed or exfiltrated.


The Aftermath and Defense Implications

This leak arrives at a moment when organizations globally face persistent threats from state-sponsored actors exploiting vulnerabilities in widely deployed software. The ProxyShell vulnerabilities that Charming Kitten exploited were disclosed and patched by Microsoft in 2021, yet the targeting campaigns documented in these files continued into 2022 and potentially beyond, indicating that many organizations failed to apply critical security updates.


The scope of scanning and exploitation revealed in these files underscores that state-sponsored actors cast wide nets. Organizations in Canada, Belgium, or Greece might assume they hold little intelligence value for Iranian actors and therefore face limited risk. These target lists demonstrate otherwise. Even absent specific intelligence value, any vulnerable Exchange server represents an asset for use as proxy infrastructure, a foothold for lateral movement into partner networks, or simply an opportunistic compromise that might later prove useful.

For defenders, the leak provides concrete data about an adversary's capabilities, targeting priorities, and operational practices. The failure notes in the target files reveal that security controls do work. Patched systems, properly configured firewalls, and endpoint protection can prevent even sophisticated state-sponsored actors from compromising infrastructure. The challenge lies in achieving consistent application of these basic security hygiene practices across all systems.


This appears to be just the beginning. KittenBusters has promised additional releases in the coming days, suggesting that more revelations about Charming Kitten's operations, personnel, and capabilities may yet emerge. Each new disclosure will provide further opportunities for defenders to understand adversary tactics and for compromised organizations to identify breaches they never detected.