Hamid Hamid-K

Comprehensive Threat Intelligence Report: Charming Kitten

DFIR and CTI Analysis Date: 2025-10-03

1. Executive Summary

This report provides a comprehensive analysis of the Tactics, Techniques, and Procedures (TTPs), operational tradecraft, and targeting patterns of the threat actor group known as "Charming Kitten." The analysis is based on a leaked dataset of the group's internal documents, logs, and operational reports. The findings indicate a sophisticated and well-organized actor with a clear focus on espionage and disruptive attacks, primarily targeting entities in Israel and Jordan.

2. Threat Actor Profile: Charming Kitten

Iran: Cyber Dimension of the ISC Report (HC 1116, July 2025)

*(All material drawn exclusively from the public text of the report; all redactions **/ are reproduced exactly as printed.)

Original report:

https://isc.independent.gov.uk/wp-content/uploads/2025/07/Intelligence-and-Security-Committee-of-Parliament-Iran.pdf

	#!/usr/bin/env python3
	"""
	iOS Backup Reconstructor
	Version: 0.1

	iOS encrypted backups by default are not meant to be human-readable. The folder structure needs to be reconstructed, before it is consumable by most other tools.
	This script provides a way to reconstruct the folder structure of an iOS backup, making it easier to analyze and work with.
	Actual file names are extracted from the backup's manifest.db database.
	Note that it is expected for the script to produce a lot of "source file not found" errors.

	#!/usr/bin/env python3
	"""
	Look-up the approximate position of a cell tower with Google’s Geolocation API
	and print a Google-Maps link for easy visualisation.

	[email protected]

	pip install requests
	"""

	rule Paragon_Spyware_IOCs
	{
	meta:
	description = "Indicators of compromise (IOCs) for Paragon Solutions Graphite spyware from the Citizen Lab report 'Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations'"
	author = "ChatGPT"
	date = "2025-03-29"
	reference = "https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/"

	strings:
	// Suspected customer domains (Table 4)

	Draziw.Button.Mines
	ag.video_solutions.wedotv
	ahf.dummynation
	ai.socialapps.speakmaster
	air.com.beachbumgammon
	air.com.freshplanet.games.SongPop2
	air.com.gamesys.mobile.slots.jpj
	air.com.goodgamestudios.empirefourkingdoms
	air.com.kitchenscramble.goo
	air.com.lalaplay.rummy45

	#!/usr/bin/env python3
	"""
	Tor Identity Manager - A tool to manage Tor identities and exit nodes.

	This script allows you to renew your Tor identity and optionally set the exit node
	country. It provides enhanced error handling, configuration options, and feedback.

	[email protected]

	"""

	# Sample script to use OpenAI Whisper API
	# This script demonstrates how to convert input audio files to text, fur further processing.
	# The code can be still improved and optimized in many ways. Feel free to modify and use it
	# for your own needs.
	#
	import openai
	from openai import OpenAI

	client = OpenAI(api_key="sk-proj-....")


	#!/usr/bin/env python
	# This script will go through a given directory recursively, extracting all attachments from .eml files.
	# .eml files are often how full mailbox dumps are leaked online.
	# If an attachment with the same filename already exists, MD5 sum of the files are calculated and if not
	# a match, the new file will be saved with _# suffix.
	#
	# Hamid Kashfi (@hkashfi)

	import os

	local previewers = require('telescope.previewers')
	local Job = require('plenary.job')

	local new_maker = function(filepath, bufnr, opts)
	filepath = vim.fn.expand(filepath)
	Job:new({
	command = 'cat',
	args = { filepath },
	on_exit = function(j)
	local result = j:result()