
A Brief OSINT Analysis of Charming Kitten IoCs

Charming Kitten is a cybercriminal group believed to be of Iranian origin. It was first seen in 2014 and remained active for years after the initial detection. The group uses an intricate web of methods such as spear phishing and impersonation. They even create fake organizations and personas, complete with email and social media accounts.

The group’s targets are mostly individuals in the media, human rights, and academic research fields. Unlike other cyberespionage groups that aim to infiltrate victims’ networks, one of Charming Kitten’s primary objectives is to hack into social and email accounts and gather details about victims.

Clear Sky released a comprehensive report about the group, presenting 240 malicious domain names, 86 IP addresses, and 28 email addresses as indicators of compromise (IoCs). We studied these IoCs in light of recent sightings of the group.

Malicious Domains

Of the malicious domains cited as Charming Kitten IoCs, we gathered records for 45 domains with our bulk WHOIS lookup tool. Based on their registrant email, Facebook has acquired two domains: com-video[.]net and login-account[.]net. The Digital Crimes Unit of Microsoft also claimed two other domains: yahoo-verification[.]net and yahoo-verify[.]net. Healthcare Management Solutions also now owns sadashboard[.]com.

Interestingly, other malicious domains still can’t be attributed to the spoofed companies, including the following:

  • fb-login[.]cf
  • drives-google[.]com
  • microsoft-upgrade[.]mobi
  • gmal[.]cf
  • hot-mail[.]ml

Charming Kitten and other groups could still use domains like these to imitate brands in phishing attacks.

IoCs Not Reported as Malicious

Some domains included in the list of IoCs were not reported as malicious, or even suspicious, as of the time of writing despite their involvement in Charming Kitten attacks. The domain britishnews[.]org, for example, was found to redirect to britishnews[.]com[.]co, a made-up news website that hosted a penetration testing tool called “Browser Exploitation Framework (BeEF).” The domain is not tagged “malicious” even though it resolves to a malicious IP address.

The table below shows other domains that are not tagged as malicious and their associated IP addresses revealed by DNS Lookup. The IP addresses were then run on VirusTotal to check if they are malicious.

Domain Name | Associated IP Address (from DNS Lookup) | Tagged “Malicious” on VirusTotal?

Since these domains and a couple of IP addresses are not cited as malicious, they could be used successfully in penetration attacks. Reverse IP Lookup also showed that all of them could be shared IP addresses since they have hundreds of connected domains. Implementing an IP-level blacklist for malicious IP addresses may be a good approach for organizations.

IP Addresses

To recall, 86 IP addresses were tagged as Charming Kitten IoCs. The IP addresses in the table above are not among the IoCs mentioned in the Clear Sky report. As such, continuous monitoring of malicious domains is needed to ensure that IP address blacklists stay up to date.
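The monitoring step described above can be sketched as follows. This is an added example, not code from the article or from WhoisXML API: it refangs defanged IoC domains, compares their current resolutions with an IP blocklist, and separates shared-hosting addresses from dedicated ones. The resolutions, reverse-IP counts, blocklist entry and the 100-domain threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample data: IoC domains in the article's defanged notation,
# with made-up resolutions in documentation address ranges (RFC 5737).
IOC_DOMAINS = ["fb-login[.]cf", "gmal[.]cf", "hot-mail[.]ml", "drives-google[.]com"]
RESOLUTIONS = {            # domain -> A records from the latest DNS lookup
    "fb-login.cf": ["192.0.2.10"],
    "gmal.cf": ["192.0.2.10", "198.51.100.7"],
    "hot-mail.ml": ["203.0.113.5"],
    "drives-google.com": [],               # constructed: no answer this run
}
REVERSE_IP_COUNT = {"192.0.2.10": 3, "198.51.100.7": 412, "203.0.113.5": 2}
BLOCKLIST = ["203.0.113.0/24"]             # current IP-level blocklist
SHARED_THRESHOLD = 100   # assumption: above this, treat the IP as shared hosting


def refang(domain):
    """Turn 'fb-login[.]cf' back into a resolvable name."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def blocklist_gaps(iocs, resolutions, reverse_counts, blocklist):
    """Return IPs serving IoC domains that the blocklist does not cover."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    gaps = {}
    for name in map(refang, iocs):
        for ip in resolutions.get(name, []):
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in nets):
                continue                   # already blocked at the IP level
            entry = gaps.setdefault(ip, {"domains": [], "shared": False})
            entry["domains"].append(name)
            entry["shared"] = reverse_counts.get(ip, 0) > SHARED_THRESHOLD
    return gaps


def recommend(gaps):
    """Shared IPs get domain-level blocks; dedicated IPs can be blocked by address."""
    return {ip: ("block-domains" if info["shared"] else "block-ip",
                 sorted(info["domains"]))
            for ip, info in sorted(gaps.items())}


if __name__ == "__main__":
    found = blocklist_gaps(IOC_DOMAINS, RESOLUTIONS, REVERSE_IP_COUNT, BLOCKLIST)
    for ip, (action, domains) in recommend(found).items():
        print(ip, action, ", ".join(domains))
```

Blocking a shared address also blocks every unrelated domain hosted on it, which is why the sketch falls back to domain-level entries for those.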

We used IP Geolocation to see the originating countries of the IoCs and found that a majority were from the U.S., followed by the Netherlands, France, the U.K., and Germany. Aside from Iran, these countries are also where some of the group’s targets were located. In fact, the group was seen impersonating German journalists in July 2020.

Charming Kitten IoCs, like those of other cybercrime groups, may continue to evolve. Some domains and IP addresses would be dropped, while others may be claimed by the legitimate entities they imitate. Still, some IoCs are too effective to let go and so could still be weaponized by Charming Kitten or other groups.

The key takeaway for organizations is that constant monitoring of known IoCs is necessary for utmost protection.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
