--[ Brighten up the Ideal Sky: An Inside View of CharmingKitten's Holistic Support to IRGC Operations

$ getent passwd jmiller
├─── name: Joshua M. Miller
├──── org: 75th Innovation Command (USAR)
└─ social:
   └─ twitter: @chicagocyber

Joshua Miller is a Senior Threat Researcher in Proofpoint’s Threat Research team, where he tracks and investigates state-aligned threats across the globe, with a focus in actors originating from the Middle East & North Africa.

Previously, Joshua has held threat intelligence positions across both private industry and the intelligence community, including time as an cyber analyst with the Federal Bureau of Investigation.

He’s also a Military Intelligence officer in the Army Reserve, an international conference speaker and currently holds a M.S. in Information Security (Lewis University), BA in Political Science (Wheaton College), CISSP, and GCTI. He can be found on Twitter at @chicagocyber.


In 2022, the Islamic Revolutionary Guard Corps (IRGC) has reportedly increased planned kinetic operations against US & Israeli officials along with Iranian dissidents. In this increasingly hostile operating environment, what support has TA453/CharmingKitten/PHOSPHORUS provided? We’ll use sensitive collection from adversary infrastructure along with Proofpoint telemetry to better understand TA453 and delve into this question.

We will first examine some of the different techniques TA453 utilizes to engage their targets with spear phishing. Having established the baseline of typical TA453 activity, we can then look at outliers, both in targeting and techniques used. These anomalies, where TA453 deviate from their typical tactics to increase their odds of success, give us insight into how they approach particularly high value targets.

Once we understand how TA453 is collecting information, we’ll combine Proofpoint telemetry with data from TA453’s own collection to categorize and analyze TA453’s targeting. This will allow us to identify their priorities and strengthen our attribution with how they align with the IRGC IO’s intelligence requirements.

We’ll conclude by looking at evidence suggesting TA453 provides holistic support to IRGC operations including physical surveillance, intimidation operations and possible assassination plots.