Image: Nariman Gharib
A leak of internal documents has shattered the anonymity of one of Iran’s most feared cyber units, revealing a direct and chilling operational link between state-sponsored hacking and physical assassination plots.
For years, the cybersecurity community has tracked this group under various monikers: APT35, Charming Kitten, or Mint Sandstorm. They were known for sophisticated phishing campaigns targeting journalists, dissidents, and researchers. But a massive new leak, analyzed by researcher Nariman Gharib, has blown their cover entirely.
We now know they are Department 40 of the IRGC Intelligence Organization’s Division 1500. We have their names, their faces, their addresses, and—most critically—the proof that their cyber operations are building the intelligence infrastructure for kinetic terrorism.
The leak identifies the commander of Department 40 as Abbas Rahrovi (National ID: 4270844116). Inside the IRGC, he is known as “ACS,” but he operates under aliases like Mekhaeel Hosseini for corporate contracts and Abbas Hosseini for weapons procurement.
Rahrovi doesn’t work alone. He commands over 60 operatives across five facilities in Iran. The leak even exposes his wife, Niloofar Bagheri, as the head of the unit’s “Sister’s Team” and CEO of one of their front companies, Amn Pardaz Ofogh Iranian.
The most alarming revelation is that Department 40 is not just stealing data for espionage; they are curating “target packages” for physical attacks. The leak confirms the unit’s involvement in the failed 2022 plot to assassinate Israeli tourists and diplomats in Istanbul.
Their methodology is systematic, running in three stages:
- Breach: Hackers compromise airline and hotel databases (e.g., FlyDubai, EgyptAir, Dubai Police).
- Track: Stolen data is fed into “Kashef” (The Discoverer), a proprietary surveillance platform that tracks targets’ movements, flight manifests, and hotel check-ins in real time.
- Strike: This intelligence is handed to kinetic teams equipped with explosive drones like the Safir (a portable explosive glider) and Ofogh (a suicide drone).
The leak reveals a highly structured, military-style hierarchy:
- The Hacking Teams: Dedicated offensive units such as Team Karaj (led by Mahdi Sharifi) and Team Marzdaran, which focus on deep-strike operations and breaching foreign infrastructure.
- The Sister’s Team (Aqiq): An all-female unit led by Rahrovi’s wife, tasked with translation, social engineering, and compiling OSINT dossiers on targets. They were directly involved in the Istanbul plot intelligence gathering.
- The Brother’s Team (Pelak1): Responsible for infrastructure, maintaining the servers and networks that keep the operation running.
The scope of Department 40’s targeting is global. The leak includes detailed “compromise reports” on high-value individuals, including Olli Heinonen (former IAEA Deputy Director-General). Access to his communications could reveal critical Western assessments of Iran’s nuclear program.
Other confirmed targets include:
- Saudi Arabia: A planned operation targeting Prince Turki Al-Faisal, former intelligence chief.
- UAE: Penetration of Dubai Police and Abu Dhabi Police databases.
- Jordan: Compromise of the Ministry of Justice and JEDCO.
- Maritime: Hacking of Greek maritime companies to track shipping vessels.
This is an intelligence catastrophe for the IRGC. Every front company is burned, every facility is compromised, and dozens of operatives have been exposed. The leak strips away the veneer of “hacktivism” or “anonymous cybercrime,” revealing the stark reality of a state-run terror apparatus operating behind a keyboard.