
Massive APT35 Leak Details Iran’s Global Cyber Campaigns

A massive leak of internal material from APT35, also known as Charming Kitten, has exposed the inner workings of one of Iran’s most notorious cyber-espionage units. Thousands of internal documents, campaign playbooks, and organizational records provide an unprecedented look into a quota-driven, military-style intelligence operation acting as an arm of Iran’s Islamic Revolutionary Guard Corps (IRGC).


Inside APT35’s Bureaucratic Structure

The leaked files reveal that APT35 operates like a regimented military unit, complete with:

  • Hierarchical reporting under the IRGC Intelligence Organization.
  • A Campaign Coordination Unit issuing quotas and mission objectives.
  • Specialist teams for exploit development, credential theft, phishing (HERV-style), mailbox monitoring, and human intelligence (HUMINT) collection.

Operators submit monthly performance reports tracking tasks, hours, and success metrics, which supervisors compile into dashboards. Physical access logs confirm that these operators work from secure government facilities rather than remotely, reinforcing the picture of a state-run cyber unit rather than a loose contractor network.


Targets and Attack Lifecycle

APT35 campaigns focus on high-value targets across Turkey, Lebanon, Kuwait, Saudi Arabia, South Korea, and Iran, primarily in:

  • Diplomatic missions
  • Telecom providers
  • Government agencies
  • Strategic industrial sectors

Operations follow a structured lifecycle:

  1. Mass scanning and reconnaissance to find exposed, vulnerable assets.
  2. Exploitation of on-premises Exchange servers with ProxyShell, the pre-authentication chain that abuses the Autodiscover endpoint to reach backend services.
  3. Deployment of web shells (e.g., m0s.php) and credential stealers on the compromised servers.
  4. Continuous monitoring of compromised mailboxes, both for intelligence and as a foothold for lateral movement.

Extracted Global Address Lists (GALs) fuel phishing campaigns, while compromised mailboxes remain under surveillance for fresh intelligence.


Technical Arsenal

Leaked technical data includes:

  • LSASS memory dumps
  • Exploitation logs and harvested credentials
  • RATs and stagers for persistence
  • Operational playbooks for phishing and Ivanti exploitation
  • Network and host indicators, such as a distinctive Accept-Language HTTP header on C2 traffic and the file-system paths the group uses for web shells

APT35 combines automation (custom scanning, credential scraping) with manual exploitation and human-intelligence follow-up, making it a hybrid threat that is neither a purely opportunistic scanner nor a purely hands-on intrusion team.


Ideology Meets Cyber Operations

Documents link operators to IRGC conferences on psychological warfare and anti-Israel propaganda, highlighting the ideological indoctrination behind APT35’s mission. The group targets foreign entities for espionage while surveilling domestic dissidents, reflecting a dual-purpose agenda.


Why This Leak Matters

The APT35 leak exposes a mature, industrialized cyber-espionage unit whose technical sophistication and bureaucratic discipline rival those of national intelligence agencies. This insight underscores the growing state-sponsored cyber threat landscape.


Defensive Recommendations

  • Monitor Exchange and Ivanti edge devices for known exploitation chains (ProxyShell-style Autodiscover requests, unexpected scripts appearing in web-accessible directories) and watch for phishing lures built from your own Global Address List.
  • Deploy credential abuse detection (LSASS access, anomalous logons) alongside deception techniques such as honey accounts and decoy mailboxes; wasted operator hours show up directly in a quota-driven workflow.
  • Implement network segmentation and behavioral analytics so that mailbox surveillance and lateral movement from a compromised server stand out.
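The attack lifecycle above (ProxyShell against Exchange, then a web shell) and the first recommendation translate into a concrete hunt over IIS logs. The script below is an added example, not code from the leak or from the original article: it parses W3C-format IIS log lines, flags the ProxyShell Autodiscover path-confusion pattern, flags script files requested from directories where Exchange never serves user scripts, and correlates the two by client IP into an exploitation chain. The log lines are constructed for the example; the web shell name m0s.php is taken from the article, while the watched directories, the known-good OWA pages, IP addresses and hostnames are assumptions.

```python
"""Hunt for ProxyShell-style Exchange exploitation chains in IIS W3C logs.

Added example with constructed log lines; directory lists and the
known-good page set are assumptions, not indicators from the leak.
"""
from datetime import datetime, timedelta

# Constructed IIS log excerpt in the default W3C field order (not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:02:11 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 120
2024-05-01 10:02:14 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 340
2024-05-01 10:03:02 10.0.0.5 POST /aspnet_client/m0s.php - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 45
2024-05-01 10:05:40 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example/owa 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 30
2024-05-01 10:06:10 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 198.51.100.21 Outlook/16.0 - 200 0 0 22
2024-05-01 11:40:00 10.0.0.5 POST /aspnet_client/m0s.php cmd=whoami 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 60
"""

# Backend paths that ProxyShell smuggles behind the '@' in the Autodiscover query.
BACKEND_HINTS = ("/powershell", "/mapi/nspi", "/ews/")
# Directories under the Exchange front end where dropped web shells commonly land (assumption).
WATCHED_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".php")
# Legitimate OWA authentication pages (assumption); any other script in a watched dir is suspect.
KNOWN_GOOD = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx"}


def parse_iis(text):
    """Yield one dict per log row, keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # malformed row or header not seen yet; skip rather than guess
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def is_proxyshell_ssrf(row):
    """ProxyShell: autodiscover.json with '@host/<backend path>' in the query string."""
    stem = row["cs-uri-stem"].lower()
    query = row["cs-uri-query"].lower()
    if not stem.endswith("/autodiscover/autodiscover.json"):
        return False
    return "@" in query and any(hint in query for hint in BACKEND_HINTS)


def is_webshell_request(row):
    """A script file served from a directory that should not hold user scripts."""
    stem = row["cs-uri-stem"].lower()
    if stem in KNOWN_GOOD or not stem.endswith(SCRIPT_EXT):
        return False
    return any(stem.startswith(d) for d in WATCHED_DIRS)


def hunt(text, window_hours=1.0):
    """Return findings; a web shell hit within window_hours of an SSRF from the
    same client IP is additionally reported as an EXPLOIT_CHAIN."""
    window = timedelta(hours=window_hours)
    findings, first_ssrf = [], {}
    for row in parse_iis(text):
        ip = row["c-ip"]
        if is_proxyshell_ssrf(row):
            uri = row["cs-uri-stem"] + "?" + row["cs-uri-query"]
            findings.append({"type": "PROXYSHELL_SSRF", "ip": ip, "ts": row["ts"], "uri": uri})
            first_ssrf.setdefault(ip, row["ts"])  # remember the earliest SSRF per client
        elif is_webshell_request(row):
            findings.append({"type": "WEBSHELL_REQUEST", "ip": ip, "ts": row["ts"], "uri": row["cs-uri-stem"]})
            if ip in first_ssrf and row["ts"] - first_ssrf[ip] <= window:
                findings.append({"type": "EXPLOIT_CHAIN", "ip": ip, "ts": row["ts"], "uri": row["cs-uri-stem"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['type']:17} {f['ip']:15} {f['uri']}")
```

Run against the constructed log, the hunt reports both Autodiscover SSRF requests and both hits on /aspnet_client/m0s.php from 203.0.113.7, and ties the first web shell request (51 seconds after the SSRF) to the exploitation chain; the later 11:40 request falls outside the one-hour window and is reported only as a web shell hit. The legitimate OWA logon and the Outlook autodiscover.xml traffic from other clients are not flagged. Widening the window, or keying on the web shell path rather than the IP, is the natural next step when the operator pivots through a different address for follow-up access.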
