A significant leak of internal documents has exposed the operational tactics and targets of APT35, also known as Charming Kitten, a sophisticated cyber unit linked to Iran’s Islamic Revolutionary Guard Corps Intelligence Organization. The October 2025 breach revealed thousands of documents detailing the group’s systematic approach to cyber espionage, targeting governments and businesses predominantly across the Middle East and Asia. The leaked materials offer an unprecedented glimpse into the organized, almost militaristic structure of this state-sponsored hacking group, shedding light on their advanced attack methods and intelligence gathering priorities.
Security analysts at DomainTools, who reviewed the leaked data, characterized APT35’s organizational model as less akin to a typical hacker collective and more aligned with a traditional, hierarchical military unit. The documents indicate robust performance tracking systems where individual operators meticulously report working hours, completed tasks, and success rates. Supervisors then compile these reports into comprehensive summaries of ongoing campaigns. This bureaucratic oversight suggests operations are conducted from a centralized facility, complete with formal attendance tracking, fixed work schedules, and established chain-of-command structures, underscoring the group’s professionalized and disciplined operational methodology.
Within APT35, specialized teams focus on distinct aspects of cyber operations. These include dedicated units for exploit development, credential harvesting, orchestrating phishing campaigns, and real-time monitoring of email inboxes for human intelligence. The leaked files detail a methodical and highly organized suite of attack methods. DomainTools researchers observed that APT35 frequently targets Microsoft Exchange servers, leveraging ProxyShell exploitation chains in conjunction with Autodiscover and EWS services. This allows them to extract Global Address Lists, which contain crucial employee contact information, forming the basis for subsequent, highly targeted phishing operations aimed at stealing credentials.
Once initial access is secured, APT35 employs custom-developed tools to establish persistent footholds within breached networks. These tools are designed to steal additional credentials directly from computer memory, utilizing techniques similar to those employed by the well-known Mimikatz tool. The stolen information facilitates lateral movement across the network and enables the attackers to maintain long-term access for ongoing espionage activities. The carefully documented process emphasizes efficiency and stealth, blending the group’s activities with normal network traffic to evade detection.
The geographic scope of APT35’s operations is extensive, impacting critical regions and industries. Targeted entities include government ministries, telecommunications companies, customs agencies, and energy firms located in Turkey, Lebanon, Kuwait, Saudi Arabia, South Korea, and Iran itself. The leaked documents contain annotated target lists, providing insights into the success or failure of specific attacks and detailing the locations of webshells used to maintain access. This focus on specific, strategic intelligence collection priorities clearly aligns with the broader objectives of the Iranian government, suggesting that these are not random, opportunistic attacks but rather calculated efforts to gather intelligence vital for geopolitical negotiations and threat assessment.
Exchange Exploitation and Credential Harvesting Pipeline
The technical infrastructure and methodologies employed by APT35 demonstrate a sophisticated understanding of enterprise email systems, particularly Microsoft Exchange. The group effectively weaponizes vulnerabilities within these systems through a carefully coordinated sequence of actions. This process often begins with reconnaissance scanning to identify servers with exploitable weaknesses. Once suitable targets are identified, operators deploy webshells, often disguised as legitimate system files. These webshells enable remote command execution, acting as a covert backdoor into the compromised server.
These webshells, frequently named following patterns like `m0s.*`, provide operators with interactive command shells. Access is typically gained through specially crafted HTTP headers. The group utilizes Python-based client tools to encode commands within these headers, employing a static token for authentication. This approach allows for covert communication channels that can blend seamlessly with legitimate network traffic, making detection more challenging.
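The only fields a defender reliably has for the access pattern described above are the request path and the client identity, since default IIS W3C logging on an Exchange server does not record arbitrary request headers (so the encoded commands and the static token never reach the log). The following is an added detection example, not code from the leaked documents or from DomainTools: it parses a few constructed IIS-style log lines for an Exchange server and flags requests whose file name matches the `m0s.*` pattern reported in the leak, as well as POSTs to `.aspx` files under Exchange virtual directories from scripting clients such as `python-requests`. The sample log lines, the list of scripting User-Agent prefixes and the virtual-directory list are assumptions for illustration.

```python
"""Flag possible webshell access in IIS W3C logs from an Exchange server.

Added example for illustration; not from the leaked APT35 documents or
DomainTools. Only the `m0s.*` file-name pattern comes from the reporting.
"""
import re
from collections import Counter
from typing import Dict, List

# File-name pattern reported for the webshells (page-supplied pattern).
WEBSHELL_NAME_RE = re.compile(r"^m0s\.[a-z0-9]+$", re.IGNORECASE)
# Assumed prefixes of non-browser HTTP clients that rarely POST to OWA/ECP pages.
SCRIPT_UA_PREFIXES = ("python-requests/", "python-urllib/", "curl/")
# Assumed Exchange virtual directories to watch (lower-case, with trailing slash).
EXCHANGE_VDIRS = ("/owa/", "/ecp/", "/ews/", "/autodiscover/", "/aspnet_client/", "/mapi/")

# Constructed sample log (hypothetical addresses and timestamps, not real data).
# Field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2025-10-03 09:12:01 203.0.113.10 GET /owa/auth/logon.aspx - 200 Mozilla/5.0+(Windows+NT+10.0)
2025-10-03 09:12:07 203.0.113.10 POST /owa/auth/m0s.aspx - 200 python-requests/2.31.0
2025-10-03 09:12:09 203.0.113.10 POST /aspnet_client/m0s.aspx - 200 python-requests/2.31.0
2025-10-03 09:12:15 198.51.100.7 POST /EWS/Exchange.asmx - 200 Microsoft+Office/16.0
2025-10-03 09:12:40 198.51.100.7 POST /ecp/default.aspx - 200 python-requests/2.31.0
2025-10-03 09:13:00 192.0.2.44 GET /ecp/default.aspx - 200 Mozilla/5.0+(Windows+NT+10.0)
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one W3C log line into named fields; return {} for headers/short lines."""
    parts = line.split()
    if len(parts) < 8 or parts[0].startswith("#"):
        return {}
    return {
        "date": parts[0], "time": parts[1], "ip": parts[2], "method": parts[3],
        "path": parts[4], "query": parts[5], "status": parts[6],
        # IIS encodes spaces in the User-Agent field as '+'.
        "ua": " ".join(parts[7:]).replace("+", " "),
    }


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the list of rule names a parsed request triggers (empty if benign)."""
    reasons: List[str] = []
    path = rec["path"].lower()
    name = path.rsplit("/", 1)[-1]
    # Rule 1: file name matches the reported webshell naming pattern.
    if WEBSHELL_NAME_RE.match(name):
        reasons.append("webshell_name_pattern")
    # Rule 2: a scripting client POSTing to an .aspx under an Exchange vdir,
    # which is how a command-bearing request to a shell page looks in the log.
    if (rec["method"] == "POST" and name.endswith(".aspx")
            and path.startswith(EXCHANGE_VDIRS)
            and rec["ua"].lower().startswith(SCRIPT_UA_PREFIXES)):
        reasons.append("script_client_post_aspx")
    return reasons


def find_webshell_indicators(log_text: str) -> List[Dict[str, object]]:
    """Return every parsed request that triggers at least one rule."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def summarize_by_source(findings: List[Dict[str, object]]) -> Counter:
    """Count flagged requests per client address to spot a single operator host."""
    return Counter(str(f["ip"]) for f in findings)


if __name__ == "__main__":
    hits = find_webshell_indicators(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["method"], h["path"], ",".join(h["reasons"]))
    print("per source:", dict(summarize_by_source(hits)))
```

Rule 2 deliberately ignores the EWS `.asmx` endpoint, because legitimate Outlook clients POST there constantly; tuning that rule to catch bulk address-list collection would need the request bodies or EWS-level auditing, which plain IIS logs do not provide. If custom headers are needed for detection, IIS can be configured to log selected request headers as custom fields, but that has to be enabled before the incident, not after.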
Following the successful establishment of initial access, APT35’s operations shift to data extraction. The group systematically extracts the Global Address List from compromised Exchange servers. The collected contact information, consisting of names and email addresses, is then converted into structured data. This structured data serves as the foundation for subsequent phishing operations, enabling the attackers to craft highly targeted and convincing lures designed to harvest user credentials. The leaked documents further reveal the automated validation of stolen credentials and their immediate reuse across other systems within the target network, maximizing the impact of each successful compromise.
The leaked materials describe automated scripts instrumental in validating compromised shells and extracting mailbox contents without direct human intervention. This showcases a high degree of maturity in the group’s capability development and operational efficiency. The entire targeting and exploitation process appears to follow standardized templates, meticulously documented in internal playbooks. Success metrics are consistently recorded in monthly performance reports, indicating a results-oriented operational culture. This systematic approach—from Exchange compromise and credential extraction to the integration of phishing campaigns—highlights how APT35 transforms technical vulnerabilities into sustained intelligence collection operations, measuring their effectiveness by quantifiable output rather than opportunistic gains.
The implications of this leak are significant for cybersecurity professionals and organizations worldwide. The detailed operational transparency provided by the APT35 documents allows for a deeper understanding of, and potentially more robust defenses against, state-sponsored espionage. It underscores the persistent danger posed by advanced persistent threat (APT) groups and the importance of continuous vigilance, patching, and sophisticated threat detection mechanisms. As security researchers continue to analyze the vast trove of leaked information, further details about APT35’s evolving tactics, techniques, and procedures are expected to emerge, guiding future defensive strategies against similar sophisticated cyber adversaries.