Unveiling APT35: Leaked Documents Reveal Iranian Cyber Espionage Tactics
In October 2025, a significant data breach exposed the internal operations of APT35, also known as Charming Kitten, a cyber unit within Iran’s Islamic Revolutionary Guard Corps Intelligence Organization. Thousands of leaked documents have provided unprecedented insight into the group’s systematic approach to cyber espionage, targeting governments and businesses across the Middle East and Asia.
Organizational Structure and Operations
The leaked materials reveal that APT35 operates with a level of organization akin to a traditional military unit rather than a loose hacker collective. The group maintains detailed performance tracking systems where operators log work hours, completed tasks, and success rates. Supervisors compile comprehensive campaign summaries, indicating a bureaucratic structure with centralized facilities, badge-in entry systems, fixed work schedules, and formal oversight mechanisms.
Specialized teams within APT35 focus on various aspects of cyber operations, including exploit development, credential harvesting, phishing campaigns, and real-time mailbox monitoring for human intelligence gathering.
Attack Methodologies
APT35 employs methodical and highly organized attack strategies. The group primarily targets Microsoft Exchange servers using ProxyShell exploitation chains combined with Autodiscover and Exchange Web Services (EWS) to extract Global Address Lists containing employee contact information. These lists serve as the foundation for targeted phishing campaigns aimed at credential harvesting.
Once initial access is achieved, APT35 utilizes custom-developed tools to establish persistent access and extract additional credentials from computer memory, employing techniques similar to Mimikatz. This stolen information enables lateral movement within networks and long-term access maintenance.
Geographic Scope and Targeted Entities
The group’s operations span multiple critical regions, targeting government ministries, telecommunications companies, customs agencies, and energy firms in countries such as Turkey, Lebanon, Kuwait, Saudi Arabia, South Korea, and Iran. Leaked documents include annotated target lists indicating successful and failed attacks, along with webshell paths used to maintain access.
This strategic focus aligns with Iranian government objectives, aiming to access diplomatic communications, telecom infrastructure, and critical energy sectors to gather valuable geopolitical intelligence.
Technical Infrastructure and Exploitation Techniques
APT35’s technical infrastructure demonstrates a sophisticated understanding of enterprise email systems. The group conducts reconnaissance scanning to identify vulnerable Exchange servers, then deploys webshells disguised as legitimate system files to establish remote command execution. These webshells, commonly named using the m0s. pattern, provide interactive command shells that are accessed through specially crafted HTTP headers.
Operators use Python-based client tools that encode commands within Accept-Language headers and employ static tokens for authentication, creating covert communication channels that blend with legitimate network traffic.
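The header-tunnelling pattern described above is something a defender can hunt for in web server logs. The following is an added example, not code from the leak or from any vendor write-up: it parses W3C extended log lines (assumed to come from IIS with the optional cs(Accept-Language) field enabled) and flags requests whose Accept-Language value is not a syntactically valid language range, or whose target file follows the m0s. naming pattern. The log lines and paths are constructed for the example.

```python
import re

# A well-formed Accept-Language header is a comma-separated list of language
# ranges ("en-US", "fr", "*"), each optionally followed by ";q=<weight>".
_LANG_RANGE = re.compile(
    r"^(\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
    r"(?:\s*;\s*q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$"
)
# Webshell file-name pattern reported in the leak coverage (m0s. prefix).
_WEBSHELL_NAME = re.compile(r"/m0s\.[^/]*$", re.IGNORECASE)

# Constructed sample log (assumed IIS W3C format with cs(Accept-Language)
# logged as a custom field); opaque header values are invented placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Accept-Language)
2025-10-02 08:15:01 203.0.113.10 GET /owa/auth/logon.aspx 200 en-US,en;q=0.9
2025-10-02 08:15:07 203.0.113.11 POST /aspnet_client/m0s.aspx 200 Zm9vYmFyYmF6cXV4
2025-10-02 08:16:30 203.0.113.12 GET /ecp/default.aspx 200 fr-FR,fr;q=0.8,en;q=0.5
2025-10-02 08:17:02 203.0.113.13 POST /owa/auth/ticket.aspx 200 3a7f9c1e5d2b4a60
2025-10-02 08:18:44 203.0.113.14 GET /owa/ 302 -
"""

def is_valid_accept_language(value: str) -> bool:
    """True only if every comma-separated element is a valid language range."""
    return all(_LANG_RANGE.match(part.strip()) for part in value.split(","))

def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log text; the '#Fields:' line names the columns."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def suspicious_requests(text: str) -> list[tuple[str, list[str]]]:
    """Return (uri, reasons) for requests matching the header-tunnelling pattern."""
    hits = []
    for rec in parse_w3c(text):
        reasons = []
        lang = rec.get("cs(Accept-Language)", "-")
        if lang != "-" and not is_valid_accept_language(lang):
            reasons.append("accept-language-not-a-locale")
        if _WEBSHELL_NAME.search(rec.get("cs-uri-stem", "")):
            reasons.append("m0s-webshell-name")
        if reasons:
            hits.append((rec["cs-uri-stem"], reasons))
    return hits
```

Because the check is on header syntax rather than a specific encoding, it also catches variants that switch from base64 to hex or another opaque token format.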
Implications and Recommendations
The exposure of APT35’s internal documents underscores the evolving threat landscape posed by state-sponsored cyber espionage groups. Organizations, particularly those in targeted sectors and regions, should enhance their cybersecurity measures by:
– Regularly updating and patching systems to mitigate known vulnerabilities.
– Implementing robust email filtering and phishing detection mechanisms.
– Conducting comprehensive security audits and penetration testing.
– Providing ongoing cybersecurity training for employees to recognize and report phishing attempts.
By adopting these proactive measures, organizations can strengthen their defenses against sophisticated cyber threats like those posed by APT35.