Categories: Cyber Security News

Leak of APT35 Internal Documents Reveals Their Targets and Attack Methods

A significant leak of APT35, also known as Charming Kitten, has surfaced, exposing its internal workings, targets, and methodologies.

Analysis of thousands of internal documents, campaign playbooks, and organizational records provides an unprecedented view into a regimented, quota-driven cyber-intelligence operation acting as an arm of Iran’s military and intelligence apparatus.

Bureaucratic Chain of Command and Attack Lifecycle

The leaked files reveal that APT35 operates with a bureaucratic structure akin to that of a military unit.

The group is managed under the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization, with tasking, oversight, and hierarchical reporting.

Campaign directives flow from a central “Campaign Coordination Unit” that issues quotas and mission objectives to subordinates.

Below that, specialist teams cover distinct technical and operational lanes, ranging from exploit development for VPN and Exchange appliances to credential theft, phishing (HERV-style), mailbox monitoring, and human-intelligence collection (HUMINT).

Each operator files monthly reviews tracking tasks, hours, campaign success, and efficiency metrics, which supervisors compile into performance dashboards.

Physical logs confirm operators work from secure, centralized facilities, not as remote hackers but as government-paid technical staff.

Supervision, quotas, and efficiency targets reinforce a culture of output, accountability, and centralized control.

The documents also tie specific personnel and aliases such as “Engineer Kian,” “Operator 04,” and “A. Mousavi” to defined roles in scanning, exploit integration, phishing, and reporting.

Targets and Technical Toolbox

APT35’s campaigns focus on high-value targets across Turkey, Lebanon, Kuwait, Saudi Arabia, South Korea, and Iran, primarily in the diplomatic, telecom, government, and strategic industrial sectors.

Operations proceed in distinct phases: mass reconnaissance, prioritization of vulnerable assets, exploitation using ProxyShell and Autodiscover chains on Exchange servers, and rapid deployment of web shells and credential stealers.


Extracted address books (GALs) seed subsequent phishing cycles, while compromised mailboxes remain under continuous watch for fresh intelligence and lateral movement.

The attackers also weaponize new CVEs at speed, integrating them into repetitive, KPI-measured campaigns.

Leaked technical data includes LSASS memory dumps, detailed logs of exploitation activity, credentials harvested, web shells like “m0s.php,” RATs and stagers for persistent access, and operational playbooks on phishing and Ivanti exploitation.

Detection signatures reveal the use of specific HTTP headers (e.g., Accept-Language) as command-and-control channels, recurring web shell paths, and credential reuse across campaigns.

The approach combines broad automation (custom scanning, credential scraping) with bespoke exploitation and intensive human collection loops.

From Ideology to Operations

Documents also link operators to official IRGC conferences, showing that staff attended events on psychological warfare and anti-Israel propaganda, reflecting the ideological indoctrination behind APT35 operations.

The group not only engages in espionage abroad but also surveils domestic targets deemed regime opponents, underlining a dual-purpose mission set.

Overall, the APT35 leaks expose a mature, industrialized cyber-espionage unit whose technical sophistication, organizational discipline, and bureaucratic procedures mirror those of a national intelligence agency.

Defensive recommendations include monitoring for Exchange exploitation, phishing markers and credential abuse, and deploying deception techniques to disrupt the group’s metric-driven workflow.
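As an added illustration of the detection angle described above (this is not code from the article or from any vendor it cites), the Python below triages constructed IIS-style Exchange access-log lines for three of the markers named here: requests to the leaked web shell name, ProxyShell-style Autodiscover path confusion, and Accept-Language values that are not a plausible language list. The log layout, the sample lines, the PHP heuristic and the length threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in a simplified IIS W3C layout (not data from the leak):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Accept-Language)
SAMPLE_LOG = """\
2024-05-01 10:00:01 203.0.113.5 GET /owa/auth/logon.aspx - 200 en-US
2024-05-01 10:00:07 203.0.113.5 POST /autodiscover/autodiscover.json @example.com/mapi/nspi/&Email=autodiscover/autodiscover.json%3F@example.com 200 en-US
2024-05-01 10:01:12 198.51.100.9 POST /aspnet_client/m0s.php - 200 en-US
2024-05-01 10:02:30 198.51.100.9 GET /owa/ - 200 aGVsbG8gd29ybGQ=
2024-05-01 10:03:00 192.0.2.44 GET /ecp/default.aspx - 302 fr-FR,fr;q=0.9
"""

# Web shell file name reported in the leak write-up; extend from your own intel.
KNOWN_WEBSHELLS = {"m0s.php"}
# RFC-style Accept-Language: comma-separated language ranges with optional q-values.
_LANG_TAG = r"(\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)(?:\s*;\s*q=(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?"
ACCEPT_LANGUAGE_RE = re.compile(rf"^{_LANG_TAG}(?:\s*,\s*{_LANG_TAG})*$")
MAX_ACCEPT_LANGUAGE_LEN = 64  # assumption: genuine browser values are short

@dataclass
class Finding:
    line: int
    rule: str
    detail: str

def triage_line(n: int, fields: list[str]) -> list[Finding]:
    _, _, ip, method, stem, query, status, accept_lang = fields
    out = []
    name = stem.rsplit("/", 1)[-1].lower()
    # 1) Known web shell names, plus any PHP on an Exchange/IIS host (Exchange serves no PHP).
    if name in KNOWN_WEBSHELLS or name.endswith(".php"):
        out.append(Finding(n, "webshell-path", f"{ip} {method} {stem}"))
    # 2) ProxyShell-style Autodiscover path confusion: an '@host/' segment inside the query.
    if stem.lower().endswith("/autodiscover/autodiscover.json") and re.search(r"@[^/]+/", query):
        out.append(Finding(n, "autodiscover-path-confusion", f"{ip} {query}"))
    # 3) Accept-Language that is not a language list, or implausibly long: possible C2 channel.
    if accept_lang != "-" and (len(accept_lang) > MAX_ACCEPT_LANGUAGE_LEN or not ACCEPT_LANGUAGE_RE.match(accept_lang)):
        out.append(Finding(n, "accept-language-anomaly", f"{ip} {accept_lang!r}"))
    return out

def triage(log_text: str) -> list[Finding]:
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 8:
            continue  # skip header, comment or malformed records
        findings.extend(triage_line(n, fields))
    return findings
```

Run `triage(SAMPLE_LOG)` against your own exported W3C logs after mapping the field order; each rule is a starting point for a hunt, not a verdict.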


The post Leak of APT35 Internal Documents Reveals Their Targets and Attack Methods appeared first on Cyber Security News.
