APT35 Leak Unveils Spreadsheets Containing Domain, Payment, and Server Information

A new data leak, dubbed Episode 4, has exposed the operational backbone of Iran-linked threat actor APT35 (Charming Kitten), revealing how Tehran’s cyber apparatus functions less like a hacker collective and more like a bureaucratic department.

The leaked files, comprising service logs, crypto payment records, and IP allocation records, document a meticulous system of procurement, funding, and administration behind the group’s global operations.

The files include three CSV spreadsheets named 0-SERVICE-Service.csv, 0-SERVICE-payment BTC.csv, and 1-NET-Sheet1.csv.

Together, they map the infrastructure lifecycle of APT35’s campaigns, linking domain registrations, Bitcoin payments, and live command-and-control servers via internal ticketing codes.

Analysts describe the material as “the paperwork of espionage,” a detailed look at how state-sponsored intrusions are managed, financed, and tracked.

Spreadsheets Expose Operations Network

The 0-SERVICE-Service.csv file contains more than 170 rows linking domains, registrars, and account credentials. It lists over 50 ProtonMail aliases and 80 email-password pairs, revealing domain providers such as EDIS Global (Cyprus), NameSilo, and ImprezaHost as frequent vendors.

Each row includes pricing details and renewal intervals, indicating that intrusion infrastructure was procured and renewed like corporate IT services.

The second file, 0-SERVICE-payment BTC.csv, details 55 Bitcoin transactions made between October 2023 and December 2024. Average payments were approximately $56 (0.0019 BTC) and were processed via the Cryptomus platform.

Each payment corresponds to a service log entry, tying financial transactions to infrastructure activation. Bitcoin addresses and wallet fragments exhibit small, recurring transfers, a design intended to stay below regulatory thresholds.

Finally, 1-NET-Sheet1.csv lists network ranges and IP allocations across European hosting providers, annotated in Persian.

Several IP addresses, including blocks under AS203391 and AS21340, were traced to VPS rentals that remain active weeks after the leak. This technical overlap confirms a direct connection between the spreadsheets and APT35’s operational servers.

The duplicate records tie APT35’s procurement network to the ransomless hacktivist group Moses Staff, previously known for targeting Israeli defense and energy organizations.

The domain moses appears in the leaked service ledger, alongside ProtonMail accounts reused across APT35 infrastructure.

This crossover indicates that Moses Staff’s destructive campaigns were administratively supported by Charming Kitten’s backend systems, blurring the line between espionage and propaganda.

Security researchers say the leak exposes the “economic engine” behind Iranian cyber operations, a system where spreadsheet-managed budgets and micro-crypto payments sustain long-term intrusion campaigns.

The revelation underscores how Tehran’s cyber strategy relies on bureaucracy, not chaos: each phishing kit, domain, and command server begins not with code, but with an invoice.

The post APT35 Leak Unveils Spreadsheets Containing Domain, Payment, and Server Information appeared first on Cyber Security News.
