
In October 2025, a significant breach exposed the internal workings of APT35, also known as Charming Kitten, a cyber unit operating within Iran’s Islamic Revolutionary Guard Corps Intelligence Organization.
Thousands of leaked documents revealed the group’s systematic approach to targeting governments and businesses across the Middle East and Asia.
The exposure included performance reports, technical guides, and operational records that paint a clear picture of how this state-sponsored group conducts cyber espionage on a large scale.
The leaked materials show that APT35 operates like a traditional military organization rather than a casual hacker collective.
DomainTools security analysts found that the group maintains detailed performance tracking systems: operators report their work hours, completed tasks, and success rates to supervisors, who then compile comprehensive campaign summaries.
This bureaucratic structure reveals operators working from a centralized facility with badge-in entry systems, fixed work schedules, and formal oversight mechanisms.
The organization includes specialized teams focused on exploit development, credential harvesting, phishing operations, and real-time mailbox monitoring to gather human intelligence.
The attack methods documented in the leaked files are methodical and highly organized.
DomainTools security researchers noted that APT35 primarily targets Microsoft Exchange servers through ProxyShell exploitation chains combined with Autodiscover and EWS services to extract Global Address Lists containing employee contact information.
These contact lists become the foundation for targeted phishing campaigns that harvest credentials. Once initial access is gained, the group uses custom-developed tools to establish persistent access and steal additional credentials from computer memory using techniques similar to Mimikatz.
The stolen information enables the attackers to move laterally through networks and maintain long-term access.
The geographic scope of the campaign extends across multiple critical regions. Targeted entities include government ministries, telecommunications companies, customs agencies, and energy firms in Turkey, Lebanon, Kuwait, Saudi Arabia, South Korea, and Iran.
The leaked documents contain annotated target lists with notes indicating which attacks succeeded and which failed, along with webshell paths used to maintain access.
The operational focus reveals strategic intelligence collection priorities aligned with Iranian government objectives rather than random opportunistic attacks.
Access to diplomatic communications, telecom infrastructure, and critical energy sectors provides Tehran with valuable information for geopolitical negotiations and threat assessment.
Exchange Exploitation and Credential Harvesting Pipeline
The technical infrastructure supporting APT35’s operations demonstrates a sophisticated understanding of enterprise email systems.
The group weaponizes Exchange vulnerabilities through a coordinated exploitation sequence that begins with reconnaissance scanning to identify vulnerable servers. Once suitable targets are identified, operators deploy webshells disguised as legitimate system files to establish remote command execution capabilities.
These webshells, commonly named with the m0s.* pattern, provide interactive command shells that operators access through specially crafted HTTP headers.
The Python-based client tools used by operators encode commands within Accept-Language headers and use a static token for authentication, creating a covert communication channel that blends with legitimate network traffic.
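As an added, defender-side example (not code from the leak, from the DomainTools report, or from the group's own tooling), the following Python script scans web-server log lines for the two traits the passage describes: request paths whose file name follows the m0s.* pattern, and Accept-Language header values that are not syntactically language tags. The log layout and the sample lines are constructed; the script assumes the reverse proxy or IIS has been configured to log the client's Accept-Language header as the last field, which IIS does not do by default.

```python
import re
from typing import List, Tuple

# Constructed sample log (not taken from the leak). Layout assumed here:
# date time method uri-stem status client-ip accept-language
# A "-" in the last field means the client sent no Accept-Language header.
SAMPLE_LOG = """\
2025-10-15 09:12:01 GET /owa/auth/logon.aspx 200 203.0.113.5 en-US,en;q=0.9
2025-10-15 09:12:07 POST /aspnet_client/m0s.aspx 200 198.51.100.23 d2hvYW1p
2025-10-15 09:12:09 GET /ecp/default.aspx 200 203.0.113.5 de-DE,de;q=0.8,en;q=0.5
2025-10-15 09:12:15 POST /owa/auth/logon.aspx 200 198.51.100.23 aG9zdG5hbWU=
2025-10-15 09:12:20 GET /autodiscover/autodiscover.xml 401 203.0.113.77 -
"""

# One Accept-Language entry: "*" or a language tag such as "en", "en-US",
# "zh-Hans-CN", optionally followed by a quality value like ";q=0.8".
LANG_ENTRY_RE = re.compile(
    r"^(\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*)(;q=(0(\.\d{1,3})?|1(\.0{1,3})?))?$"
)

# File name pattern the article attributes to the group's webshells (m0s.*).
WEBSHELL_NAME_RE = re.compile(r"/m0s\.[A-Za-z0-9]+$", re.IGNORECASE)

REASON_NAME = "webshell-like filename (m0s.*)"
REASON_LANG = "Accept-Language is not a language tag list"


def is_plausible_accept_language(value: str) -> bool:
    """True if every comma-separated entry looks like a real language tag.

    An absent header ("-" or empty) is not suspicious on its own.
    Base64 or other encoded payloads usually contain digits, "=", "+" or "/",
    or exceed the 8-character subtag limit, and therefore fail this check.
    """
    if value in ("", "-"):
        return True
    return all(LANG_ENTRY_RE.match(entry.strip()) for entry in value.split(","))


def scan_log(log_text: str) -> List[Tuple[int, str, Tuple[str, ...]]]:
    """Return (line_no, path, reasons) for every line that trips a heuristic."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(maxsplit=6)
        if len(parts) < 7:
            continue  # malformed or truncated line; skip rather than guess
        path, accept_language = parts[3], parts[6]
        reasons = []
        if WEBSHELL_NAME_RE.search(path):
            reasons.append(REASON_NAME)
        if not is_plausible_accept_language(accept_language):
            reasons.append(REASON_LANG)
        if reasons:
            findings.append((line_no, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for line_no, path, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {path}: {'; '.join(reasons)}")
```

The syntax check alone will miss a short, letters-only encoded value, so in practice pair it with frequency analysis: a client that repeats the same non-language Accept-Language value, or the same constant token in any header, against one path across many requests is a far stronger signal than any single line, and matches the static-token behaviour the article describes.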
Following initial access, the group extracts the Global Address List from Exchange servers, converting email contact information into structured data for subsequent phishing operations.
Harvested credentials are immediately validated and reused across other systems in the target network.
The leaked documents describe automated scripts that validate shells and extract mailbox contents without human intervention, demonstrating capability development maturity.
The entire process follows standardized templates documented in internal playbooks, with success metrics recorded in monthly performance reports.
This systematic approach to Exchange compromise, credential extraction, and phishing integration illustrates how APT35 transforms technical vulnerabilities into sustainable intelligence collection operations measured by quantifiable output rather than random opportunity.
