Inside APT35: Leaked Files Reveal Structured IRGC Cyber-Espionage Machine
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Broken Authentication, Vulnerability Exploitation, Downloader, Dropper, Keylogger, RAT, Spyware, Phishing, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
Leaked internal documents reveal a highly structured APT35 (Charming Kitten) operation run as a quota-driven, bureaucratic intelligence unit within the IRGC Intelligence Organization (IRGC-IO). The materials detail coordinated, long-term cyber-espionage campaigns targeting Lebanon, Kuwait, Turkey, Saudi Arabia, South Korea, and domestic Iranian entities, with a strong focus on diplomatic, governmental, telecom, energy, and large commercial mail systems. Operators used ProxyShell, Ivanti exploits, credential replay, HERV phishing, and persistent mailbox monitoring to harvest Global Address Lists (GALs), credentials, and sensitive communications. The leak exposes end-to-end workflows: reconnaissance, exploitation, credential theft, HUMINT-focused collection, and centralized KPI reporting, confirming a mature, state-managed espionage apparatus.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Fast Communication Company Ltd: a Kuwait-based internet service provider established in 2001, now part of Ooredoo Kuwait. Targeted by APT35 as the main target. | Verified |
| Case | IRT-KRNIC-KR: KRNIC is the national internet registry of the Republic of Korea, responsible for allocating IP addresses and managing the .kr domain. Targeted by APT35 as the main target. | Verified |
| Case | Nour Communication Co. Ltd: a Saudi business conglomerate providing services in the telecommunications, energy, and engineering industries. Targeted by APT35 as the main target. | Verified |
| Case | Pishgaman Tejarat Sayar: an Iran-based internet service provider (ISP) offering DSL connectivity. Targeted by APT35 as the main target. | Verified |
| Case | Türk Telekom: Türk Telekomünikasyon A.Ş., the state-owned Turkish telecommunications company, separated from Turkish Post (PTT) in 1995. Targeted by APT35 as the main target. | Verified |
| Sector | Food and Agriculture | Verified |
| Sector | Government Agencies and Services | Verified |
| Sector | Manufacturing | Verified |
| Sector | Energy | Verified |
| Sector | Healthcare | Verified |
| Sector | Telecommunication | Verified |
| Region | Afghanistan | Verified |
| Region | Iran | Verified |
| Region | Israel | Verified |
| Region | Jordan | Verified |
| Region | Kuwait | Verified |
| Region | Lebanon | Verified |
| Region | Qatar | Verified |
| Region | Saudi Arabia | Verified |
| Region | South Korea | Verified |
| Region | Turkey | Verified |
| Region | United Arab Emirates | Verified |
FAQs
Understanding the APT35 Internal Leak
Leaked internal documents exposed the operations of APT35, a state-sponsored Iranian hacking group. The materials detailed cyber campaigns against regional governments and telecom firms, using exploits and phishing to collect intelligence.
APT35, also known as Charming Kitten or TA453, is a cyber unit within Iran's IRGC Intelligence Organization. The group conducts long-term espionage, focusing on email systems and diplomatic networks.
Their main goal was to gather strategic intelligence by compromising mail servers, stealing credentials, and monitoring email communications. They also aimed to build long-term access for surveillance and influence operations.
Targets included Turkey, Lebanon, Saudi Arabia, Kuwait, South Korea, Jordan, and Iran itself (for development and internal staging). Each region had tailored attack methods and objectives.
Government ministries, foreign affairs departments, customs authorities, telecom operators, and energy firms were primary targets. These sectors offer high intelligence value and leverage.
The attackers used Exchange server vulnerabilities (like ProxyShell), phishing emails, credential harvesting, and custom malware. They gained access, installed webshells, and maintained long-term surveillance via compromised email accounts.
These entities handle sensitive diplomatic, political, and economic data. Access to them enables Iran to influence regional dynamics and improve its geopolitical positioning.
Apply patches to all critical systems, especially Exchange and VPN appliances. Monitor for suspicious webshells or credential use, implement phishing-resistant MFA, and inspect logs for anomalous access patterns.
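The detection side of this guidance, as an added example that is not part of the leaked material or of any vendor tooling: a Python triage script that parses constructed IIS W3C-style request logs from an Exchange front end and flags three patterns the report describes: Autodiscover requests whose URL carries an "@" (the publicly documented ProxyShell SSRF shape), ASPX pages under Exchange web roots that are not known Exchange pages (candidate webshells), and a single account authenticating from several source IPs within a short window (credential replay). The log field order, the ASPX allowlist, the window and the IP threshold are assumptions to tune to your own environment; the log lines are constructed.

```python
"""
Triage helper for the Exchange-centred TTPs described in this report.
Added example, not from the leaked documents or any vendor product.
Assumptions: IIS logs in the 8-field layout below, an illustrative
allowlist of legitimate Exchange .aspx pages, and a 10-minute /
3-distinct-IP replay threshold. Tune all three before real use.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log lines (not real traffic). Field order assumed:
# date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
SAMPLE_LOG = """\
2024-01-10 08:00:01 GET /owa/auth/logon.aspx - - 203.0.113.5 200
2024-01-10 08:00:07 POST /autodiscover/autodiscover.json @evil.example/powershell - 198.51.100.23 200
2024-01-10 08:00:09 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi - 198.51.100.23 200
2024-01-10 08:00:30 POST /aspnet_client/update.aspx - - 198.51.100.23 200
2024-01-10 08:01:00 GET /owa/ - alice 203.0.113.5 200
2024-01-10 08:01:05 GET /owa/ - bob 203.0.113.5 200
2024-01-10 08:01:10 POST /ews/exchange.asmx - svc-mail 198.51.100.23 200
2024-01-10 08:01:20 POST /ews/exchange.asmx - svc-mail 198.51.100.77 200
2024-01-10 08:01:25 POST /ews/exchange.asmx - svc-mail 192.0.2.10 200
2024-01-10 08:01:40 POST /ews/exchange.asmx - svc-mail 192.0.2.11 200
2024-01-10 08:20:00 POST /ews/exchange.asmx - carol 203.0.113.5 200
"""

AUTODISCOVER_RE = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
# Exchange web roots where dropped webshells are commonly written.
EXCHANGE_WEB_ROOTS = ("/aspnet_client/", "/owa/auth/", "/ecp/")
# Illustrative allowlist of legitimate pages under those roots (assumption;
# build it from a known-good server of the same Exchange version).
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx",
              "/owa/auth/errorfe.aspx", "/ecp/default.aspx"}
REPLAY_WINDOW = timedelta(minutes=10)   # assumption
REPLAY_DISTINCT_IPS = 3                 # assumption


def parse_line(line):
    """Parse one 8-field log line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 8:
        return None
    date, time, method, stem, query, user, ip, status = fields
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "method": method, "stem": stem, "query": query,
        "user": None if user == "-" else user, "ip": ip, "status": int(status),
    }


def detect_proxyshell(events):
    """Autodiscover requests with '@' in the URL: the published ProxyShell SSRF shape."""
    return [(e["ts"], e["ip"], f"{e['stem']}?{e['query']}") for e in events
            if AUTODISCOVER_RE.search(e["stem"]) and ("@" in e["query"] or "@" in e["stem"])]


def detect_webshell_paths(events):
    """Requests to .aspx files under Exchange web roots that are not known pages."""
    hits = []
    for e in events:
        stem = e["stem"].lower()
        if stem.endswith(".aspx") and stem.startswith(EXCHANGE_WEB_ROOTS) and stem not in KNOWN_ASPX:
            hits.append((e["ts"], e["ip"], e["stem"]))
    return hits


def detect_credential_replay(events):
    """One account seen from >= REPLAY_DISTINCT_IPS source IPs inside REPLAY_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"]:
            by_user[e["user"]].append((e["ts"], e["ip"]))
    hits = []
    for user, seq in by_user.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            ips = {ip for t, ip in seq[i:] if t - start <= REPLAY_WINDOW}
            if len(ips) >= REPLAY_DISTINCT_IPS:
                hits.append((user, start, sorted(ips)))
                break   # one finding per account is enough for triage
    return hits


def analyze(log_text):
    """Run all three detections over raw log text and return findings per rule."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "proxyshell_ssrf": detect_proxyshell(events),
        "suspicious_aspx": detect_webshell_paths(events),
        "credential_replay": detect_credential_replay(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(f"[{rule}] {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

The three rules are deliberately independent so each can be tuned or disabled on its own; in a SIEM the same logic maps to one query per rule keyed on `cs-uri-stem`, `cs-uri-query`, `cs-username` and `c-ip`. The replay rule is the noisiest on mobile or VPN-heavy user populations, so raise the IP threshold or exclude known egress ranges before alerting on it.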
This was a targeted, strategic campaign with regional focus. The attackers carefully selected high-value targets and used tailored techniques rather than indiscriminate attacks.