Mallory

Leak of Internal Operational Documents from Iran-Linked APT35 (Charming Kitten)

Updated October 7, 2025 at 03:01 PM (2 sources)


A significant leak of internal operational documents allegedly belonging to the Iranian state-sponsored threat group APT35, also known as Charming Kitten, has surfaced online. The dataset, which appeared on a public repository in late September 2025, contains over 100 files of Persian-language internal documentation, including personnel rosters, tooling details, campaign reports, and organizational charts. Analysis of the leak reveals a highly coordinated structure within APT35, with dedicated teams for penetration testing, malware development, social engineering, and infrastructure compromise. The documents detail the group’s rapid exploitation of vulnerabilities such as CVE-2024-1709 and their use of mass router DNS manipulation to compromise targets.

Victims identified in the leak span government, legal, academic, aviation, energy, and financial sectors, primarily in the Middle East, but also include targets in the United States and Asia. The operational materials highlight the group’s use of custom remote access trojans (RATs), advanced endpoint detection and response (EDR) evasion techniques, and supply-chain attack vectors. The leak also exposes the group’s sophisticated phishing infrastructure and their ability to achieve long-term persistence and Active Directory dominance within compromised environments.

The documents provide insight into the group’s vulnerability research activities, targeting platforms such as Confluence, WordPress, Ivanti, and Apache. Additionally, the leak includes open-source intelligence (OSINT) on targets and detailed attack reports, including domain information and mentions of remote access tools like AnyDesk. The individual or group responsible for the leak, operating under the alias KittenBuster, has stated their intention to release further evidence and personal information about APT35 members in the coming days.
Security researchers are working to verify the authenticity of the leak, but initial assessments indicate a high degree of credibility based on language, content, and context. The exposure of these materials represents a rare and valuable opportunity for the cybersecurity community to gain insight into the tradecraft, organizational structure, and operational priorities of a major Iranian cyber-espionage group. The leak underscores the acute supply-chain and national security risks posed by IRGC-affiliated actors and highlights the need for heightened vigilance among organizations in targeted sectors. The ongoing release of additional documents may further illuminate the group’s tactics, techniques, and procedures (TTPs), enabling defenders to better anticipate and mitigate future threats. This incident marks one of the most comprehensive public exposures of Iranian APT operations to date, with potential implications for both regional and global cybersecurity.

Sources

October 7, 2025 at 12:00 AM
intelinsights
Intel Drops #2
October 6, 2025 at 12:00 AM

Related Stories

Recent Cyber Espionage Campaigns and Tactics of State-Backed APT Groups

State-backed advanced persistent threat (APT) groups have intensified their cyber espionage activities, employing increasingly sophisticated tactics, techniques, and procedures (TTPs) to infiltrate and persist within high-value targets. APT15, believed to operate out of China, has conducted a series of high-profile campaigns targeting government entities, defense contractors, and minority groups across Europe, North America, and Asia. Their operations leverage spear phishing, exploitation of public-facing applications, and advanced defense evasion methods such as steganography and masquerading malware as legitimate software. Similarly, the Iranian group Charming Kitten (APT35) has been exposed through recent leaks, revealing the identities of key personnel, financial structures, and thousands of compromised systems worldwide. These leaks detail how the group uses spear-phishing, fake login pages, and malicious attachments to gain initial access, followed by persistent surveillance and data exfiltration from government, academic, and civil society networks. Technical analysis of these groups' operations highlights the use of legitimate system tools for lateral movement and persistence, as well as complex command-and-control (C2) infrastructures designed to evade detection. The leaks concerning Charming Kitten provide unprecedented insight into the operational management and financial underpinnings of Iranian cyber espionage, including the use of front companies and detailed tasking sheets. Both APT15 and APT35 demonstrate the ongoing evolution of state-sponsored cyber threats, with a focus on stealth, persistence, and the targeting of sensitive information across multiple sectors and geographies.

3 months ago
Iranian Threat Activity: RedKitten NGO Targeting and APT42 TAMECAT Credential Theft

Reporting describes two separate **Iran-linked espionage** efforts. HarfangLab detailed a campaign dubbed **RedKitten** targeting human-rights NGOs and individuals documenting abuses, using a lure delivered as a Farsi-named `7z` archive containing macro-enabled Excel (`.xlsm`) files. When victims enable the malicious VBA, it drops a C# implant (`AppVStreamingUX_Multi_User.dll`) via **AppDomainManager injection**; the operation uses **GitHub** and **Google Drive** for configuration/payload retrieval and **Telegram** for command-and-control, and researchers noted code characteristics consistent with **LLM-assisted** development. Separately, Pulsedive research (as summarized) attributed a PowerShell backdoor called **TAMECAT** to **APT42**, describing social-engineering via impersonated WhatsApp contacts and links abusing the `search-ms` URI handler, followed by VBScript-based staging and delivery mechanisms including WebDAV-hosted LNKs disguised as PDFs. TAMECAT was reported to steal credentials from **Microsoft Edge** and **Chrome**, establish persistence (e.g., logon scripts and registry run keys), and use multiple C2 channels (including **Telegram**, Discord, Firebase, and Cloudflare Workers). Other items in the set cover unrelated events: a supply-chain compromise of *eScan* antivirus update infrastructure distributing a backdoor, and Fortinet’s reporting on **Interlock** ransomware activity affecting primarily UK/US organizations (not Iran-linked).

1 month ago

Iranian APT42 SpearSpecter Campaign Targets Defense Sector with TAMECAT Backdoor

Iranian state-backed threat group APT42, also known as Charming Kitten and Educated Manticore, has launched a sophisticated cyberespionage campaign dubbed SpearSpecter, targeting high-profile defense and government organizations as well as their officials and family members. The campaign leverages weeks-long social engineering lures via WhatsApp to gain initial access, followed by credential theft through redirection to fake meeting pages. For long-term persistence, the attackers deploy a fileless PowerShell-based backdoor named TAMECAT, which enables command execution, reconnaissance, file harvesting, and browser data exfiltration. The campaign demonstrates advanced operational security and agility, with infrastructure designed for prolonged espionage against high-value targets. Researchers note that TAMECAT's capabilities allow attackers to maintain stealth and flexibility, executing further PowerShell code and adapting their operations based on their objectives. The Israel National Digital Agency highlighted that these attacks are distinct from previous APT42 campaigns, reflecting a continuous evolution in tactics. The campaign's focus on defense and government entities underscores the persistent threat posed by Iranian cyber operations to critical infrastructure and sensitive sectors worldwide.
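The two TAMECAT summaries above describe delivery and persistence artifacts that endpoint telemetry can surface: `search-ms` URIs launched from a browser, WebDAV-hosted shortcut files disguised as PDFs, and a PowerShell backdoor persisted through registry Run keys and logon scripts. The following is an added detection sketch, not code from the original reports or from any of the cited vendors. It runs over constructed Sysmon-style events; the field names (`type`, `image`, `cmdline`, `key`, `data`, `path`) are this example's own assumption rather than any vendor schema, and the `DavWWWRoot` path component and the `UserInitMprLogonScript` value are assumed here as the common Windows artifacts for WebDAV access and user logon-script persistence, since the summaries name neither.

```python
"""Flag endpoint events matching the TAMECAT-style delivery and persistence
tradecraft described above. Added example; events below are constructed."""
import re

# Constructed sample telemetry resembling Sysmon process / file / registry events.
# None of these values come from the reports; the encoded blob is an opaque placeholder.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r"chrome.exe --single-argument search-ms:query=agenda&crumb=location:"
                r"\\files.example.invalid@SSL\DavWWWRoot\share"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Downloads\Meeting_Agenda.pdf.lnk"},
    {"type": "registry",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": "powershell.exe -w hidden -nop -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
    {"type": "registry",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript",
     "data": r"C:\Users\alice\AppData\Roaming\sync.vbs"},
    # Benign control: an installer registering a tray app from Program Files.
    {"type": "registry", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "data": r'"C:\Program Files\Vendor\tray.exe" /minimized'},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Documents\budget.xlsx"},
]

# Patterns for the artifacts named in the summaries (case-insensitive).
RE_SEARCH_MS = re.compile(r"(?i)\bsearch-ms:")
RE_WEBDAV = re.compile(r"(?i)\\\\[^\\\s]+\\DavWWWRoot")          # assumed WebDAV redirector path
RE_DOUBLE_EXT_LNK = re.compile(r"(?i)\.(?:pdf|docx?|xlsx?)\.lnk$")  # shortcut posing as a document
RE_PS_STEALTHY = re.compile(
    r"(?i)\bpowershell(?:\.exe)?\b.*(?:-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-nop\b)")
RE_RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")
RE_LOGON_SCRIPT = re.compile(r"(?i)\\Environment\\UserInitMprLogonScript$")  # assumed logon-script value
RE_USER_WRITABLE = re.compile(r"(?i)\\(?:AppData|Temp|Downloads|Public|ProgramData)\\")
SCRIPT_EXTS = (".vbs", ".js", ".hta", ".ps1", ".bat", ".cmd")


def classify_event(ev: dict) -> list[str]:
    """Return human-readable findings for one event (empty list if nothing matched)."""
    findings = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        if RE_SEARCH_MS.search(cmd):
            findings.append("search-ms URI handler invoked from a process command line")
        if RE_WEBDAV.search(cmd):
            findings.append("WebDAV (DavWWWRoot) path referenced")
        if RE_PS_STEALTHY.search(cmd):
            findings.append("PowerShell launched hidden/encoded/no-profile")
    elif kind == "file":
        if RE_DOUBLE_EXT_LNK.search(ev.get("path", "")):
            findings.append("shortcut file masquerading as a document (double extension .lnk)")
    elif kind == "registry":
        key, data = ev.get("key", ""), ev.get("data", "")
        if RE_RUN_KEY.search(key):
            # Run keys are noisy; only flag the value when its payload looks like a stager.
            if RE_PS_STEALTHY.search(data):
                findings.append("Run key persisting hidden/encoded PowerShell")
            elif data.lower().rstrip('"').endswith(SCRIPT_EXTS) or RE_USER_WRITABLE.search(data):
                findings.append("Run key pointing at a script or user-writable location")
        if RE_LOGON_SCRIPT.search(key):
            findings.append("user logon script set (UserInitMprLogonScript)")
    return findings


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Evaluate every event; return (index, findings) for those that triggered."""
    hits = []
    for i, ev in enumerate(events):
        f = classify_event(ev)
        if f:
            hits.append((i, f))
    return hits


if __name__ == "__main__":
    for idx, f in scan(SAMPLE_EVENTS):
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['image']}):")
        for line in f:
            print("   -", line)
```

The Run-key branch deliberately suppresses the benign installer entry: Run-key writes are routine, so the rule keys on the payload (hidden or encoded PowerShell, a script interpreter target, or a user-writable path) rather than on the key alone, which is the trade-off a SOC would tune against its own baseline.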

3 months ago
