In a groundbreaking disclosure, CloudSEK’s TRIAD unit has unearthed internal operational materials that shed light on Charming Kitten (APT35), revealing an intricate espionage apparatus linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).
The leak comprises over 100 Persian-language files marked with Jalali calendar dates and aligned with Tehran time, underscoring its authenticity.
At the apex, a “Management” cell orchestrates strategy and budget approvals, supported by a “Sarrafi” contractor handling cryptocurrency transactions and document forgery.
Beneath them, technical and operational teams are delineated by specialized roles. Administrative staff led by Mehdi Sharifi coordinate contracts and personnel logistics, while core operators such as Esmaeil Heydari and Vahid Molavi execute daily workloads exceeding 160 hours monthly.
A dedicated penetration team features Ali, a SQL injection specialist conducting mass modem DNS manipulation campaigns, and Mohammad, who automates web-exploitation tools to target Israeli sites.
Malware developers, notably “HSN,” cultivate custom RATs under the RTM Project for Active Directory domination.
Infrastructure experts like Amir Hossein master large-scale router exploitation, deploying RouterScan and RouterSploit auto-exploiters to compromise GoAhead, TP-LINK, and Cisco devices en masse.
Rapid Exploitation and Resilient Persistence
APT35’s hallmark is day-one response to public disclosures. The unnamed rapid-response unit weaponized CVE-2024-1709 within 24 hours, scanning for vulnerable instances across Israel, Saudi Arabia, Turkey, Jordan, UAE, and Azerbaijan.
A proof-of-concept snippet for the ConnectWise exploitation reveals a streamlined HTTP request crafted in Python:
```python
import requests

# <target> is a placeholder host; the request is sent to the ScreenConnect authentication endpoint
url = "https://<target>/v4_6_release/AuthenticateUser"
payload = {"UserName": "admin", "Password": "password"}
r = requests.post(url, json=payload, timeout=5)
# The snippet treats a returned session cookie as a successful login
if "Set-Cookie" in r.headers:
    print("Exploit succeeded, session cookie:", r.headers["Set-Cookie"])
```
This rapid weaponization underpins their broader shock-and-awe approach, letting the group pivot to newly disclosed vulnerabilities in near real time.
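From the defender's side, the request shape quoted above is also what a detection rule keys on: bursts of POSTs to the authentication endpoint from one source, failures followed by a success, and scripted client signatures. The following is an added example, not code from the article or from CloudSEK; the endpoint path is taken from the snippet above, while the access-log lines are constructed and the Combined Log Format (from a reverse proxy in front of the ScreenConnect host) is an assumption.

```python
import re
from collections import defaultdict

# Endpoint path taken from the proof-of-concept request quoted in the article
AUTH_PATH = "/v4_6_release/AuthenticateUser"

# Constructed sample access-log lines in Combined Log Format (assumption: a
# reverse proxy in front of the ScreenConnect host logs in this format)
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2024:10:01:02 +0000] "POST /v4_6_release/AuthenticateUser HTTP/1.1" 401 512 "-" "python-requests/2.31.0"
203.0.113.5 - - [20/Feb/2024:10:01:03 +0000] "POST /v4_6_release/AuthenticateUser HTTP/1.1" 401 512 "-" "python-requests/2.31.0"
203.0.113.5 - - [20/Feb/2024:10:01:04 +0000] "POST /v4_6_release/AuthenticateUser HTTP/1.1" 200 1024 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/Feb/2024:10:05:00 +0000] "GET /Host HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2024:10:05:10 +0000] "POST /v4_6_release/AuthenticateUser HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)


def parse_log(text):
    """Parse Combined Log Format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def summarize_auth_activity(entries):
    """Per source IP: POST attempts against the auth endpoint, failures, successes, user agents."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "successes": 0, "user_agents": set()})
    for e in entries:
        if e["method"] == "POST" and e["path"] == AUTH_PATH:
            s = stats[e["ip"]]
            s["attempts"] += 1
            if e["status"] == 200:
                s["successes"] += 1
            else:
                s["failures"] += 1
            if e["ua"]:
                s["user_agents"].add(e["ua"])
    return dict(stats)


def flag_suspicious(stats, min_attempts=3):
    """Flag IPs with a burst of auth POSTs, failures plus a success, or a scripted client."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["attempts"] >= min_attempts:
            reasons.append(f"{s['attempts']} auth POSTs")
        if s["failures"] and s["successes"]:
            reasons.append("success after failed attempts")
        if any(ua.startswith("python-requests") for ua in s["user_agents"]):
            reasons.append("scripted client user-agent")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    findings = flag_suspicious(summarize_auth_activity(parse_log(SAMPLE_LOG)))
    for ip, reasons in findings.items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed input, 203.0.113.5 is flagged on all three counts while the single interactive login from 198.51.100.7 is not; in production the thresholds would be tuned to the normal login rate of the host and the findings fed to the SIEM alongside the patch status of the ScreenConnect instance.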
Persistence is achieved through web shells and obfuscated DLL payloads that bypass EDR solutions such as SentinelOne and Trend Micro.
Custom loaders maintain footholds in compromised networks, while encrypted VeraCrypt containers and VM snapshots preserve operational security.
Exfiltration Mechanics
Victimology spans legal, academic, aviation, energy, financial, and governmental sectors across the Middle East, extending to U.S. agencies in the region and key Asian entities.
Qistas, a Jordanian legal services firm, fell prey to tailored supply-chain attacks leading to 74 GB of exfiltrated judgment archives and lawyer dossiers.
IBLaw operations compromised Exchange servers to steal contracts linking defense contractors with Gulf states.
Academic targets like WISE University endured database dumps of over 11,000 student records. A streamlined IoC table highlights critical indicators of compromise:
Social engineering forms the campaign backbone. Majid’s team orchestrates multi-platform phishing using Facebook Ads and Telegram channels, overcoming payment restrictions via sanctioned card workarounds. SMS-based smishing leverages 50+ evaluated panels, while forged Binance KYC documents facilitate account creation.
This unprecedented leak maps APT35’s entire value chain—from strategic planning and administrative management to cutting-edge exploit development and large-scale data theft.
The IRGC-linked actor demonstrates strategic patience through sustained, multi-year access; technical prowess via custom RATs and EDR evasion; and operational breadth spanning simultaneous campaigns in six countries.
The compromise of legal and government entities not only illuminates Iran’s regional intelligence ambitions but also underscores the acute supply-chain and national security risks posed by state-aligned cyber-espionage groups.
Continuous monitoring and rapid patching of disclosed vulnerabilities remain imperative to mitigate this evolving threat landscape.