APT35 Internal Documents Leak Exposes State-Sponsored Cyber Espionage Operations Across Middle East and Asia

  • November 24, 2025


In October 2025 the cybersecurity community got something it rarely sees: the operator's side of a state-sponsored cyber espionage program. Thousands of internal documents from APT35, also known as Charming Kitten, were leaked, exposing systematic targeting of governments and businesses across several strategically important regions and showing in detail how this Iranian threat actor runs large-scale intelligence collection campaigns.

The leaked materials, analyzed by DomainTools security researchers, expose not just the technical methods of this cyber intelligence organization but also the bureaucratic structures, performance metrics, and operational procedures behind a modern state-sponsored hacking operation. For defenders, the disclosure is rare, concrete intelligence about how an advanced persistent threat group with nation-state resources actually works.

Understanding APT35: Iran’s Sophisticated Cyber Intelligence Unit

APT35, also known as Charming Kitten, operates as a cyber unit within Iran’s Islamic Revolutionary Guard Corps Intelligence Organization. Unlike independent hackers, this state-sponsored cyber espionage group functions as a formal military intelligence organization with hierarchical command structures, standardized procedures, and quantifiable performance expectations.

The leaked documents reveal APT35 maintains operational characteristics similar to traditional intelligence agencies. Operators work from centralized facilities with badge-in systems, adhere to fixed schedules, and submit detailed reports to supervisors tracking success rates and completed tasks.

This bureaucratic infrastructure supports specialized teams focused on exploit development, credential harvesting, phishing campaigns, and real-time mailbox monitoring. The organizational sophistication indicates significant resource investment, demonstrating that Iranian threat actors view cyber intelligence operations as critical national security components rather than experimental projects.

Geographic Scope: Strategic Targeting Across Critical Regions

Analysis of the leaked APT35 documents reveals systematic targeting spanning multiple strategically important regions. The cyber intelligence operations focused particularly on government ministries, telecommunications companies, customs agencies, and energy sector organizations across Turkey, Lebanon, Kuwait, Saudi Arabia, South Korea, and interestingly, domestic Iranian targets.

This geographic distribution reflects Iran's regional security priorities and intelligence collection requirements. Turkey is a key regional rival and a NATO member hosting critical infrastructure. Lebanon's complex political environment and Iranian influence through Hezbollah create a requirement to monitor potential opposition. Kuwait's and Saudi Arabia's energy sectors and regional leadership roles make them high-value targets for strategic intelligence gathering.

South Korea’s inclusion among targeted nations demonstrates APT35’s global reach extending beyond the immediate Middle Eastern theater. The targeting of domestic Iranian entities suggests internal security monitoring functions—a common practice among authoritarian regimes seeking to identify dissent, monitor opposition groups, and maintain political control through comprehensive surveillance capabilities.

The leaked documents contained annotated target lists with detailed notes indicating which Microsoft Exchange exploitation attempts succeeded, which failed, and the webshell paths used to maintain persistent access to compromised systems. This meticulous record-keeping demonstrates operational discipline and facilitates knowledge transfer between operators while providing management with quantifiable metrics for assessing campaign effectiveness.

The strategic nature of target selection—focusing on government communications, telecommunications infrastructure providing surveillance capabilities, and energy sectors critical to economic leverage—reveals intelligence priorities aligned with Iranian foreign policy objectives rather than opportunistic attacks against whatever targets present themselves.

Microsoft Exchange Exploitation: The Primary Attack Vector

At the technical core of APT35’s cyber intelligence operations lies systematic exploitation of Microsoft Exchange servers through ProxyShell vulnerability chains combined with abuse of Autodiscover and Exchange Web Services (EWS) for extracting valuable intelligence and establishing persistent access to target networks.

Understanding ProxyShell Exploitation Methodology

ProxyShell is a chain of three Microsoft Exchange vulnerabilities (CVE-2021-34473, a pre-authentication path confusion in the Autodiscover front end; CVE-2021-34523, a privilege elevation in the Exchange PowerShell backend; and CVE-2021-31207, a post-authentication arbitrary file write) that, exploited in sequence, gives unauthenticated remote code execution on an unpatched server. Microsoft fixed all three in its April and May 2021 Exchange security updates, so any server still exploitable this way in 2025 has gone years without updates. APT35 weaponized the chain through a coordinated exploitation sequence beginning with reconnaissance scanning to identify vulnerable Exchange servers exposed to the internet.

Once suitable targets are identified, Iranian threat actors deploy webshells disguised as legitimate system files to establish remote command execution capabilities. These webshells, commonly following the naming pattern “m0s.*”, provide interactive command shells that operators access through specially crafted HTTP headers designed to blend with legitimate network traffic and evade detection by security monitoring systems.

The Python-based client tools used by APT35 operators encode commands within the Accept-Language HTTP header and authenticate with static tokens, creating a covert channel that looks like ordinary browser traffic under superficial inspection. The choice is deliberate: Accept-Language is present on almost every browser request, is not among the fields IIS logs by default, and is seldom inspected by security tools. It also leaves a hook for defenders, because a legitimate Accept-Language value is only ever a short list of language tags such as en-US,en;q=0.9, so a value that does not parse as language tags, especially on a POST to an .aspx file, is itself an indicator.
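The two detection hooks this subsection describes, the ProxyShell Autodiscover path confusion and a webshell driven through a non-language Accept-Language value, can both be found in front-end IIS logs. The following is an added example written for this page; it is not one of the leaked APT35 tools and not DomainTools' analysis code. It assumes W3C-format IIS logs from the Exchange front end in which the Accept-Language request header has been added as a custom logging field (IIS 8.5 and later can log arbitrary request headers; the column name cs(Accept-Language) is an assumption), plus a "known good" .aspx baseline that you would generate from a clean install of the same cumulative update. The log lines are constructed, and the base64-looking header value is a placeholder, not the group's real encoding.

```python
"""Flag ProxyShell path confusion and webshell-style requests in IIS W3C logs."""
import re
from urllib.parse import unquote

# ProxyShell (CVE-2021-34473) abuses the Autodiscover front end: an "@" in the
# path plus an Email= parameter pointing back at autodiscover.json makes the
# backend request run in the wrong (privileged) context.
PROXYSHELL_STEM = re.compile(r"/autodiscover/autodiscover\.json.*@", re.I)
PROXYSHELL_QUERY = re.compile(r"email=autodiscover/autodiscover\.json", re.I)

# A legitimate Accept-Language value is a list of RFC 5646 language tags with
# optional q-weights, e.g. "en-US,en;q=0.9,fa;q=0.8". Browsers send nothing else.
LANG_TAG = r"(?:[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
QVAL = r"(?:\s*;\s*q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?"
ACCEPT_LANGUAGE_OK = re.compile(
    "^" + LANG_TAG + QVAL + r"(?:\s*,\s*" + LANG_TAG + QVAL + r")*$"
)

EXCHANGE_DIRS = ("/owa/", "/ecp/", "/aspnet_client/", "/autodiscover/", "/ews/", "/mapi/")
# Assumed baseline of legitimate .aspx pages; build yours from a clean install.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/ecp/default.aspx"}

# Constructed sample log. Field list mirrors IIS W3C format with one custom field.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Accept-Language) sc-status
2025-10-02 08:14:03 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example/owa/ 203.0.113.7 Mozilla/5.0 en-US,en;q=0.9 200
2025-10-02 08:14:09 10.0.0.5 POST /autodiscover/autodiscover.json@x.example/mapi/nspi/ Email=autodiscover/autodiscover.json%3F@x.example 198.51.100.23 python-requests/2.31 - 200
2025-10-02 08:15:41 10.0.0.5 POST /aspnet_client/m0s.aspx - 198.51.100.23 Mozilla/5.0 aGVsbG8gd29ybGQ= 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def classify(rec):
    """Return the list of rule names a single record trips (empty if clean)."""
    hits = []
    stem = unquote(rec.get("cs-uri-stem", "-"))
    query = unquote(rec.get("cs-uri-query", "-"))
    if PROXYSHELL_STEM.search(stem) or PROXYSHELL_QUERY.search(query):
        hits.append("proxyshell_path_confusion")
    low = stem.lower()
    if low.endswith(".aspx") and low.startswith(EXCHANGE_DIRS) and low not in KNOWN_ASPX:
        hits.append("unbaselined_aspx")
    lang = rec.get("cs(Accept-Language)", "-")
    if lang != "-" and not ACCEPT_LANGUAGE_OK.match(lang):
        hits.append("accept_language_not_a_language_tag")
    return hits


def analyze(text):
    """(client ip, uri stem, rule) for every rule hit in the log text."""
    return [(rec["c-ip"], rec["cs-uri-stem"], h) for rec in parse_w3c(text) for h in classify(rec)]


if __name__ == "__main__":
    for ip, stem, rule in analyze(SAMPLE_LOG):
        print(f"{ip} {stem} -> {rule}")
```

On a live server the same rules belong in the SIEM, keyed on the Exchange front-end log source; the language-tag check is the cheap one, since it needs no baseline and fires on any client that is not a browser talking to an .aspx page.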

Credential Harvesting and Lateral Movement

Following initial Microsoft Exchange exploitation and webshell deployment, APT35 executes systematic credential harvesting operations designed to expand access throughout target networks. The group extracts Global Address Lists from compromised Exchange servers, converting employee contact information into structured datasets that serve as foundations for subsequent phishing campaigns.

The leaked documents describe custom-developed tools that establish persistent access and steal additional credentials directly from computer memory using techniques similar to the well-known Mimikatz tool, that is, reading authentication material out of the LSASS process memory. These memory-resident credential theft capabilities enable attackers to capture authentication materials without triggering file-based security scans or requiring users to actively enter passwords.

Harvested credentials undergo immediate validation and reuse across other systems within target networks, facilitating lateral movement that expands the scope of compromise from initial Exchange server footholds to broader organizational infrastructure. Automated scripts documented in the leaked materials validate webshells and extract mailbox contents without human intervention, demonstrating operational capability maturity and scalability.

The entire process follows standardized templates documented in internal playbooks, with quantifiable success metrics recorded in monthly performance reports. This systematic approach to Microsoft Exchange exploitation, credential extraction, and phishing integration illustrates how state-sponsored cyber espionage transforms technical vulnerabilities into sustainable intelligence collection operations measured by concrete outputs rather than opportunistic results.
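The validation step described above has a distinctive shape in authentication logs: one source tries many different accounts in a short span, and the successes tell the attacker (and you) which harvested credentials are good. The following is an added example written for this page, not code from the leaked material. It runs over constructed authentication events of the kind you can export from Exchange OWA/EWS or IIS logs, Entra ID sign-in logs, or Windows 4624/4625 events; the column names, the ten-minute window and the five-account threshold are assumptions to tune for your environment.

```python
"""Spot credential validation bursts and the accounts they confirmed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: how quickly a harvested list is replayed
DISTINCT_ACCOUNTS = 5            # assumed: distinct accounts per source that is abnormal

# Constructed sample: one legitimate user, one source replaying a harvested list,
# and one source that tries a few accounts but stays under the threshold.
SAMPLE_AUTH_LOG = """\
timestamp,account,src_ip,outcome
2025-10-02T09:00:01,alice,203.0.113.7,success
2025-10-02T09:05:12,alice,203.0.113.7,success
2025-10-02T09:10:00,alice,198.51.100.23,success
2025-10-02T09:10:20,bob,198.51.100.23,failure
2025-10-02T09:11:05,carol,198.51.100.23,success
2025-10-02T09:12:40,dave,198.51.100.23,failure
2025-10-02T09:13:15,erin,198.51.100.23,failure
2025-10-02T09:15:59,frank,198.51.100.23,success
2025-10-02T09:30:00,bob,192.0.2.44,failure
2025-10-02T09:31:00,carol,192.0.2.44,failure
2025-10-02T09:32:00,dave,192.0.2.44,success
"""


def parse_events(csv_text):
    """Parse the CSV into (timestamp, account, src_ip, outcome) tuples, time-ordered."""
    events = []
    for line in csv_text.strip().splitlines()[1:]:
        ts, account, src, outcome = (f.strip() for f in line.split(","))
        events.append((datetime.fromisoformat(ts), account.lower(), src, outcome.lower()))
    return sorted(events)


def find_validation_bursts(events, window=WINDOW, threshold=DISTINCT_ACCOUNTS):
    """One source authenticating as many different accounts inside the window,
    success or failure, is someone checking which stolen credentials still work.
    Returns {src_ip: (window_start, trigger_time, sorted accounts seen)}."""
    recent = defaultdict(deque)   # per source: sliding window of (time, account)
    alerts = {}
    for ts, account, src, _ in events:
        q = recent[src]
        q.append((ts, account))
        while ts - q[0][0] > window:
            q.popleft()
        accounts = {a for _, a in q}
        if len(accounts) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], ts, sorted(accounts))
    return alerts


def validated_accounts(events, alerts):
    """Successful logons from an alerted source: the credentials now known good
    to the attacker, and the accounts to reset first."""
    good = defaultdict(set)
    for _, account, src, outcome in events:
        if src in alerts and outcome == "success":
            good[src].add(account)
    return {src: sorted(accts) for src, accts in good.items()}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_AUTH_LOG)
    bursts = find_validation_bursts(evts)
    for src, (start, end, accts) in bursts.items():
        print(f"{src}: {len(accts)} accounts between {start:%H:%M:%S} and {end:%H:%M:%S}: {accts}")
    print("validated:", validated_accounts(evts, bursts))
```

Counting failures as well as successes is the point: a source that knows five valid passwords for five different people is not a user, and the successes from that source are the list of accounts to reset and the sessions to revoke.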

The Phishing Pipeline: From Stolen Contacts to Compromised Credentials

Once APT35 establishes initial Microsoft Exchange access and extracts employee contact information, operations transition to targeted phishing campaigns designed to harvest additional credentials. The leaked documents reveal sophisticated social engineering tactics optimized for specific target populations.

Unlike mass-market campaigns, APT35’s credential harvesting employs highly targeted approaches informed by stolen contact lists and organizational intelligence. Messages appear to originate from legitimate colleagues, leveraging stolen accounts and authentic context to build trust and encourage credential disclosure.

The phishing infrastructure demonstrates technical sophistication with landing pages replicating authentic login portals and backend systems capturing credentials in real-time. This integration between Microsoft Exchange exploitation, contact extraction, phishing execution, and credential validation represents a mature operational pipeline enabling Iranian threat actors to scale intelligence collection across multiple simultaneous campaigns.

Operational Security Implications for Organizations

The APT35 document leak provides unprecedented visibility into state-sponsored cyber espionage methodologies, offering organizations critical intelligence for strengthening defensive postures against sophisticated threat actors employing similar tactics, techniques, and procedures.

Microsoft Exchange Hardening Requirements

Organizations operating Microsoft Exchange infrastructure face elevated risks from APT35 and similar threat actors systematically exploiting ProxyShell vulnerabilities and abusing legitimate Exchange functionality for intelligence gathering. Immediate defensive priorities include:

Comprehensive vulnerability management ensuring all Exchange servers receive the security updates addressing ProxyShell and related vulnerability chains. The ProxyShell fixes shipped in 2021; a server still exploitable in 2025 is years behind on updates. Exchange Server 2016 and 2019 also reached end of support on October 14, 2025, so servers on those versions must be migrated to Exchange Server Subscription Edition or Exchange Online to keep receiving fixes at all. Organizations must maintain rigorous patch management procedures treating Exchange as critical infrastructure requiring prioritized security attention.

Network segmentation limiting Exchange server exposure to internet-facing networks. Where remote access is required, organizations should implement VPN gateways or zero-trust network access solutions that authenticate users before granting connectivity to email infrastructure rather than directly exposing Exchange to public networks.

Enhanced monitoring for webshell indicators including unusual file creation in Exchange directories, suspicious HTTP headers in web logs, and anomalous authentication patterns suggesting credential theft and reuse. Security operations centers should implement specific detection rules targeting the techniques documented in APT35’s leaked operational guides.
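The "unusual file creation in Exchange directories" check above is simplest as a hash baseline of the web-facing directories, re-taken after every cumulative update and diffed on a schedule. The following is an added example written for this page, not an Exchange or DomainTools tool. Its demo builds a throwaway directory tree that mirrors the real layout (on a server the roots would be %ExchangeInstallPath%FrontEnd\HttpProxy and C:\inetpub\wwwroot) and plants placeholder files; nothing in it is real webshell code, and the extension list is an assumption to extend for your deployment.

```python
"""Baseline the web-facing Exchange directories and diff them for dropped or altered files."""
import hashlib
import tempfile
from pathlib import Path

# Server-side file types worth tracking; static images and scripts are left out.
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".config", ".dll"}


def snapshot(root):
    """{relative posix path: sha256 hex} for every tracked file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS
    }


def diff_snapshots(baseline, current):
    """Added files are the webshell case; modified files are the trojaned-page case."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Take a baseline, simulate a webshell drop and an altered page, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "FrontEnd/HttpProxy/owa/auth").mkdir(parents=True)
        (root / "wwwroot/aspnet_client").mkdir(parents=True)
        logon = root / "FrontEnd/HttpProxy/owa/auth/logon.aspx"
        logon.write_text('<%@ Page Language="C#" %> original logon page (placeholder)')
        (root / "wwwroot/aspnet_client/README.txt").write_text("not a tracked type, ignored")
        baseline = snapshot(root)

        # Simulated post-exploitation: a new .aspx in aspnet_client (the "m0s.*"
        # naming from the leak) and an existing page with content appended.
        (root / "wwwroot/aspnet_client/m0s.aspx").write_text('<%@ Page Language="C#" %> placeholder')
        logon.write_text(logon.read_text() + " <!-- appended content -->")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline off the server, since an attacker with a webshell can rewrite a local one, and treat any hit under aspnet_client or owa\auth as an incident rather than a ticket: there is no legitimate process that drops new .aspx files there between updates.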

Credential Protection Strategies

Given APT35’s systematic credential harvesting capabilities targeting both Exchange servers and endpoint memory, organizations must implement comprehensive credential protection strategies addressing multiple attack vectors:

Multi-factor authentication across all systems, with particular emphasis on Exchange access, VPN connections, and administrative accounts. Two caveats matter here. MFA does nothing against ProxyShell itself, which is exploited before any authentication happens; it protects against reuse of the credentials harvested afterwards. And push- or code-based MFA can still be relayed through the kind of cloned login page this group runs, whereas phishing-resistant methods (FIDO2 security keys or passkeys) bind the credential to the legitimate origin and fail on a lookalike site. Even so, MFA significantly raises the cost of turning stolen passwords into access.

Privileged access management solutions limiting credential exposure by implementing just-in-time administration, session recording, and automated credential rotation that reduces the window of opportunity for credential theft and reuse.

Endpoint protection platforms with memory protection designed to detect and block Mimikatz-style reads of LSASS memory. Windows' own mitigations help here too: LSA Protection (RunAsPPL) stops unsigned code from opening LSASS, and Credential Guard isolates derived credentials so they cannot be dumped from LSASS at all. Advanced endpoint detection and response (EDR) solutions can identify suspicious memory access patterns and credential dumping attempts in real time.

Phishing Resistance Development

The sophisticated phishing capabilities documented in APT35’s leaked materials underscore the importance of comprehensive security awareness training that goes beyond generic warnings about suspicious emails to address specific tactics employed by state-sponsored cyber espionage operations:

Contextual awareness training helping employees recognize targeted phishing attempts that leverage stolen organizational information and appear to originate from legitimate colleagues. Training should emphasize verification procedures for unusual requests involving credentials or sensitive data.

Technical controls including SPF, DKIM, and DMARC (with an enforcing p=reject policy) that keep mail spoofing your own domain out of inboxes and make it harder for attackers to impersonate legitimate senders. They do not address the tactic described above, where messages come from a genuinely compromised colleague account: that mail is authentic and passes all three checks. Lookalike domains also fall outside their scope. They still raise operational costs and cut off the cheapest form of impersonation.

Reporting mechanisms enabling employees to quickly flag suspicious communications to security teams for analysis. Organizations should foster cultures where reporting potential phishing attempts is encouraged and rewarded rather than creating embarrassment or inconvenience for cautious employees.
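Checking that the SPF and DMARC records you publish are actually enforcing is quick to automate; most weak deployments are p=none "monitoring mode" records that were never promoted, or SPF records ending in +all or ~all. The following is an added example written for this page, not from the leaked material. The records are constructed; in use you would fetch them with a DNS client (TXT at the domain and at _dmarc.<domain>). As the paragraph above notes, none of this catches mail from a genuinely compromised colleague account.

```python
"""Assess SPF and DMARC records for the weaknesses that let a domain be spoofed."""

# SPF mechanisms and modifiers that cost a DNS lookup (RFC 7208 limits these to 10).
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample records.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"


def parse_tags(record):
    """'v=DMARC1; p=none; pct=50' -> {'v': 'DMARC1', 'p': 'none', 'pct': '50'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record):
    """List the ways this DMARC record fails to stop spoofing; empty means enforcing."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = t.get("p", "").lower()
    if p != "reject":
        findings.append(f"p={p or 'missing'}: spoofed mail is not rejected")
    sp = t.get("sp", "").lower()
    if sp and sp != "reject":
        findings.append(f"sp={sp}: subdomains can still be spoofed")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']}: policy applied to only part of the mail")
    if "rua" not in t:
        findings.append("no rua: no aggregate reports of who is sending as you")
    return findings


def assess_spf(record):
    """List the ways this SPF record fails to constrain senders; empty means strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"{terms[-1]}: every sender passes SPF")
    elif last == "~all":
        findings.append("~all: softfail only; rely on DMARC p=reject to act on it")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("no terminal all mechanism: unlisted senders get a neutral result")
    lookups = 0
    for term in terms[1:]:
        name = term.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if name in DNS_MECHANISMS or term.lower().startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: over the limit of 10, evaluates to permerror")
    return findings


if __name__ == "__main__":
    for label, rec, fn in [("weak DMARC", WEAK_DMARC, assess_dmarc),
                           ("strong DMARC", STRONG_DMARC, assess_dmarc),
                           ("weak SPF", WEAK_SPF, assess_spf),
                           ("strong SPF", STRONG_SPF, assess_spf)]:
        print(f"{label}: {fn(rec) or 'ok'}")
```

Run it against every domain you send from, including parked ones; an unused domain with no DMARC record is free for an attacker to spoof, and a pct value below 100 or a p=none policy means the spoofed mail is still delivered.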

Threat Intelligence Value of Internal APT Leaks

The APT35 document leak represents an exceptionally rare occurrence where internal operational materials from a state-sponsored cyber espionage group become publicly available. Such disclosures provide immense value to the global cybersecurity community by revealing methodologies, tools, and infrastructure that might otherwise remain obscured behind sophisticated operational security practices.

Security teams can leverage this intelligence to develop specific detection rules targeting APT35 techniques, understand the operational lifecycle from initial reconnaissance through sustained intelligence collection, and recognize indicators of compromise associated with this threat actor. The leaked materials enable proactive hunting for potential compromise indicators that might have gone undetected using generic security monitoring approaches.

However, organizations should recognize that while this disclosure damages APT35’s current operations by exposing tools and infrastructure, sophisticated state-sponsored groups quickly adapt to such setbacks. The resources available to Iranian threat actors enable rapid capability replacement, and the disclosed techniques likely represent only a subset of available methodologies. Defensive strategies must address the underlying vulnerability patterns and attack vectors rather than focusing narrowly on specific tools or infrastructure identified in the leak.

Conclusion: Adapting Defenses to State-Sponsored Threats

The unprecedented APT35 internal document leak illuminates the sophisticated organizational structures, systematic operational procedures, and advanced technical capabilities characterizing modern state-sponsored cyber espionage operations. Organizations across government, telecommunications, energy, and other strategic sectors must recognize that they face determined adversaries backed by nation-state resources employing methodical approaches to intelligence collection rather than opportunistic attacks.

Effective defense requires moving beyond reactive security postures to proactive strategies addressing the complete attack lifecycle from initial reconnaissance through sustained intelligence extraction. Particular attention to Microsoft Exchange security, comprehensive credential protection, sophisticated phishing resistance, and behavioral detection capabilities that identify anomalous activity patterns will prove critical to defending against Iranian threat actors and similar advanced persistent threat groups.

The systematic nature of APT35’s operations—documented performance metrics, standardized playbooks, specialized teams, and bureaucratic oversight—demonstrates that cyber espionage has matured from experimental capabilities into institutionalized programs integrated within national security strategies. Organizations must respond with proportional investments in security capabilities, threat intelligence, and operational discipline that match the sophistication of adversaries they face in an increasingly contested digital environment.