APT35 Structure and Espionage Operations with IRGC Links Uncovered

CloudSEK’s TRIAD research team has analyzed what appears to be one of the most detailed leaks of operational materials from Iranian state-sponsored threat group APT35, also known as Charming Kitten, Magic Hound, and Phosphorus.

The dataset, obtained from a GitHub repository, contains over 100 Persian-language internal documents that reveal the group’s personnel rosters, tooling, campaign reports, and infrastructure details, shedding light on its ties to Iran’s Islamic Revolutionary Guard Corps (IRGC).

The leaked archives outline coordinated teams for penetration testing, malware development, social engineering, and infrastructure compromise, confirming operational tradecraft that includes rapid exploitation of CVE-2024-1709 for ConnectWise systems, mass router DNS manipulation, custom Remote Access Trojans with Active Directory integration, and extensive EDR evasion.

Victims span government, legal, academic, aviation, energy, and financial sectors in the Middle East, while targeting priorities also include the US, Singapore, and India.

Personnel and Technical Operations

The leak’s depth exposes individual operators, their time sheets, roles, and specializations. Penetration testers executed SQL injection campaigns against Israeli sites, mass-modem exploitation of GoAhead devices, and DNS server manipulation affecting over 580 devices.
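The mass DNS manipulation described above is a pattern defenders can audit for directly: a compromised router usually announces itself by pointing at resolvers the organisation never configured. The script below is an added example, not part of CloudSEK's report or this article. It parses a constructed inventory of hypothetical device names and resolver settings, compares each resolver against an assumed approved set, and flags anything that deviates, including private addresses that could be an attacker-controlled host inside the network.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory: what each managed router/modem currently reports
# as its upstream DNS resolvers. Device names and addresses are hypothetical.
SAMPLE_INVENTORY = """\
edge-router-01 resolvers=10.0.0.53,10.0.1.53
branch-modem-07 resolvers=10.0.0.53,8.8.8.8
branch-modem-12 resolvers=8.8.8.8
soho-gw-03 resolvers=10.0.0.53,10.0.1.53
soho-gw-05 resolvers=192.168.77.5
"""

# Resolvers the organisation actually operates or has approved (assumption).
# The signal is the deviation from this set, not the reputation of the new address.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


@dataclass(frozen=True)
class Finding:
    device: str
    resolver: str
    reason: str


def parse_inventory(text):
    """Parse 'device resolvers=a,b,c' lines into {device: [resolver, ...]}."""
    devices = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        key, _, value = rest.partition("=")
        if key != "resolvers":
            raise ValueError(f"unexpected field in line: {line!r}")
        devices[name] = [r.strip() for r in value.split(",") if r.strip()]
    return devices


def audit_resolvers(devices, approved):
    """Return a Finding for every resolver that is not on the approved list.

    An unapproved public address is the classic sign of DNS redirection on a
    tampered router; an unapproved private address is flagged too, because an
    attacker-controlled box inside the network would look exactly like that.
    """
    findings = []
    approved_set = {ipaddress.ip_address(a) for a in approved}
    for device, resolvers in devices.items():
        if not resolvers:
            findings.append(Finding(device, "", "no resolvers configured"))
            continue
        for r in resolvers:
            try:
                addr = ipaddress.ip_address(r)
            except ValueError:
                findings.append(Finding(device, r, "unparseable resolver address"))
                continue
            if addr in approved_set:
                continue
            scope = "private" if addr.is_private else "public"
            findings.append(Finding(device, r, f"unapproved {scope} resolver"))
    return findings


if __name__ == "__main__":
    for f in audit_resolvers(parse_inventory(SAMPLE_INVENTORY), APPROVED_RESOLVERS):
        print(f"{f.device}: {f.resolver or '-'} ({f.reason})")
```

In practice the inventory would be pulled from the devices' management interfaces or configuration backups on a schedule, and any finding is worth correlating with the device's change log, since a resolver change nobody requested is one of the cheapest early indicators of the router tampering the report describes.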

Reports document the use of SQLMap, Burp Suite Intruder, Censys, Acunetix, and RouterSploit for automated exploitation.

Malware developers ran “RTM Project,” a custom RAT offering shell access, binary execution switches, AD share enumeration, and system harvesting, tested in a Windows Server 2012 R2 Active Directory lab.

Social engineering campaign managers built phishing infrastructure using Facebook Ads, Twitter, Instagram, Telegram, and Microsoft Ads, with hosting via Cloudflare and Namecheap, and payment facilitation through cryptocurrency and forged documents.

Infrastructure specialists targeted routers, modems, Cisco RV devices, and pfSense firewalls, and deployed data center resources for operations.

Rapid-response teams weaponized CVE-2024-1709 within 24 hours of disclosure, scanning and exploiting systems across Israel, Saudi Arabia, Turkey, Jordan, UAE, and Azerbaijan.

Espionage Impact and Tradecraft

Campaign reports reveal long-term persistence capabilities, including supply-chain pivots, infiltration of the legal sector, and full domain compromises with extended data exfiltration.

One case documented the theft of 74GB of data, encompassing judicial records, defense contracts, civil aviation files, and government communications.

Standard evasion methods included DLL obfuscation and DLL hijacking, as well as bypasses of endpoint security products such as Sophos, Trend Micro, SentinelOne, and CrowdStrike, tested in lab environments.

The targeting of legal portals, such as Qistas and IBLaw, provides Iranian intelligence with insights into regional judicial activity, US operations in the Middle East, and defense contractor relationships.

Backup systems, such as Acronis Cloud, were compromised, allowing for persistent surveillance through stolen CCTV footage, VoIP calls, and email archives.

CloudSEK assesses the leak as highly credible given its linguistic, calendrical, and operational alignment with known APT35 patterns.

The disclosure highlights Iran’s well-organized regional espionage capacity and the national security risk posed by IRGC-affiliated cyber units, which are capable of conducting simultaneous multi-country operations, exhibiting strategic patience, and precisely targeting critical sectors.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders
