APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey, Saudi Arabia, Korea, and Domestic Iranian Targets

Nov. 24, 2025, 9:46 a.m.

Description

An internal leak from APT35 (Charming Kitten) reveals a sophisticated, state-directed cyber-intelligence operation targeting diplomatic, government, and corporate networks in the Middle East and Asia. The documents expose a bureaucratic structure with defined workflows, performance metrics, and specialized teams for exploit development, credential theft, and phishing campaigns. The group's focus on Exchange servers, use of ProxyShell exploits, and persistent mailbox monitoring demonstrate a strategic emphasis on long-term intelligence collection. The leak provides unprecedented insight into Iran's cyber capabilities, showing a mature apparatus that blends technical prowess with military-style oversight.

Date

  • Created: Nov. 22, 2025, 1:38 p.m.
  • Published: Nov. 22, 2025, 1:38 p.m.
  • Modified: Nov. 24, 2025, 9:46 a.m.

Indicators

  • e8da3504dda31fb46cd4b768cb3ca835db9bb9e7

Attack Patterns

  • PowerShort
  • HERV Phishing Kit
  • RAT-2Ac2
  • Magic Hound

Additional Information

  • Energy
  • Telecommunications
  • Government
  • Lebanon
  • Kuwait
  • Korea, Democratic People's Republic of
  • Iran, Islamic Republic of
  • Saudi Arabia
  • Korea, Republic of