An Insider Look At The IRGC-linked APT35 Operations | CloudSEK

CloudSEK analyzed a leaked dataset of Charming Kitten (APT35) operational materials: Persian-language internal documents, personnel rosters, tooling details, and campaign reports that describe coordinated teams for penetration, malware development, social engineering, infrastructure compromise, and rapid exploitation of CVE-2024-1709 (ConnectWise ScreenConnect). The disclosure documents long-term persistence, Active Directory domination, and extensive exfiltration across government, legal, academic, aviation, energy, and financial sectors in the Middle East and beyond, pointing to IRGC-affiliated organized espionage and supply-chain risk. #CVE-2024-1709 #CharmingKitten

Keypoints

  • CloudSEK’s TRIAD found a GitHub repository allegedly containing 100+ Persian-language internal documents from Charming Kitten (APT35), including timesheets, reports, and operational plans.
  • The leak describes an organized structure with roles for penetration testing, malware development (custom RATs/RTM), social engineering, infrastructure, and management supporting coordinated campaigns.
  • Operators rapidly weaponized CVE-2024-1709 (ConnectWise) within 24 hours and conducted mass modem/router DNS manipulation campaigns (580+ devices) and multi-country scanning.
  • Reported tradecraft includes Active Directory domination, credential harvesting, EDR evasion testing against Sophos, Trend Micro, SentinelOne, and CrowdStrike, supply-chain pivots, and long-term persistence with large-scale exfiltration (74GB+ documented).
  • Targets span government, legal firms (Qistas, IBLaw), education (WISE University), aviation, energy, and financial sectors across Jordan, UAE, Saudi Arabia, Israel, and secondary regions including the USA and Asia.
  • Social engineering infrastructure and ad-driven phishing campaigns were highly developed, with domain purchases, ads (Facebook, Google, X), SMS panels, forged documents, and SIM procurement to support large-scale phishing and smishing.
  • High-confidence indicators in the dataset include Iranian calendar dates, Tehran-aligned operational hours, Persian naming conventions, infrastructure consistent with APT35, and documented personnel and project artifacts.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access via multiple vulnerabilities including “CVE-2024-1709 (ConnectWise), CVE-2019-18935 (Telerik), CVE-2017-11317 (Telerik), CVE-2012-1823 (PHP CGI RCE), CVE-2017-3506 (Oracle WebLogic)”.
  • [T1078] Valid Accounts – Use of harvested credentials for persistence and lateral movement (“Database credentials (MySQL, Oracle)”), alongside [T1136.002] Create Account: Domain Account for the documented “Domain admin account creation”.
  • [T1595.002] Active Scanning: Vulnerability Scanning and [T1059] Command and Scripting Interpreter – Automated scanning and exploitation tooling plus custom scripts (Nuclei templates, RouterScan/RouterSploit auto-exploiters, WPScan, custom exploit automation development).
  • [T1087] Account Discovery and [T1135] Network Share Discovery – Active Directory enumeration and share folder enumeration to map and escalate access (“Active Directory enumeration”, “Share folder enumerator for AD environments”).
  • [T1584.008] Compromise Infrastructure: Network Devices – Mass exploitation of internet-exposed routers, modems, Cisco RV (Small Business) devices, and Starlink equipment, including DNS manipulation on the compromised devices (“Mass modem attack campaign”, “Cisco RV (Small Business) exploitation”); where such devices sit inside a victim network, the lateral-movement mapping is [T1210] Exploitation of Remote Services.
  • [T1027] Obfuscated Files or Information – Obfuscated DLL payloads and binary rewriting to evade detection (“Obfuscated DLL payloads”, “Binary rewrite capabilities”); the “DLL hijacking strategies” map to [T1574] Hijack Execution Flow.
  • [T1074] Data Staged and [T1213] Data from Information Repositories – Organized staging and collection of large datasets including database dumps, CCTV footage, and email archives (“Massive data exfiltration (74GB+ documented)”, “Database dumps via Adminer”, “CCTV footage downloads”). (Not T1486 Data Encrypted for Impact, which covers ransomware-style encryption.)
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Use of cloud backup and file-sharing services to move and retain stolen data (Acronis Cloud backup compromise, NextCloud for file sharing).
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Credential harvesting and browser credential theft, with the harvested credentials reused for lateral movement and access to services (“Credential harvesting”, “Browser credential theft”).
  • [T1566] Phishing – Extensive phishing and social engineering infrastructure using ad platforms, fake e-commerce sites, Telegram channels, SMS panels, and forged documents (“Social media campaign management”, “Phishing infrastructure development”, “SMS panel research and acquisition”).
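The “Domain admin account creation” noted under Valid Accounts above is one of the few tradecraft items in this summary that leaves a crisp, low-noise trail in domain controller telemetry. The following is an added example, not CloudSEK's tooling or anything from the leaked dataset: it correlates Windows Security event 4720 (a user account was created) with event 4728 (a member was added to a security-enabled global group such as Domain Admins) and flags accounts that become privileged within a short window of being created. The event lines are constructed for illustration and use a flattened key=value rendering of the real 4720/4728 field names rather than native EVTX/XML.

```python
"""Detect a freshly created account being added to a privileged AD group.

Added example (not CloudSEK's code): correlate Security event 4720 (account
created) with 4728 (member added to a security-enabled global group) and flag
pairs that land within a configurable window. Sample events are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry. As on real DCs, a 4728 carries the group in
# TargetUserName and the added principal's distinguished name in MemberName.
SAMPLE_EVENTS = [
    "2024-03-02T01:14:07 EventID=4720 SubjectUserName=svc_backup TargetUserName=helpdesk2 TargetDomainName=CORP",
    "2024-03-02T01:15:52 EventID=4728 SubjectUserName=svc_backup MemberName=CN=helpdesk2,CN=Users,DC=corp,DC=local TargetUserName=Domain Admins",
    "2024-03-02T09:30:00 EventID=4720 SubjectUserName=it.admin TargetUserName=jdoe TargetDomainName=CORP",
    "2024-03-02T09:31:10 EventID=4728 SubjectUserName=it.admin MemberName=CN=jdoe,CN=Users,DC=corp,DC=local TargetUserName=Sales",
    "2024-03-05T11:00:00 EventID=4728 SubjectUserName=it.admin MemberName=CN=jdoe,CN=Users,DC=corp,DC=local TargetUserName=Domain Admins",
]

# Groups whose membership grants domain-wide control; tune to the environment.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# key=value pairs whose values may contain spaces ("Domain Admins") and '='
# (DNs): a value runs until the next " Key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'TIMESTAMP key=value ...' into a dict that includes 'timestamp'."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = ts
    return fields


def member_account(member_name: str) -> str:
    """Reduce 'CN=helpdesk2,CN=Users,DC=corp,DC=local' to 'helpdesk2'."""
    first_rdn = member_name.split(",", 1)[0]
    return first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn


def find_new_privileged_accounts(lines: List[str],
                                 window: timedelta = timedelta(minutes=30)) -> List[Dict[str, object]]:
    """Return one record per account created and made privileged within `window`."""
    created: Dict[str, Dict[str, str]] = {}  # account (lower-cased) -> its 4720 fields
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4720":
            created[ev["TargetUserName"].lower()] = ev
        elif ev.get("EventID") == "4728" and ev.get("TargetUserName", "").lower() in PRIVILEGED_GROUPS:
            account = member_account(ev.get("MemberName", "")).lower()
            if account not in created:
                continue  # pre-existing account: still worth a lower-severity alert
            delta = datetime.fromisoformat(ev["timestamp"]) - datetime.fromisoformat(created[account]["timestamp"])
            if timedelta(0) <= delta <= window:
                hits.append({
                    "account": account,
                    "group": ev["TargetUserName"],
                    "created_by": created[account]["SubjectUserName"],
                    "added_by": ev["SubjectUserName"],
                    "delta_seconds": int(delta.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(hit)
```

On the constructed data only `helpdesk2` is flagged: it is created by `svc_backup` and added to Domain Admins 105 seconds later. `jdoe` is added to Domain Admins three days after creation and falls outside the window; most environments would still alert on any addition to Domain Admins, so treat the window as a severity boost rather than a filter. Domain Admins is a global group (4728); Administrators is a local group (4732) and Enterprise Admins is universal (4756), so a production rule should accept all three event IDs.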

Indicators of Compromise

  • [Document Artifacts] Persian-language internal docs and timesheets – example: “HSN2 daily reports (RTM Project folder)”, “MJD daily reports (Majid folder)”.
  • [File Hashes] SHA-1 hashes of report evidence files in the leaked dataset (documents, not malware samples) – example: “02120dcf3b263702028a0441881d339ee4ff8e15”, “4037e9382a99fdd96fe93eb0fd4380eea695bd3a”.
  • [Domains] Phishing/operational domains – example: “aecars.store”, “sunrapid.com (and lydston.com variants)”.
  • [Vulnerabilities] Exploited CVEs – example: “CVE-2024-1709 (ConnectWise)”, “CVE-2019-18935 (Telerik)”.
  • [Tooling/Names] Tool and project names – example: “RTM Project (custom RAT)”, “RouterSploit / RouterScan auto-exploiters”.
  • [Targets/Organizations] Targeted entities and operations – example: “Qistas legal services (complete domain compromise, 74GB+ exfiltrated)”, “WISE University initial access (11,164+ student records)”.
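The domains and hashes above are the indicators a defender can actually sweep for. The following is an added example, not CloudSEK's code: it loads the indicator values quoted in this summary, matches the domains against proxy log lines with a subdomain-aware comparison (so `notaecars.store` does not match `aecars.store`), and matches the SHA-1 values against a file-hash inventory. The proxy lines and the inventory are constructed; the indicator values are the ones listed above. Because the hashes are of report evidence in the leaked dataset, a hash hit means a copy of the leaked material is present on the scanned share, not that malware is.

```python
"""Sweep proxy logs and a file-hash inventory for the indicators quoted above.

Added example (not CloudSEK's code). IOC_DOMAINS and IOC_SHA1_RAW are the
values listed in this summary; SAMPLE_PROXY_LINES and SAMPLE_INVENTORY are
constructed test data.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

IOC_DOMAINS = {"aecars.store", "sunrapid.com", "lydston.com"}
IOC_SHA1_RAW = [
    "02120dcf3b263702028a0441881d339ee4ff8e15",
    "4037e9382a99fdd96fe93eb0fd4380eea695bd3a",
]

# Constructed squid-style access log: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LINES = [
    "1709342401.123 10.0.0.5 GET http://aecars.store/login.php 200",
    "1709342402.456 10.0.0.7 CONNECT https://mail.sunrapid.com:443/ 200",
    "1709342403.789 10.0.0.9 GET https://notaecars.store/ 200",
    "1709342404.000 10.0.0.4 GET https://www.example.com/ 200",
]

# Constructed path -> SHA-1 inventory, as produced by a sha1sum sweep of a share.
SAMPLE_INVENTORY = {
    "/srv/share/leak/report_03.pdf": "02120DCF3B263702028A0441881D339EE4FF8E15",
    "/srv/share/hr/handbook.pdf": "f" * 40,
}


def load_sha1_iocs(values: Iterable[str]) -> Set[str]:
    """Lower-case and validate: a SHA-1 digest is exactly 40 hex digits."""
    out: Set[str] = set()
    for v in values:
        h = v.strip().lower()
        if not re.fullmatch(r"[0-9a-f]{40}", h):
            raise ValueError(f"not a SHA-1 hex digest: {v!r}")
        out.add(h)
    return out


IOC_SHA1 = load_sha1_iocs(IOC_SHA1_RAW)


def normalise_host(host: str) -> str:
    """Lower-case and drop a trailing dot (FQDN form seen in DNS logs)."""
    return host.strip().lower().rstrip(".")


def host_matches(host: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the IoC domain that `host` equals or is a subdomain of, else None.

    The leading-dot check keeps 'notaecars.store' from matching 'aecars.store'.
    """
    h = normalise_host(host)
    for d in iocs:
        d = normalise_host(d)
        if h == d or h.endswith("." + d):
            return d
    return None


PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def scan_proxy_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose URL host matches an IoC domain."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-match
        host = urlsplit(m["url"]).hostname or ""  # hostname strips port and case
        ioc = host_matches(host)
        if ioc:
            hits.append({"client": m["client"], "host": host, "ioc": ioc})
    return hits


def scan_hash_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, sha1) for every inventory entry whose digest is an IoC."""
    return [(path, h.lower()) for path, h in inventory.items() if h.lower() in IOC_SHA1]


if __name__ == "__main__":
    for hit in scan_proxy_lines(SAMPLE_PROXY_LINES):
        print("domain hit:", hit)
    for path, digest in scan_hash_inventory(SAMPLE_INVENTORY):
        print("hash hit:", path, digest)
```

Against the constructed data the proxy sweep reports `aecars.store` and `mail.sunrapid.com` and ignores `notaecars.store`; the hash sweep reports only `report_03.pdf`, whose upper-case digest is normalised before comparison. Domain indicators from phishing campaigns rotate quickly, so treat this list as a starting seed and pair it with the registrar and ad-platform patterns the report describes.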


Read more: https://www.cloudsek.com/blog/an-insider-look-at-the-irgc-linked-apt35-operations