Data breach:
the operations of “Charming Kitten” revealed

Over the years, the group “Charming Kitten” (also APT35, “Phosphorus,” and “Mint Sandstorm”) has established itself as a central pillar of Iran’s offensive cyber apparatus. Affiliated with the Islamic Revolutionary Guard Corps (IRGC), it has long been viewed primarily as a digital intelligence unit focused on espionage and influence operations rather than destructive attacks.

In its early years, the group combined sophisticated phishing, social engineering, and software vulnerability exploitation in long-term operations to infiltrate governmental, academic, media, diplomatic, and civilian targets. Over time, its methods became more refined, with the systematic use of fake identities (journalists, academics, NGOs), the creation of mirror websites, and the deployment of custom-made tools (malware, RATs, bespoke utilities) becoming an integral part of its arsenal.

Until recently, the group’s precise internal structure (team delineation, org chart, mission cycles, and bureaucratic constraints) remained opaque. September 30, 2025 marked a turning point: a large cache of internal documents surfaced on a public platform, revealing for the first time information from the core of Charming Kitten’s operations. These materials indicate the group is no longer confined to purely covert activity; it now operates within a defined framework, with a clear organizational model and formalized processes.

Beyond organizational insights, the leak exposes targeted cyber-attack campaigns across the Middle East. Countries cited among the victim list include Afghanistan, Israel, Jordan, Saudi Arabia, Turkey, and the United Arab Emirates.

Analysis of these internal documents offers a rare window into the group’s decision-making, priorities, internal constraints, and chains of commandbshedding light on the real structure of Iranian cyber operations in the region and marking a significant milestone for anticipating emerging threats.

Obtained information: key components

Attack playbooks and tutorials

• A detailed manual on phishing and credential harvesting.

• A guide to exploiting CVE, with a focus on PHP-CGI, ConnectWise, and Ivanti vulnerabilities.

• Documentation covering post-exploitation and persistence within Information Systems.

Campaign management and internal documents

• Details on employees’ operations, their targets, and their timesheets.

• One-page briefs on active campaigns, roadmaps, and other internal documents related to the progression of “projects.”

Technical data

• The full set of technical artifacts needed to conduct operations: network diagrams, target lists, and vulnerability-scan reports in short, the planning components and essentials required to execute large-scale malicious actions.

Exfiltrated data

• A number of compromised databases and credentials.

• Documents such as a compilation of emails from Afghanistan’s Ministry of Tribal and Border Affairs.

• Information related to Saudi judges and attorneys.

Target lists

• A substantial portion of the documents consists of enumerations of targeted infrastructures and the information collected on them.

All of this data provides a detailed understanding of the group. Four main divisions stand out within this organization:

• Operations Command: Its role is to define high-level objectives, assign campaigns and targets to team leaders, pre-process reports, and manage budgets.
• Project Managers / Team Leaders: There are two of them, primarily responsible for reporting. One oversees offensive operations against Jordan and large-scale exploitation of ConnectWise. The other supervises OSINT campaigns used to obtain preliminary access to systems, as well as the campaign targeting Israel.
• Specialized Operators: Each operator has a relatively specific role.

1. > The first focuses on attacks against Israel, primarily conducting mass scans.
2. > The second, a vulnerability research expert, focuses on identifying CVE in exposed services such as GitLab, WordPress, or Confluence.
3. > The third specializes in creating and maintaining the tools required to conduct operations.
4. > The fourth and final operator focuses on influence campaigns across social media and manages the logistics essential to the success of ongoing missions.

• Generic Operators: They perform all tasks requiring limited technical expertise and handle the routine, lower-level duties assigned by managers and specialists.

Based on this information, a potential workflow can be reconstructed:

• The command assigns an attack campaign project.

• The project manager designates the operators.

• The operators identify exploitable infrastructures, persistence mechanisms within systems, and develop evasion capabilities against existing detection tools.

• Another operator executes the intrusion, and the team leader reports the outcome and next steps to upper management.

The breadth of the group’s attacks documented in the leak makes target profiling complex. Nevertheless, Gatewatcher’s Purple Team identified two major categories of activity:

Campaigns targeting countries and their institutions

This type of operation reflects a long-term intelligence-collection posture against targets strategic to Iran. Most of these offensives combine cyber operations with influence activities.

• Operation shattered mirror (target: Israel, 2023–2024): This offensive resembles the groundwork for an information-influence operation. By gaining access to critical nodes, such as widely used modems or routers, the attackers can observe public network use to conduct mass surveillance. In parallel, commercial websites were also impacted; they represent a key avenue for data collection, notably large volumes of credentials, in support of the same objective. Finally, political opponents of the Israeli government were identified in order to mount phishing campaigns. This last action specifically targeted participants in a conference titled “Israel, a shattered mirror.” It is possible this event was fabricated by Iranian services to assemble political opponents, as no other indicators confirm it occurred. The spear-phishing phase sought to issue fake “entry cards” for attendees. The likely aim was to turn these opponents into unwitting informants.
• Operation desert breach (target: Jordan, 2024–present): This campaign is marked by the compromise of the Ministry of Justice, academic institutions, and legal professionals such as law firms. Most of the activity relies on exploiting a 2012 CVE identifier, CVE-2012-1823. This vulnerability enables remote code execution on applications using PHP-CGI. In addition, persistence is established via web shells. The operation has been successful for APT35, with more than 74 GB of data exfiltrated and a complete mapping of law-firm systems achieved.
• Operation afghan infiltration (target: Afghanistan, 2021)
  This operation specifically targeted Afghan telecommunications systems and government bodies, including the Ministry of Tribal and Border Affairs and the Ministry of Refugees and Repatriation. These ministries are critical intelligence pivots because they enable the identification of citizens’ entries and exits. Combined with the compromise of Afghan telecom services, the operation enabled the exfiltration of emails and internal accounts, ensuring long-term surveillance and persistence inside government systems.

Opportunistic campaigns: operation Swiftstrike

In addition to targeted campaigns, the cell also conducted purely opportunistic operations in 2024. Upon identifying vulnerabilities in ConnectWise and Ivanti products, it launched a campaign against Turkey, Saudi Arabia, Jordan, and the United Arab Emirates. During this offensive, apparently of high interest to Charming Kitten, reconnaissance relied on open-source mass-scanning tools and internet-wide search platforms, such as Shodan and Censys.

In the previous summary table, it is clear that all these attacks rely on network activity and are therefore detectable through the deployment of NDR (Network Detection and Response) probes. The combined use of multiple detection engines enables a true defense-in-depth strategy, capable of stopping attackers as early as the reconnaissance phase.

Attackers who primarily rely on large-scale scanning during their reconnaissance phases are easily detectable by NDR systems, as these activities generate distinct network signals. This early detection enables rapid response and the proactive blocking of potential threats. Even if such scans are carried out through third-party infrastructures, the subsequent exploitation attempts against vulnerable services would still be identified. As a result, the attacker can be stopped at the very beginning of the intrusion chain whereas an EDR (Endpoint Detection and Response) system would only detect the compromise once the endpoint is affected.

Specifically, Gatewatcher’s detection capabilities, through the combined use of its multiple engines, provide comprehensive coverage of the threats described in this analysis.

By continuously monitoring both internal and external network traffic, the NDR identifies abnormal behaviors, enabling the detection and containment of attackers before they can achieve their objectives.

This data leak provides valuable insight into the methods employed by APT35. Beyond the relatively unsophisticated nature of some attacks, these documents offer a clearer understanding of the attackers’ objectives while exposing their operational playbooks. By analyzing their TTPs (Tactics, Techniques, and Procedures), it becomes possible to build an effective, defense-in-depth strategy tailored to this specific threat. Such leaks, with such a high level of operational detail, are rare and invaluable; they must therefore be studied and understood thoroughly to ensure the long-term prevention of cyberattacks.

Annex 1: MITRE ATT&CK® mapping of Charming Kitten based on leaked documents

MITRE ATT&CK® matrix for Charming Kitten’s operational unit

This table outlines the adversary behaviors observed in the leaked intelligence, mapped to the corresponding ATT&CK tactics and techniques.

Annex 2: glossary

• APT (Advanced Persistent Threat): Refers to a group of attackers (often state-sponsored) conducting complex, stealthy, and long-term cyberattacks against a specific target to steal information, sabotage operations, or conduct espionage. APT35 is the name given to the group “Charming Kitten.”
• C2 (Command and Control): Refers to the infrastructure (servers, networks) used by attackers to communicate with compromised systems, send them commands, and exfiltrate data.
• CVE (Common Vulnerabilities and Exposures): A public dictionary listing known cybersecurity vulnerabilities. Each vulnerability receives a unique identifier (e.g., CVE-2012-1823) to facilitate tracking and reference.
• EDR (Endpoint Detection and Response): A security solution that continuously monitors endpoints (computers, servers) to detect threats and respond to them rapidly.
• Phishing: A fraud technique used to obtain sensitive information (usernames, passwords, credit card details) by impersonating a trusted entity via email or other electronic communication channels. Spear phishing is a targeted form of phishing directed at a specific individual or organization.
• SQL Injection: A type of attack that involves inserting malicious SQL code into a query to manipulate a database and gain access to confidential information.
• MITRE ATT&CK®: A publicly accessible knowledge base that catalogs the tactics and techniques of cyber adversaries, based on real-world observations. It is used to model threats and strengthen defensive measures.
• NDR (Network Detection and Response): A security approach that analyzes network traffic to detect malicious or abnormal behavior and respond accordingly.
• OSINT (Open-Source Intelligence): Intelligence gathered from publicly available sources (websites, social networks, publications) to collect information about a target.
• Persistence: A technique used by attackers to maintain access to a compromised system, even after a reboot or update.
• RCE (Remote Code Execution): A vulnerability that allows an attacker to execute arbitrary commands on a remote machine over a network.
• Reverse Shell: A technique where the compromised machine initiates an outbound connection to the attacker, allowing the latter to control the system remotely, often bypassing firewalls that block inbound connections.
• TTPs (Tactics, Techniques, and Procedures): Describes the behavior of a threat actor. Tactics represent the attacker’s objectives, techniques describe how those objectives are achieved, and procedures detail the specific implementations of these techniques.
• Webshell: A malicious script uploaded to a web server by an attacker, enabling remote command execution and persistent access to the compromised server.