APT35 Leak Reveals Spreadsheets Containing Domains, Payments, and…
Charming Kitten, the Iranian cyber unit widely referred to as APT35, has long lived under the shadow of being a noisy but relatively unsophisticated actor. Critics chalked them up as a politically motivated crew that leaned on recycled phishing templates and credential-harvesting pages. The fourth intelligence dump in Episode 4, however, forces a reconsideration of that narrative. What emerges from the data is not merely a loose collective of hackers but a disciplined operation that resembles a government department with clearly defined roles, budgets, and workflows. This is the kind of revelation that reshapes defensive strategy and changes how the cybersecurity community assesses threat actors tied to the Iranian state. The leaked spreadsheets—containing domains, payments, and server information—offer a rare, granular look at what an advanced, state-backed entity can orchestrate when it aligns with national priorities. In this LegacyWire investigation, we will dissect what Episode 4 shows, how the data shifts attribution, and what defenders can learn from a dataset that looks more like internal invoices and infrastructure maps than a random set of attack fragments.
The post APT35 Leak Reveals Spreadsheets Containing Domains, Payments, and Server Information appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
What is APT35 and Charming Kitten?
Charming Kitten, the group behind the APT35 designation, has long been characterized in threat reports as a state-aligned operator with a penchant for tailored spear-phishing and credential theft. Their campaigns have commonly targeted academia, political organizations, non-governmental organizations, media outlets, and individuals with access to sensitive information. The reputation rested on countless lower-skill phishing pages and credential-harvesting sites that collected user credentials for later use. Yet Episode 4’s revelations move the discussion away from a generic “hacktivist” or “hacktivist-adjacent” misperception toward recognizing a structured, state-sponsored workflow with a measurable operational cadence.
The leaked material hints at a domestic funding stream, formal project management, and a tiered internal structure that mirrors government procurement and program-management practices. Analysts are now cross-referencing these spreadsheets with known campaigns, uncovering overlaps in infrastructure, payment cycles, and asset reuse that point to a mature, recurring operation rather than a one-off collection of opportunistic intrusions. In practical terms, the data signals that APT35 is less “loose-knit gang” and more “state-backed program,” with a governance overlay that elevates its persistence and reach.
Inside Episode 4: The Spreadsheets You Need to See
Episode 4 introduces a dataset that reads like a cross between an enterprise IT asset inventory and a covert operations ledger. The documents detail a spectrum of domains, associated payments, and server information that together outline an ecosystem of tools, routes, and financial arrangements. For defenders, this is a goldmine of indicators of compromise (IOCs) and behavioral patterns. For policymakers and researchers, the dataset provides a rare lens into how a state-backed actor configures its digital infrastructure, allocates resources, and manages relationships with external vendors or front organizations.
Domains and Infrastructure
One of the most consequential parts of the leak is the compiled list of domains linked to phishing pages, command-and-control (C2) endpoints, and hosting services. These domains are not random; they reflect staging areas, credential portals, and distribution points that an operator would reuse across campaigns. Several entries reveal a consistent choice of hosting providers and registrar patterns that suggest centralized procurement decisions, possibly under a security budget that requires accountability and traceability. For defenders, the takeaway is clear: map these domains against historical campaigns, integrate them into threat intel platforms, and use them to tune email filters, URL checks, and sandboxing policies. The presence of collateral domains used for lookalike sites also underscores the importance of brand-based research and takedown coordination to disrupt credential harvesting pipelines early in the attack chain.
Beyond active infrastructure, the dataset shows metadata such as domain registration dates, SSL cert lifespans, and apparent proxying arrangements. These details hint at operational hygiene practices: long-lived certificates on some pages, short-lived ones on others, and a mix of direct hosting with third-party content delivery networks (CDNs). Interpreting these patterns helps security teams anticipate outages, understand redundancy plans, and forecast potential fallback routes if primary domains are taken offline by defenders or law enforcement.
Payments and the Operational Economy
The second pillar of the Episode 4 dump is the ledger-like presentation of payments tied to specific campaigns, operatives, or purchasing channels. The presence of payment records—whether annotated with campaign names, asset types, or delivery timelines—offers a rare glimpse into the economic side of a state-backed operation. It is a stark reminder that cyber operations, even those focusing on information gathering or disruption, rely on a measured financial flow. Budgets are allocated to exploit development, infrastructure maintenance, credential access, translation for tailored lures, and even the recruitment or outsourcing of auxiliary roles.
From a defensive standpoint, the financial trail can be as revealing as the technical one. Large or irregular payments may indicate contracting with external vendors, third-party services, or even front companies designed to obfuscate the true ownership of assets. Security teams should therefore cross-check payment metadata with procurement records, vendor registries, and public tenders when possible. Audits and governance measures, especially in organizations that operate within sensitive sectors, benefit from understanding not just the “how” of an intrusion but the “who funds the activity” behind it. The data suggests a level of financial discipline that is unusual for opportunistic criminals and more aligned with structured program management.
In practice, that means threat intel teams should add “payment flow anomalies” to their dashboards, watch for unusual vendor names in supplier registries, and look for clusters of activity around specific campaigns that correlate with payment bursts. The presence of payment traces across the Episode 4 data implies a governance mechanism—perhaps a project management office for cybersecurity operations—that we rarely see from purely criminal enterprises. This is the kind of insight that reframes the risk picture for enterprise security teams and for national cyber defense authorities alike.
Server Information and Tooling
Another key slice of the Episode 4 leak delves into server information and the toolkit used by the actors. The compilation includes server hostnames, IP ranges, hosting locations, and, in some cases, the software stacks deployed on those servers. Observers can detect patterns such as preferred operating systems, remote management interfaces, and commonly exploited software versions. The data also reveals choices around tooling—whether the operator leaned on phishing-as-a-service platforms, credential-stuffing workflows, or bespoke malware implants—and how those tools evolve between campaigns.
This aspect offers direct benefits for defenders: it helps identify the likely attack surface, reveals which security controls are most tested by attackers, and suggests where to harden defenses. If a particular server or tooling family appears across multiple campaigns, incident responders can implement targeted monitoring, apply version-specific patches, and simulate attacker techniques in tabletop exercises to improve detection coverage. The Episode 4 data also underscores the importance of alias management and hosting continuity planning: if a core infrastructure is compromised, the operators’ ability to pivot quickly to alternative servers can determine the difference between a breach that’s contained and one that expands into a broader intrusion.
From Hackers to State Actors: Reframing Attribution
The conventional wisdom around APT35 has often leaned toward “a capable hacking group with political motives.” Episode 4 challenges that simplification by presenting a curated data set that aligns with governance patterns more typical of a state-controlled program. In other words, the leak invites the cybersecurity community to reconsider attribution in a nuanced, evidence-based way. The dataset doesn’t just show a set of techniques and tools; it hints at organizational structure, budgetary oversight, and a degree of strategic planning that resonates with what we know about state-sponsored cyber operations globally.
Why the Data Suggests a Government Department
Several indicators in the Episode 4 leak point toward a more centralized, official-operational model. First, the breadth of campaigns and the reuse of collateral across campaigns are more consistent with a managed program than a loosely connected set of freelance actors. Second, the presence of a documented payment chain implies a formal budgeting process and accountability that is rarely visible in purely criminal enterprises. Third, the existence of a well-executed infrastructure map—domains, servers, and control points that demonstrate continuity across campaigns—mirrors the governance and project-tracking practices we associate with state projects or contracted defense programs.
It is not unusual for credible threat intelligence to reclassify certain actors as state-aligned after deeper data disclosures. In the case of APT35, Episode 4’s granular artifacts—such as the clustering of infrastructure use, the formalized procurement traces, and the internal naming conventions—bolster the argument that Charming Kitten operates with a level of persistence and strategic alignment that goes beyond opportunistic exploitation. This does not erase the human elements—the ingenuity of operators, the social-engineering savvy—but it adds a crucial layer: the structural discipline that strong state-backed campaigns typically exhibit.
What It Means for the Threat Landscape
For security teams, the implications are concrete. Attribution matters; when analysts recognize a state-backed pattern, defensive postures can shift from reactive containment to proactive fortification. Organizations that previously relied on generic phishing defenses may need to elevate to intelligence-informed controls: domain allowlists and blocklists tuned to the attacker’s infrastructure, sandboxing tuned to expected payloads, and user training that emphasizes the social engineering patterns revealed in Episode 4. National cybersecurity authorities may also reassess threat advisories and resource allocations, prioritizing the sectors that appear most frequently in Charming Kitten’s campaigns—education, think tanks, NGOs, and media organizations—alongside critical infrastructure providers.
In the broader regional context, this development feeds into a more robust understanding of the Iranian cyber program’s ambitions. The leak’s data suggests a capability for sustained, cross-campaign activity, with a willingness to engage in seemingly mundane operational tasks (like domain registration and payment processing) to support more technical intrusions. For policymakers and defense planners, Episode 4 adds urgency to strengthening international norms, promoting information-sharing alliances, and investing in incident response collaborations that can disrupt or degrade a state-backed threat actor’s ability to sustain campaigns over time.
Defensive Takeaways for Businesses and Individuals
- Strengthen email defenses and credential protection: The phishing templates associated with APT35-like actors remain a primary attack vector. Layered defenses—advanced phishing detection, phishing-resistant MFA, and rapid credential breach alerts—can dramatically reduce success rates. Regular phishing simulations help employees recognize the telltale signs of lookalike domains and credential harvesting pages uncovered in the Episode 4 data.
- Expand domain risk intelligence: Build a dynamic watchlist from the leaked domains and related infrastructure, then feed it into security information and event management (SIEM) systems and extended detection and response (XDR) platforms. Proactive monitoring can catch early-stage activity tied to the same infrastructure family visible in the dataset.
- Audit and harden external-facing assets: Servers exposed to the internet, misconfigured remote access tools, and unpatched software are common accelerants. The Episode 4 server information highlights the importance of prompt patching, strict access controls, and routine configuration reviews for web servers and VPN endpoints.
- Enforce robust access controls and segmentation: Network segmentation and least-privilege access limit the blast radius if an initial foothold occurs. For organizations with sensitive data, isolating critical assets behind stronger controls and monitoring lateral movement becomes even more essential in the wake of such disclosures.
- Institute financial governance for cyber operations: The payments data suggests there is a financial dimension to operations. Organizations should maintain clear procurement records for security services, verify vendor legitimacy, and watch for unusual payout patterns that could indicate sponsored activity or misappropriated funds.
- Adopt threat-informed defense: Use the granular data from Episode 4 to tailor detection rules to specific attacker behaviors: timing patterns, payload lifecycles, and the reuse of particular domain-hosting ecosystems. This approach raises the bar against persistent intrusions.
- Plan for resilience and response: Run tabletop exercises that simulate a Charming Kitten-like intrusion scenario, emphasizing domain takedowns, rapid containment, and cross-team communication. Practice coordination with CERTs or national cyber centers to accelerate incident response in the unlikely event of a real-world incident.
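The domain-mapping advice in the infrastructure section and the watchlist-to-SIEM step above can be made concrete with a small script. This is an added example written for this article, not code from the leak, from LegacyWire or from GBHackers; the spreadsheet rows, brand names and proxy log lines are constructed stand-ins, and the log format (`timestamp src_ip host status`) is an assumption.

```python
import csv
import io
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed stand-in for a leaked domain sheet. These rows are invented for
# the example; none of them are values from the Episode 4 data.
LEAK_CSV = """domain,registrar,host,registered,cert_days
login-northbridge-institute.org,RegA,HostX,2023-02-11,90
northbridge-lnstitute.org,RegA,HostX,2023-02-12,365
mail-verify-globaldesk-news.com,RegA,HostX,2023-05-03,90
secure-docs-share.net,RegB,HostY,2023-06-20,30
"""

# Constructed list of brand labels the defender protects (assumed, not from the page).
PROTECTED_BRANDS = ["northbridge-institute", "globaldesk-news"]

# Constructed proxy log sample in the assumed "<ts> <src_ip> <host> <status>" format.
PROXY_LOG = [
    "2024-01-09T10:02:11Z 10.0.4.21 northbridge-lnstitute.org 200",
    "2024-01-09T10:02:15Z 10.0.4.21 www.example.com 200",
    "2024-01-09T10:05:40Z 10.0.7.3 secure-docs-share.net 302",
]


def parse_leak(csv_text):
    """Parse the spreadsheet export into dicts; cert_days becomes an int."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["cert_days"] = int(r["cert_days"])
    return rows


def procurement_clusters(rows):
    """Group domains by (registrar, host). Repeated pairs are the centralized
    procurement pattern the article says the domain sheet exhibits."""
    clusters = defaultdict(list)
    for r in rows:
        clusters[(r["registrar"], r["host"])].append(r["domain"])
    return dict(clusters)


def _sld(domain):
    """Second-level label: 'northbridge-lnstitute' for 'northbridge-lnstitute.org'."""
    return domain.split(".")[-2]


def lookalike_matches(rows, brands, threshold=0.85):
    """Flag domains that embed a protected brand label or closely resemble it
    (e.g. 'l' swapped for 'i'); returns (domain, brand) pairs."""
    hits = []
    for r in rows:
        label = _sld(r["domain"])
        for brand in brands:
            if brand in label or SequenceMatcher(None, label, brand).ratio() >= threshold:
                hits.append((r["domain"], brand))
                break
    return hits


def build_watchlist(rows):
    """Lower-cased set of leaked domains, ready to load into a SIEM lookup."""
    return {r["domain"].lower() for r in rows}


def match_proxy_log(watchlist, log_lines):
    """Return (timestamp, src_ip, host) for proxy lines whose host is watchlisted."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2].lower() in watchlist:
            hits.append((parts[0], parts[1], parts[2].lower()))
    return hits
```

The same watchlist set can be exported as a lookup table for the SIEM or XDR platform, with `match_proxy_log` serving as the reference logic for the detection rule.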
Temporal Context: Why Now and What Comes Next
The timing of Episode 4’s release matters. In an era of rapid geopolitical shifts and evolving threat landscapes, data-driven insights into state-backed cyber operations carry more weight than ever. The leak arrives amid heightened attention to Iranian cyber activity across multiple sectors and international borders. It also aligns with a broader pattern: threat actors tied to nation-states increasingly reveal the internal mechanics of their operations through leaks, indictments, or joint disclosures. Such disclosures give defenders a clearer map of the attack surface and a better sense of where to invest defensive resources.
From a trends perspective, experts note that the past few years have seen a gradual but meaningful intensification of targeted campaigns against sectors that handle policy, research, and public discourse. The Episode 4 data, with its emphasis on domains, payments, and server details, helps validate that direction: the attackers are not merely looking for quick wins but are building and maintaining a durable framework that supports ongoing intelligence collection and influence operations. For organizations, that translates into a need for sustained vigilance, regular updates to threat models, and a willingness to adapt defenses as the threat actor’s infrastructure evolves.
Technical Outlook: Attack Surfaces, Tactics, and Defenses
What Episode 4 contributes beyond the narrative is a more precise sketch of the attack surface and the tactics employed by a state-associated actor. The data points to several enduring patterns that defenders can operationalize today:
- Phishing-centric initial access: The datasets underscore repeated use of phishing portals and credential harvesters, coupled with lookalike domains. Continuous enhancement of user education and email-filtering policies remains critical to thwart these efforts.
- Credential-focused playbooks: Because credential harvesting remains central to extraction of value, multifactor authentication and phishing-resistant MFA implementations should be prioritized across all user roles, especially those with access to sensitive information.
- Infrastructure persistence: The recurrent use of certain domains and server stacks signals a preference for stable, long-lived platforms. Defenders should monitor for the re-emergence of familiar infrastructure families and ensure rapid remediation when a domain or server is identified as compromised.
- Financial and operational governance: The economic layer hints at a formalized approach to resource management. Organizations should consider security budgeting and procurement controls as integral elements of risk management, not as afterthought governance.
- Web and network hardening: Given the server information component, hardening web services, enforcing strict TLS configurations, and auditing peripheral services (such as CDNs) can cut down on exposure to ongoing campaigns.
For practitioners, the pragmatic path forward is to translate these insights into concrete controls and alerts. It means updating playbooks to incorporate the latest indicators, refining detection pipelines to recognize attacker-stage patterns, and conducting regular validation exercises to ensure teams respond promptly to indicators associated with the Episode 4 dataset.
Conclusion
The Episode 4 leak reframes APT35’s reputation from a noisy, unsophisticated actor to a more sophisticated, state-affiliated operation with a governance-like structure. The spreadsheets—detailing domains, payments, and server information—do more than catalog artifacts; they illuminate the organization’s workflows, resource allocation, and strategic priorities. For defenders, the implication is clear: treat this as a legitimate model of a state-backed cyber program and adjust defenses accordingly. For policymakers and researchers, the data provides a blueprint for collaboration, accountability, and intelligence sharing that can help mitigate risk on a broader scale. The title of this chapter is not merely a curiosity; it is a cautionary signal about the evolving nature of cyber threats. As the threat landscape continues to unfold, Episode 4 reminds us that the line between hacker and state operator is increasingly blurred, and the most effective defense will be one built on thorough, evidence-based understanding rather than assumption.
FAQ
- What does APT35 stand for, and who is Charming Kitten? APT35 is the designation used by security researchers for the Iranian cyber unit known as Charming Kitten. The group has been associated with targeted campaigns across academia, politics, and media, and it is widely considered to be state-aligned. The Episode 4 leak adds nuance by highlighting a governance-like structure behind the actor’s activities.
- What is the significance of the spreadsheets in Episode 4? The spreadsheets provide granular data about domains, payments, and server information, offering a rare, inside look at the operational backbone of a state-backed cyber program. This information helps analysts map infrastructure, track campaign lifecycles, and understand the actor’s financial and logistical workflows.
- How should organizations respond to these revelations? Organizations should bolster phishing defenses, deploy stronger MFA, monitor related domains, audit external-facing infrastructure, and adopt threat-informed defense strategies. Collaboration with national CERTs and threat intel networks can amplify protective actions and accelerate incident response.
- Does this mean APT35 is more dangerous now? The data suggests a transition from a perception of “noisy but unsophisticated” to recognizing a more disciplined, state-supported operation. This raises the threat level for targeted sectors and underscores the need for robust, proactive defensive measures.
- What should researchers watch for next? Researchers should watch for continued data dumps that reveal governance structures, payment workflows, or new infrastructure clusters. Cross-referencing these patterns with historical campaigns can improve attribution accuracy and enhance predictive defense capabilities.
- How does this change attribution practices in cybersecurity? It reinforces the importance of evidence-based attribution that weighs infrastructure, procurement traces, and organizational patterns alongside techniques and toolsets. A holistic view reduces reliance on surface-level indicators and strengthens threat modeling.