Deep Leak: APT35 Hackers’ Payroll, Kashef Surveillance System, and 2004 Nuclear Spy Document Exposed
In the autumn of 2025, files began circulating in the public domain that are attributed to the Iranian hacking group APT35, also known as Charming Kitten. That initial wave of disclosures shed light on the group’s internal structure, its preferred targets, the infrastructure through which it operates, and even the companies and individuals believed to support its activities.
The same dataset has now been supplemented with new materials that shift the discussion from indicators and domains to a far more tangible plane—money, internal databases, and highly sensitive documents. The analyst Nariman Gharib argues that this latest tranche of data reveals three key components.
The first consists of payroll records and financial spreadsheets covering two operator teams: the female unit Aqiq and the male unit Pelak1. The documents list names, bank account numbers, and payments for April–May 2025. The figures vary widely: some operators appear to receive roughly $150–220 per month, while others are paid far less, suggesting differences in rank or irregular involvement. Such leaks are valuable not only for attribution, but also for tracing payment chains and intermediaries through which funds may have flowed.
The second component is additional video footage of the “Kashef” system, previously described by Gharib as a surveillance platform. The interface shown appears to aggregate data from multiple branches of the IRGC’s intelligence apparatus into unified profiles, enabling searches across several departmental databases at once. Visible datasets include records of foreign travel, dual citizenship, overseas education, border crossings, and visits to diplomatic facilities in Tehran.
For these visits, the system logs entry and exit times, transportation details, license plate numbers, and internal annotations. It also maintains expanded personal profiles—passport information, contact details, profession, education, family ties, and religious affiliation, explicitly distinguishing between Shiites and Sunnis—pointing to the possibility of profiling along confessional lines.
The third revelation adds decades of historical depth. On the personal computer of Abbas Rakhrovi, head of “Department 40” and a figure mentioned in earlier disclosures, investigators reportedly found a classified document dating back to 2004: a letter from Iran’s Ministry of Intelligence addressed to the country’s top military leadership. The letter refers to the acquisition of confidential IAEA materials related to the heavy water program and the Arak facility, including an internal technical report and a list of inspection questions for May 2004. Among the report’s authors is Olli Heinonen, who later became a senior IAEA official for safeguards and a central figure in inspections of Iran’s nuclear program.
Gharib links this discovery to the fact that Heinonen’s name had previously appeared in Department 40 materials as a priority target of interest. Handwritten notes on the letter also reference Ahmad Vahidi and mention Mohsen Fakhrizadeh’s institute, adding further context to how information on nuclear oversight circulated within Iran.
Taken together, this new portion of the dataset illustrates how tightly cyber operations are interwoven with broader intelligence objectives: alongside tools and targets emerge financial trails, internal system interfaces, and documents that were never meant to leave closed, classified environments.