The Accounting of Intrusion: How the “Episode 4” Leak Exposed APT35’s Bureaucratic Machine
The leak of a fourth episode linked to the APT35 hacking group—also known as Charming Kitten—dramatically reshapes perceptions of the organization. In the previous three installments, meticulously analyzed by researcher Nariman Gharib, attention centered on the group’s internal structure, including separate male and female hacking teams and even approximate compensation levels for operators. The latest tranche of disclosures continues this trajectory, shifting focus to accounting records, infrastructure management, and the logistics underpinning cyber operations.
The released files reveal how a state-backed entity disguises itself as an informal hacker collective. Instead of exploit code, the archives contain Excel spreadsheets listing servers, credentials, cryptocurrency payments, and VPS rental orders. At the heart of this system lies not creativity, but bookkeeping. Every action is validated by a ticket, a price, a date, and an order number. The entire apparatus is built around internal auditability—indistinguishable from a conventional government agency, except that the “goods and services” consist of cyber-espionage infrastructure.
APT35’s self-exposure stemmed from its own negligence. After the breach, operators neither rotated passwords nor revoked access to the exposed servers and accounts, leaving portions of the infrastructure live for weeks. This carelessness highlights a striking duality within Charming Kitten: rigorous discipline at the process level, paired with a blatant disregard for basic security hygiene.
Among the most revealing discoveries is a spreadsheet detailing payment activity via the Cryptomus platform. It documents dozens of transactions ranging from €12 to €18, executed under fictitious names through pseudo-European accounts. Each payment corresponds to an internal request, and the entire scheme is designed to evade financial oversight. The absence of large transfers and the uniformity of transactions create the appearance of routine purchases by ordinary users.
The most consequential insight emerges from the link between Charming Kitten and another Iranian cyber entity—Moses Staff. Long regarded as an independent hacktivist collective operating under ideological banners, Moses Staff is now revealed, through data from the fourth episode, to be driven by the same administrative machinery as APT35. Domain and account lists repeatedly surface moses-staff.io, while identical ProtonMail accounts appear across both Charming Kitten records and Moses Staff infrastructure.
It becomes clear that data leaks from Israeli companies, destructive attacks, and propagandistic manifestos were not the product of spontaneous radical activism, but of carefully planned operations managed as routine projects. Individuals, domains, payments, and servers are tracked within a unified registry, with every step recorded using standardized templates. Even details such as consistent pricing ranges and recurring European hosting providers point to a finely tuned supply chain.
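The two analytical moves the leak made possible, flagging the small uniform payments described above and pivoting on identifiers shared between the Charming Kitten and Moses Staff records, are shown below in an added example. This is illustrative code written for this article, not the leaked spreadsheets, Nariman Gharib's tooling, or anything from the group itself. The ledger is constructed: every alias, e-mail address and hostname other than moses-staff.io is an invented placeholder, and the column names are assumptions about how such a spreadsheet might be exported.

```python
"""Pivoting on shared identifiers and payment patterns in a leaked ledger.

Added example written for this article; not code from the leak, from Nariman
Gharib's analysis, or from the article's author. LEDGER_CSV is constructed:
aliases, mailboxes and hostnames (except moses-staff.io) are placeholders, and
the column layout is an assumption.
"""
import csv
import io
from collections import defaultdict
from statistics import pstdev

# Constructed ledger in the shape of an exported spreadsheet (assumed columns).
LEDGER_CSV = """\
ticket,date,project,payer_alias,contact_email,domain,amount_eur
T-0101,2023-03-02,charming-kitten,Hans Weber,alpha.ops@pm.example,mail-secure-login.test,14.00
T-0102,2023-03-02,charming-kitten,Hans Weber,alpha.ops@pm.example,account-verify-center.test,12.50
T-0103,2023-03-09,charming-kitten,Lukas Brandt,alpha.ops@pm.example,mail-secure-login.test,14.00
T-0104,2023-03-15,charming-kitten,Marta Kowalski,beta.ops@pm.example,docs-share-portal.test,17.00
T-0105,2023-03-20,charming-kitten,Hans Weber,alpha.ops@pm.example,moses-staff.io,16.00
T-0201,2023-04-01,moses-staff,Piet de Vries,alpha.ops@pm.example,moses-staff.io,15.00
T-0202,2023-04-01,moses-staff,Piet de Vries,gamma.ops@pm.example,moses-staff.io,15.00
T-0203,2023-04-20,moses-staff,Jonas Lind,beta.ops@pm.example,leaks-mirror-site.test,12.00
T-0301,2023-04-22,unrelated-vendor,Real Customer,customer@corp.example,corp.example,240.00
"""


def parse_ledger(text):
    """Parse the CSV export into dict rows with a numeric amount."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount_eur"] = float(row["amount_eur"])
    return rows


def shared_identifiers(rows, project_a, project_b,
                       fields=("contact_email", "domain", "payer_alias")):
    """Indicators that occur in the records of both projects, per field.

    This is the attribution pivot: the same contact mailbox or the same
    domain surfacing under two different operational 'brands'.
    """
    seen = {project_a: defaultdict(set), project_b: defaultdict(set)}
    for row in rows:
        bucket = seen.get(row["project"])
        if bucket is None:
            continue  # records of other projects do not take part in the pivot
        for field in fields:
            bucket[field].add(row[field])
    return {field: sorted(seen[project_a][field] & seen[project_b][field])
            for field in fields}


def alias_reuse(rows, min_aliases=2):
    """Contact mailboxes that sit behind two or more payer aliases.

    Fictitious payer names rotate, but the mailbox receiving the order
    confirmation is the stable key that ties them together.
    """
    aliases = defaultdict(set)
    for row in rows:
        aliases[row["contact_email"]].add(row["payer_alias"])
    return {email: sorted(names) for email, names in aliases.items()
            if len(names) >= min_aliases}


def payment_profile(rows, low=12.0, high=18.0):
    """Per project: (payment count, payments inside [low, high], population stdev).

    A long run of payments inside a narrow band with a small spread is the
    'routine purchases by ordinary users' pattern the article describes.
    """
    amounts = defaultdict(list)
    for row in rows:
        amounts[row["project"]].append(row["amount_eur"])
    return {project: (len(vals),
                      sum(low <= v <= high for v in vals),
                      round(pstdev(vals), 2))
            for project, vals in amounts.items()}


def main():
    rows = parse_ledger(LEDGER_CSV)
    print("shared between charming-kitten and moses-staff:")
    for field, values in shared_identifiers(rows, "charming-kitten", "moses-staff").items():
        print(f"  {field}: {values}")
    print("contact mailboxes behind several aliases:")
    for email, names in alias_reuse(rows).items():
        print(f"  {email}: {names}")
    print("payment profile (count, in 12-18 EUR band, stdev):")
    for project, stats in payment_profile(rows).items():
        print(f"  {project}: {stats}")


if __name__ == "__main__":
    main()
```

Run it as a script to see the three reports. The contact mailbox is treated as the linking key rather than the payer alias because, in the constructed ledger as in the leak, the aliases are disposable while the mailbox is reused across orders and across projects; the unrelated-vendor row is there to show that a genuine one-off purchase does not match either pattern.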
These files do more than lift the curtain on APT35’s internal workings; they illustrate how cyber conflict is structured around a subscription-like model. Every breach, phishing page, or command-and-control server is the outcome of a payment, an order, a service renewal. It is this meticulous “accounting of intrusion” that stands as the central revelation of the fourth episode.