OPSEC mistake exposed APT35 hacking operations

Iranian-backed hackers accidentally exposed 40 GB of data including video footage of themselves conducting hacking operations due to a misconfiguration of security settings on a virtual private cloud server.

Because of this mistake, researchers from the IBM X-Force Incident Response Intelligence Services (IRIS) team were able to sneak a peek at the hacking methods of the ITG18 hacker group (aka APT35 or Charming Kitten).

APT35, which has been active since at least 2013, primarily targets individuals and entities of strategic interest to the Iranian government using phishing attacks and email compromise operations.

In May, IRIS discovered the 40 GB of data files being uploaded to a server, monitored by the researchers, that hosted numerous APT35 domains previously observed in other campaigns of the group. The data, which was apparently stolen from victim accounts, including those of US and Greek military personnel, contained nearly five hours of videos showing a hacker “searching through and exfiltrating data from various compromised accounts of a member of U.S. Navy and a personnel officer with nearly two decades of service in Hellenic Navy.” Other clues in the data suggest that APT35 also targeted an Iranian-American philanthropist and officials of the U.S. State Department.

The uncovered videos appear to be training demonstrations on how to handle hacked accounts. They show the hackers accessing compromised Gmail and Yahoo Mail accounts to download their contents, as well as exfiltrating other Google-hosted data from victims.

“In five of the video files, named “AOL.avi”, “Aol Contact.avi”, “Gmail.avi”, “Yahoo.avi”, “Hotmail.avi”, the operator uses a Notepad file containing one credential for each platform, and video-by-video copied and pasted them into the associated website. The operator moved on to demonstrate how to exfiltrate various datasets associated with these platforms including contacts, photos, and associated cloud storage,” the report said.

The attacker then added the hacked accounts to Zimbra, a collaborative platform that includes an email server and a web client, by modifying settings within the security section of each account, which allowed the hacker to monitor and manage various compromised email accounts simultaneously.

Three of the discovered clips revealed that the group had managed to breach a number of accounts associated with an enlisted member of the United States Navy as well as an officer in the Hellenic Navy. Upon gaining access to the accounts, the hacker deleted the notifications sent to them warning of suspicious logins, so as not to alarm the victims.

“Regardless of motivation, mistakes by the ITG18 operator allowed IBM X-Force IRIS to gain valuable insights into how this group might accomplish action on its objectives and otherwise train its operators. IBM X-Force IRIS considers ITG18 a determined threat group with a significant investment in its operations,” the researchers noted.

“The group has shown persistence in its operations and consistent creation of new infrastructure despite multiple public disclosures and broad reporting on its activity.”
