Iranian Cyber Group APT35 Had Already Mapped Every Country Bombed in Operation Epic Fury
CloudSEK, a cybersecurity intelligence company, today published a threat intelligence report showing that the Iranian state-sponsored hacking group APT35 (also known as Charming Kitten) had already targeted, reconnoitered, or in several cases compromised the digital infrastructure of every country Iran attacked with ballistic missiles and drones starting February 28, 2026, during Operation Epic Fury.
The report, titled “The Kitten Had the Map All Along,” is based on the KittenBusters intelligence leak and documents a pattern of cyber infiltration that APT35 carried out across Jordan, the UAE, Saudi Arabia, Kuwait, Bahrain, Qatar, and Israel in the years before the strikes began.
According to CloudSEK’s analysis, every one of those countries subsequently struck by Iran had previously appeared in documented APT35 targeting, reconnaissance, or compromise activity.
CloudSEK assesses that the alignment between cyber reconnaissance and later kinetic targeting is too consistent to dismiss as a coincidence.
While the company stops short of claiming conclusive proof of a formal intelligence-to-strike handoff, the report argues that the most likely explanation is that cyber operations helped prepare the battlefield by mapping targets, collecting internal data, and maintaining pre-positioned access across multiple countries before the conflict escalated.
The report identifies APT35, also known as Charming Kitten, Phosphorus, Magic Hound, and Mint Sandstorm, as the central actor in this activity. CloudSEK links the group to the IRGC Intelligence Organisation, Unit 1500, Department 40, and says newly examined leaked material indicates the group maintained visibility into government, aviation, energy, legal, financial, and civilian infrastructure across the region in the years leading up to the current crisis.
Key Findings from the Report
CloudSEK’s research says that Jordan, the UAE, Saudi Arabia, Kuwait, Bahrain, Qatar, and Israel all appeared in prior APT35 cyber activity before becoming part of the regional strike pattern.
Among the report’s most significant findings:
- Jordan was one of the most extensively documented targets, with evidence pointing to prior compromise of the Ministry of Justice and targeting of civil aviation-related infrastructure
- UAE-linked infrastructure, including aviation-related systems and government assets, appears in the leaked data reviewed by CloudSEK
- Saudi government and energy-related entities were previously profiled, with the report pointing to compromised policy-related documents and access tied to sectors of strategic importance
- Kuwait, Bahrain, and Qatar were identified as targets of reconnaissance and operational interest before being drawn into the current conflict environment
- Israel remained a primary focus, with the report citing prior targeting of industrial systems, modems, civilian digital infrastructure, and influence operations.
The report also says the leaked material provides unusually detailed insight into the malware, infrastructure, financial records, and operating patterns of APT35. According to CloudSEK, that includes exposed source code for malware families such as BellaCiao and Sagheb RAT, as well as blockchain-verifiable payment trails and infrastructure records that help unify multiple previously distinct personas under one broader operational umbrella.
CloudSEK further assesses that personas historically tracked separately, including Moses-Staff and Al-Qassam Cyber Fighters, may in fact be financially and operationally linked to the same broader APT35 ecosystem.
Cyber Operations Running in Parallel
Beyond historic targeting, CloudSEK warns that the cyber dimension of the conflict is already active.
The report highlights ongoing or likely cyber operations by multiple Iran-linked or Iran-aligned actors, including:
- Handala Hack, linked in the report to attacks and threats involving Israeli and Jordanian targets
- Cyber Islamic Resistance, associated with destructive and disruptive operations against military and logistics-related entities
- APT35 / Department 40, which CloudSEK says may already be positioned for follow-on disruptive or destructive activity
- APT33 / Elfin, historically associated with attacks on the Saudi energy sector
- CyberAv3ngers, known for prior targeting of internet-exposed industrial control systems
CloudSEK says the immediate risk is not limited to military assets. The company warns that aviation systems, airport operations, ports, financial networks, logistics platforms, telecom, government communications, and industrial control environments may all face heightened exposure as the conflict continues.
Why This Matters
CloudSEK’s central warning is that cyber activity in this conflict should not be viewed as reactive noise or opportunistic hacktivism alone. Instead, the report suggests that pre-conflict cyber collection may have played a strategic role in identifying, understanding, and preparing regional targets well before missiles were launched.
That has serious implications for defenders.
If the report’s assessment is correct, organizations across the Gulf and adjacent geographies may be facing adversaries that already understand their networks, their supply chains, their exposed infrastructure, and in some cases their internal communications or operational dependencies.
Immediate Recommendations
CloudSEK is urging organizations, especially those operating in the GCC, Israel, Jordan, and adjacent sectors supporting regional infrastructure, to take immediate defensive steps, including:
- Patching internet-facing systems affected by known exploited vulnerabilities
- Auditing Exchange, VPN, and web-facing infrastructure for compromise
- Hunting for webshells, suspicious tunneling tools, and malware indicators tied to APT35 activity
- Rotating privileged credentials and auditing administrative access
- Reviewing aviation, energy, telecom, logistics, and industrial environments for abnormal activity
- Blocking known indicators of compromise and validating detection coverage against the malware families referenced in the report
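Three of the steps above (auditing web-facing infrastructure, hunting for webshells, and blocking known indicators) can be driven by one script. The following is an added example written for this article; it is not code from CloudSEK or from the report, and it uses no indicators from the report. The heuristic patterns, weights and threshold are assumptions chosen for illustration, and the web root it scans is a constructed sample built in a temporary directory so the script runs offline. A real run would point `scan_webroot` at the IIS or Exchange virtual directories and pass the report's file hashes as `known_bad_hashes`.

```python
"""Heuristic webshell hunt over a web root (e.g. Exchange/IIS virtual directories).

Added example, not from the CloudSEK report. Patterns and weights are assumptions.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Extensions the web server executes server-side; dropped webshells are
# almost always one of these rather than static assets.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}

# Generic webshell traits (assumed heuristics, not report indicators). Each
# pattern carries a weight; a file is reported once its total reaches
# SCORE_THRESHOLD. Tune the threshold on a known-clean web root first.
INDICATORS = [
    (re.compile(r"\beval\s*\(", re.I), 3),
    (re.compile(r"Request\.(Item|Form|QueryString|Headers)\s*\[", re.I), 2),
    (re.compile(r"System\.Diagnostics\.Process|Process\.Start\s*\(", re.I), 3),
    (re.compile(r"cmd\.exe|/bin/sh|powershell", re.I), 2),
    (re.compile(r"Convert\.FromBase64String|base64_decode", re.I), 1),
    (re.compile(r"\bunsafe\b", re.I), 1),
]
SCORE_THRESHOLD = 4


def sha256_of(path: Path) -> str:
    """Hash the file so findings can be matched against a hash-based IOC list."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def score_file(path: Path) -> tuple[int, list[str]]:
    """Return (score, matched patterns) for one file; unreadable files score 0."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return 0, []
    score, hits = 0, []
    for pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(pattern.pattern)
    return score, hits


def scan_webroot(root: Path, known_bad_hashes: frozenset[str] = frozenset()) -> list[dict]:
    """Walk a web root and report script files that either match a known-bad
    hash (IOC blocking) or exceed the heuristic score (hunting)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        digest = sha256_of(path)
        score, hits = score_file(path)
        if digest in known_bad_hashes or score >= SCORE_THRESHOLD:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "sha256": digest,
                "score": score,
                "hits": hits,
                "ioc_match": digest in known_bad_hashes,
            })
    return findings


# Constructed sample pages for the demonstration; these are not real artefacts.
BENIGN_ASPX = '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n'
SUSPICIOUS_ASPX = (
    '<%@ Page Language="C#" %>\n'
    '<% var p = new System.Diagnostics.Process();\n'
    '   p.StartInfo.FileName = "cmd.exe";\n'
    '   p.StartInfo.Arguments = "/c " + Request.Form["c"];\n'
    '   p.Start(); %>\n'
)


def build_sample_webroot() -> Path:
    """Create a throwaway web root containing one benign and one suspicious page."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    auth = root / "owa" / "auth"
    auth.mkdir(parents=True)
    (auth / "logon.aspx").write_text(BENIGN_ASPX)
    (auth / "helper.aspx").write_text(SUSPICIOUS_ASPX)
    (auth / "style.css").write_text("body { margin: 0 }")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for finding in scan_webroot(sample_root):
        print(f"{finding['path']}  score={finding['score']}  "
              f"sha256={finding['sha256'][:16]}...  hits={finding['hits']}")
```

The hash check and the heuristic scan are kept separate on purpose: a hash match is a high-confidence hit worth blocking and escalating immediately, while a heuristic hit is a lead for a human to triage, since legitimate admin pages can also spawn processes or read request parameters. Pair the output with file creation times and web server access logs for the flagged paths to establish when the file appeared and which client first requested it.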
Caveat and Analytical Position
CloudSEK notes that while several parts of the dataset reviewed in the report are assessed with high confidence, some elements remain only partially independently verified. The company has therefore framed its conclusions carefully: the evidence strongly supports a pattern of pre-positioning and reconnaissance aligned with later regional strikes, but not every operational detail can yet be confirmed with complete certainty.
Even with that caution, CloudSEK says the risk environment is already severe.
The report concludes that the current period should be treated as critical and active, with the likelihood of further Iranian cyber retaliation remaining elevated in the days and weeks ahead.
For More Details, Read The Full Report Here
This entry was posted on April 9, 2026 at 8:22 am and is filed under Commentary with tags CloudSEK.