A new cyber campaign, codenamed RedKitten, has emerged, targeting non-governmental organizations (NGOs) and individuals involved in documenting human rights abuses in Iran. This operation is linked to a Farsi-speaking threat actor aligned with Iranian state interests, as reported by HarfangLab in January 2026.
Context of the Campaign
The RedKitten campaign coincides with ongoing unrest in Iran, which began in late 2025 due to protests over inflation, food prices, and currency issues. The Iranian government’s crackdown on dissent has led to significant casualties and an internet blackout.
Malware Delivery and Mechanism
The malware utilized in this campaign is delivered through a 7-Zip archive with a Farsi filename, containing macro-laden Microsoft Excel documents. These spreadsheets purport to provide information about protesters who died in Tehran between December 22, 2025, and January 20, 2026. However, they contain a malicious VBA macro that acts as a dropper for a C#-based implant named AppVStreamingUX_Multi_User.dll using a technique known as AppDomainManager injection.
Notably, the VBA code exhibits characteristics suggesting it may have been generated by a large language model (LLM), indicated by its coding style and comments within the code.
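The AppDomainManager injection mentioned above works by pointing a legitimate .NET executable at an attacker-controlled assembly, either through a `<runtime>` section in the program's `.exe.config` file or through the `APPDOMAIN_MANAGER_ASSEMBLY` / `APPDOMAIN_MANAGER_TYPE` environment variables, so the CLR loads that assembly before the host program's own code runs. The following is an added defender-side example, not code from the report or from the malware: a small scanner that flags those indicators in config text and in a process environment. The two sample configs and the type name `AppVStreamingUX_Multi_User.Loader` are constructed for illustration; only the assembly filename comes from the article.

```python
"""Flag .NET application-config and environment indicators of AppDomainManager injection."""
from __future__ import annotations

import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample configs (not taken from the HarfangLab report).
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>
"""

# The type name "AppVStreamingUX_Multi_User.Loader" is a constructed placeholder.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="AppVStreamingUX_Multi_User.Loader"/>
    <etwEnable enabled="false"/>
  </runtime>
</configuration>
"""

# Config elements that redirect AppDomain creation to another assembly.
CONFIG_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
# Environment variables the CLR honours for the same purpose.
ENV_KEYS = ("APPDOMAIN_MANAGER_ASSEMBLY", "APPDOMAIN_MANAGER_TYPE")


@dataclass(frozen=True)
class Finding:
    source: str  # "config" or "env"
    key: str
    value: str


def scan_dotnet_config(xml_text: str) -> list[Finding]:
    """Return AppDomainManager indicators found in one .exe.config document."""
    findings: list[Finding] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # not XML; a real pipeline would route this for manual review
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    for key in CONFIG_KEYS:
        for element in runtime.iter(key):
            findings.append(Finding("config", key, element.get("value", "")))
    # Disabling ETW in the same section is a common companion to this technique.
    etw = runtime.find("etwEnable")
    if etw is not None and etw.get("enabled", "true").lower() == "false":
        findings.append(Finding("config", "etwEnable", "false"))
    return findings


def scan_environment(env) -> list[Finding]:
    """Return AppDomainManager indicators present in a process environment mapping."""
    return [Finding("env", key, env[key]) for key in ENV_KEYS if key in env]


def scan_config_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8-sig") as fh:
        return scan_dotnet_config(fh.read())


if __name__ == "__main__":
    # Usage: python scan_appdomain.py app1.exe.config app2.exe.config ...
    for finding in scan_environment(os.environ):
        print(f"[env] {finding.key}={finding.value}")
    for config_path in sys.argv[1:]:
        for finding in scan_config_file(config_path):
            print(f"[{config_path}] {finding.key}={finding.value}")
```

A config that names an `appDomainManagerAssembly` is not malicious by itself, but it is rare outside of a few enterprise hosting products, so each hit is worth pairing with a check that the referenced assembly actually sits next to the executable and who wrote it there.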
Capabilities of the Malware
The backdoor, referred to as SloppyMIO, employs GitHub as a dead drop resolver to retrieve configuration details from Google Drive, including a Telegram bot token and chat ID. The malware supports multiple modules for various tasks, such as executing commands, collecting files, and maintaining persistence through scheduled tasks.
It can also communicate with a command-and-control (C2) server via Telegram, allowing the operator to send commands and receive exfiltrated data. HarfangLab noted that the malware’s ability to fetch and cache multiple modules complicates detection and response efforts.
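Because the operator channel described above runs over the Telegram Bot API, the network side is detectable: requests to `api.telegram.org` whose path starts with `/bot<token>/` are Bot API calls, and an Office application or a scripting host making them is far more suspicious than a browser. The following is an added example written for this article, not code from HarfangLab or the malware: it parses constructed proxy log lines (timestamp, process name, URL, a format assumed here) and raises an alert for every Bot API call, redacting the token so the alert itself does not leak a credential.

```python
"""Alert on Telegram Bot API traffic from endpoint processes in a proxy log."""
import re
from urllib.parse import urlparse

# Constructed proxy log lines (not from the report); token value is a placeholder.
SAMPLE_LOG = """\
2026-01-21T09:12:03Z EXCEL.EXE https://api.telegram.org/bot123456789:EXAMPLE_TOKEN_VALUE/getUpdates
2026-01-21T09:12:04Z chrome.exe https://web.telegram.org/a/
2026-01-21T09:12:09Z rundll32.exe https://api.telegram.org/bot123456789:EXAMPLE_TOKEN_VALUE/sendDocument
2026-01-21T09:13:00Z Teams.exe https://graph.microsoft.com/v1.0/me
2026-01-21T09:14:10Z chrome.exe https://raw.githubusercontent.com/example-org/example-repo/main/config.txt
"""

# Bot API paths look like /bot<numeric id>:<secret>/<method>.
BOT_API_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")

# Processes that have no business talking to the Bot API (assumption; tune per environment).
HIGH_RISK_PROCESSES = {
    "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
    "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe",
}


def parse_line(line: str):
    """Split one log line into (timestamp, process, url)."""
    timestamp, process, url = line.split(maxsplit=2)
    return timestamp, process, url.strip()


def redact_token(token: str) -> str:
    """Keep the bot id and three characters of the secret so analysts can correlate."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:3]}...redacted"


def detect_bot_api_use(log_text: str) -> list[dict]:
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, process, url = parse_line(line)
        parsed = urlparse(url)
        if parsed.hostname != "api.telegram.org":
            continue
        match = BOT_API_RE.match(parsed.path)
        if not match:
            continue
        alerts.append({
            "time": timestamp,
            "process": process,
            "method": match.group("method"),
            "token": redact_token(match.group("token")),
            "severity": "high" if process.lower() in HIGH_RISK_PROCESSES else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bot_api_use(SAMPLE_LOG):
        print(alert)
```

Grouping alerts by the redacted bot id also shows which hosts share one operator channel, which is useful scoping information during response when the implant has already fetched extra modules.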
Attribution and Previous Incidents
Attribution to Iranian actors is based on the presence of Farsi artifacts and similarities to previous campaigns, including those by the group Tortoiseshell. The use of GitHub for malware distribution has been observed in earlier incidents involving Iranian threat actors.
In related developments, a phishing campaign targeting Iranian activists has also been identified, which captures credentials through a fake WhatsApp Web login page. The full scope of these campaigns and their motivations remains unclear, but they have reportedly impacted around 50 individuals, including members of the Kurdish community and various professionals.
This situation highlights the evolving landscape of cyber threats, particularly as adversaries increasingly leverage AI tools to enhance their operations.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.