A Farsi-speaking menace actor aligned with Iranian state pursuits is suspected to be behind a brand new marketing campaign focusing on non-governmental organizations and people concerned in documenting current human rights abuses.
The exercise, noticed by HarfangLab in January 2026, has been codenamed RedKitten. It is mentioned to coincide with the nationwide unrest in Iran that started in the direction of the tip of 2025, protesting hovering inflation, rising meals costs, and foreign money depreciation. The following crackdown has resulted in mass casualties and an web blackout.
“The malware depends on GitHub and Google Drive for configuration and modular payload retrieval, and makes use of Telegram for command-and-control,” the French cybersecurity firm mentioned.
What makes the marketing campaign noteworthy is the menace actor’s seemingly reliance on giant language fashions (LLMs) to construct and orchestrate the mandatory tooling. The start line of the assault is a 7-Zip archive with a Farsi filename that incorporates macro-laced Microsoft Excel paperwork.
The XLSM spreadsheets declare to incorporate particulars about protesters who died in Tehran between December 22, 2025, and January 20, 2026. However embedded inside every of them is a malicious VBA macro, which, when enabled, capabilities as a dropper for a C#-based implant (“AppVStreamingUX_Multi_User.dll”) via a method known as AppDomainManager injection.
The VBA macro, for its half, reveals indicators of being generated by an LLM because of the “total fashion of the VBA code, the variable names and strategies” used, in addition to the presence of feedback like “PART 5: Report the consequence and schedule if profitable.”
The assault is probably going an effort to focus on people who’re on the lookout for details about lacking individuals, exploiting their emotional misery to impress a false sense of urgency and set off the an infection chain. Evaluation of the spreadsheet knowledge, resembling mismatched ages and birthdates, suggests it is fabricated.
The backdoor, dubbed SloppyMIO, makes use of GitHub as a lifeless drop resolver to retrieve Google Drive URLs that host photos from which its configuration is steganographically obtained, together with particulars of the Telegram bot token, Telegram chat ID, and hyperlinks staging numerous modules. As many as 5 totally different modules are supported –
- cm, to execute instructions utilizing “cmd.exe”
- do, to gather information on the compromised host and create a ZIP archive for every file that matches within the Telegram API file dimension limits
- up, to jot down a file to “%LOCALAPPDATApercentMicrosoftCLR_v4.0_32NativeImages,” with the file knowledge encoded inside a picture fetched by way of the Telegram API
- pr, to create a scheduled process for persistence to run an executable each two hours
- ra, to start out a course of
As well as, the malware is able to contacting a command-and-control (C2) server to beacon to the configured Telegram chat ID, receiving extra directions and sending the outcomes again to the operator:
- obtain, which runs the do module
- cmd, which runs the cm module
- runapp, to launch a course of
“The malware can fetch and cache a number of modules from distant storage, run arbitrary instructions, gather and exfiltrate information and deploy additional malware with persistence by way of scheduled duties,” HarfangLab mentioned. “SloppyMIO beacons standing messages, polls for instructions and sends exfiltrated information over to a specified operator leveraging the Telegram Bot API for command-and-control.”
As for attribution, the hyperlinks to Iranian actors are primarily based on the presence of Farsi artifacts, the lure themes, and tactical similarities with prior campaigns, together with that of Tortoiseshell, which has leveraged malicious Excel paperwork to ship IMAPLoader utilizing AppDomainManager injection.
The attackers’ selection of GitHub as a lifeless drop resolver can also be not with out precedent. In late 2022, Secureworks (now a part of Sophos) detailed a marketing campaign undertaken by a sub-cluster of an Iranian nation-state group often called Nemesis Kitten that used GitHub as a conduit to ship a backdoor known as Drokbk.
Complicating issues additional is the rising adoption of synthetic intelligence (AI) instruments by adversaries, making it more durable for defenders to differentiate one actor from the opposite.
“The menace actor’s reliance on commoditized infrastructure (GitHub, Google Drive, and Telegram) hinders conventional infrastructure-based monitoring however paradoxically exposes helpful metadata and poses different operational safety challenges to the menace actor,” HarfangLab mentioned.
The event comes a few weeks after U.Okay.-based Iranian activist and impartial cyber espionage investigator Nariman Gharib revealed particulars of a phishing hyperlink (“whatsapp-meeting.duckdns[.]org”) that is distributed by way of WhatsApp and captures victims’ credentials by displaying a pretend WhatsApp Internet login web page.
“The web page polls the attacker’s server each second by way of /api/p/{victim_id}/,” Gharib defined. “This lets the attacker serve a reside QR code from their very own WhatsApp Internet session on to the sufferer. When the goal scans it with their cellphone, considering they’re becoming a member of a ‘assembly,’ they’re really authenticating the attacker’s browser session. Attacker will get full entry to the sufferer’s WhatsApp account.”
The phishing web page can also be designed to request browser permissions to entry the gadget digital camera, microphone, and geolocation, successfully turning it right into a surveillance equipment that may seize victims’ images, audio, and present whereabouts. It is presently not recognized who’s behind the marketing campaign, or what was the motivation was behind it.
TechCrunch’s Zack Whittaker, who uncovered extra specifics concerning the exercise, mentioned it is also geared toward stealing Gmail credentials by serving a bogus Gmail login web page that gathers a sufferer’s password and two-factor authentication (2FA) code. About 50 people have been discovered to be impacted. This consists of peculiar individuals throughout the Kurdish neighborhood, teachers, authorities officers, enterprise leaders, and different senior figures.
The findings additionally come within the aftermath of a serious leak suffered by the Iranian hacking group Charming Kitten that laid naked its interior workings, organizational construction, and the important thing personnel concerned. The leaks additionally make clear a surveillance platform named Kashef (aka Discoverer or Revealer) for monitoring Iranian residents and overseas nationals by aggregating knowledge collected by totally different departments related to the Islamic Revolutionary Guard Corps (IRGC).
In October 2025, Gharib additionally made accessible a database containing 1,051 people who enrolled in numerous coaching applications supplied by Ravin Academy, a cybersecurity college based in 2019 by two operatives of Iran’s Ministry of Intelligence and Safety (MOIS), Seyed Mojtaba Mostafavi and Farzin Karimi. The entity was sanctioned by the U.S. Division of the Treasury in October 2022 for supporting and enabling MOIS’s operations.
This consists of aiding MOIS with info safety coaching, menace looking, cybersecurity, purple teaming, digital forensics, malware evaluation, safety auditing, penetration testing, community protection, incident response, vulnerability evaluation, cellular penetration testing, reverse engineering, and safety analysis.
In a submit shared on its Telegram channel on October 22, 2025, Ravin Academy confirmed the breach, stating considered one of its on-line programs, which was hosted outdoors its community, was the goal of a cyber assault that led to the leak of usernames and cellphone numbers of a number of the coaching members. It additionally claimed the assault was carried out with an goal to undermine its fame, and that a good portion of the leaked info is invalid.
“The mannequin permits MOIS to outsource preliminary recruitment and vetting whereas sustaining operational management via the founders’ direct relationship with the intelligence service,” Gharib mentioned. “This dual-purpose construction allows MOIS to develop human capital for cyber operations whereas sustaining a layer of separation from direct authorities attribution.”
