Iran-linked RedKitten cyber campaign targets human rights NGOs and activists

January 31, 2026

Farsi-speaking attackers aligned with Iran’s national interests are suspected of being behind a new campaign targeting non-governmental organizations (NGOs) and individuals involved in documenting recent human rights abuses.

This activity, observed by HarfangLab in January 2026, has been codenamed RedKitten. It is said to coincide with unrest that began across Iran towards the end of 2025 in protest against soaring inflation, rising food prices and a weak currency. The ensuing crackdown resulted in numerous casualties and an internet blackout.

“The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command and control,” the French cybersecurity firm said.

What is notable about this campaign is that the attackers likely relied on large language models (LLMs) to build and fine-tune the necessary tools. The starting point of the attack is a 7-Zip archive with a Persian filename that contains a macro-enabled Microsoft Excel document.

The XLSM spreadsheet claims to contain details about protesters who died in Tehran between December 22, 2025 and January 20, 2026. Each spreadsheet, however, embeds a malicious VBA macro that, when enabled, acts as a dropper for a C#-based implant (‘AppVStreamingUX_Multi_User.dll’) through a technique known as AppDomainManager injection.

As for the VBA macros, there are signs that they were generated by an LLM, based on the “overall style of the VBA code, variable names, and methods” used and the presence of comments such as “Part 5: Reporting results and schedule if successful.”

The attack is likely an attempt to target individuals looking for information about missing persons, exploiting their psychological distress to create a false sense of urgency and trigger the infection chain. Analysis of the data in the spreadsheet, including discrepancies between ages and dates of birth, suggested it was fabricated.


The backdoor, called SloppyMIO, uses GitHub as a dead drop resolver to obtain Google Drive URLs that host images from which its configuration is steganographically extracted, including Telegram bot tokens, Telegram chat IDs, and link details for staging the various modules. Up to five different modules are supported:

  • cm: runs a command using “cmd.exe”
  • do: collects files on the compromised host and creates a ZIP archive of each file that fits within the file size limits of the Telegram API
  • (module name not preserved in the source): writes a file to “%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\” with the file data encoded within an image retrieved via the Telegram API
  • pr: writes an executable to disk and creates a scheduled task for persistence that runs it every hour
  • ra: starts the process

Additionally, the malware communicates with its command-and-control (C2) channel by sending beacons to the configured Telegram chat IDs, receiving additional instructions, and sending the results back to the operator. Three commands are supported:

  • download – runs the do module
  • cmd – runs the cm module
  • runapp – starts the process
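As an added defender-side example, not code from the original article or from HarfangLab, the following Python turns the behaviours described above into hunting rules and runs them over constructed EDR-style telemetry: a file written into the NativeImages directory by something other than the native-image generator, an hourly scheduled task created by a process descended from Office, and outbound connections to GitHub, Google Drive or the Telegram Bot API from such a process. The event schema, field names, sample events, the host process name and the assumption that ngen.exe is the only legitimate writer to that directory are all assumptions made for the example, not facts from the write-up.

```python
"""Hunting rules for the SloppyMIO behaviours described in the write-up.

Everything except the indicators quoted from the article (the NativeImages
staging path, hourly persistence, GitHub/Google Drive/Telegram as C2 services)
is constructed for this example: event schema, field names, sample telemetry.
"""
import json
import re

# Staging directory used by the module that writes image-encoded payloads.
NATIVEIMAGES_RE = re.compile(
    r"\\AppData\\Local\\Microsoft\\CLR_v4\.0_32\\NativeImages\\", re.IGNORECASE)
# Assumption: ngen.exe is the only process expected to write there; tune this
# allow-list against your own baseline before deploying such a rule.
NATIVEIMAGES_WRITERS = {"ngen.exe"}
# Commodity services the backdoor relies on for configuration and C2.
C2_HOSTS = {"api.telegram.org", "raw.githubusercontent.com",
            "github.com", "drive.google.com"}
OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed telemetry (JSON lines). "ancestors" carries the process lineage
# so each rule can see whether an Office application is in the chain.
# "example_dotnet_host.exe" is a placeholder for the .NET host that loads the
# injected AppDomainManager DLL; the real host name is not given in the article.
SAMPLE_TELEMETRY = r"""
{"type":"proc_start","image":"excel.exe","pid":4000,"ancestors":["explorer.exe"]}
{"type":"proc_start","image":"example_dotnet_host.exe","pid":4100,"ancestors":["excel.exe","explorer.exe"]}
{"type":"file_write","image":"example_dotnet_host.exe","pid":4100,"ancestors":["excel.exe","explorer.exe"],"path":"C:\\Users\\u\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\NativeImages\\stage.bin"}
{"type":"net_connect","image":"example_dotnet_host.exe","pid":4100,"ancestors":["excel.exe","explorer.exe"],"host":"raw.githubusercontent.com","port":443}
{"type":"net_connect","image":"example_dotnet_host.exe","pid":4100,"ancestors":["excel.exe","explorer.exe"],"host":"api.telegram.org","port":443}
{"type":"task_create","image":"example_dotnet_host.exe","pid":4100,"ancestors":["excel.exe","explorer.exe"],"task":"\\Updater","repeat_minutes":60}
{"type":"file_write","image":"ngen.exe","pid":900,"ancestors":["mscorsvw.exe","services.exe"],"path":"C:\\Users\\u\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\NativeImages\\lib.ni.dll"}
{"type":"net_connect","image":"chrome.exe","pid":1200,"ancestors":["explorer.exe"],"host":"api.telegram.org","port":443}
{"type":"task_create","image":"svchost.exe","pid":700,"ancestors":["services.exe"],"task":"\\Microsoft\\Windows\\Backup","repeat_minutes":1440}
"""


def load_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def office_in_chain(ev: dict) -> bool:
    """True if the process itself or any ancestor is an Office application."""
    chain = [ev["image"], *ev.get("ancestors", [])]
    return any(p.lower() in OFFICE_PROCS for p in chain)


def hunt(events: list[dict]) -> list[dict]:
    """Apply the three behavioural rules and return one finding per hit."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if (kind == "file_write" and NATIVEIMAGES_RE.search(ev["path"])
                and ev["image"].lower() not in NATIVEIMAGES_WRITERS):
            findings.append({"rule": "nativeimages_drop",
                             "pid": ev["pid"], "detail": ev["path"]})
        elif (kind == "task_create" and ev.get("repeat_minutes") == 60
              and office_in_chain(ev)):
            findings.append({"rule": "hourly_task_from_office",
                             "pid": ev["pid"], "detail": ev["task"]})
        elif (kind == "net_connect" and ev["host"].lower() in C2_HOSTS
              and office_in_chain(ev)):
            findings.append({"rule": "commodity_c2_from_office",
                             "pid": ev["pid"], "detail": ev["host"]})
    return findings


def correlate(findings: list[dict]) -> list[int]:
    """Escalate processes that trip two or more distinct rules.

    A single Telegram connection or NativeImages write is weak on its own;
    the combination within one process is what resembles the SloppyMIO chain.
    """
    rules_by_pid: dict[int, set] = {}
    for f in findings:
        rules_by_pid.setdefault(f["pid"], set()).add(f["rule"])
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= 2)


if __name__ == "__main__":
    hits = hunt(load_events(SAMPLE_TELEMETRY))
    for h in hits:
        print(f"{h['rule']:<26} pid={h['pid']} {h['detail']}")
    print("escalate:", correlate(hits))
```

The benign rows in the sample (ngen.exe populating the cache, a browser talking to Telegram, a daily system task) are there to show that each rule on its own needs the lineage or allow-list condition to stay quiet; only the Office-descended host trips several rules and is escalated.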

“The malware may fetch and cache multiple modules from remote storage, execute arbitrary commands, collect and extract files, and persistently deploy further malware through scheduled tasks,” HarfangLab said. “SloppyMIO beacons for status messages, polls for commands, and leverages the Telegram Bot API for command and control to send extracted files to designated operators.”

Regarding attribution, the link to the Iranian actor is based on the presence of Persian language artifacts, the lure theme, and tactical similarities to previous campaigns, including Tortoiseshell’s campaign that leveraged a malicious Excel document to deliver IMAPLoader using AppDomainManager injection.

Attackers’ choice of GitHub as a dead drop resolver is also not unprecedented. In late 2022, Secureworks (now part of Sophos) detailed a campaign conducted by a subcluster of the Iranian nation-state group known as Nemesis Kitten. The campaign used GitHub as a conduit to distribute a backdoor called Drokbk.

Further complicating matters, adversaries are increasingly deploying artificial intelligence (AI) tools, which makes it harder for defenders to tell one attacker apart from another.

“Threat actors’ dependence on commoditized infrastructure (GitHub, Google Drive, Telegram) precludes traditional infrastructure-based tracking, but paradoxically exposes useful metadata and creates other operational security challenges for threat actors,” HarfangLab said.

The development comes weeks after UK-based Iranian activist and independent cyber espionage investigator Nariman Gharib revealed details of a phishing page (“whatsapp-meeting.duckdns[.]org”) that is distributed via WhatsApp and captures the victim’s credentials by displaying a fake WhatsApp Web login page.

“This page polls the attacker’s server every second via /api/p/{victim_id}/,” Gharib explained. “This allows an attacker to provide a live QR code to a victim directly from their WhatsApp web session. When a target scans a QR code with their mobile phone and does so thinking they are joining a ‘meeting’, they are actually authenticating the attacker’s browser session. The attacker now has full access to the victim’s WhatsApp account.”

The phishing page is also designed to request browser permission to access the device’s camera, microphone, and geolocation, effectively turning it into a surveillance kit that can capture the victim’s photos, audio, and current location. At this time, it is unclear who is behind this campaign or what its motives are.

TechCrunch’s Zack Whittaker, who detailed the campaign, said it also aims to steal Gmail credentials by providing a fake Gmail login page that collects victims’ passwords and two-factor authentication (2FA) codes. Approximately 50 people were found to be affected. This includes ordinary people, academics, government officials, business leaders, and other dignitaries from across the Kurdish community.


The findings come after a major breach of the Iranian hacking group Charming Kitten, which revealed its inner workings, organizational structure, and key players. The leak also shed light on a surveillance platform named Kashef (also known as Discoverer or Revealer) for tracking Iranian nationals and foreigners by aggregating data collected by various departments associated with the Islamic Revolutionary Guard Corps (IRGC).

In October 2025, Gharib also released a database of 1,051 people enrolled in various training programs offered by Rabin Academy, a cybersecurity school founded by two Iranian Ministry of Intelligence and Security (MOIS) operatives, Seyed Mojtaba Mostafavi and Farzin Karimi. The entity was sanctioned by the U.S. Treasury Department in October 2022 for supporting and enabling MOIS operations.

This includes assisting MOIS with information security training, threat hunting, cybersecurity, red teaming, digital forensics, malware analysis, security audits, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, security investigations, and more.

“This model allows MOIS to outsource initial recruitment and vetting while maintaining operational control through direct relationships between founders and intelligence agencies,” Gharib said. “This dual-purpose structure allows MOIS to develop human capital for cyber operations while maintaining a layer of separation from direct government attribution.”
