Cybersecurity researchers have uncovered a new cyber espionage campaign, dubbed RedKitten, that is believed to be linked to Iranian state-aligned threat actors. The operation is targeting non-governmental organizations, human rights defenders, and individuals documenting recent abuses linked to Iran’s internal unrest.
The campaign was identified by French cybersecurity firm HarfangLab in January 2026 and appears to coincide with widespread protests that erupted across Iran in late 2025. These protests were driven by sharp inflation, rising food prices, and the rapid devaluation of the national currency, followed by a violent crackdown that reportedly resulted in mass casualties and prolonged internet disruptions.
Malware Infrastructure Uses Popular Cloud Services
According to HarfangLab, the attackers rely heavily on widely used platforms such as GitHub, Google Drive, and Telegram to host configuration data, retrieve modular payloads, and manage command and control operations. This approach allows the threat actor to blend malicious activity into legitimate cloud traffic, complicating detection and attribution.
Infection Chain Exploits Emotional Lures
The attack begins with a 7-Zip archive carrying a Farsi-language filename. Inside the archive are macro-enabled Microsoft Excel (XLSM) documents that claim to contain records of protesters allegedly killed in Tehran between December 22, 2025, and January 20, 2026.
When victims enable macros, a malicious VBA script executes and deploys a C#-based implant named AppVStreamingUX_Multi_User.dll using AppDomainManager injection, a technique previously observed in Iranian-linked campaigns.
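AppDomainManager injection works because the .NET runtime can be told, either through an application's .exe.config file or through process environment variables, to load a custom AppDomainManager assembly before the application's own code runs. The following Python scanner is an added example for this article, not code from HarfangLab or from the implant; it checks both sources for those settings. The config samples are constructed, and the type name "AppVStreamingUX_Multi_User.Loader" is a placeholder (only the DLL name comes from the article).

```python
"""Scan a .NET host's environment and application config for the settings
that AppDomainManager injection relies on.

Added example for this article; not HarfangLab's or the implant's code.
The element and variable names are the documented .NET settings that select
a custom AppDomainManager. Both config samples below are constructed, and
the type name "AppVStreamingUX_Multi_User.Loader" is a placeholder.
"""
import xml.etree.ElementTree as ET

# Environment variables through which the CLR can be told to load an
# arbitrary AppDomainManager assembly into any .NET process it starts.
ENV_OVERRIDES = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Config elements (under <runtime>) that do the same for one application.
CONFIG_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed sample: a hijacked app.exe.config that points the CLR at the
# implant assembly named in the article (type name is a placeholder).
HIJACKED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="AppVStreamingUX_Multi_User.Loader" />
  </runtime>
</configuration>
"""

# Constructed sample: a config that uses <runtime> without selecting a manager.
BENIGN_CONFIG = """<configuration>
  <runtime>
    <gcServer enabled="true" />
  </runtime>
</configuration>
"""


def config_indicators(xml_text):
    """Return {element: value} for the AppDomainManager elements in a config."""
    root = ET.fromstring(xml_text)
    found = {}
    for tag in CONFIG_ELEMENTS:
        for element in root.iter(tag):
            found[tag] = element.get("value", "")
    return found


def env_indicators(environ):
    """Return the AppDomainManager override variables present in an environment."""
    return {k: v for k, v in environ.items() if k.upper() in ENV_OVERRIDES}


def assess(xml_text, environ):
    """Combine both sources; a process is suspicious if either selects a manager.

    A custom AppDomainManager is rarely set by legitimate software, so any hit
    deserves an analyst's look; the assembly value names the DLL the CLR
    would load at start-up.
    """
    indicators = config_indicators(xml_text)
    indicators.update(env_indicators(environ))
    return {"suspicious": bool(indicators), "indicators": indicators}


if __name__ == "__main__":
    print(assess(HIJACKED_CONFIG, {}))
    print(assess(BENIGN_CONFIG, {"APPDOMAIN_MANAGER_ASM": "placeholder, Version=1.0.0.0"}))
    print(assess(BENIGN_CONFIG, {"PATH": "C:\\Windows"}))
```

In a real deployment the config text would come from each .exe.config next to a running .NET binary and the environment from the process's environment block; the point of checking both is that the environment-variable route leaves no file on disk for a file-based scan to catch.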
HarfangLab noted that the VBA macro shows strong indicators of being generated with the assistance of large language models (LLMs). These indicators include generic variable naming patterns, structured formatting, and descriptive comments such as “PART 5: Report the result and schedule if successful.”
Analysis of the spreadsheet data revealed inconsistencies such as mismatched ages and birthdates, suggesting the content was fabricated to exploit the emotional vulnerability of individuals searching for missing persons.
SloppyMIO Backdoor Enables Modular Control
The deployed backdoor, tracked as SloppyMIO, uses GitHub as a dead-drop resolver to obtain Google Drive URLs. These URLs host image files that contain hidden configuration data extracted through steganography. This configuration includes Telegram bot tokens, chat IDs, and links to additional payload modules.
The malware supports multiple operational modules, including:
- cm, execute system commands using cmd.exe
- do, collect files and compress them into ZIP archives sized for Telegram transfer
- up, write files to local system directories using image based payload delivery
- pr, establish persistence via scheduled tasks executed every two hours
- ra, launch processes on the infected system
In addition, the malware communicates with a command and control server through the Telegram Bot API, allowing operators to issue commands, retrieve exfiltrated data, and monitor infection status.
HarfangLab stated that SloppyMIO is capable of running arbitrary commands, harvesting sensitive files, deploying additional malware, and maintaining long-term persistence on compromised systems.
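Because every stage of this chain rides on a legitimate service, the detectable signal is the sequence rather than any single destination: one workstation fetching from GitHub, then downloading from Google Drive, then talking to the Telegram Bot API. The detector below is an added example for this article, not HarfangLab's code; it runs over constructed proxy log lines and flags a client when that ordered sequence appears within a window, and separately whenever it sees a Bot API URL at all, since `api.telegram.org/bot<token>/` traffic is unusual on a managed endpoint. The log field layout, the one-hour window and the host names are assumptions for the example.

```python
"""Flag clients whose web traffic matches the GitHub -> Google Drive ->
Telegram Bot API chain described above.

Added example for this article (not code from HarfangLab). The proxy log
lines are constructed; the "<ISO timestamp> <client> <method> <url>" layout,
the one-hour window and the client names are assumptions for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed proxy log. ws-17 shows the full chain, ws-22 only a Bot API call,
# ws-31 a lone Google Drive visit. Tokens are made-up placeholders.
SAMPLE_LOG = """\
2026-01-21T08:00:03Z ws-17 GET https://raw.githubusercontent.com/example-user/notes/main/readme.txt
2026-01-21T08:00:05Z ws-17 GET https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID
2026-01-21T08:00:09Z ws-17 POST https://api.telegram.org/bot123456789:AAEXAMPLE-TOKEN_VALUE_000000000000/getUpdates
2026-01-21T08:15:00Z ws-22 GET https://raw.githubusercontent.com/example-user/dotfiles/main/.vimrc
2026-01-21T08:20:00Z ws-22 GET https://api.telegram.org/bot987654321:AAEXAMPLE-TOKEN_VALUE_111111111111/getMe
2026-01-21T09:05:00Z ws-31 GET https://drive.google.com/file/d/EXAMPLE_FILE_ID/view
"""

# Stages in the order the chain uses them.
STAGES = (
    ("github", re.compile(r"^https://(raw\.githubusercontent\.com|github\.com)/")),
    ("gdrive", re.compile(r"^https://drive\.google\.com/")),
    ("telegram_bot", re.compile(r"^https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/")),
)
# Telegram bot tokens have the form <bot id>:<secret>; we keep only the id.
BOT_TOKEN = re.compile(r"/bot(\d+):[A-Za-z0-9_-]+/")


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, url)."""
    ts, client, method, url = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, url


def classify(url):
    """Return the chain stage a URL belongs to, or None if it is unrelated."""
    for name, pattern in STAGES:
        if pattern.search(url):
            return name
    return None


def _alert(alerts, client):
    return alerts.setdefault(client, {"reasons": set(), "bot_ids": set()})


def detect(log_text, window=timedelta(hours=1)):
    """Return {client: {"reasons": set, "bot_ids": set}} for flagged clients.

    "telegram_bot_api" fires on any Bot API request; "dead_drop_chain" fires
    when a client's first GitHub, first Google Drive and first Bot API
    requests occur in that order within `window`.
    """
    first_seen = {}  # client -> {stage: timestamp of first request}
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = parse_line(line)
        stage = classify(url)
        if stage is None:
            continue
        stages = first_seen.setdefault(client, {})
        stages.setdefault(stage, ts)

        if stage == "telegram_bot":
            entry = _alert(alerts, client)
            entry["reasons"].add("telegram_bot_api")
            # Record the bot id for pivoting, never the secret half of the token.
            entry["bot_ids"].add(BOT_TOKEN.search(url).group(1))

        names = [name for name, _ in STAGES]
        if all(name in stages for name in names):
            ordered = [stages[name] for name in names]
            in_order = ordered == sorted(ordered)
            if in_order and ordered[-1] - ordered[0] <= window:
                _alert(alerts, client)["reasons"].add("dead_drop_chain")
    return alerts


if __name__ == "__main__":
    for client, entry in detect(SAMPLE_LOG).items():
        print(client, sorted(entry["reasons"]), sorted(entry["bot_ids"]))
```

The bot id is worth keeping because it identifies the operator's bot across victims, while the secret half of the token is a credential that should not be copied into alert stores; in practice the Bot API rule would carry an allow-list for any team that legitimately runs Telegram bots.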
Attribution Points to Iranian State Interests
Researchers attribute RedKitten to Iranian-aligned actors based on the use of Farsi-language artifacts, human-rights-themed lures, and technical overlaps with previous Iranian operations. These similarities include tactics associated with Tortoiseshell, which also used malicious Excel documents and AppDomainManager injection.
The use of GitHub as a delivery mechanism mirrors techniques previously documented in Nemesis Kitten campaigns, where GitHub was leveraged to distribute malware such as Drokbk.
However, the increasing use of AI-generated code further complicates attribution, as it reduces the unique developer fingerprints traditionally used by defenders.
Parallel Phishing and Surveillance Campaigns Observed
The findings follow recent disclosures by U.K.-based Iranian activist and cyber espionage investigator Nariman Gharib, who reported a WhatsApp-based phishing operation using a fake meeting link hosted on whatsapp-meeting.duckdns[.]org.
The phishing page presents a fraudulent WhatsApp Web login interface that dynamically serves a live QR code from the attacker’s own session. When victims scan the code, they unknowingly grant full access to their WhatsApp accounts.
The page also requests permissions for camera, microphone, and location access, effectively turning the browser into a surveillance tool. Additional reporting indicates the same infrastructure was used to harvest Gmail credentials and two-factor authentication codes, impacting at least 50 individuals across academic, governmental, and activist communities.
Broader Context of Iranian Cyber Operations
These revelations come shortly after a significant data leak affecting the Iranian hacking group Charming Kitten, exposing internal operations and a surveillance platform known as Kashef. The platform aggregates intelligence on Iranian citizens and foreign nationals and is believed to be linked to the Islamic Revolutionary Guard Corps (IRGC).
In October 2025, Gharib also released a database of individuals enrolled in training programs at Ravin Academy, an entity sanctioned by the U.S. Treasury for supporting Iran’s Ministry of Intelligence and Security. The academy reportedly functioned as a recruitment and vetting pipeline for cyber operations while maintaining plausible deniability for state agencies.