A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign targeting non-governmental organizations and individuals involved in documenting recent human rights abuses.
The activity, observed by HarfangLab in January 2026, has been codenamed RedKitten. It's said to coincide with the nationwide unrest in Iran that began towards the end of 2025, protesting soaring inflation, rising food prices, and currency depreciation. The ensuing crackdown has resulted in mass casualties and an internet blackout.
"The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command-and-control," the French cybersecurity company said.
What makes the campaign noteworthy is the threat actor's likely reliance on large language models (LLMs) to build and orchestrate the necessary tooling. The starting point of the attack is a 7-Zip archive with a Farsi filename that contains macro-laced Microsoft Excel documents.
The XLSM spreadsheets claim to include details about protesters who died in Tehran between December 22, 2025, and January 20, 2026. But embedded within each of them is a malicious VBA macro, which, when enabled, functions as a dropper for a C#-based implant ("AppVStreamingUX_Multi_User.dll") by means of a technique called AppDomainManager injection.
The VBA macro, for its part, shows signs of being generated by an LLM due to the "overall style of the VBA code, the variable names and methods" used, as well as the presence of comments like "PART 5: Report the result and schedule if successful."
The attack is likely an effort to target individuals who are looking for information about missing persons, exploiting their emotional distress to provoke a false sense of urgency and trigger the infection chain. Analysis of the spreadsheet data, such as mismatched ages and birthdates, suggests it's fabricated.
The backdoor, dubbed SloppyMIO, uses GitHub as a dead drop resolver to retrieve Google Drive URLs that host images from which its configuration is steganographically obtained, including details of the Telegram bot token, Telegram chat ID, and links staging various modules. As many as five different modules are supported -
- cm, to execute commands using "cmd.exe"
- do, to collect files on the compromised host and create a ZIP archive for each file that fits in the Telegram API file size limits
- up, to write a file to "%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\," with the file data encoded within an image fetched via the Telegram API
- pr, to create a scheduled task for persistence to run an executable every two hours
- ra, to start a process
In addition, the malware is capable of contacting a command-and-control (C2) server to beacon to the configured Telegram chat ID, receiving additional instructions and sending the results back to the operator:
- download, which runs the do module
- cmd, which runs the cm module
- runapp, to launch a process
"The malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and exfiltrate files and deploy further malware with persistence via scheduled tasks," HarfangLab said. "SloppyMIO beacons status messages, polls for commands and sends exfiltrated files over to a specified operator leveraging the Telegram Bot API for command-and-control."
As for attribution, the links to Iranian actors are based on the presence of Farsi artifacts, the lure themes, and tactical similarities with prior campaigns, including that of Tortoiseshell, which has leveraged malicious Excel documents to deliver IMAPLoader using AppDomainManager injection.
The attackers' choice of GitHub as a dead drop resolver is also not without precedent. In late 2022, Secureworks (now part of Sophos) detailed a campaign undertaken by a sub-cluster of an Iranian nation-state group known as Nemesis Kitten that used GitHub as a conduit to deliver a backdoor referred to as Drokbk.
Complicating matters further is the growing adoption of artificial intelligence (AI) tools by adversaries, making it harder for defenders to distinguish one actor from the other.
"The threat actor's reliance on commoditized infrastructure (GitHub, Google Drive, and Telegram) hinders traditional infrastructure-based tracking but paradoxically exposes useful metadata and poses other operational security challenges to the threat actor," HarfangLab said.
The development comes a couple of weeks after U.K.-based Iranian activist and independent cyber espionage investigator Nariman Gharib revealed details of a phishing link ("whatsapp-meeting.duckdns[.]org") that's distributed via WhatsApp and captures victims' credentials by displaying a fake WhatsApp Web login page.
"The page polls the attacker's server every second via /api/p/{victim_id}/," Gharib explained. "This lets the attacker serve a live QR code from their own WhatsApp Web session directly to the victim. When the target scans it with their phone, thinking they're joining a 'meeting,' they're actually authenticating the attacker's browser session. Attacker gets full access to the victim's WhatsApp account."
The phishing page is also designed to request browser permissions to access the device camera, microphone, and geolocation, effectively turning it into a surveillance kit that can capture victims' photos, audio, and current whereabouts. It's currently not known who is behind the campaign, or what was the motivation was behind it.
TechCrunch's Zack Whittaker, who uncovered more specifics about the activity, said it's also aimed at stealing Gmail credentials by serving a bogus Gmail login page that gathers a victim's password and two-factor authentication (2FA) code. About 50 individuals have been found to be impacted. This includes ordinary people across the Kurdish community, academics, government officials, business leaders, and other senior figures.
The findings also come in the aftermath of a major leak suffered by the Iranian hacking group Charming Kitten that laid bare its inner workings, organizational structure, and the key personnel involved. The leaks also shed light on a surveillance platform named Kashef (aka Discoverer or Revealer) for tracking Iranian citizens and foreign nationals by aggregating data collected by different departments associated with the Islamic Revolutionary Guard Corps (IRGC).
In October 2025, Gharib also made available a database containing 1,051 individuals who enrolled in various training programs offered by Ravin Academy, a cybersecurity school founded by two operatives of Iran's Ministry of Intelligence and Security (MOIS), Seyed Mojtaba Mostafavi and Farzin Karimi. The entity was sanctioned by the U.S. Department of the Treasury in October 2022 for supporting and enabling MOIS's operations.
This includes assisting MOIS with information security training, threat hunting, cybersecurity, red teaming, digital forensics, malware analysis, security auditing, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, and security research.
"The model allows MOIS to outsource initial recruitment and vetting while maintaining operational control through the founders' direct relationship with the intelligence service," Gharib said. "This dual-purpose structure enables MOIS to develop human capital for cyber operations while maintaining a layer of separation from direct government attribution."
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.