A Farsi-speaking threat actor aligned with Iranian state interests is suspected of orchestrating a new campaign targeting non-governmental organizations and individuals who document recent human rights abuses.
HarfangLab observed the activity in January 2026 and codenamed it RedKitten. Notably, the campaign coincides with nationwide unrest in Iran that erupted toward the end of 2025, driven by soaring inflation, rising food prices, and currency depreciation. In response, authorities launched a sweeping crackdown that resulted in mass casualties and an extended internet blackout.
As a result, the attackers appear to have timed the operation to exploit heightened fear, confusion, and information scarcity.
“The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command-and-control,” the French cybersecurity company said.
Use of LLMs and Initial Infection Vector
What sets this campaign apart, however, is the threat actor’s apparent reliance on large language models (LLMs) to develop and coordinate its tooling. The attack begins with a 7-Zip archive bearing a Farsi filename, which contains macro-enabled Microsoft Excel documents.
At first glance, the XLSM spreadsheets purport to list details about protesters who died in Tehran between December 22, 2025, and January 20, 2026. In reality, each file embeds a malicious VBA macro that, once enabled, drops a C#-based implant (“AppVStreamingUX_Multi_User.dll”) using a technique known as AppDomainManager injection.
Moreover, the VBA macro itself exhibits hallmarks of LLM-assisted generation. These indicators include the “overall style of the VBA code, the variable names and methods” used, as well as oddly structured comments such as “PART 5: Report the result and schedule if successful.”
Taken together, the evidence suggests the attackers deliberately targeted individuals searching for information about missing persons. By exploiting emotional distress, the campaign seeks to manufacture urgency and push victims to enable malicious content, thereby triggering the infection chain.
Further analysis reinforces this assessment. For example, inconsistencies in the spreadsheet data — including mismatched ages and birthdates — indicate the information was fabricated rather than sourced from legitimate records.
SloppyMIO Backdoor Capabilities and Modules
At the core of the operation lies a backdoor dubbed SloppyMIO, which uses GitHub as a dead drop resolver to obtain Google Drive URLs. These URLs host images that conceal configuration data through steganography, including the Telegram bot token, Telegram chat ID, and links used to stage additional modules.
In total, the malware supports as many as five distinct modules:
- cm, to execute commands using “cmd.exe”
- do, to collect files from the compromised host and create ZIP archives that comply with Telegram API file size limits
- up, to write a file to “%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages,” with file data encoded inside an image fetched via the Telegram API
- pr, to create a scheduled task that ensures persistence by running an executable every two hours
- ra, to start a process
Beyond these capabilities, the malware can also beacon status messages to the configured Telegram chat ID, poll for further instructions, and return execution results to the operator. The operator-side commands map onto the modules as follows:
- download, which triggers the do module
- cmd, which runs the cm module
- runapp, to launch a process
“The malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and exfiltrate files and deploy further malware with persistence via scheduled tasks,” HarfangLab said. “SloppyMIO beacons status messages, polls for commands and sends exfiltrated files over to a specified operator leveraging the Telegram Bot API for command-and-control.”
Attribution and Historical Parallels
When it comes to attribution, analysts point to multiple indicators linking the activity to Iranian actors. These include the presence of Farsi-language artifacts, protest-themed lures, and tactical overlaps with earlier campaigns. One such example is Tortoiseshell, which previously used malicious Excel documents to deliver IMAPLoader via AppDomainManager injection.
Similarly, the attackers’ use of GitHub as a dead drop resolver follows a familiar pattern. In late 2022, Secureworks (now part of Sophos) documented a campaign by a sub-cluster of an Iranian nation-state group known as Nemesis Kitten, which also leveraged GitHub to distribute a backdoor called Drokbk.
Compounding the challenge, adversaries increasingly adopt artificial intelligence (AI) tools, making it more difficult for defenders to reliably distinguish one threat actor from another.
“The threat actor’s reliance on commoditized infrastructure (GitHub, Google Drive, and Telegram) hinders traditional infrastructure-based tracking but paradoxically exposes useful metadata and poses other operational security challenges to the threat actor,” HarfangLab said.
Related Phishing Activity and WhatsApp Credential Theft
Meanwhile, this development follows revelations from U.K.-based Iranian activist and independent cyber espionage investigator Nariman Gharib. A few weeks earlier, Gharib disclosed details of a phishing link (“whatsapp-meeting.duckdns[.]org”) distributed via WhatsApp that captures victims’ credentials using a fake WhatsApp Web login page.
“The page polls the attacker’s server every second via /api/p/{victim_id}/,” Gharib explained. “This lets the attacker serve a live QR code from their own WhatsApp Web session directly to the victim. When the target scans it with their phone, thinking they’re joining a ‘meeting,’ they’re actually authenticating the attacker’s browser session. Attacker gets full access to the victim’s WhatsApp account.”
Additionally, the phishing page requests browser permissions for camera, microphone, and geolocation access. As a result, it effectively functions as a surveillance kit capable of capturing photos, audio, and real-time location data. At present, the identity of the operators and their precise motivations remain unclear.
Further reporting by TechCrunch’s Zack Whittaker uncovered additional aspects of the activity. According to Whittaker, the campaign also targets Gmail credentials by serving a counterfeit Gmail login page that harvests passwords and two-factor authentication (2FA) codes.
So far, investigators have identified approximately 50 affected individuals. These victims include members of the Kurdish community, academics, government officials, business leaders, and other senior figures.
Leaks, Training Programs, and MOIS Ties
These findings emerge against the backdrop of a significant leak affecting the Iranian hacking group Charming Kitten, which exposed internal operations, organizational structure, and key personnel. The leaked materials also revealed details about a surveillance platform called Kashef (also known as Discoverer or Revealer), used to track Iranian citizens and foreign nationals by aggregating data from multiple departments tied to the Islamic Revolutionary Guard Corps (IRGC).
In October 2025, Gharib also released a database containing information on 1,051 individuals enrolled in training programs offered by Ravin Academy, a cybersecurity school founded in 2019 by MOIS operatives Seyed Mojtaba Mostafavi and Farzin Karimi. The U.S. Department of the Treasury sanctioned the organization in October 2022 for supporting and enabling MOIS operations.
According to available records, Ravin Academy provided training across a wide range of disciplines, including information security, threat hunting, red teaming, digital forensics, malware analysis, security auditing, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, and security research.
In a Telegram post dated October 22, 2025, Ravin Academy acknowledged the breach. The organization stated that attackers compromised an online system hosted outside its main network, leading to the leak of usernames and phone numbers belonging to some participants. It further claimed the attackers aimed to damage its reputation and asserted that a substantial portion of the leaked data was invalid.
“The model allows MOIS to outsource initial recruitment and vetting while maintaining operational control through the founders’ direct relationship with the intelligence service,” Gharib said. “This dual-purpose structure enables MOIS to develop human capital for cyber operations while maintaining a layer of separation from direct government attribution.”
Source: TheHackerNews