RedKitten’s Digital Claws: Iran-Linked Cyber Campaign Preys on Human Rights Activists with AI-Enhanced Malware
A sophisticated and deeply unsettling cyber campaign, codenamed RedKitten, has emerged, raising alarms across the cybersecurity landscape. Suspected to be the work of a Farsi-speaking threat actor with clear ties to Iranian state interests, this operation specifically targets non-governmental organizations and individuals dedicated to documenting human rights abuses. First identified by HarfangLab in January 2026, RedKitten’s timing is no coincidence, aligning with the widespread civil unrest that swept Iran in late 2025, sparked by economic grievances and met with a severe government crackdown and internet blackouts. What makes RedKitten particularly noteworthy is its potential reliance on large language models (LLMs) for developing its malicious toolkit, marking a concerning evolution in state-sponsored cyber espionage.
Exploiting Emotional Distress: The Lure of Fabricated Data
The RedKitten campaign begins with a cruel psychological manipulation. Victims receive a 7-Zip archive, often with a Farsi filename, containing seemingly crucial Microsoft Excel documents. These macro-laced XLSM spreadsheets purport to offer vital information: lists of protesters who tragically died in Tehran between December 22, 2025, and January 20, 2026. This lure is designed to exploit the emotional distress and urgent need for information among those searching for missing loved ones or documenting atrocities. However, analysis by HarfangLab quickly revealed the data within these spreadsheets to be fabricated, featuring inconsistencies like mismatched ages and birthdates.
Enabling the embedded malicious VBA macro within these documents initiates the infection chain. This macro acts as a dropper for a C#-based implant, “AppVStreamingUX_Multi_User.dll,” deployed using an AppDomainManager injection technique. Intriguingly, the VBA code itself bears the hallmarks of LLM generation, exhibiting a distinct style, variable naming conventions, and even comments like “PART 5: Report the result and schedule if successful,” suggesting a new frontier in automated malware development.
SloppyMIO: A Modular Backdoor Leveraging Commoditized Infrastructure
The core of RedKitten’s arsenal is a backdoor dubbed SloppyMIO. This potent malware demonstrates a clever use of widely available, legitimate services for its command-and-control (C2) infrastructure, making it harder to detect and track. HarfangLab reports that SloppyMIO utilizes GitHub as a “dead drop resolver” to retrieve Google Drive URLs. These Google Drive links, in turn, host images from which the malware’s configuration is steganographically extracted. This hidden configuration includes critical details such as the Telegram bot token, Telegram chat ID, and links to various modular payloads.
SloppyMIO is highly modular, supporting at least five distinct functions:
- cm: Executes arbitrary commands via “cmd.exe.”
- do: Collects files from the compromised host, creating ZIP archives for exfiltration.
- up: Writes files to “%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages,” with data encoded within images fetched via the Telegram API.
- pr: Establishes persistence by creating a scheduled task to run an executable every two hours.
- ra: Starts a new process.
The malware communicates with its operators via the Telegram Bot API, beaconing status messages, polling for commands (such as download, cmd, runapp), and exfiltrating collected files. This reliance on Telegram for C2 and data exfiltration further underscores the threat actor’s preference for blending in with legitimate network traffic.
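The behaviours listed above (an Office process spawning the implant, writes into the CLR NativeImages directory by something other than the .NET native-image service, a dead-drop fetch from GitHub or Google Drive, Telegram Bot API traffic from a non-browser process, and a scheduled task firing every two hours) are individually noisy but collectively distinctive. The following correlation detector is an added example written for this article, not HarfangLab's or the article's own code; it runs over a few constructed Sysmon-style endpoint events and flags a host only when several of those behaviours co-occur. The event schema, the host and process names, the expanded profile path used for matching, and the assumption that persistence is created through schtasks.exe with an hourly schedule and a modifier of 2 are all assumptions made for illustration.

```python
"""Correlate SloppyMIO-style behaviours across endpoint events (added example)."""
import ntpath
from collections import defaultdict

# Path and services named in the article; the %LOCALAPPDATA% expansion is a
# constructed profile path used only so the sample events match.
NATIVE_IMAGES_DIR = r"%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages"
DEAD_DROP_HOSTS = {"github.com", "raw.githubusercontent.com", "drive.google.com"}
TELEGRAM_HOSTS = {"api.telegram.org"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
NGEN_WRITERS = {"ngen.exe", "mscorsvw.exe"}  # legitimate writers to NativeImages


def _norm(path: str) -> str:
    # Assumed user profile; a real deployment would expand per user.
    return path.replace("%LOCALAPPDATA%", r"C:\Users\alice\AppData\Local").lower()


NATIVE_IMAGES_PREFIX = _norm(NATIVE_IMAGES_DIR)


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the OS the detector runs on.
    return ntpath.basename(path).lower()


def classify(ev: dict):
    """Map one event to the behaviour it matches, or None if it is benign."""
    kind = ev["type"]
    image = _base(ev.get("image", ""))
    if kind == "process_create":
        cmd = ev.get("cmdline", "").lower()
        if _base(ev.get("parent", "")) in OFFICE_APPS:
            return "office-spawned-process"
        # Assumption: a schtasks.exe task with /sc hourly /mo 2 is the 2-hour persistence.
        if image == "schtasks.exe" and "/create" in cmd and "/sc hourly" in cmd and "/mo 2" in cmd:
            return "scheduled-task-every-2h"
    elif kind == "file_create":
        target = _norm(ev["target"])
        if target.startswith(NATIVE_IMAGES_PREFIX) and image not in NGEN_WRITERS:
            return "nativeimages-write"
    elif kind == "network":
        if image in BROWSERS:          # a browser reaching these services is expected
            return None
        dest = ev["dest_host"].lower()
        if dest in TELEGRAM_HOSTS:
            return "telegram-bot-api"
        if dest in DEAD_DROP_HOSTS:
            return "dead-drop-fetch"
    return None


def correlate(events):
    """Return {host: sorted list of distinct behaviours seen on that host}."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items()}


def suspicious_hosts(events, min_behaviours=3):
    """Hosts showing at least min_behaviours distinct SloppyMIO-style behaviours."""
    return sorted(h for h, tags in correlate(events).items() if len(tags) >= min_behaviours)


# Constructed sample telemetry: ws-01 shows the full chain, ws-02 only benign look-alikes.
HOST_EXE = r"C:\Users\alice\AppData\Local\Temp\host.exe"   # constructed implant host
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "process_create",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": HOST_EXE, "cmdline": "host.exe"},
    {"host": "ws-01", "type": "file_create", "image": HOST_EXE,
     "target": r"C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0_32\NativeImages\update.bin"},
    {"host": "ws-01", "type": "network", "image": HOST_EXE, "dest_host": "raw.githubusercontent.com"},
    {"host": "ws-01", "type": "network", "image": HOST_EXE, "dest_host": "drive.google.com"},
    {"host": "ws-01", "type": "network", "image": HOST_EXE, "dest_host": "api.telegram.org"},
    {"host": "ws-01", "type": "process_create", "parent": HOST_EXE,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc hourly /mo 2 /tn Updater /tr " + HOST_EXE},
    {"host": "ws-02", "type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "api.telegram.org"},
    {"host": "ws-02", "type": "file_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0_32\NativeImages\legit.ni.dll"},
    {"host": "ws-02", "type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks.exe /query"},
]

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(host, tags)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

The threshold in suspicious_hosts is the point worth tuning: each rule on its own (a non-browser process talking to GitHub, a schtasks invocation) will fire on legitimate software, so the detector only raises a host once several of the behaviours the article describes line up on it.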
Attribution and the Evolving Threat Landscape
Attributing RedKitten to Iranian state-aligned actors is based on several key indicators: the presence of Farsi artifacts within the malware, the specific lure themes targeting Iranian domestic issues, and tactical similarities to previous campaigns. Notably, parallels are drawn to the Tortoiseshell group, which also employed malicious Excel documents and AppDomainManager injection to deliver malware like IMAPLoader. The use of GitHub as a dead drop resolver isn’t new either; Secureworks (now part of Sophos) documented a similar tactic by Nemesis Kitten, another Iranian nation-state sub-cluster, in late 2022.
The increasing adoption of AI tools by adversaries, as potentially seen with RedKitten’s LLM-generated VBA code, presents a significant challenge for defenders. It blurs the lines between different threat actors and makes traditional signature-based detection more difficult. HarfangLab highlights a paradox: while the use of commoditized infrastructure (GitHub, Google Drive, Telegram) complicates traditional tracking, it also exposes useful metadata and introduces operational security challenges for the attackers themselves.
A Broader Pattern of Digital Repression
This RedKitten campaign is not an isolated incident but fits into a broader pattern of digital repression. Just weeks prior, U.K.-based Iranian activist and cyber espionage investigator Nariman Gharib exposed a related phishing scheme. This involved a link (“whatsapp-meeting.duckdns[.]org”) distributed via WhatsApp, designed to capture credentials through a fake WhatsApp Web login page. The attacker would serve a live QR code from their own WhatsApp Web session directly to the victim, tricking them into scanning it with their phone, thinking they’re joining a meeting, and compromising their account. Both RedKitten and Gharib’s findings underscore a concerted effort to monitor, disrupt, and compromise individuals and organizations critical of the Iranian regime.
The RedKitten campaign serves as a stark reminder of the evolving and increasingly sophisticated threats faced by human rights defenders globally. The blend of psychological manipulation, advanced malware, and the potential integration of AI tools demands heightened vigilance and robust cybersecurity measures from those working in sensitive areas.