Cyber Campaign Targeting Human Rights NGOs and Activists Linked to Iran's RedKitten
Jan 31
Background
The RedKitten cyber campaign is suspected to be linked to Iranian state interests and is targeting non-governmental organizations (NGOs) and individuals involved in documenting recent human rights abuses in Iran.
The campaign was observed by the French cybersecurity company HarfangLab in January 2026, coinciding with the nationwide unrest in Iran that began towards the end of 2025.
The unrest in Iran was sparked by soaring inflation, rising food prices, and currency depreciation, leading to a crackdown by the government and resulting in mass casualties and an internet blackout.
Technical Details
The attack vector is a 7-Zip archive with a Farsi filename that contains macro-laced Microsoft Excel documents.
The XLSM spreadsheets claim to include details about protesters who died in Tehran between December 22, 2025, and January 20, 2026, but they are actually used to deliver a malicious VBA macro.
The VBA macro functions as a dropper for a C#-based implant ("AppVStreamingUX_Multi_User.dll") by using a technique called AppDomainManager injection.
The VBA macro shows signs of being generated by a large language model (LLM) due to the overall style, variable names, methods, and presence of comments like "PART 5: Report the result and schedule if successful."
The attack is likely an effort to target individuals who are looking for information about missing persons, exploiting their emotional distress to trigger the infection chain.
Analysis of the spreadsheet data suggests it is fabricated, with mismatched ages and birthdates.
C2 and Capabilities
The backdoor, dubbed SloppyMIO, uses GitHub as a dead drop resolver to retrieve Google Drive URLs that host images from which its configuration is steganographically obtained.
The configuration includes details of the Telegram bot token, Telegram chat ID, and links staging various modules.
The malware supports five different modules: `cm` (execute commands using "cmd.exe"), `do` (collect files and create a ZIP archive), `up` (write a file to "%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\"), `pr` (create a scheduled task for persistence), and `ra` (start a process).
The malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and exfiltrate files, and deploy further malware with persistence via scheduled tasks.
SloppyMIO beacons status messages, polls for commands, and sends exfiltrated files over to a specified operator using the Telegram Bot API for command-and-control.
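The behaviours described in this section map onto host telemetry a defender can hunt for: a DLL written into the NativeImages drop path by something other than the .NET native-image service, a scheduled-task or cmd.exe launch descending from an Office process, and a non-browser process talking to the Telegram Bot API. The following detection sketch is an added example, not code from the report or from HarfangLab; the Sysmon-like records are constructed, and `host.exe` is a hypothetical placeholder for the .NET host process, which the report does not name.

```python
import ntpath

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
NGEN_WRITERS = {"ngen.exe", "mscorsvw.exe"}                # legitimate NativeImages writers
NATIVE_IMAGES = "\\microsoft\\clr_v4.0_32\\nativeimages\\"   # drop path used by the `up` module

# Constructed Sysmon-like records (not real telemetry); pid 4200 "host.exe" is a placeholder.
EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 900, "cmdline": "EXCEL.EXE list.xlsm",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "file_create", "pid": 4100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\u\AppData\Local\Microsoft\CLR_v4.0_32\NativeImages\AppVStreamingUX_Multi_User.dll"},
    {"type": "process_create", "pid": 4200, "ppid": 4100, "cmdline": "host.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\host.exe"},
    {"type": "process_create", "pid": 4300, "ppid": 4200, "cmdline": "schtasks.exe /create /tn Upd /tr host.exe",
     "image": r"C:\Windows\System32\schtasks.exe"},
    {"type": "network_connect", "pid": 4200, "image": r"C:\Users\u\AppData\Local\Temp\host.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network_connect", "pid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},          # benign: browser traffic
    {"type": "file_create", "pid": 700, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe",
     "target": r"C:\Users\u\AppData\Local\Microsoft\CLR_v4.0_32\NativeImages\System.ni.dll"},  # benign
]

def _name(path):
    return ntpath.basename(path).lower()

def _has_office_ancestor(pid, procs):
    """Walk the parent chain; True if any known ancestor is an Office process."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if _name(procs[pid]["image"]) in OFFICE:
            return True
        pid = procs[pid]["ppid"]
    return False

def detect(events):
    """Return (rule, pid, detail) tuples for the three SloppyMIO-style behaviours."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        img = _name(e["image"])
        if e["type"] == "file_create":
            tgt = e["target"].lower()
            if NATIVE_IMAGES in tgt and tgt.endswith(".dll") and img not in NGEN_WRITERS:
                hits.append(("dll_written_to_nativeimages", e["pid"], e["target"]))
        elif e["type"] == "process_create" and img in {"schtasks.exe", "cmd.exe"}:
            if _has_office_ancestor(e["ppid"], procs):      # covers the `pr` and `cm` modules
                hits.append(("office_descendant_" + img[:-4], e["pid"], e["cmdline"]))
        elif e["type"] == "network_connect" and e["dest_host"].lower() == "api.telegram.org":
            if img not in BROWSERS:
                hits.append(("telegram_bot_api_beacon", e["pid"], img))
    return hits
```

Against the constructed events, `detect(EVENTS)` yields three findings (the DLL drop from Excel, schtasks.exe descending from Excel, and the non-browser Telegram connection) and ignores the Chrome and mscorsvw.exe records.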
Attribution
The attribution to Iranian actors is based on the presence of Farsi artifacts, the lure themes, and tactical similarities with prior campaigns, including that of Tortoiseshell, which has leveraged malicious Excel documents to deliver malware using AppDomainManager injection.
The attackers' choice of GitHub as a dead drop resolver is also not without precedent, as seen in a campaign undertaken by a sub-cluster of an Iranian nation-state group known as Nemesis Kitten that used GitHub to deliver a backdoor referred to as Drokbk.
The growing adoption of artificial intelligence (AI) tools by adversaries, including the use of LLMs, complicates attribution and makes it harder for defenders to distinguish one actor from another.
Operational Security Challenges
The threat actor's reliance on commoditized infrastructure (GitHub, Google Drive, and Telegram) hinders traditional infrastructure-based tracking but paradoxically exposes useful metadata and poses other operational security challenges to the threat actor.
Additional Context
The development comes a couple of weeks after U.K.-based Iranian activist and independent cyber espionage investigator Nariman Gharib revealed details of a phishing link that's distributed via WhatsApp and captures victims' credentials by displaying a fake WhatsApp Web login page.
Sources
https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html
https://x.com/TheCyberSecHub/status/2017578256854356027
https://www.reddit.com/r/SecOpsDaily/comments/1qs1sbp/iranlinked_redkitten_cyber_campaign_targets_human/
https://www.socdefenders.ai/item/d5573f33-47b9-42d7-9663-c2338439b3fb