Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists

A suspected Farsi-speaking threat actor aligned with Iranian state interests is believed to be behind a recent campaign targeting non-governmental organizations and individuals involved in documenting human rights abuses.

The campaign, named RedKitten, coincides with nationwide unrest in Iran over economic grievances that began in late 2025 and has led to mass casualties and an internet blackout.

The malware used in the campaign relies on GitHub and Google Drive for configuration and uses Telegram for command-and-control, according to HarfangLab.

The campaign is notable for its use of large language models to orchestrate the attack, which starts with a malicious 7-Zip archive containing macro-laced Excel documents.

The malicious Excel documents contain a VBA macro that acts as a dropper for a C#-based implant, utilizing an AppDomainManager injection technique.
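One way defenders can hunt for the AppDomainManager injection artifacts named above is to inspect .NET application config files and process environments for the CLR settings that redirect AppDomain creation to an arbitrary managed assembly. The script below is an added example, not code from HarfangLab or the RedKitten report; the `ImplantLoader` assembly and type names in the constructed sample are placeholders.

```python
# Added example: hunt for AppDomainManager injection artifacts.
# Not from the article or HarfangLab; names in SAMPLE_CONFIG are placeholders.
import os
import xml.etree.ElementTree as ET

# Documented <runtime> elements that make the CLR load a chosen assembly and
# type as the AppDomainManager before the host application's Main() runs.
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# Equivalent per-process environment overrides for the same mechanism.
SUSPECT_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_Version")


def check_config_xml(xml_text):
    """Return {element: value} for any AppDomainManager redirection found, else {}."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {}
    runtime = root.find("runtime")
    if runtime is None:
        return {}
    return {e.tag: e.get("value", "") for e in runtime if e.tag in SUSPECT_ELEMENTS}


def check_environment(env):
    """Return the subset of a mapping of environment variables that sets overrides."""
    return {k: v for k, v in env.items() if k in SUSPECT_ENV_VARS}


def scan_directory(path):
    """Return {config_path: findings} for every *.exe.config under path that redirects."""
    hits = {}
    for dirpath, _, files in os.walk(path):
        for name in files:
            if name.lower().endswith(".exe.config"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings = check_config_xml(fh.read())
                if findings:
                    hits[full] = findings
    return hits


# Constructed sample config mimicking the technique (placeholder names).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ImplantLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ImplantLoader.Entry" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    print(check_config_xml(SAMPLE_CONFIG))
    print(check_environment(os.environ))
```

A hit on either check is not proof of compromise on its own, since legitimate hosts can set these values, but a signed trusted binary pointing at an unsigned assembly in a user-writable directory is the pattern worth triaging.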

The attack targets individuals seeking information about missing persons, exploiting their emotions to trigger the infection chain.

The backdoor, named SloppyMIO, uses GitHub as a dead drop resolver to retrieve configuration details and modules from Google Drive. It can execute commands, collect files, create persistence, and communicate with a C2 server via Telegram.

Attribution to Iranian actors is based on Farsi artifacts, lure themes, and similarities with previous campaigns.

The use of commoditized infrastructure such as GitHub, Google Drive, and Telegram poses challenges for tracking the threat actor.

Recently, Iranian activists uncovered a phishing campaign targeting WhatsApp and Gmail users, impacting various individuals including government officials.

The findings come after a leak exposing the inner workings of the Iranian hacking group Charming Kitten and its surveillance platform named Kashef.

In October 2025, a cybersecurity school founded by operatives of Iran’s MOIS was sanctioned for supporting MOIS operations.

The school confirmed a cyber attack leading to the leak of participant information, aimed at undermining its reputation.