JAKARTA - A new cyber espionage campaign linked to Iranian state interests has been revealed targeting human rights non-governmental organizations (NGOs) as well as activists and individuals documenting recent alleged human rights violations in Iran. The campaign is called RedKitten.

The activity was detected by the French cybersecurity company HarfangLab in January 2026. The RedKitten campaign is said to coincide with the wave of national unrest in Iran that broke out in late 2025, triggered by soaring inflation, rising food prices, and the plummeting value of the currency. The security forces' crackdown on the protests is reported to have caused many casualties and widespread internet outages.

"This malware relies on GitHub and Google Drive for configuration and retrieval of modular payloads, and uses Telegram as a command-and-control medium," HarfangLab said in its report.

What makes this campaign stand out is the strong suspicion that the threat actor used large language models (LLMs) to build and orchestrate its entire attack apparatus. The attack starts from a 7-Zip archive with a Persian (Farsi) name containing an XLSM-formatted Microsoft Excel document that carries a malicious macro.

The spreadsheet claims to contain data on the protesters who were killed in Tehran between December 22, 2025, and January 20, 2026. However, it contains a malicious VBA macro that, when activated, serves as a dropper for a C#-based implant named AppVStreamingUX_Multi_User.dll, loaded using the AppDomainManager injection technique.
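AppDomainManager injection, the loading technique named above, works because a .NET Framework host process can be told to load an AppDomainManager from an arbitrary assembly. The following checks are an added example, not HarfangLab's or the article's code: they inspect the two places such an instruction can live, the host's .exe.config (an appDomainManagerAssembly/appDomainManagerType pair under runtime) and the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables, and then look for the named assembly next to the host executable, where the CLR probes for it. The config text, the manager type name, the host executable name and the directory listing are constructed; only the DLL name comes from the report.

```python
"""Checks for AppDomainManager injection, the technique the dropper above uses
to get its C# implant loaded by a legitimate .NET host process.

Added example, not HarfangLab's or the article's code. A .NET Framework host
can be told to load an AppDomainManager from an attacker-supplied assembly in
two ways: an <appDomainManagerAssembly>/<appDomainManagerType> pair under
<runtime> in the host's .exe.config, or the APPDOMAIN_MANAGER_ASM and
APPDOMAIN_MANAGER_TYPE environment variables. The CLR probes the application
base directory for the assembly's simple name, so the DLL is usually found next
to the host executable. Config text, type name and listing are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed .exe.config naming the DLL from the report; the type name is a placeholder.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Placeholder.ManagerType" />
  </runtime>
</configuration>"""

# Constructed benign config: only pins the runtime version.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""


def config_appdomain_manager(xml_text):
    """Return (assembly, type) if <runtime> names an AppDomainManager, else None."""
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None)


def env_appdomain_manager(environ):
    """Same check against a process environment block (dict of variable -> value)."""
    asm = environ.get("APPDOMAIN_MANAGER_ASM")
    typ = environ.get("APPDOMAIN_MANAGER_TYPE")
    return None if asm is None and typ is None else (asm, typ)


def assembly_simple_name(display_name):
    """'Name, Version=..., Culture=..., PublicKeyToken=...' -> 'Name'."""
    return display_name.split(",", 1)[0].strip()


def locate_manager_dll(display_name, app_base_files):
    """Return the DLL file name the CLR would probe for in the app base, if present."""
    wanted = assembly_simple_name(display_name).lower() + ".dll"
    for name in app_base_files:
        if name.lower() == wanted:
            return name
    return None


def scan_host(config_text, environ, app_base_files):
    """Combine both checks for one host process; returns a list of finding dicts."""
    findings = []
    for source, hit in (("config", config_appdomain_manager(config_text)),
                        ("environment", env_appdomain_manager(environ))):
        if hit is None:
            continue
        asm, typ = hit
        findings.append({
            "source": source,
            "assembly": asm,
            "type": typ,
            "dll_in_app_base": locate_manager_dll(asm, app_base_files) if asm else None,
        })
    return findings


if __name__ == "__main__":
    # Constructed directory listing; HOSTAPP_PLACEHOLDER stands in for the unnamed host .exe.
    listing = ["HOSTAPP_PLACEHOLDER.exe", "HOSTAPP_PLACEHOLDER.exe.config",
               "AppVStreamingUX_Multi_User.dll"]
    for finding in scan_host(SUSPICIOUS_CONFIG, {"PATH": "C:\\Windows"}, listing):
        print(finding)
```

A legitimate application almost never sets these values, so any hit is worth a look; the environment-variable form matters because it leaves the host's config file untouched and only shows up in the process's environment block or in the command that launched it.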

HarfangLab assessed that the VBA macro was most likely produced by an LLM. The indicators are the "overall style of the VBA code, the names of the variables and methods used", as well as the presence of structured comments such as "PART 5: Report the result and schedule if successful."

The attack is believed to have specifically targeted individuals who were looking for information on missing people, exploiting the emotional distress of the victims to create a false sense of urgency and trigger the infection chain. Analysis of the data in the spreadsheet, including inconsistencies between age and date of birth, suggests that the data were most likely fabricated.

The backdoor used in this campaign is named SloppyMIO. This malware uses GitHub as a dead drop resolver to obtain a Google Drive URL that hosts images in which the configuration is hidden steganographically. The configuration includes Telegram bot tokens, Telegram chat IDs, and links to various additional modules.

There are at least five supported modules: cm, which executes commands through cmd.exe; do, which collects files from the victim's system and archives them in ZIP format in accordance with the Telegram API size limit; up, which writes files carried in the image data to the %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\ directory; pr, which creates a scheduled task that maintains persistence by running the executable every two hours; and ra, which runs a new process.

In addition, this malware communicates with the command-and-control (C2) server by sending beacons to the configured Telegram chat ID, receiving additional instructions, and sending the results of execution back to the operator. Supported commands include download to run the do module, cmd to run the cm module, and runapp to launch a specific process.
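The behaviours described in the three paragraphs above (a process spawned from the Excel document, files written into the NativeImages directory, a scheduled task repeating every two hours, and Telegram Bot API traffic preceded by a GitHub or Google Drive fetch) are each visible in ordinary endpoint telemetry. The detector below is an added example, not HarfangLab's code or a published rule: it runs over constructed, Sysmon-style JSON events and scores a process by how many of those behaviours it exhibits. The event field names, the HOSTAPP_PLACEHOLDER.exe path and the PT2H interval encoding are assumptions; the directory and the Telegram host come from the report.

```python
"""Behavioural detection for the SloppyMIO tradecraft described above.

Added example, not HarfangLab's code or a published rule. It runs over
constructed, Sysmon-style JSON events (one object per line) and looks for the
behaviours the report names: a process spawned by Excel, a file written into
the CLR NativeImages directory, a scheduled task repeating every two hours, and
Telegram Bot API traffic from a process that is not a browser or messaging
client, preceded by a fetch from GitHub or Google Drive. Event field names and
the host executable path are assumptions.
"""
import json
import ntpath
from collections import defaultdict

# Indicators taken from the report: the drop directory and the C2 medium.
NATIVE_IMAGES_DIR = "\\microsoft\\clr_v4.0_32\\nativeimages\\"
TELEGRAM_API_HOST = "api.telegram.org"
# Commodity hosts used as dead-drop resolver and payload storage in the report.
DEAD_DROP_HOSTS = {"github.com", "raw.githubusercontent.com", "drive.google.com"}
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

# Constructed sample telemetry (not real logs). HOSTAPP_PLACEHOLDER.exe stands in
# for the unnamed .NET host; "PT2H" assumes the task's ISO 8601 interval is logged.
SAMPLE_EVENTS = r"""
{"type":"process_create","pid":4100,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","parent_pid":900}
{"type":"process_create","pid":4188,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\HOSTAPP_PLACEHOLDER.exe","parent_pid":4100}
{"type":"file_create","pid":4188,"target":"C:\\Users\\u\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\NativeImages\\AppVStreamingUX_Multi_User.dll"}
{"type":"network_connect","pid":4188,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\HOSTAPP_PLACEHOLDER.exe","dest_host":"raw.githubusercontent.com","dest_port":443}
{"type":"network_connect","pid":4188,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\HOSTAPP_PLACEHOLDER.exe","dest_host":"drive.google.com","dest_port":443}
{"type":"network_connect","pid":4188,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\HOSTAPP_PLACEHOLDER.exe","dest_host":"api.telegram.org","dest_port":443}
{"type":"task_register","pid":4188,"task_name":"\\UpdateCheck","repetition_interval":"PT2H","action":"C:\\Users\\u\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\NativeImages\\HOSTAPP_PLACEHOLDER.exe"}
{"type":"network_connect","pid":2200,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_host":"api.telegram.org","dest_port":443}
{"type":"process_create","pid":5000,"image":"C:\\Windows\\System32\\notepad.exe","parent_pid":900}
"""


def parse_events(text):
    """Parse newline-delimited JSON into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-case file name of a Windows image path."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid) findings for the behaviours named in the report."""
    findings = []
    office_pids = {e["pid"] for e in events
                   if e["type"] == "process_create" and image_name(e["image"]) in OFFICE_IMAGES}
    hosts_by_pid = defaultdict(list)
    for e in events:
        kind = e["type"]
        if kind == "process_create" and e.get("parent_pid") in office_pids:
            findings.append(("office_spawned_process", e["pid"]))
        elif kind == "file_create" and NATIVE_IMAGES_DIR in e["target"].lower():
            findings.append(("write_to_nativeimages_dir", e["pid"]))
        elif (kind == "task_register" and e.get("repetition_interval") == "PT2H"
              and "\\appdata\\local\\" in e.get("action", "").lower()):
            findings.append(("two_hourly_task_from_appdata", e["pid"]))
        elif kind == "network_connect":
            host = e["dest_host"].lower()
            hosts_by_pid[e["pid"]].append(host)
            if host == TELEGRAM_API_HOST and image_name(e["image"]) not in EXPECTED_TELEGRAM_CLIENTS:
                findings.append(("telegram_bot_api_from_unexpected_process", e["pid"]))
    # Dead-drop chain: one process fetches from GitHub/Drive and then talks to Telegram.
    for pid, hosts in hosts_by_pid.items():
        if DEAD_DROP_HOSTS.intersection(hosts) and TELEGRAM_API_HOST in hosts:
            findings.append(("dead_drop_then_telegram", pid))
    return findings


def triage(events, threshold=3):
    """Group rules by pid; return pids that match `threshold` or more distinct rules."""
    rules_by_pid = defaultdict(set)
    for rule, pid in detect(events):
        rules_by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in rules_by_pid.items() if len(rules) >= threshold}


if __name__ == "__main__":
    for pid, rules in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

Each rule on its own is noisy (browsers legitimately reach api.telegram.org, and Office spawns helper processes), which is why the triage step only surfaces a process that stacks several of them; the dead-drop-then-Telegram rule is the strongest single signal because it ties the report's configuration retrieval and C2 medium to one process.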

"This malware can retrieve and store multiple modules from remote storage, execute arbitrary commands, collect and export files, as well as spread additional malware with persistence through scheduled tasks," said HarfangLab. "SloppyMIO sends status messages, checks commands, and sends the stolen files to the operator by utilizing the Telegram Bot API as a command-and-control."

Attribution to an Iranian actor is based on the presence of Persian-language artifacts, the lure theme, and overlaps in tactics with previous campaigns. One of them is Tortoiseshell, which also used malicious Excel documents to spread IMAPLoader through the AppDomainManager injection technique.

The choice of GitHub as a dead drop resolver is also not new. At the end of 2022, Secureworks, which is now part of Sophos, revealed a campaign by a sub-cluster of the Iranian state-sponsored group Nemesis Kitten that used GitHub to distribute a backdoor called Drokbk.

This situation is further complicated by the increasing adoption of artificial intelligence tools by cybercriminals, which makes attribution and detection efforts increasingly difficult.

"The dependence of threat actors on commodity infrastructure such as GitHub, Google Drive, and Telegram hinders traditional infrastructure-based tracking, but paradoxically also opens up useful metadata and presents its own operational security challenges for actors," said HarfangLab.

This disclosure comes just weeks after British-based Iranian activist and independent cyber espionage researcher, Nariman Gharib, revealed another phishing campaign using the "whatsapp-meeting.duckdns[.]org" link. The link was spread via WhatsApp and tricked victims with a fake WhatsApp Web login page.

"This page checks the attacker's server every second via /api/p/{victim_id}/," explained Gharib. "This allows the attacker to present a QR code directly from their own WhatsApp Web session to the victim. When the target scans it with their phone, thinking they are joining a 'meeting', they are actually authenticating the attacker's browser session. The attacker then gains full access to the victim's WhatsApp account."

The phishing page also asks for browser permission to access the camera, microphone, and geographic location, so that it functions like a surveillance device capable of recording photos, audio, and the victim's position in real time. It is still not known for certain who is behind the campaign or what their main motive is.

TechCrunch journalist Zack Whittaker, who further traced this activity, said that the campaign also aimed to steal Gmail credentials by presenting fake Gmail login pages that collect passwords and two-factor authentication (2FA) codes. Around 50 people are reported to have been victims, including ordinary citizens from the Kurdish community, academics, government officials, businessmen, and other senior figures.

This finding comes shortly after another Iranian hacking group, Charming Kitten, suffered a major leak that revealed their organizational structure, internal workings, and key personnel. The leak also revealed the existence of a surveillance platform called Kashef - also known as Discoverer or Revealer - which is used to track Iranian and foreign citizens by combining data from various departments related to the Islamic Revolutionary Guard Corps (IRGC).

In October 2025, Gharib also released a database of 1,051 individuals who attended various training programs at Ravin Academy, a cybersecurity school founded in 2019 by two operators of the Iranian Ministry of Intelligence and Security (MOIS), Seyed Mojtaba Mostafavi and Farzin Karimi. The institution was sanctioned by the US Department of the Treasury in October 2022 for supporting and facilitating MOIS operations.

Ravin Academy is said to provide training in the fields of information security, threat hunting, red teaming, digital forensics, malware analysis, security audits, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, and security research.

In a statement on its official Telegram channel on October 22, 2025, Ravin Academy confirmed the data breach. It said that one of its online systems, hosted outside its internal network, was the target of a cyber attack, which resulted in the leaking of the usernames and phone numbers of some training participants. However, the academy claims that the attack was aimed at damaging its reputation and that most of the leaked data is invalid.

"This model allows MOIS to delegate the initial recruitment and screening process, while maintaining operational control through the direct relationship of its founders with the intelligence service," said Gharib. "This dual structure allows MOIS to develop human resources for cyber operations, while maintaining distance from direct attribution to the government."


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by AI, so the translation may still contain inaccuracies; please always treat the Indonesian version as our main language. (system supported by DigitalSiber.id)