Iranian Cyber Group RedKitten Targets Human Rights NGOs and Activists
In January 2026, cybersecurity researchers identified a sophisticated cyber espionage campaign attributed to a Farsi-speaking threat actor, dubbed RedKitten. This group has been actively targeting non-governmental organizations (NGOs) and individuals involved in documenting human rights abuses in Iran. The campaign coincides with widespread unrest in Iran that began in late 2025, driven by economic hardships such as soaring inflation, rising food prices, and currency depreciation. The government’s response to these protests has been severe, resulting in numerous casualties and an internet blackout.
Attack Methodology
RedKitten employs a multi-faceted approach to infiltrate target systems:
1. Initial Infection Vector: The attack begins with a 7-Zip archive bearing a Farsi filename, containing macro-enabled Microsoft Excel documents. These documents purport to list details about protesters who died in Tehran between December 22, 2025, and January 20, 2026. However, the data within these spreadsheets is fabricated, featuring inconsistencies such as mismatched ages and birthdates.
2. Malicious Macros: Embedded within the Excel files are VBA macros that, when enabled, act as droppers for a C#-based implant named AppVStreamingUX_Multi_User.dll. The macros utilize AppDomainManager injection to execute the payload. Notably, the style and structure of the VBA code, including variable names and method usage, suggest that large language models (LLMs) may have been employed in their generation.
3. Backdoor Deployment: The primary payload, dubbed SloppyMIO, is a backdoor that leverages GitHub as a dead drop resolver to retrieve Google Drive URLs. These URLs host images containing steganographically embedded configuration data, such as Telegram bot tokens and chat IDs. This setup enables the malware to establish command-and-control (C2) communication via Telegram.
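The AppDomainManager technique in step 2 abuses a documented CLR feature that legitimate software almost never uses, which makes it a good hunting target. The script below is an added example (not code from the report, the researchers, or the malware) that scans collected host artifacts for the two places the CLR reads the override from: the appDomainManagerAssembly / appDomainManagerType elements of an application config file, and the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables. The executable path, the file listing, the environment dump and the type name AppVStreamingUX.Manager are constructed; only the DLL name comes from the report, which does not say which of the two override points the macros used.

```python
"""Hunt for AppDomainManager injection artifacts on a Windows host.

Any .NET executable can be made to load an attacker-controlled assembly before
its own code runs if the CLR finds an AppDomainManager override, either in the
executable's <name>.exe.config:
    <configuration><runtime>
      <appDomainManagerAssembly value="Evil, Version=1.0.0.0, ..." />
      <appDomainManagerType value="Evil.Loader" />
    </runtime></configuration>
or in the process environment (APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE).
This scanner works on collected artifacts (config text, a file listing, an
environment dump) so it runs offline; wiring it to live collection is up to you.
"""
import ntpath
import xml.etree.ElementTree as ET

ENV_OVERRIDES = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def simple_name(display_name: str) -> str:
    """'Foo, Version=1.0.0.0, Culture=neutral' -> 'Foo'."""
    return display_name.split(",", 1)[0].strip()


def scan_config(exe_path: str, config_xml: str, files_on_disk: set):
    """Findings for one <exe>.config document.

    files_on_disk is a set of lower-cased full paths collected from the host; it
    is used to confirm whether the named assembly sits next to the executable,
    the usual placement because the loader probes the application directory.
    """
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return [{"exe": exe_path, "reason": f"unparseable config: {exc}"}]
    runtime = root.find("runtime")
    if runtime is None:
        return []
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return []
    asm_value = asm.get("value", "") if asm is not None else ""
    sidecar = ""
    if asm_value:
        sidecar = ntpath.join(ntpath.dirname(exe_path), simple_name(asm_value) + ".dll").lower()
    return [{
        "exe": exe_path,
        "assembly": asm_value,
        "type": typ.get("value", "") if typ is not None else "",
        "sidecar_dll_present": sidecar in files_on_disk,
        "user_writable_dir": any(h in exe_path.lower() for h in USER_WRITABLE_HINTS),
        "reason": "AppDomainManager override in application config",
    }]


def scan_environment(env: dict):
    """Findings for a captured process environment (e.g. from an EDR process dump)."""
    return [
        {"variable": k, "value": v, "reason": "AppDomainManager override via environment"}
        for k, v in env.items() if k.upper() in ENV_OVERRIDES
    ]


# --- constructed sample artifacts (not real IoCs) ------------------------------
SAMPLE_EXE = r"C:\Users\victim\AppData\Local\Temp\Report\host.exe"
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="AppVStreamingUX.Manager" />
  </runtime>
</configuration>"""
SAMPLE_FILES = {
    SAMPLE_EXE.lower(),
    (SAMPLE_EXE + ".config").lower(),
    r"C:\Users\victim\AppData\Local\Temp\Report\AppVStreamingUX_Multi_User.dll".lower(),
}
SAMPLE_ENV = {"PATH": r"C:\Windows", "APPDOMAIN_MANAGER_ASM": "AppVStreamingUX_Multi_User"}

if __name__ == "__main__":
    for finding in scan_config(SAMPLE_EXE, SAMPLE_CONFIG, SAMPLE_FILES) + scan_environment(SAMPLE_ENV):
        print(finding)
```

Both signals are worth alerting on individually; the sidecar-DLL and user-writable-directory fields only help an analyst rank the hits, since a config override pointing at a DLL that is not on disk is a failed or cleaned-up attempt rather than a running implant.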
Capabilities of SloppyMIO
SloppyMIO is designed with modular functionality, allowing it to perform various malicious activities:
– Command Execution: The cm module enables the execution of commands using cmd.exe.
– Data Exfiltration: The do module collects files from the compromised host, creating a ZIP archive for each file that fits within Telegram's Bot API file-size limit.
– File Deployment: The up module writes files to a specific directory, with the file data encoded within images fetched via the Telegram API.
– Persistence Mechanism: The pr module creates scheduled tasks to ensure the malware’s persistence, executing an executable every two hours.
– Process Management: The ra module initiates processes on the infected system.
Additionally, SloppyMIO can communicate with a C2 server to receive further instructions, such as downloading additional modules, executing commands, and launching processes. It transmits status messages and exfiltrated data to the operator via the Telegram Bot API.
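SloppyMIO's Telegram C2 channel and its two-hourly scheduled task both leave artifacts a defender can check without a malware sample. The script below is an added example, not from the report or the analysts, that scans proxy log lines for Telegram Bot API calls and reports them with the bot token redacted, and that parses an exported Task Scheduler XML definition and flags a short repetition interval that launches a binary from a user-writable directory. The log format, hostnames, process names, token values and task definition are constructed; the token-length bound and the allowlist of browser processes are assumptions to tune for your own environment.

```python
"""Triage helpers for two SloppyMIO behaviours: C2 over the Telegram Bot API
and a scheduled task that re-runs a payload every two hours. Operates on
collected artifacts (proxy log lines, exported task XML) so it runs offline."""
import re
import xml.etree.ElementTree as ET

# Bot API requests carry the bot token in the URL path:
#   https://api.telegram.org/bot<numeric id>:<secret>/<method>
# The secret-length bound is a heuristic (assumption) based on public examples.
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,})/(\w+)")
# What a bot-driven implant needs: poll for tasking, report, upload, fetch files.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "getFile"}
# Browsers may hit the Bot API when someone tests a bot; the Telegram desktop
# client uses MTProto rather than the Bot API, so any other process is worth a look.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def redact_token(bot_id: str, secret: str) -> str:
    """The token is a live credential: never copy it whole into a ticket or SIEM."""
    return f"{bot_id}:{secret[:4]}...({len(secret)} chars)"


def find_telegram_c2(log_lines):
    """One finding per line that hits the Bot API.
    Expects fields '<timestamp> <host> <process> <url>' (constructed format)."""
    findings = []
    for line in log_lines:
        m = TELEGRAM_RE.search(line)
        if not m:
            continue
        bot_id, secret, method = m.groups()
        fields = line.split()
        findings.append({
            "host": fields[1],
            "process": fields[2],
            "method": method,
            "token": redact_token(bot_id, secret),
            "suspicious": method in C2_METHODS and fields[2].lower() not in EXPECTED_CLIENTS,
        })
    return findings


TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def interval_seconds(iso: str):
    """Parse the ISO 8601 durations Task Scheduler uses (PT2H, P1D, PT30M ...)."""
    m = ISO_DURATION.match(iso)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def check_task(task_xml: str, max_hours: float = 4):
    """Flag a task that repeats at least every max_hours AND launches a binary
    from a user-writable path; either property alone is common in benign software."""
    root = ET.fromstring(task_xml)
    commands = [(e.text or "").strip()
                for e in root.iterfind(".//t:Exec/t:Command", namespaces=TASK_NS)]
    intervals = [interval_seconds((e.text or "").strip())
                 for e in root.iterfind(".//t:Repetition/t:Interval", namespaces=TASK_NS)]
    shortest = min((i for i in intervals if i is not None), default=None)
    writable = any(h in c.lower() for c in commands for h in USER_WRITABLE_HINTS)
    return {
        "commands": commands,
        "shortest_interval_s": shortest,
        "suspicious": shortest is not None and shortest <= max_hours * 3600 and writable,
    }


# --- constructed sample artifacts (not real IoCs) ------------------------------
SAMPLE_LOG = [
    "2026-01-21T09:02:11Z WS-042 svchost.exe https://api.telegram.org/bot7654321098:EXAMPLEtokenEXAMPLEtokenEXAMPLE0123456/getUpdates?offset=1",
    "2026-01-21T09:03:40Z WS-042 svchost.exe https://api.telegram.org/bot7654321098:EXAMPLEtokenEXAMPLEtokenEXAMPLE0123456/sendDocument",
    "2026-01-21T09:05:02Z WS-017 msedge.exe https://api.telegram.org/bot1122334455:CONSTRUCTEDsecretCONSTRUCTEDsecret01/getMe",
    "2026-01-21T09:06:00Z WS-042 chrome.exe https://docs.google.com/",
]
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2H</Interval></Repetition>
      <StartBoundary>2026-01-21T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\Update\svc.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in find_telegram_c2(SAMPLE_LOG):
        print(finding)
    print(check_task(SAMPLE_TASK))
```

In an environment where Telegram is not a sanctioned tool, the simplest control is to block api.telegram.org at the proxy and alert on any attempt; the redacted token in the finding is still useful, because the same bot id recurring across hosts ties them to one operator.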
Attribution and Implications
Several indicators point to Iranian state-sponsored actors as the perpetrators of this campaign:
– Language Artifacts: The presence of Farsi in the filenames and code comments suggests involvement of Iranian operatives.
– Target Selection: The focus on NGOs and activists documenting human rights abuses aligns with the interests of Iranian state actors seeking to suppress dissent and monitor opposition.
– Tactical Similarities: The use of malicious Excel documents and AppDomainManager injection mirrors techniques previously employed by Iranian groups such as Tortoiseshell.
This campaign underscores the evolving tactics of Iranian cyber actors, who are increasingly integrating advanced technologies like LLMs into their operations. By exploiting the emotional distress of individuals seeking information about missing persons, RedKitten effectively lures victims into enabling malicious macros, thereby compromising their systems.
Recommendations for Mitigation
To defend against such sophisticated threats, organizations and individuals should adopt the following measures:
– Exercise Caution with Email Attachments: Be wary of unsolicited emails containing attachments, especially those claiming to provide sensitive information.
– Disable Macros by Default: Configure Microsoft Office applications to disable macros and only enable them when absolutely necessary and from trusted sources.
– Implement Multi-Factor Authentication (MFA): Enhance account security by requiring multiple forms of verification.
– Regular Software Updates: Keep all software and operating systems up to date to patch known vulnerabilities.
– User Education: Conduct regular training sessions to educate users about phishing tactics and the importance of cybersecurity hygiene.
By remaining vigilant and implementing robust security practices, organizations and individuals can better protect themselves against the evolving landscape of cyber threats posed by state-sponsored actors like RedKitten.