Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs

Nation-state cyber operations increasingly blur the line between espionage, psychological manipulation, and digital repression. A newly uncovered campaign—tracked as RedKitten—highlights this convergence, targeting human rights organizations, activists, and individuals documenting abuses in Iran.

Observed in January 2026 by HarfangLab, RedKitten appears aligned with Iranian state interests and coincides with nationwide unrest that erupted in late 2025 amid inflation, food shortages, and currency collapse. The campaign weaponizes emotionally charged lures, AI-assisted malware development, and legitimate cloud platforms to quietly compromise victims already under pressure.

This article breaks down:

  • How the RedKitten campaign works end-to-end
  • The malware tooling and command-and-control (C2) design
  • The role of large language models (LLMs) in modern cyber espionage
  • Attribution signals linking the activity to Iranian threat actors
  • Defensive guidance for NGOs, journalists, and security teams

What Is the RedKitten Cyber Campaign?

RedKitten is a suspected Iran-linked cyber espionage operation focused on surveillance, data exfiltration, and long-term access rather than disruptive attacks.

Key Characteristics

  • 🎯 Targets: Human rights NGOs, activists, researchers, journalists
  • 🌍 Geographic focus: Iran and diaspora communities
  • 🧠 Motivation: Intelligence gathering, monitoring dissent
  • 🛠️ Tradecraft: Social engineering, cloud-native malware, stealthy persistence

The campaign reflects a broader pattern among Iranian threat groups: low-cost infrastructure, plausible deniability, and high psychological leverage.


Attack Chain Overview: From Emotional Lure to Full Compromise

The RedKitten infection chain is designed to exploit trust and urgency, particularly among individuals searching for information about missing or deceased protesters.

Step 1: Weaponized Excel Lures

Victims receive a 7-Zip archive with a Farsi filename. Its contents include:

  • Macro-enabled Excel spreadsheets (.XLSM)
  • Claims of documenting protesters killed in Tehran
  • Date ranges spanning Dec 22, 2025 – Jan 20, 2026

Analysis reveals the data is fabricated, with mismatched ages and birthdates—indicating the lure’s sole purpose is infection.

Step 2: Malicious VBA Macros (Likely AI-Generated)

Once macros are enabled, a malicious VBA macro executes.

HarfangLab noted strong indicators of LLM-generated code, including:

  • Unnatural variable naming conventions
  • Modular structure with verbose comments
  • Comments such as: “PART 5: Report the result and schedule if successful”

This suggests attackers are using AI tools to accelerate malware development and obfuscate attribution.


Malware Delivery via AppDomainManager Injection

The macro acts as a dropper for a C# implant named:

AppVStreamingUX_Multi_User.dll

Injection Technique: AppDomainManager Abuse

  • Leverages the .NET AppDomainManager mechanism
  • Executes malicious code during application initialization
  • Bypasses some traditional application control defenses

This technique has been previously observed in Iranian-linked campaigns, reinforcing attribution confidence.
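
A defender-side check for the injection mechanism described above, added here as an example (it is not HarfangLab's analysis code and not the campaign's tooling): it walks a directory tree for .NET Framework `*.exe.config` files whose `<runtime>` section registers an `appDomainManagerAssembly`/`appDomainManagerType`, notes whether a DLL of that name sits beside the executable, and checks the `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` environment variables that can set the same redirection per process. The allowlist, the sample configs and the `ConstructedManager` name are constructed for this example.

```python
"""Hunt for .NET AppDomainManager redirection on a host.

The .NET Framework lets an application's config file (or two environment
variables) name an assembly and type to load as the AppDomainManager before
the application's own code runs. This script flags such settings that point
outside an allowlist. Added example; not the report's or the campaign's code.
"""
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List, Mapping, Optional

# Constructed allowlist: assemblies your organisation knowingly registers as
# AppDomainManagers (a real list comes from software inventory).
KNOWN_GOOD_MANAGERS = {"Contoso.Hosting.Manager"}

# Real .NET Framework environment variable names for the same redirection.
ENV_ASM = "APPDOMAIN_MANAGER_ASM"
ENV_TYPE = "APPDOMAIN_MANAGER_TYPE"


@dataclass
class Finding:
    source: str                # path of the .exe.config, or "environment"
    assembly: str              # appDomainManagerAssembly value / ENV_ASM
    type_name: str             # appDomainManagerType value / ENV_TYPE
    sibling_dll_present: bool  # does "<assembly>.dll" sit next to the exe?


def simple_name(full_name: str) -> str:
    """'Name, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' -> 'Name'."""
    return full_name.split(",", 1)[0].strip()


def inspect_config(path: Path) -> Optional[Finding]:
    """Return a Finding if this .exe.config registers a non-allowlisted manager."""
    try:
        runtime = ET.parse(path).getroot().find("runtime")
    except ET.ParseError:
        return None  # malformed XML deserves its own log line in practice
    if runtime is None:
        return None
    asm_el = runtime.find("appDomainManagerAssembly")
    type_el = runtime.find("appDomainManagerType")
    if asm_el is None and type_el is None:
        return None
    asm = asm_el.get("value", "") if asm_el is not None else ""
    type_name = type_el.get("value", "") if type_el is not None else ""
    if simple_name(asm) in KNOWN_GOOD_MANAGERS:
        return None
    sibling = bool(asm) and (path.parent / f"{simple_name(asm)}.dll").exists()
    return Finding(str(path), asm, type_name, sibling)


def inspect_environment(env: Mapping[str, str]) -> Optional[Finding]:
    """Per-process redirection via environment variables, same allowlist."""
    asm = env.get(ENV_ASM, "")
    type_name = env.get(ENV_TYPE, "")
    if not asm and not type_name:
        return None
    if simple_name(asm) in KNOWN_GOOD_MANAGERS:
        return None
    return Finding("environment", asm, type_name, False)


def scan_tree(root: Path) -> List[Finding]:
    findings: List[Finding] = []
    for path in sorted(root.rglob("*.exe.config")):
        finding = inspect_config(path)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample configs: one plain, one allowlisted, one suspect.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
</configuration>"""

ALLOWLISTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Contoso.Hosting.Manager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Contoso.Hosting.Manager.Entry"/>
  </runtime>
</configuration>"""

SUSPECT_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ConstructedManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="ConstructedManager.Entry"/>
  </runtime>
</configuration>"""


def demo() -> List[Finding]:
    """Build a constructed directory tree and scan it; one finding is expected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "Benign.exe.config").write_text(BENIGN_CONFIG)
        (root / "tools" / "Hosted.exe.config").write_text(ALLOWLISTED_CONFIG)
        (root / "Suspect.exe.config").write_text(SUSPECT_CONFIG)
        (root / "ConstructedManager.dll").write_bytes(b"")  # stand-in for a planted DLL
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Run it against `C:\` (or any directory where user-writable executables live) in place of the temporary tree; a finding whose `sibling_dll_present` is true and whose assembly is not in inventory is the pattern worth escalating, since a legitimate AppDomainManager registration is rare outside hosting frameworks.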


SloppyMIO Backdoor: Modular, Cloud-Native, Stealthy

The implanted malware—dubbed SloppyMIO—is a modular backdoor designed for flexibility and persistence.

Cloud-Based Command-and-Control Design

SloppyMIO avoids traditional C2 infrastructure by abusing trusted services:

  • GitHub – Dead drop resolver
  • Google Drive – Hosts images containing steganographic configuration data
  • Telegram – Primary command-and-control channel via Bot API

This approach:

  • Evades domain-based blocking
  • Complicates attribution
  • Blends malicious traffic with normal cloud usage

SloppyMIO Supported Modules

SloppyMIO supports at least five functional modules, dynamically fetched and cached.

Module | Function | Impact
--- | --- | ---
cm | Execute commands via cmd.exe | Remote command execution
do | Collect files and ZIP them | Data exfiltration
up | Write files using image-encoded data | Payload deployment
pr | Create scheduled tasks | Persistence
ra | Start arbitrary processes | Malware execution

Additional C2 Commands

The malware also supports higher-level instructions:

  • download – Triggers file collection
  • cmd – Executes shell commands
  • runapp – Launches processes

All activity is reported back via Telegram chat IDs, enabling near real-time operator control.


Persistence and Surveillance Capabilities

SloppyMIO is designed for long-term access, not smash-and-grab theft.

Persistence Mechanism

  • Scheduled task execution every two hours
  • Survives reboots and user logouts

Surveillance Implications

Combined with file collection and command execution, this tooling supports:

  • Monitoring activist communications
  • Exfiltrating sensitive documentation
  • Deploying secondary malware

Attribution: Ties to Iranian Threat Actors

While no attribution is absolute, multiple indicators point toward Iran-aligned actors.

Attribution Signals

  • Farsi-language artifacts and filenames
  • Lure themes tied to Iranian protests
  • Use of Excel-based malware delivery
  • AppDomainManager injection technique

Historical Parallels

RedKitten shares similarities with known campaigns by:

  • Tortoiseshell – Excel-delivered IMAPLoader
  • Nemesis Kitten – GitHub-based backdoor delivery
  • Charming Kitten – Targeting activists and academics

These overlaps suggest shared tooling, training, or operational doctrine.


AI and LLMs: A Force Multiplier for Espionage

One of the most significant aspects of RedKitten is the apparent use of large language models.

Why This Matters

LLMs enable threat actors to:

  • Rapidly generate malware code
  • Reduce development errors
  • Obfuscate developer “fingerprints”
  • Scale operations with fewer skilled operators

For defenders, this means code style is no longer a reliable attribution signal.


Parallel Campaigns: WhatsApp and Gmail Phishing

RedKitten activity coincides with separate but related phishing campaigns targeting Iranian activists abroad.

WhatsApp Web Phishing via QR Codes

A phishing site impersonates WhatsApp Web and:

  • Serves a live QR code from the attacker’s session
  • Tricks victims into authenticating the attacker
  • Grants full access to the victim’s WhatsApp account

The page also requests permissions for:

  • Camera
  • Microphone
  • Geolocation

If granted, those permissions effectively turn the browser into a surveillance tool.

Gmail Credential Harvesting

Another phishing flow targets Gmail accounts, stealing:

  • Passwords
  • 2FA codes

Approximately 50 victims have been identified, spanning:

  • Kurdish community members
  • Academics
  • Government and business leaders

Broader Context: Iran’s Cyber Ecosystem and Human Capital

These findings follow major leaks involving Charming Kitten and revelations about Kashef, a surveillance platform linked to the IRGC.

They also intersect with disclosures around Ravin Academy, a sanctioned entity used to:

  • Train cybersecurity professionals
  • Vet and recruit talent
  • Indirectly support MOIS cyber operations

This outsourcing model allows Iranian intelligence to scale capability while maintaining plausible deniability.


Defensive Guidance: What NGOs and Security Teams Should Do

Immediate Mitigations

  • Disable Office macros by default
  • Block AppDomainManager abuse where possible
  • Restrict outbound access to Telegram where feasible

Detection Opportunities

  • Monitor for unusual Excel macro execution
  • Alert on scheduled task creation
  • Inspect outbound traffic to cloud services for anomalies
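
The persistence mechanism (a scheduled task repeating every two hours) and the three detection opportunities above, turned into runnable rules over constructed telemetry. This is an added example, not code from HarfangLab or the campaign; the records follow Sysmon (EventID 1 process create, EventID 3 network connect) and Windows Security (EventID 4698 scheduled task created) field conventions, but every value, hostname, process name and allowlist entry is invented for it, and the bot token in the proxy line is a placeholder.

```python
"""Detection rules for the behaviours described above, over constructed
endpoint and proxy telemetry (JSON lines). Added example, not report code."""
import json
import re
from typing import Dict, List, Optional

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe"}
# Services the report says SloppyMIO uses for dead-drop, staging and C2.
CLOUD_C2_HOSTS = {"api.telegram.org", "drive.google.com",
                  "github.com", "raw.githubusercontent.com"}
# Constructed allowlist: processes an organisation might expect on those hosts.
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                          "telegram.exe", "git.exe"}
# Telegram Bot API requests carry the bot token in the URL path.
BOT_API_RE = re.compile(
    r"^/bot\d{6,}:[A-Za-z0-9_-]{20,}/(getUpdates|sendMessage|sendDocument|getFile)")
INTERVAL_RE = re.compile(r"<Interval>PT(\d+)H</Interval>")  # hour-granular repeats only
COMMAND_RE = re.compile(r"<Command>([^<]+)</Command>")

Alert = Dict[str, str]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def alert(rule: str, severity: str, detail: str) -> Alert:
    return {"rule": rule, "severity": severity, "detail": detail}


def rule_office_child(ev: dict) -> Optional[Alert]:
    """Office applications should not normally spawn child processes."""
    if ev.get("EventID") != 1:
        return None
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent not in OFFICE_APPS:
        return None
    sev = "high" if child in SHELLS else "medium"
    return alert("office_spawned_child", sev, f"{parent} -> {child}: {ev.get('CommandLine', '')}")


def rule_task_created(ev: dict) -> Optional[Alert]:
    """Every new task is worth a look; a short repeat or a user-profile action raises severity."""
    if ev.get("EventID") != 4698:
        return None
    content = ev.get("TaskContent", "")
    m = INTERVAL_RE.search(content)
    hours = int(m.group(1)) if m else None
    c = COMMAND_RE.search(content)
    command = c.group(1) if c else ""
    user_path = "\\users\\" in command.lower() or "\\appdata\\" in command.lower()
    sev = "high" if (hours is not None and hours <= 2) or user_path else "medium"
    return alert("scheduled_task_created", sev,
                 f"{ev.get('TaskName')} every={hours}h command={command}")


def rule_cloud_from_unexpected(ev: dict) -> Optional[Alert]:
    """Trusted cloud hosts reached by a process that is not a known client."""
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    proc = basename(ev.get("Image", ""))
    if host in CLOUD_C2_HOSTS and proc not in EXPECTED_CLOUD_CLIENTS:
        return alert("cloud_c2_host_from_unexpected_process", "high", f"{proc} -> {host}")
    return None


def rule_bot_api_request(ev: dict) -> Optional[Alert]:
    """Bot API URL shape in proxy logs; report the method, never the token."""
    if ev.get("Source") != "proxy" or ev.get("Host", "").lower() != "api.telegram.org":
        return None
    path = ev.get("Path", "")
    if BOT_API_RE.match(path):
        return alert("telegram_bot_api_request", "high",
                     f"{ev.get('ClientIP')} {path.rsplit('/', 1)[-1]}")
    return None


RULES = [rule_office_child, rule_task_created, rule_cloud_from_unexpected, rule_bot_api_request]


def run_rules(jsonl: str) -> List[Alert]:
    alerts: List[Alert] = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        alerts.extend(a for a in (rule(ev) for rule in RULES) if a)
    return alerts


# Constructed sample telemetry: five records should alert, four should not.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "cmd.exe /c echo constructed", "User": "NGO\\analyst"}
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "EXCEL.EXE report.xlsx", "User": "NGO\\analyst"}
{"EventID": 4698, "SubjectUserName": "analyst", "TaskName": "\\Example\\Sync", "TaskContent": "<Task><Triggers><TimeTrigger><Repetition><Interval>PT2H</Interval></Repetition></TimeTrigger></Triggers><Actions><Exec><Command>C:\\Users\\analyst\\AppData\\Roaming\\Example\\host.exe</Command></Exec></Actions></Task>"}
{"EventID": 3, "Image": "C:\\Users\\analyst\\AppData\\Roaming\\Example\\host.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Users\\analyst\\AppData\\Roaming\\Example\\host.exe", "DestinationHostname": "drive.google.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "drive.google.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Users\\analyst\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443}
{"Source": "proxy", "ClientIP": "10.0.0.23", "Host": "api.telegram.org", "Path": "/bot0000000000:CONSTRUCTEDxTOKENxVALUExNOTxREAL/getUpdates"}
{"Source": "proxy", "ClientIP": "10.0.0.23", "Host": "api.telegram.org", "Path": "/"}
"""

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a)
```

The allowlist in `rule_cloud_from_unexpected` is the part that needs tuning per environment: the point of the rule is not that Telegram, Google Drive or GitHub traffic is bad, but that a process running out of a user profile directory has no business reaching them. Where outbound Telegram access is restricted (as recommended above), the proxy rule doubles as a check that the restriction holds.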

Strategic Recommendations

  • Apply zero trust principles to user endpoints
  • Conduct targeted phishing resilience training
  • Align incident response plans with NIST SP 800-61
  • Map activity to MITRE ATT&CK (TA0001, TA0002, TA0011)

Frequently Asked Questions (FAQs)

What is the RedKitten cyber campaign?

RedKitten is a suspected Iran-linked cyber espionage operation targeting NGOs and activists using malware-laced Excel documents.

How does RedKitten deliver malware?

Via macro-enabled Excel spreadsheets that drop a C# backdoor using AppDomainManager injection.

What makes this campaign unique?

Its use of AI-generated code, cloud-native C2 (GitHub, Google Drive, Telegram), and emotionally manipulative lures.

Is this ransomware?

No. The campaign focuses on surveillance, intelligence collection, and persistence.

Who is most at risk?

Human rights organizations, activists, journalists, researchers, and diaspora communities.


Conclusion

The RedKitten cyber campaign underscores how modern cyber espionage blends human vulnerability, AI-assisted tooling, and trusted platforms to suppress dissent and collect intelligence at scale.

For defenders, the lesson is clear:
Threats are no longer just technical—they’re psychological, contextual, and deeply human.

Organizations operating in sensitive political or humanitarian spaces must assume they are targets and design security programs accordingly.

👉 Next step: Conduct a targeted threat model for activist-facing workflows and reassess macro, cloud, and messaging platform exposure.
