Cybersecurity

Cyber: Iran-linked Redkitten Cyber Campaign Targets Human Rights Ngos And...

2026-01-31 0 views admin
Cyber: Iran-linked Redkitten Cyber Campaign Targets Human Rights Ngos And...

A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign targeting non-governmental organizations and individuals involved in documenting recent human rights abuses.

The activity, observed by HarfangLab in January 2026, has been codenamed RedKitten. It's said to coincide with the nationwide unrest in Iran that began towards the end of 2025, protesting soaring inflation, rising food prices, and currency depreciation. The ensuing crackdown has resulted in mass casualties and an internet blackout.

"The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command-and-control," the French cybersecurity company said.

What makes the campaign noteworthy is the threat actor's likely reliance on large language models (LLMs) to build and orchestrate the necessary tooling. The starting point of the attack is a 7-Zip archive with a Farsi filename that contains macro-laced Microsoft Excel documents.

The XLSM spreadsheets claim to include details about protesters who died in Tehran between December 22, 2025, and January 20, 2026. But embedded within each of them is a malicious VBA macro, which, when enabled, functions as a dropper for a C#-based implant ("AppVStreamingUX_Multi_User.dll") by means of a technique called AppDomainManager injection.

The VBA macro, for its part, shows signs of being generated by an LLM due to the "overall style of the VBA code, the variable names and methods" used, as well as the presence of comments like "PART 5: Report the result and schedule if successful."

The attack is likely an effort to target individuals who are looking for information about missing persons, exploiting their emotional distress to provoke a false sense of urgency and trigger the infection chain. Analysis of the spreadsheet data, such as mismatched ages and birthdates, suggests it's fabricated.

The backdoor, dubbed SloppyMIO, uses GitHub as a dead drop resolver to retrieve Google Drive URLs that host images from which its configuration is steganographically obtained, including details of the Telegram bot token, Telegram chat ID, and links staging various modules. As many as five different modules are supported -

In addition, the malware is capable of contacting a command-and-control (C2) server to beacon to the configured Telegram chat ID, receiving additional instructions and sending the results back to the operator:

"The malware can fetch and cache m

Source: The Hacker News

🏷️ Tags

cybersecuritysecuritymalwareattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views