French security firm HarfangLab published research on January 31, 2026, detailing an Iran-linked espionage campaign they call RedKitten. The operation targets human rights NGOs and activists documenting alleged human rights violations during Iran’s ongoing protests, using AI-generated Office macros and a previously unknown backdoor called SloppyMIO.
Campaign overview
| Attribute | Details |
|---|---|
| Campaign name | RedKitten |
| Discovery | HarfangLab (January 2026) |
| Samples obtained | January 23, 2026 |
| Analysis published | January 29, 2026 |
| Attribution | Iran-affiliated (moderate confidence) |
| Targets | Human rights NGOs, activists, Kurdish community |
| Estimated victims | 50+ individuals directly impacted |
| Initial access | Macro-enabled Excel documents |
| Backdoor | SloppyMIO |
| Notable technique | AI-generated (LLM) malware code |
Context: Iran’s 2025-2026 protests
The campaign coincides with nationwide unrest in Iran that began in late 2025 over soaring inflation, rising food prices, and currency depreciation. The government crackdown has resulted in mass casualties and internet blackouts.
| Factor | Impact on campaign |
|---|---|
| Mass protests | Creates pool of potential targets |
| Missing persons | Emotional manipulation opportunity |
| Diaspora activism | Expands target surface internationally |
| Documentation efforts | NGOs become high-value targets |
RedKitten specifically targets individuals seeking information about missing persons and protesters who died—exploiting emotional distress to increase phishing effectiveness.
Target profile
| Category | Targeted |
|---|---|
| Human rights NGOs | Yes |
| Activists documenting violations | Yes |
| Kurdish community | Particular focus |
| Academics | Yes |
| Government officials | Yes |
| Business leaders | Yes |
HarfangLab believes the intended targets are “non-governmental organizations and individuals involved in documenting recent human rights violations, as well as the horrendous level of violence demonstrated by the Iranian regime towards protesters.”
Attack chain
Phase 1: Initial access
| Step | Action |
|---|---|
| 1 | Victim receives 7-Zip archive with Farsi filename |
| 2 | Archive contains macro-enabled Excel documents (.XLSM) |
| 3 | Documents claim to list protesters who died in Tehran (December 22, 2025 - January 20, 2026) |
Phase 2: Payload delivery
| Step | Action |
|---|---|
| 1 | Macro executes when document is opened |
| 2 | VBA dropper writes C# source and configuration to disk |
| 3 | DLL compiled locally on victim system |
| 4 | AppDomainManager injection via legitimate Windows binary |
| 5 | SloppyMIO backdoor deployed |
| 6 | Persistence established via scheduled tasks |
AppDomainManager injection technique
The attack uses a sophisticated execution method:
| Step | Action |
|---|---|
| 1 | VBA macro writes malicious C# code to disk |
| 2 | Code compiled into DLL using local .NET compiler |
| 3 | Legitimate Windows binary (AppVStreamingUX.exe) targeted |
| 4 | DLL injected via AppDomainManager hijacking |
| 5 | Malicious code runs in context of trusted process |
This technique, previously observed in Tortoiseshell campaigns, makes detection more difficult because the malicious code runs within a legitimate Windows process.
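Because the hijack leaves a durable artifact on disk, a host-level check is one of the more reliable ways to catch it. The example below is an added illustration, not HarfangLab's tooling or a RedKitten artifact: it scans for `<host>.exe.config` files whose `<runtime>` element names a custom AppDomainManager (the documented `appDomainManagerAssembly` / `appDomainManagerType` settings), and escalates when the named assembly is not signed with a Microsoft public key token or sits next to the host binary. The sample configs, the hypothetical `UpdaterHelper` assembly name and the Microsoft key-token list are assumptions constructed for the demo; the environment-variable variant of the technique is not covered here.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Public key tokens of Microsoft-signed .NET framework assemblies (assumed
# list; extend as needed). A Windows-shipped host such as AppVStreamingUX.exe
# should not be loading a manager assembly signed with anything else, and an
# unsigned one shows up as PublicKeyToken=null.
MICROSOFT_PKT = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}


def parse_app_domain_manager(xml_text):
    """Return {'assembly': ..., 'type': ...} when the config's <runtime>
    element redirects the AppDomainManager, else {}. Malformed XML yields {}."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {}
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag == "appDomainManagerAssembly":
                found["assembly"] = child.get("value", "")
            elif child.tag == "appDomainManagerType":
                found["type"] = child.get("value", "")
    return found


def public_key_token(assembly_name):
    """Extract the 16-hex-digit PublicKeyToken from a full assembly name."""
    m = re.search(r"PublicKeyToken=([0-9a-fA-F]{16})", assembly_name)
    return m.group(1).lower() if m else None


def assess_config(path, xml_text):
    """Return (severity, message) findings for one <host>.exe.config file."""
    findings = []
    adm = parse_app_domain_manager(xml_text)
    if not adm:
        return findings
    host = os.path.basename(path)[: -len(".config")]
    assembly = adm.get("assembly", "")
    findings.append(("medium", f"{host}: config redirects AppDomainManager to "
                               f"'{assembly}' (type '{adm.get('type', '')}')"))
    pkt = public_key_token(assembly)
    if pkt not in MICROSOFT_PKT:
        findings.append(("high", f"{host}: manager assembly is not Microsoft-signed "
                                 f"(PublicKeyToken={pkt})"))
    # The hijack layout drops the manager DLL beside the host so that
    # simple-name binding resolves it from the application directory.
    simple_name = assembly.split(",")[0].strip()
    sibling = os.path.join(os.path.dirname(path), simple_name + ".dll")
    if simple_name and os.path.isfile(sibling):
        findings.append(("high", f"{host}: '{simple_name}.dll' present alongside the host binary"))
    return findings


def scan_directory(root_dir):
    """Walk root_dir and assess every *.exe.config found."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    results.extend(assess_config(p, fh.read()))
    return results


# Constructed sample configs for the demo (not real RedKitten artifacts).
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdaterHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdaterHelper.Manager" />
  </runtime>
</configuration>"""


def demo():
    """Build a throwaway directory with one benign and one hijacked config."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "Benign.exe.config"), "w") as fh:
            fh.write(BENIGN_CONFIG)
        with open(os.path.join(tmp, "AppVStreamingUX.exe.config"), "w") as fh:
            fh.write(HIJACK_CONFIG)
        with open(os.path.join(tmp, "UpdaterHelper.dll"), "wb") as fh:
            fh.write(b"MZ placeholder, not a real PE")
        return scan_directory(tmp)


if __name__ == "__main__":
    for severity, message in demo():
        print(f"[{severity}] {message}")
```

In production the scan would be pointed at `C:\Windows\System32` and other directories holding signed Microsoft binaries, and any hit on a file that Windows itself does not ship with a `.exe.config` is worth an immediate look; a benign custom manager does exist in some line-of-business software, which is why the bare redirect is only rated medium.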
Fabricated victim data
Analysis of the spreadsheet data revealed inconsistencies between ages and dates of birth, suggesting the victim lists were fabricated to maximize emotional manipulation. The attackers created believable-looking data about deceased protesters to entice targets into opening the documents.
AI-generated malware
HarfangLab’s analysts believe the macro code was generated using a large language model (LLM):
Evidence of AI involvement
| Indicator | Significance |
|---|---|
| Oddly named variables | Inconsistent with human coding patterns |
| Structured comments | Read like automated notes |
| Distinctive code patterns | Match AI-assisted output |
| Polymorphic variants | Each infection generates slightly different code |
| Overall VBA style | Characteristic of LLM generation |
Why AI-generated malware matters
| Factor | Impact |
|---|---|
| Rapid development | Accelerates malware creation |
| Polymorphism | Each variant evades signature detection |
| Lower barrier | Less skilled operators can produce functional malware |
| Detection challenges | Traditional signatures ineffective |
The use of AI accelerates malware development and creates variants that evade signature-based detection.
SloppyMIO backdoor
The name “SloppyMIO” reflects its messy, inconsistent code structure—likely a result of AI generation with limited human refinement.
Technical characteristics
| Attribute | Details |
|---|---|
| Language | C# |
| Configuration storage | GitHub Gists, Google Drive |
| Configuration method | Steganographic images |
| Payload retrieval | Google Drive (modular) |
| Command-and-control | Telegram Bot API |
| Persistence | Scheduled tasks |
| Traffic blending | All legitimate cloud services |
Capabilities
| Function | Description |
|---|---|
| Keylogging | Captures keystrokes on schedule |
| Screenshots | Periodic screen capture |
| Document harvesting | Filters by file extension and keywords |
| Credential theft | Targets Chrome and Firefox |
| Data exfiltration | Uploads to attacker-controlled Google Drive |
| Self-update | Fetches signed payloads from GitHub |
| Persistence | Scheduled tasks survive reboot |
| Modular design | Can fetch and cache multiple modules |
| Steganographic config | Extracts settings from images in GitHub Gists |
| Arbitrary commands | Execute remote instructions |
Infrastructure
| Component | Service | Purpose |
|---|---|---|
| Dead Drop Resolver | GitHub | Configuration retrieval |
| Payload hosting | GitHub | Signed module delivery |
| Configuration storage | Google Drive | Dynamic settings |
| Command-and-control | Telegram Bot API | Bidirectional communication |
| Exfiltration | Google Drive | Stolen data upload |
All traffic uses legitimate cloud services, blending with normal organizational traffic.
Attribution
HarfangLab links RedKitten to Iran-affiliated actors with moderate confidence:
| Evidence | Details |
|---|---|
| Farsi artifacts | Language strings in tooling |
| Infrastructure overlaps | Connections to known IRGC-linked clusters |
| Target selection | Diaspora monitoring consistent with Iranian intelligence priorities |
| Tactical similarities | Matches Tortoiseshell campaigns using malicious Excel documents |
| GitHub as DDR | Technique observed in Iranian clusters since 2022 |
| Telegram C2 | Consistent with Iranian APT TTPs |
“Kitten” acknowledgment
Researchers noted “tongue-in-cheek” use of kitten imagery in payloads—possibly acknowledging the cybersecurity community’s convention of naming Iran-linked groups with “Kitten” suffixes (Charming Kitten, Rocket Kitten, etc.).
Evasion techniques
| Technique | Purpose |
|---|---|
| Legitimate cloud services | C2 traffic blends with normal activity |
| Polymorphic code | Each infection looks different |
| Signed GitHub payloads | Appear legitimate to security tools |
| Scheduled task persistence | Standard Windows mechanism |
| Telegram C2 | Encrypted, difficult to inspect |
Detection challenges
Network-level detection is difficult because all malicious traffic flows through Google Drive, GitHub, and Telegram—services organizations typically allow.
| Service | Legitimate use | Malicious use |
|---|---|---|
| Google Drive | Document collaboration | Exfiltration, configuration |
| GitHub | Code hosting | Payload delivery, DDR |
| Telegram | Messaging | C2 communication |
Recommendations
For human rights organizations and NGOs
| Priority | Action |
|---|---|
| Critical | Disable macros from external documents by default |
| High | Monitor cloud service traffic for anomalies |
| High | Verify document sources—be suspicious of emotionally charged content |
| High | Implement EDR for behavioral detection |
| High | Brief staff on grant-themed and human rights-themed phishing lures |
| Medium | Use document preview rather than opening suspicious files |
Detection indicators
| Indicator | Meaning |
|---|---|
| Excel documents with Farsi filenames in 7-Zip archives | Initial access attempt |
| Macro execution followed by GitHub downloads | Payload retrieval |
| Telegram API connections from non-Telegram applications | C2 communication |
| Google Drive uploads from unexpected processes | Exfiltration |
| Scheduled tasks created by Office applications | Persistence mechanism |
For security teams
| Priority | Action |
|---|---|
| High | Monitor for GitHub API calls from Office processes |
| High | Alert on Telegram connections from non-standard applications |
| High | Review scheduled task creation from Office applications |
| Medium | Implement DLP for Google Drive uploads |
| Ongoing | Track Iran-linked APT TTPs |
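The two tables above (detection indicators and the security-team actions) translate fairly directly into telemetry rules. The script below is an added example, not HarfangLab's detection content: it runs a small rule set over process-creation and network-connection events and correlates an Office-spawned compiler or scheduler with a later GitHub fetch on the same host. The JSON-lines event schema, the sample events and the process allowlists are all constructed assumptions for the illustration; the host and process names mirror the campaign description above but are not real indicators.

```python
import json
from datetime import datetime, timedelta

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children an Office document has no business spawning: the .NET compiler
# (the VBA dropper compiles its C# locally), the task scheduler (persistence)
# and script hosts.
OFFICE_BAD_CHILDREN = {"csc.exe", "vbc.exe", "schtasks.exe", "powershell.exe",
                       "cmd.exe", "wscript.exe", "mshta.exe"}
TELEGRAM_HOSTS = {"api.telegram.org"}
GITHUB_HOSTS = {"github.com", "api.github.com", "gist.github.com",
                "raw.githubusercontent.com", "gist.githubusercontent.com"}
GDRIVE_HOSTS = {"drive.google.com", "www.googleapis.com"}
# Allowlists are assumptions; tune them to the software actually deployed.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
EXPECTED_TELEGRAM = {"telegram.exe"}
EXPECTED_GDRIVE = BROWSERS | {"googledrivefs.exe"}
MACRO_WINDOW = timedelta(minutes=30)


def basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def load_events(jsonl_text):
    return [json.loads(line) for line in jsonl_text.strip().splitlines() if line.strip()]


def triage(events):
    """Return (host, rule, detail) alerts. A github_fetch is upgraded to
    github_fetch_after_macro when an Office-spawned child preceded it on the
    same host within MACRO_WINDOW."""
    alerts = []
    first_office_child = {}  # host -> timestamp of first suspicious Office child
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host, image = ev["host"], basename(ev["image"])
        if ev["type"] == "ProcessCreate":
            parent = basename(ev.get("parent", ""))
            if parent in OFFICE and image in OFFICE_BAD_CHILDREN:
                alerts.append((host, "office_spawn", f"{parent} -> {image}: {ev.get('cmdline', '')}"))
                first_office_child.setdefault(host, ts)
        elif ev["type"] == "NetworkConnect":
            dest = ev["dest"].lower()
            if dest in TELEGRAM_HOSTS and image not in EXPECTED_TELEGRAM:
                alerts.append((host, "telegram_c2", f"{image} -> {dest}"))
            if dest in GITHUB_HOSTS and image not in BROWSERS:
                rule = "github_fetch"
                t0 = first_office_child.get(host)
                if t0 is not None and ts - t0 <= MACRO_WINDOW:
                    rule = "github_fetch_after_macro"
                alerts.append((host, rule, f"{image} -> {dest}"))
            if dest in GDRIVE_HOSTS and image not in EXPECTED_GDRIVE:
                alerts.append((host, "gdrive_unexpected_process", f"{image} -> {dest}"))
    return alerts


# Constructed sample telemetry (simplified Sysmon-like schema), not real logs.
SAMPLE_EVENTS = """
{"ts": "2026-01-23T09:00:00", "host": "WS01", "type": "ProcessCreate", "image": "C:/Program Files/Microsoft Office/root/Office16/EXCEL.EXE", "parent": "C:/Windows/explorer.exe", "cmdline": "EXCEL.EXE list.xlsm"}
{"ts": "2026-01-23T09:00:12", "host": "WS01", "type": "ProcessCreate", "image": "C:/Windows/Microsoft.NET/Framework64/v4.0.30319/csc.exe", "parent": "C:/Program Files/Microsoft Office/root/Office16/EXCEL.EXE", "cmdline": "csc.exe /target:library /out:helper.dll src.cs"}
{"ts": "2026-01-23T09:00:20", "host": "WS01", "type": "ProcessCreate", "image": "C:/Windows/System32/schtasks.exe", "parent": "C:/Program Files/Microsoft Office/root/Office16/EXCEL.EXE", "cmdline": "schtasks.exe /create /tn Updater /tr <dropped-loader>"}
{"ts": "2026-01-23T09:01:05", "host": "WS01", "type": "NetworkConnect", "image": "C:/Windows/System32/AppVStreamingUX.exe", "dest": "gist.github.com"}
{"ts": "2026-01-23T09:01:30", "host": "WS01", "type": "NetworkConnect", "image": "C:/Windows/System32/AppVStreamingUX.exe", "dest": "api.telegram.org"}
{"ts": "2026-01-23T09:02:00", "host": "WS01", "type": "NetworkConnect", "image": "C:/Windows/System32/AppVStreamingUX.exe", "dest": "www.googleapis.com"}
{"ts": "2026-01-23T09:05:00", "host": "WS01", "type": "NetworkConnect", "image": "C:/Program Files/Google/Chrome/Application/chrome.exe", "dest": "github.com"}
{"ts": "2026-01-23T09:06:00", "host": "WS02", "type": "NetworkConnect", "image": "C:/Users/dev/AppData/Roaming/Telegram Desktop/Telegram.exe", "dest": "api.telegram.org"}
{"ts": "2026-01-23T09:07:00", "host": "WS02", "type": "NetworkConnect", "image": "C:/Program Files/Git/cmd/git.exe", "dest": "github.com"}
"""

if __name__ == "__main__":
    for host, rule, detail in triage(load_events(SAMPLE_EVENTS)):
        print(f"{host:5} {rule:28} {detail}")
```

On the sample, WS01 produces the full chain (two Office-spawned children, a GitHub fetch flagged as post-macro, a Telegram connection and a Google Drive API connection from a process that should not be making either), while WS02's browser and Telegram Desktop traffic stays quiet and its `git.exe` fetch is reported only at the lower `github_fetch` level. The correlation step is what separates this campaign's pattern from ordinary developer activity; without it, GitHub traffic alone is too noisy to act on in most environments.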
Context
RedKitten demonstrates how state-sponsored actors exploit humanitarian crises to target the very people trying to document abuses. The use of AI-generated malware lowers the barrier for creating evasive, polymorphic code.
The campaign’s focus on the Kurdish community and human rights activists aligns with known Iranian intelligence priorities. The emotional manipulation tactics—using fabricated lists of deceased protesters—represent a particularly cynical exploitation of genuine human tragedy.
Organizations working on Iran-related human rights issues should assume they are targeted and implement defensive measures accordingly. The combination of AI-accelerated malware development, legitimate cloud infrastructure abuse, and emotional manipulation makes RedKitten a sophisticated and concerning threat.
Steganographic configuration
SloppyMIO uses an unusual configuration retrieval method:
| Step | Action |
|---|---|
| 1 | Implant queries GitHub Gist for image file |
| 2 | Image contains hidden configuration data |
| 3 | Steganographic extraction reveals C2 addresses |
| 4 | Modular payloads fetched from Google Drive |
| 5 | Configuration updated without pushing new malware |
This technique allows attackers to update C2 infrastructure without modifying the deployed malware, making detection and blocking more difficult.
Comparison to Tortoiseshell
RedKitten shares tactical similarities with previous Iranian campaigns:
| Technique | Tortoiseshell | RedKitten |
|---|---|---|
| Initial access | Malicious Excel | Malicious Excel |
| Injection method | AppDomainManager | AppDomainManager |
| C2 platform | Telegram | Telegram |
| Configuration | GitHub | GitHub Gists |
| Exfiltration | Cloud services | Google Drive |
| AI assistance | Unknown | Confirmed |
The overlap suggests either the same threat actor or shared tooling within the Iranian APT ecosystem.