In late January 2026, cybersecurity researchers uncovered a sophisticated cyber espionage campaign – which they’ve dubbed RedKitten – that appears to be targeting Iranian civil society organizations, activists, journalists, and individuals trying to collect or share information about human rights abuses during the mass protests in Iran known as the Dey 1404 protests.
Context and Threat Overview
The RedKitten operation leverages the humanitarian crisis unfolding in Iran as a social engineering hook to entice victims into running malicious software. The choice of lures, purported lists of deceased protesters, makes them especially effective against people seeking the truth about violent crackdowns.
Based on linguistic fingerprints and overlaps with known tactics, HarfangLab assesses with moderate confidence that the threat actor is a Farsi-speaking, Iran-aligned actor, though it cannot attribute the campaign to a single named group with certainty.
How the Attack Works (Infection Chain)
- Initial Payload – 7z Archive
  - The attack begins with a password-protected 7-Zip archive whose filename in Farsi translates to “Tehran Forensic Medical Files.”
  - This archive contains five macro-enabled Microsoft Excel spreadsheets (XLSM) intended to look like official lists of people who died during the protests.
- Macro Lures
  - These spreadsheets are written in Farsi and include tabs like Identity, Autopsy, Laboratory, Body Delivery, and Help.
  - The “Help” sheet encourages the user to enable macros, which is how the malicious code gets executed.
- Dropper Behavior (VBA Macro)
  - When macros are enabled, the embedded VBA code extracts the C# implant source and its configuration, both embedded inside the document, and writes them to disk.
  - It performs AppDomain Manager Injection by copying a legitimate Windows binary (e.g., AppVStreamingUX.exe) to a hidden folder and compiling a malicious DLL (AppVStreamingUX_Multi_User.dll) that loads the implant code.
  - A scheduled task named like MediaSyncTask### is created to ensure the malware runs on startup.
- Implant – SloppyMIO
  - The implant DLL, called SloppyMIO, is highly modular and unique each time it’s compiled, complicating detection.
Malware Capabilities
Once installed, SloppyMIO can:
- Retrieve configuration data hidden inside images using steganography. These images come from URLs listed in a GitHub Gist and contain encoded settings like Telegram bot tokens and module URLs.
- Download and run multiple modules from Google Drive or other cloud storage.
- Execute arbitrary system commands.
- Collect files and exfiltrate them back to the operators.
- Create persistence mechanisms via scheduled tasks or through module instructions.
- Communicate with operators using Telegram Bot API – sending status beacons and receiving commands over Telegram chats.
Because it relies on legitimate services (GitHub, Google Drive, Telegram) and hides its configuration inside ordinary-looking images, common network filters and signature-based tools may not spot this activity easily.
Indicators of Compromise (IOCs)
Here are known IOCs from the HarfangLab appendix that defenders can use to identify potential infections:
XLSM Document Hashes
d3bb28307d11214867c570fe594f773ba90195ed22b834bad038b62bf75a4192
c40c94d787f6a35ac1cb4c5f031cf5777b77c79dc3929181badea33aaf177aa7
59ee007fd17280470724eb8a11ab12a98e85fd2383af3065f5f09a7e1a73f88c
90aebc9849b659515fd70dde6db717ad457ab2a90522a410d1fd531ca8640624
96ee9d3ed80c59c4bf39ed630efbfa53591fbe51155db7919ef64535a6171044
SloppyMIO DLL and Samples
6d474cf5aeb58a60f2f7c4d47143cc5a11a5c7f17a6b43263723d337231c3d60
16164c83ce4786ab85aa3fc9566a317519e866ff6cad3fbd647f3e955b8a8255
36413af1a7c7dc9e49fdf465ebc5abc3b4bb6b33f1c5ccaa17ae5e0794b6faaa
6e1bb2c41500ee18bd55a2de04bb3d74bd5c5e8c45eaeef030c7c6ea661cc2db
ac0e045b6f3683315ef420971f382e167385e39023d118d023fa6989e35fadf6
d58e3617d759d46248718ac4dfb46535d73febffd17fad1fd8ab47ce08da2fb4
These hashes correspond to the malicious spreadsheets and the SloppyMIO DLLs compiled from the malware source code.
Detection and Mitigation Tips
Defenders and security teams should consider:
- Blocking or alerting on execution of signed binaries loading unexpected DLLs (like AppVStreamingUX.exe loading an unusual AppVStreamingUX_Multi_User.dll).
- Monitoring for creation of scheduled tasks with unusual names or times.
- Filtering downloaded files against the known XLSM hashes and flagged GitHub Gist URLs.
- Watching for telemetry hitting Telegram Bot APIs from internal hosts.
- Flagging hosts that extract data from images with steganographic signatures.
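To make the host-side tips above concrete, here is an added example (written for this summary, not code from HarfangLab) that runs four of them as rules over a few constructed Sysmon-style events: a known Windows binary loading a DLL from outside the Windows directory, a scheduled task matching the MediaSyncTask### naming, a connection to the Telegram Bot API host, and a SHA-256 match against the published IOC list. Event field names (Image, ImageLoaded, DestinationHostname, Hashes, TaskName) follow Sysmon and Security-log conventions, the task regex assumes "###" in the report stands for digits, and the sample records are invented for the demonstration.

```python
"""Toy detection pass for the RedKitten / SloppyMIO host artifacts.

Added example, not HarfangLab's code. Events are plain dicts standing in for
Sysmon (EventID 1/3/7) and Security-log (4698) records.
"""
import re
from pathlib import PureWindowsPath

# Two of the SHA-256 IOCs from the HarfangLab appendix (one XLSM, one SloppyMIO DLL).
IOC_SHA256 = {
    "d3bb28307d11214867c570fe594f773ba90195ed22b834bad038b62bf75a4192",
    "6d474cf5aeb58a60f2f7c4d47143cc5a11a5c7f17a6b43263723d337231c3d60",
}
# Windows binary abused for AppDomain Manager injection in this campaign.
ABUSED_BINARIES = {"appvstreamingux.exe"}
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
# Assumption: the report's "MediaSyncTask###" means a trailing run of digits.
TASK_NAME_RE = re.compile(r"^\\?MediaSyncTask\d+$", re.IGNORECASE)
TELEGRAM_API = "api.telegram.org"  # host serving the Telegram Bot API


def _under(path, root):
    """True if the Windows path lies inside root (case-insensitive prefix test)."""
    return str(PureWindowsPath(path)).lower().startswith(str(root).lower() + "\\")


def rule_sideloaded_windows_binary(ev):
    """Image load (7): an abused Windows binary running from, or loading a DLL from,
    a location outside C:\\Windows (the copy-to-hidden-folder pattern)."""
    if ev.get("EventID") != 7:
        return None
    image = PureWindowsPath(ev["Image"])
    if image.name.lower() not in ABUSED_BINARIES:
        return None
    dll = ev["ImageLoaded"]
    if not _under(ev["Image"], WINDOWS_DIR) or not _under(dll, WINDOWS_DIR):
        return f"{image.name} loaded {PureWindowsPath(dll).name} outside the Windows directory"
    return None


def rule_scheduled_task(ev):
    """Security 4698 (scheduled task created) whose name fits the campaign pattern."""
    if ev.get("EventID") == 4698 and TASK_NAME_RE.match(ev.get("TaskName", "")):
        return f"scheduled task {ev['TaskName']} matches MediaSyncTask### pattern"
    return None


def rule_telegram_beacon(ev):
    """Network connect (3) to the Telegram Bot API host from any process."""
    if ev.get("EventID") == 3 and ev.get("DestinationHostname", "").lower().endswith(TELEGRAM_API):
        return f"{PureWindowsPath(ev['Image']).name} connected to {TELEGRAM_API}"
    return None


def rule_ioc_hash(ev):
    """Process create (1) or image load (7) whose SHA256 is in the IOC list."""
    if ev.get("EventID") not in (1, 7):
        return None
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", ev.get("Hashes", ""))
    if m and m.group(1).lower() in IOC_SHA256:
        return f"known RedKitten hash {m.group(1)[:12]}..."
    return None


RULES = (rule_sideloaded_windows_binary, rule_scheduled_task, rule_telegram_beacon, rule_ioc_hash)


def scan(events):
    """Return (rule name, event index, message) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, i, msg))
    return hits


# CONSTRUCTED sample telemetry: two benign records, then three mimicking the chain.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\AppVStreamingUX.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "example.com"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\.hidden\AppVStreamingUX.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\.hidden\AppVStreamingUX_Multi_User.dll",
     "Hashes": "SHA256=6d474cf5aeb58a60f2f7c4d47143cc5a11a5c7f17a6b43263723d337231c3d60"},
    {"EventID": 4698, "TaskName": r"\MediaSyncTask417"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\.hidden\AppVStreamingUX.exe",
     "DestinationHostname": "api.telegram.org"},
]

if __name__ == "__main__":
    for rule_name, idx, msg in scan(SAMPLE_EVENTS):
        print(f"[{rule_name}] event {idx}: {msg}")
```

The benign records deliberately include the real binary loading a system DLL, so the side-loading rule keys on location rather than on the binary name alone; in production the same rules would read EVTX or SIEM output instead of the inline dicts, and the IOC set would hold the full hash list from the report.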
Attribution and Significance
While no definitive threat group has been publicly tied to RedKitten, the techniques and lure themes strongly resemble previous campaigns linked to Iranian state-aligned actors. The use of Farsi text inside macros and bot-related accounts strengthens this view, as does the consistent targeting of individuals interested in the protests.
Notably, HarfangLab also flagged traces of AI assistance in the malware’s code structure and comments, indicating that Large Language Models likely helped accelerate development.
