AI-Powered Espionage: RedKitten Targeted NGOs and Activists During Iran Protest Crackdown

RedKitten Campaign – Detailed Incident Analysis

Date observed: January 2026
Threat actor: RedKitten (Farsi-speaking, politically motivated)
Primary region of impact: Human rights ecosystem linked to Iran


Executive Summary

In late January 2026, multiple human rights organizations and individual activists were targeted in a coordinated cyber-espionage campaign attributed to a Farsi-speaking threat actor known as RedKitten. The activity coincided directly with widespread protests that began in late 2025.

The campaign focused on surveillance, credential theft, and long-term access, rather than disruption. Victims were selected based on their involvement in documenting protests, detainee lists, evidence collection, and international advocacy.

The intrusions were low-noise, socially engineered, and persistent, relying more on deception than on advanced exploits. In several cases, compromised accounts were later used to target additional activists, expanding the campaign organically.


What Happened

Attackers sent carefully crafted, highly targeted emails to specific NGO staff members and activists. These emails were written in fluent, natural language and referenced real-world events, protest victims, and ongoing investigations.

The messages contained password-protected archive files with emotionally charged filenames referencing deceased protestors, missing persons, or urgent human-rights documentation. This approach increased the likelihood that recipients would open the files quickly and bypass caution.

When the archive was opened, the victim found a Microsoft Excel file. Upon opening the file, Excel prompted the user to enable macros, claiming this was required to view the full content. If the victim enabled macros, a hidden backdoor was installed on the system.

Once installed, attackers gained long-term remote access, allowing them to silently monitor activity, steal documents, and issue commands remotely. In several cases, access persisted for weeks or months before detection.

No software vulnerability or exploit was used. The breach relied entirely on social engineering and user interaction.


How the Attack Worked

1. Initial Access – Targeted Email Delivery

The attack began with highly selective spear-phishing emails. Targets were chosen individually, not in bulk.

Key characteristics of the emails:

  • Written in fluent Farsi with natural phrasing
  • Referenced real protest events and known victims
  • Matched the tone and urgency common in NGO communications
  • Often impersonated trusted contacts or partner organizations

Common email themes included:

  • Lists of deceased or detained protestors
  • Requests to review evidence before public release
  • Internal NGO coordination documents
  • Legal or advocacy material allegedly prepared for international bodies

Attachments were delivered as password-protected 7-Zip archives, with the password included in the email body. This effectively bypassed most email security systems, which could not inspect the contents of the encrypted archive.


2. Weaponized Attachment

Inside the archive was a single file:

  • Microsoft Excel macro-enabled workbook (.xlsm)
  • Filename written in Persian (Farsi)
  • Spreadsheet content designed to resemble legitimate protest-related data

When opened, Excel displayed its standard security warning asking the user to enable macros. The document claimed macros were required to decrypt or display the full dataset, and the visible spreadsheet content was intentionally incomplete or blurred to reinforce this claim.

Once macros were enabled, the malicious code executed automatically.


3. Macro Execution – LLM-Assisted VBA Code

The Excel document contained Visual Basic for Applications (VBA) macro code with multiple characteristics strongly suggesting assistance from an LLM rather than hand-written malware alone.

Observed characteristics:

  • Clean, modular code structure
  • Logical separation into stages
  • Descriptive, human-like comments
  • Consistent naming conventions
  • Minimal syntax or logic errors
  • No unnecessary obfuscation

The macro performed the following actions:

  1. Environment checks
    • Verified Windows version
    • Checked user permissions
    • Ensured execution in a non-sandboxed environment
  2. Payload preparation
    • Decoded embedded data stored as Base64-like strings
    • Reassembled the secondary payload in memory
  3. Payload deployment
    • Dropped a loader component to disk
    • Executed it silently using native Windows utilities

All activity occurred under the context of the logged-in user.


4. Payload Delivery – SloppyMIO Backdoor

The macro installed a custom .NET backdoor internally referred to as SloppyMIO.

SloppyMIO Characteristics

  • Written in C# (.NET)
  • Runs entirely in user space
  • No kernel access or exploit usage
  • Loaded via AppDomainManager injection
  • Designed to appear benign to static antivirus scans

The malware prioritized reliability and stealth over advanced evasion techniques. Its simplicity reduced crash risk and avoided behavior that would trigger automated defenses.


5. Command-and-Control Infrastructure

Once active, SloppyMIO established outbound communication using multiple legitimate cloud services, rather than a single command-and-control server.

Observed C2 channels included:

  • Telegram bots for real-time command execution
  • GitHub repositories (raw content) for configuration updates
  • Google Drive images containing steganographically hidden instructions

This approach provided several advantages:

  • Rapid infrastructure rotation
  • Blending malicious traffic into normal user activity
  • Avoiding reputation-based blocking
  • Reducing dependency on custom servers

Communication occurred over HTTPS, with small, periodic data transfers designed to look like normal background traffic.


6. Post-Compromise Activity

After access was established, attackers conducted long-term surveillance rather than immediate exploitation.

Capabilities observed:

  • Uploading and downloading files
  • Executing shell commands
  • Capturing screenshots
  • Collecting browser credentials and session data
  • Monitoring document creation and modification
  • Scheduling tasks for persistence

Data of interest included:

  • Human-rights investigation files
  • NGO internal communications
  • Protest evidence and media
  • Research notes and draft reports

There was no evidence of ransomware deployment, data destruction, or financial theft. The operation was focused entirely on intelligence collection.


Impacted Systems and Data

Impacted Targets

  • Human-rights NGOs
  • Journalists and independent researchers
  • Activists and organizers
  • Legal advocates and documentation teams

Impacted Assets

  • Individual Windows endpoints
  • Local and cloud-stored documents
  • Email and messaging communications
  • Research files and evidentiary material

What Was Not Impacted

  • No confirmed lateral movement to servers
  • No domain-wide compromise
  • No operational disruption or sabotage

Vulnerabilities Exploited

This campaign did not exploit:

  • Software vulnerabilities
  • Zero-day exploits
  • Misconfigured services

The only weaknesses exploited were human trust, emotional urgency, and routine workflow behavior.


Anti-Malware Evasion Techniques

  • Password-protected archives
  • Legitimate cloud platforms for C2
  • In-memory execution
  • Low-frequency network communication
  • Minimal on-disk artifacts
  • Avoidance of exploit-based techniques

Traditional antivirus and EDR tools were largely ineffective unless behavioral detection rules were in place.


Indicators of Compromise (IOCs)

File Artifacts

  • Excel files with:
    • .xlsm extension
    • Persian filenames
    • Embedded VBA macros
  • Dropped .NET executables located in:
    • %AppData%
    • %LocalAppData%
    • %Temp%
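The dropped-executable indicator above is easiest to hunt for with a check that does not depend on a hash: a PE file in a user-writable profile directory whose optional header carries a CLR runtime header (data directory 14) is a managed .NET binary, which is exactly what SloppyMIO is. The script below is an added example written for this report, not tooling from the original page or from the researchers who analysed the campaign. It parses only the PE header fields, and the constructed header-only test images it builds are assumptions for offline testing, not samples from the intrusion.

```python
import os
import struct
import tempfile

# Drop locations named in the report. expandvars leaves the %VAR% form
# untouched on non-Windows hosts, so missing roots are simply skipped.
DROP_ROOTS = [os.path.expandvars(p) for p in ("%AppData%", "%LocalAppData%", "%Temp%")]
PE_EXTS = (".exe", ".dll")
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header slot


def is_dotnet_pe(data):
    """True when the bytes start a PE image with a non-empty CLR header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return False
    opt = pe + 4 + 20                                      # after COFF header
    if opt + 2 > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32
        dirs = opt + 96
    elif magic == 0x20B:                                   # PE32+
        dirs = opt + 112
    else:
        return False
    entry = dirs + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    if entry + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def find_dotnet_files(roots):
    """Walk the given directories and return paths of managed PE files."""
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(PE_EXTS):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        head = f.read(4096)                # headers sit at the front
                except OSError:
                    continue
                if is_dotnet_pe(head):
                    hits.append(path)
    return hits


def build_minimal_pe(managed):
    """Constructed header-only PE32 image for testing; not a real binary."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, 0x2008, 72)
    return dos + b"PE\0\0" + coff + bytes(opt)


def demo_scan():
    """Write one managed and one native sample to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, managed in (("managed.exe", True), ("native.dll", False)):
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(build_minimal_pe(managed))
        return sorted(os.path.basename(p) for p in find_dotnet_files([tmp]))


if __name__ == "__main__":
    print("demo:", demo_scan())
    for path in find_dotnet_files(DROP_ROOTS):
        print("managed PE in user-writable path:", path)
```

Run it as-is on a Windows endpoint to list managed executables under the three profile directories; the output is a triage list, not a verdict, since legitimate per-user installers (chat clients, updaters) also drop .NET binaries there. Pair hits with the behavioral indicators below (creation time shortly after an Excel session, a scheduled task or run key pointing at the file) before escalating.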

Behavioral Indicators

  • Excel spawning:
    • powershell.exe
    • cmd.exe
    • mshta.exe
  • Scheduled tasks created shortly after Excel execution
  • Registry run keys modified by user-level processes

Network Indicators

  • Outbound connections to:
    • api.telegram.org
    • raw.githubusercontent.com
    • drive.google.com
  • Regular HTTPS beaconing intervals
  • Small, consistent data uploads

Detection & Threat Hunting Guidance

Email Security

  • Flag password-protected archives from external senders
  • Alert on protest-related lures outside known contact lists
  • Monitor unexpected Farsi-language attachments
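The three email-side checks above combine naturally into one mail-flow rule: an external sender, an archive attachment, and a password handed over in the body. The script below is an added example written for this report, not part of the original page or any vendor product. The sample message, the trusted-domain allow list and the verdict names are constructed assumptions; the password-keyword pattern covers English forms plus the Persian word for password (ramz) since the lures were written in Farsi.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

ARCHIVE_EXTS = (".7z", ".zip", ".rar")
# A password handed over in the body: English forms plus Persian "ramz"
# (رمز / رمز عبور). The separator set covers ASCII and full-width colons.
PASSWORD_RE = re.compile(r"(?i)(?:password|passcode|pwd|رمز(?:\s*عبور)?)\s*[:：=]\s*\S+")

# Constructed sample (not a real message from the campaign): an external
# sender, a password-protected 7-Zip attachment, and the password in the body.
SAMPLE_EML = b"""From: "Partner NGO" <contact@example.org>
To: analyst@example-ngo.test
Subject: Updated list of detained protestors
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached list before we publish it.
Password: Free2026

--b1
Content-Type: application/x-7z-compressed; name="list.7z"
Content-Disposition: attachment; filename="list.7z"
Content-Transfer-Encoding: base64

N3q8ryccAAQAAAAAAAAAAAAAAAAAAAAA
--b1--
"""


def sender_domain(msg):
    """Domain of the envelope-visible From address, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def archive_attachments(msg):
    """Filenames of attachments whose extension marks an archive container."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(ARCHIVE_EXTS):
            names.append(name)
    return names


def body_text(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def score_message(raw, trusted_domains):
    """Apply the external + archive + password-in-body heuristic."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    archives = archive_attachments(msg)
    password_in_body = bool(PASSWORD_RE.search(body_text(msg)))
    external = domain not in trusted_domains
    if external and archives and password_in_body:
        verdict = "quarantine"   # the full lure pattern from the report
    elif external and archives:
        verdict = "review"       # archive from outside, no password seen
    else:
        verdict = "allow"
    return {
        "sender_domain": domain,
        "external": external,
        "archives": archives,
        "password_in_body": password_in_body,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(score_message(SAMPLE_EML, {"example-ngo.test"}))
```

The allow list should be the organisation's own domains plus partners it actually exchanges archives with; a sender merely impersonating a partner's display name still lands outside it, which is the case the report describes. Because the archive is encrypted, this rule deliberately never tries to open it and decides on envelope and body features alone.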

Endpoint Detection

Suspicious Parent-Child Relationships

  • EXCEL.EXE → powershell.exe
  • EXCEL.EXE → cmd.exe
  • EXCEL.EXE → mshta.exe

Persistence Checks

  • Scheduled tasks created by user context
  • New registry run keys after document execution

Network Hunting

  • Non-browser systems making Telegram API calls
  • GitHub raw content access without developer activity
  • Google Drive image downloads followed by in-memory execution

Detection Logic

Rule Logic (EDR/SIEM)

IF process = EXCEL.EXE
AND child_process IN (powershell.exe, cmd.exe, mshta.exe)
AND external_network_connection = TRUE
THEN alert: Suspicious Macro-Based Execution
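The rule above, together with the persistence and network-hunting checks from the previous sections, can be expressed as three correlation functions over normalised endpoint telemetry. The code below is an added example written for this report, not a rule shipped by any EDR or SIEM vendor. The event schema (process, network and scheduled-task records with a timestamp, pid and image name), the internal DNS suffix, the browser list and the ten-minute persistence window are all assumptions; the sample events are constructed and are not from a real incident.

```python
from datetime import datetime, timedelta

# Child processes the report's rule names under EXCEL.EXE.
MACRO_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe"}
# Cloud services the report lists as C2 channels: normal for a browser,
# worth a look from any other process.
C2_HOSTS = {"api.telegram.org", "raw.githubusercontent.com", "drive.google.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed internal DNS suffix and persistence window; tune for your estate.
INTERNAL_SUFFIXES = (".corp.test",)
PERSISTENCE_WINDOW = timedelta(minutes=10)


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry from one host: a benign Excel session, then a
# macro-driven chain, then one browser and one non-browser cloud connection.
EVENTS = [
    {"t": ts("2026-01-20T09:00:00"), "type": "process", "pid": 100, "ppid": 1,
     "image": "excel.exe", "parent": "explorer.exe"},
    {"t": ts("2026-01-20T09:00:05"), "type": "network", "pid": 100,
     "image": "excel.exe", "dest": "officecdn.microsoft.com"},
    {"t": ts("2026-01-20T09:30:00"), "type": "process", "pid": 200, "ppid": 1,
     "image": "excel.exe", "parent": "explorer.exe"},
    {"t": ts("2026-01-20T09:30:40"), "type": "process", "pid": 201, "ppid": 200,
     "image": "powershell.exe", "parent": "excel.exe"},
    {"t": ts("2026-01-20T09:30:42"), "type": "network", "pid": 201,
     "image": "powershell.exe", "dest": "raw.githubusercontent.com"},
    {"t": ts("2026-01-20T09:33:00"), "type": "task", "pid": 201,
     "image": "powershell.exe", "task": "OfficeUpdateCheck"},
    {"t": ts("2026-01-20T10:15:00"), "type": "network", "pid": 300,
     "image": "chrome.exe", "dest": "drive.google.com"},
    {"t": ts("2026-01-20T10:20:00"), "type": "network", "pid": 310,
     "image": "updater.exe", "dest": "api.telegram.org"},
]


def is_external(dest):
    return not dest.lower().endswith(INTERNAL_SUFFIXES)


def excel_tree(events):
    """Pids of excel.exe processes and all their descendants (pids assumed
    unique within the sample; real telemetry needs pid plus start time)."""
    tree = set()
    for e in events:
        if e["type"] == "process" and (e["image"] == "excel.exe" or e["ppid"] in tree):
            tree.add(e["pid"])
    return tree


def macro_execution_alerts(events):
    """The report's rule: EXCEL.EXE spawns a scripting host that then
    connects outside the estate."""
    children = {e["pid"]: e for e in events
                if e["type"] == "process" and e["parent"] == "excel.exe"
                and e["image"] in MACRO_CHILDREN}
    return [("Suspicious Macro-Based Execution", children[e["pid"]]["image"], e["dest"])
            for e in events
            if e["type"] == "network" and e["pid"] in children and is_external(e["dest"])]


def persistence_alerts(events):
    """Scheduled task created by the Excel process tree shortly after launch."""
    tree = excel_tree(events)
    starts = [e["t"] for e in events if e["type"] == "process" and e["image"] == "excel.exe"]
    return [("Scheduled task after Excel macro", e["task"], e["image"])
            for e in events
            if e["type"] == "task" and e["pid"] in tree
            and any(timedelta(0) <= e["t"] - s <= PERSISTENCE_WINDOW for s in starts)]


def c2_service_alerts(events):
    """Non-browser process reaching one of the cloud services used as C2."""
    return [("Non-browser access to C2 cloud service", e["image"], e["dest"])
            for e in events
            if e["type"] == "network" and e["dest"] in C2_HOSTS
            and e["image"] not in BROWSERS]


def run_rules(events):
    return {"macro": macro_execution_alerts(events),
            "persistence": persistence_alerts(events),
            "c2": c2_service_alerts(events)}


if __name__ == "__main__":
    for rule, alerts in run_rules(EVENTS).items():
        for alert in alerts:
            print(rule, alert)
```

The first Excel session (pid 100) talks only to a Microsoft CDN and spawns nothing, so it produces no alert; the Chrome connection to Google Drive is suppressed by the browser allow list. The powershell.exe chain fires both the macro rule and the cloud-service rule, which is the overlap a responder wants, since either signal alone carries less confidence than the pair.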

Why This Matters

This campaign demonstrates that AI-assisted malware development has moved into real-world operations.

Attackers can now:

  • Produce cleaner, more reliable malware
  • Reduce development time and errors
  • Scale espionage campaigns without large teams

The technical complexity was moderate, but the discipline, targeting accuracy, and patience were high. The weakest link was not software — it was human behavior.

Defenders should expect more campaigns where trust and urgency are the primary attack surface.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.