A Persian-speaking threat actor linked to Iranian state interests is suspected of being behind a new campaign targeting NGOs and individuals involved in documenting recent human rights abuses.
The activity, observed by HarfangLab in January 2026, has been codenamed Red Kitten. It is said to coincide with the nationwide unrest in Iran that began in late 2025 in protest against rising inflation, rising food prices and currency depreciation. The ensuing crackdown resulted in mass casualties and an internet blackout.
“The malware relies on GitHub and Google Drive for configuration and modular payload recovery, and uses Telegram for command-and-control,” the French cybersecurity company said.
What makes the campaign notable is the threat actor’s potential reliance on large language models (LLMs) to create and orchestrate the necessary tooling. The starting point of the attack is a 7-Zip archive with a Persian file name that contains macro-laced Microsoft Excel documents.
The XLSM spreadsheet claims to contain details about protesters killed in Tehran between December 22, 2025, and January 20, 2026. But embedded within each of them is a malicious VBA macro that, when enabled, acts as a dropper for a C#-based implant (“AppVStreamingUX_Multi_User.dll”) via a technique called AppDomainManager injection.
The VBA macro itself shows signs of having been generated by an LLM, given the presence of comments such as “Overall style of VBA code, variable names, and methods” and “Part 5: Report results and schedule when successful.”
The attack is likely an attempt to target people who are searching for information about missing persons, exploiting their emotional distress to instill a false sense of urgency and trigger the infection chain. Analysis of spreadsheet data such as mismatched ages and dates of birth reveals that it is fabricated.
The backdoor, called SloppyMIO, uses GitHub as a dead drop resolver to retrieve Google Drive URLs that host images from which its configuration is steganographically extracted, including Telegram bot tokens, Telegram chat IDs, and the staging links for its various modules. Five different modules are supported –
- cm, to execute commands using “cmd.exe”
- do, to collect files on the compromised host and create a ZIP archive for each file that fits within the Telegram API file size limit
- up, to write a file to “%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\” with the file data encoded within an image received via the Telegram API
- pr, to create a scheduled task for persistence that runs an executable every two hours
- ra, to start a process
Additionally, the malware is able to contact the command-and-control (C2) server to beacon the configured Telegram chat ID, receive additional instructions, and send the results back to the operator:
- download, which runs the do module
- cmd, which runs the cm module
- runapp, to start a process
“The malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and exfiltrate files, and deploy further malware through scheduled actions,” HarfangLab said. “SloppyMIO displays status messages, surveys for commands and sends exfiltrated files to a specified operator, leveraging the Telegram bot API for command-and-control.”
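The staging chain described above (GitHub dead drop, then a Google Drive image, then the Telegram bot API) is a better detection signal than any single domain, since each service is legitimate on its own. The following added example, which is not HarfangLab's or the article's code, correlates constructed web-proxy log lines per client and reports hosts that hit all three stages in that order within a short window; the log format, client addresses and URLs are assumptions.

```python
"""
Added example (not HarfangLab's or the article's code): correlate web-proxy
log lines to spot the SloppyMIO-style staging chain, i.e. one client fetching
GitHub raw content, then a Google Drive file, then the Telegram bot API, all
within a short window. Every log line below is constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines ("timestamp client method url"); tokens/IDs are placeholders.
SAMPLE_LOG = """\
2026-01-14T09:00:01Z 10.0.0.5 GET https://raw.githubusercontent.com/example-user/example-repo/main/readme.txt
2026-01-14T09:00:03Z 10.0.0.5 GET https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID
2026-01-14T09:00:07Z 10.0.0.5 POST https://api.telegram.org/botEXAMPLE_TOKEN/sendMessage
2026-01-14T09:00:08Z 10.0.0.5 GET https://api.telegram.org/botEXAMPLE_TOKEN/getUpdates
2026-01-14T09:05:00Z 10.0.0.9 GET https://raw.githubusercontent.com/example-user/example-repo/main/readme.txt
2026-01-14T11:30:00Z 10.0.0.9 GET https://api.telegram.org/botEXAMPLE_TOKEN/getUpdates
2026-01-14T09:10:00Z 10.0.0.7 GET https://drive.google.com/uc?export=download&id=OTHER_ID
"""

# Which stage of the chain each host belongs to; CHAIN is the order the article describes.
STAGES = {
    "raw.githubusercontent.com": "github",
    "github.com": "github",
    "drive.google.com": "gdrive",
    "drive.usercontent.google.com": "gdrive",
    "api.telegram.org": "telegram",
}
CHAIN = ("github", "gdrive", "telegram")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, url_host, url) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        url = m.group(4)
        host = url.split("//", 1)[-1].split("/", 1)[0].lower()
        yield ts, m.group(2), host, url


def find_staging_chains(text, window=timedelta(minutes=5)):
    """Return {client: (first_ts, last_ts)} for clients that completed the chain in order within `window`."""
    events = defaultdict(list)
    for ts, client, host, _url in parse_log(text):
        stage = STAGES.get(host)
        if stage:
            events[client].append((ts, stage))

    hits = {}
    for client, evs in events.items():
        evs.sort()
        idx, start = 0, None
        for ts, stage in evs:
            if start is not None and ts - start > window:
                idx, start = 0, None  # the partial chain went stale; start over
            if stage == CHAIN[idx]:
                if idx == 0:
                    start = ts
                idx += 1
                if idx == len(CHAIN):
                    hits[client] = (start, ts)
                    break
    return hits


if __name__ == "__main__":
    for client, (first, last) in find_staging_chains(SAMPLE_LOG).items():
        print(f"{client}: github -> gdrive -> telegram between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Only 10.0.0.5 is reported: 10.0.0.9 never touches Google Drive and its GitHub and Telegram requests are hours apart, and 10.0.0.7 only fetches a Drive file. The window and the host table are the tuning knobs; in a real deployment the Telegram stage should additionally match the `/bot<token>/` path shape, since ordinary Telegram client traffic does not use the bot API.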
As far as attribution goes, the links to Iranian actors are based on the presence of Persian artifacts, the lure themes, and tactical similarities with previous campaigns, including those of TortoiseShell, which leveraged malicious Excel documents to distribute IMAPLoader using AppDomainManager injection.
Attackers choosing GitHub as a dead drop resolver is also not without precedent. In late 2022, Secureworks (now part of Sophos) detailed a campaign conducted by a sub-group of the Iranian nation-state group known as Nemesis Kitten, which used GitHub as a conduit to distribute a backdoor called Drokbk.
The matter has been further complicated by the adoption of artificial intelligence (AI) tools by adversaries, making it harder for defenders to distinguish one actor from another.
“The threat actor’s reliance on commoditized infrastructure (GitHub, Google Drive, and Telegram) hinders traditional infrastructure-based tracking, but paradoxically exposes useful metadata and poses other operational security challenges for the threat actor,” HarfangLab said.
The development comes weeks after UK-based Iranian activist and independent cyber espionage investigator Nariman Gharib revealed details of a phishing link (“whatsapp-meeting.dkdns[.]org”) that is distributed via WhatsApp and captures victims’ credentials by displaying a fake WhatsApp Web login page.
“The page polls the attacker’s server via /api/p/{victim_id}/ every second,” Gharib said. “This allows the attacker to send a live QR code directly to the victim from their own WhatsApp Web session. When the target scans it from their phone, thinking they are joining a ‘meeting,’ they are actually authenticating to the attacker’s browser session. The attacker gets full access to the victim’s WhatsApp account.”
The phishing page is also designed to request browser permissions for the device camera, microphone, and geolocation, effectively turning it into a surveillance kit that can capture victims’ photos, audio, and current whereabouts. At present it is not known who is behind this campaign or what the motivation behind it was.
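The QR-relay page described above gives itself away by cadence: the victim's browser requests the same per-victim path once per second for as long as the page is open, which is unlike normal browsing. The added example below, which is not Gharib's code or anything from the article, looks for exactly that pattern in constructed (timestamp, client, host, path) events and reports tight, low-jitter polling loops; the host name, client addresses, victim-ID path value and thresholds are all assumptions.

```python
"""
Added example (not from the article or Gharib's write-up): flag a browser that
polls one URL path at a steady ~1-second cadence, the behaviour of the QR-relay
phishing page (/api/p/{victim_id}/ every second). All events are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _t(sec):
    """Constructed timestamps relative to a fixed base, to keep the sample readable."""
    return datetime(2026, 1, 20, 12, 0, 0) + timedelta(seconds=sec)


# Constructed (timestamp, client_ip, host, path) events. "lure-site.invalid" is a
# placeholder, not a real indicator; "3f9a1c" stands in for a victim id.
SAMPLE_EVENTS = [
    (_t(i), "10.0.0.5", "lure-site.invalid", "/api/p/3f9a1c/") for i in range(12)  # 1 s polling
] + [
    (_t(0), "10.0.0.5", "cdn.example", "/static/app.js"),        # ordinary page assets
    (_t(0.3), "10.0.0.5", "cdn.example", "/static/logo.png"),
    (_t(5), "10.0.0.8", "intranet.example", "/api/status"),      # slow, sparse health checks
    (_t(35), "10.0.0.8", "intranet.example", "/api/status"),
    (_t(65), "10.0.0.8", "intranet.example", "/api/status"),
]


def find_fixed_cadence_polling(events, min_requests=8, max_interval=2.0, max_jitter=0.25):
    """Return {(client, host, path): mean_gap_seconds} for regular, high-frequency polling.

    A loop is reported only when it has at least `min_requests` hits, a mean gap of
    at most `max_interval` seconds and a standard deviation of at most `max_jitter`,
    so bursty asset loads and infrequent health checks are not flagged.
    """
    per_key = defaultdict(list)
    for ts, client, host, path in events:
        per_key[(client, host, path)].append(ts)

    findings = {}
    for key, times in per_key.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps)
        if 0 < mean <= max_interval and jitter <= max_jitter:
            findings[key] = round(mean, 2)
    return findings


if __name__ == "__main__":
    for (client, host, path), gap in find_fixed_cadence_polling(SAMPLE_EVENTS).items():
        print(f"{client} polls {host}{path} every {gap}s")
```

Only the lure-site loop is reported; the CDN fetches are a two-request burst and the intranet status checks are too sparse. Because the page uses a distinct path per victim, grouping is by exact path; if you see several victims of the same lure, normalising the last path segment to `{id}` before grouping will collapse them into one finding per host.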
TechCrunch’s Zack Whittaker, who uncovered more details about the activity, said it also aims to steal Gmail credentials by presenting a fake Gmail login page that collects the victim’s password and two-factor authentication (2FA) code. Around 50 people are known to have been affected, including ordinary citizens, academics, government officials, business leaders and other senior figures from the Kurdish community.
These findings also come after a major leak involving the Iranian hacking group Charming Kitten that exposed its inner workings, organizational structure and key personnel. The leak also highlights a surveillance platform called Kaashef (aka Discoverer or Revealer) used to track Iranian citizens and foreign nationals by aggregating data collected by various departments linked to the Islamic Revolutionary Guard Corps (IRGC).
In October 2025, Gharib also released a database of 1,051 individuals who had enrolled in various training programs offered by Ravin Academy, a cybersecurity school founded by two operatives of Iran’s Ministry of Intelligence and Security (MOIS), Seyed Mojtaba Mostafavi and Farzin Karimi. The entity was sanctioned by the US Treasury Department in October 2022 for supporting and enabling the operations of MOIS.
This includes assisting MOIS in information security training, threat hunting, cyber security, red teaming, digital forensics, malware analysis, security auditing, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering and security research.
“The model allows MOIS to outsource initial recruitment and investigation while maintaining operational control through a direct relationship with the intelligence service of the founders,” Gharib said. “This dual-purpose structure enables MOIS to develop human capital for cyber operations while maintaining a layer of separation from direct government responsibility.”