Iranian-Linked Malware Targets Protest Documenters


In the midst of Iran's ongoing economic protests, sparked late last year by skyrocketing inflation, food shortages, and a plunging currency, a new cyber campaign has emerged that is as cynical as it is technically slick. French cybersecurity firm HarfangLab spotted it in early January 2026 and dubbed it RedKitten.

The targets? Non-governmental organizations and individuals trying to document human rights abuses amid the crackdown, which has left many families desperately searching for information about missing loved ones.

The bait is heartbreakingly effective: a password-protected 7-Zip archive with a Farsi filename, containing macro-enabled Excel spreadsheets (.XLSM) that purport to list protesters killed in Tehran from late December 2025 through mid-January 2026. Open the file, enable macros (as many anxious recipients might), and a malicious VBA script kicks in. That script drops a C#-based backdoor called SloppyMIO, disguised as "AppVStreamingUX_Multi_User.dll", and launches it through AppDomainManager injection: a legitimate .NET executable is pointed, via its .config file or environment variables, at an attacker-supplied AppDomainManager assembly, which the CLR loads before the program's own code runs. The signed host process looks clean; the payload rides in underneath it.
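Two checks a responder can run on the artefacts from that chain: does a received workbook actually carry a VBA project, and does a .NET executable's .config (or its environment) redirect the AppDomainManager. This is an added example, not code from the HarfangLab report or from the campaign; the workbook is a skeletal zip built in memory, and the assembly and type names in the sample .config are placeholders, not the real implant's values.

```python
"""Triage helpers for the RedKitten delivery chain: macro presence in an
OOXML workbook and AppDomainManager hijack settings in a .NET .config.
All sample inputs below are constructed for illustration."""
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_PART = "xl/vbaProject.bin"  # where OOXML stores a workbook's VBA project


def build_workbook(with_macros: bool) -> bytes:
    """Construct a skeletal .xlsm/.xlsx zip for testing (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; a stub header suffices here.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


def xlsm_has_macros(data: bytes) -> bool:
    """True if the workbook carries a VBA project, whatever the filename says."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower() == VBA_PART.lower() for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def appdomainmanager_hooks(config_xml: str) -> list:
    """Report AppDomainManager redirections declared in a .NET app .config.

    The CLR honours <runtime><appDomainManagerAssembly value=.../> and
    <appDomainManagerType value=.../>, loading that assembly at start-up
    before Main runs. Ordinary applications almost never set these."""
    root = ET.fromstring(config_xml)
    hooks = []
    for runtime in root.iter("runtime"):
        asm = runtime.find("appDomainManagerAssembly")
        typ = runtime.find("appDomainManagerType")
        if asm is not None or typ is not None:
            hooks.append({
                "assembly": asm.get("value") if asm is not None else None,
                "type": typ.get("value") if typ is not None else None,
            })
    return hooks


def appdomainmanager_env(env: dict) -> dict:
    """The same hijack can be set through environment variables instead of a .config."""
    watched = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
    return {k: env[k] for k in watched if k in env}


# Constructed sample configs; the names are placeholders, not campaign indicators.
SUSPECT_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater.Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Helper.Manager" />
  </runtime>
</configuration>"""

CLEAN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""


if __name__ == "__main__":
    print("macros:", xlsm_has_macros(build_workbook(True)), xlsm_has_macros(build_workbook(False)))
    print("hooks :", appdomainmanager_hooks(SUSPECT_CONFIG), appdomainmanager_hooks(CLEAN_CONFIG))
    print("env   :", appdomainmanager_env({"APPDOMAIN_MANAGER_ASM": "Updater.Helper", "PATH": "C:\\Windows"}))
```

In practice you would point `appdomainmanager_hooks` at every `*.exe.config` next to a .NET binary in user-writable directories, and check the environment block of any .NET process that spawned from an Office parent.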

What stands out is the strong suspicion that large language models helped generate parts of the tooling. The VBA code has a telltale LLM flavour: odd variable names, structured comments like "PART 5: Report the result and schedule if successful," and an overall style that reads as machine-assisted rather than hand-crafted by a veteran coder. It is a sign of how quickly threat actors can now prototype and deploy custom malware.

Once installed, SloppyMIO turns commodity cloud services into its infrastructure:
1. It pulls its initial configuration from images hosted on Google Drive, with the details hidden via steganography. (The "Kitten" suffix follows the naming convention used for Iran-linked clusters such as Charming Kitten and Nemesis Kitten, mentioned below.)
2. GitHub acts as a dead-drop resolver: content hosted there points to the current image URLs, so the operator can rotate the Drive links without touching the implant.
3. Command and control runs over Telegram bots: the implant beacons its status, polls for instructions, and exfiltrates files through the Bot API.
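To make the retrieval chain concrete, here is an added model of steps 1 to 3 (not code from the report or the implant): a resolver text blob yields an image URL, the image's least-significant bits carry a JSON configuration, and the recovered configuration is turned into indicators a responder can act on. The resolver line format, the LSB framing, the configuration fields and the bot token are all assumptions; SloppyMIO's real encoding is not described on this page.

```python
"""Constructed model of a dead-drop resolver feeding a steganographic config.
Every format and value here is an illustration, not the real campaign's."""
import json
import re


def parse_dead_drop(text: str) -> list:
    """Pull image URLs out of a resolver page. Hypothetical format: lines of
    the form 'img: <url>' buried in otherwise innocuous text."""
    return [m.group(1) for m in re.finditer(r"^img:\s*(\S+)", text, re.MULTILINE)]


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write payload into the least-significant bit of each carrier byte,
    preceded by a 4-byte big-endian length so the reader knows where to stop."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for i, byte in enumerate(framed):
        for j in range(8):
            bit = (byte >> (7 - j)) & 1
            out[i * 8 + j] = (out[i * 8 + j] & 0xFE) | bit
    return bytes(out)


def extract_lsb(carrier: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then that many bytes."""
    def read(offset: int, count: int) -> bytes:
        result = bytearray()
        for i in range(count):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | (carrier[(offset + i) * 8 + j] & 1)
            result.append(byte)
        return bytes(result)
    length = int.from_bytes(read(0, 4), "big")
    if (4 + length) * 8 > len(carrier):
        raise ValueError("declared length exceeds carrier")
    return read(4, length)


def recover_config(resolver_text: str, fetched: dict) -> dict:
    """Full chain: resolve image URLs, decode the first image we hold bytes for.
    `fetched` maps URL -> image bytes and stands in for the HTTP downloads."""
    for url in parse_dead_drop(resolver_text):
        if url in fetched:
            return json.loads(extract_lsb(fetched[url]).decode("utf-8"))
    raise LookupError("no resolvable image")


TOKEN_RE = re.compile(r"^(\d+):([A-Za-z0-9_-]{35,})$")


def config_indicators(config: dict) -> dict:
    """What a responder gets from a recovered config. A Telegram bot token is
    '<bot_id>:<secret>', so its numeric prefix identifies the bot account even
    after the secret is rotated. Endpoint shapes follow the public Bot API."""
    token = config.get("bot_token", "")
    m = TOKEN_RE.match(token)
    base = f"https://api.telegram.org/bot{token}"
    return {
        "bot_id": m.group(1) if m else None,
        "chat_id": config.get("chat_id"),
        "endpoints": {
            "beacon": f"{base}/sendMessage",
            "poll": f"{base}/getUpdates",
            "exfil": f"{base}/sendDocument",
        },
    }


# Constructed sample data: fake resolver text, fake token, synthetic RGB carrier.
DEAD_DROP_TEXT = """# weekly notes
Nothing to see here, just a placeholder page.
img: https://drive.google.com/uc?id=EXAMPLE_FILE_ID
Thanks for reading.
"""
CONFIG = {
    "bot_token": "123456789:EXAMPLE_TOKEN_NOT_REAL_0123456789abcdef",
    "chat_id": "-1001234567890",
    "beacon_minutes": 15,
}
CARRIER = bytes((i * 37 + 11) & 0xFF for i in range(3 * 64 * 64))  # 64x64 RGB
STEGO_IMAGE = embed_lsb(CARRIER, json.dumps(CONFIG, sort_keys=True).encode("utf-8"))

if __name__ == "__main__":
    cfg = recover_config(DEAD_DROP_TEXT, {parse_dead_drop(DEAD_DROP_TEXT)[0]: STEGO_IMAGE})
    print(config_indicators(cfg))
```

The defensive lesson is in `config_indicators`: the bot id, chat id and Drive file id are exactly the "metadata" that survive infrastructure rotation, and they are what you hand to the platform abuse teams.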

The backdoor supports five modules:
1. cm - Run commands through cmd.exe
2. do - Collect files, zip them (within Telegram's file-size limits), and send them
3. up - Drop new files into a specified path, for staged payload delivery
4. pr - Create scheduled persistence that runs every two hours
5. ra - Start processes

Remotely, then, operators can push downloads, launch applications, and keep a foothold on the device. The backdoor is modular, stealthy, and relies almost entirely on everyday platforms (GitHub, Google Drive, and Telegram), which makes it hard to spot through traditional infrastructure monitoring such as blocklisting attacker-owned domains. At the same time, the accounts, repositories, and bot tokens it depends on leave metadata that may help defenders and researchers track the operator.
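Because network blocklists will not catch traffic to Telegram or Google Drive, the host is where the "pr" module's footprint is easiest to see. The following is an added example (not from the HarfangLab report) that reviews a scheduled task's XML, as recorded in Windows Security event 4698 (TaskContent) or dumped with `schtasks /query /xml /tn <name>`, and flags a repetition interval of two hours or less combined with a binary in a user-writable path. The two sample tasks are constructed; the paths and names are not campaign indicators.

```python
"""Flag scheduled tasks matching the two-hourly persistence described above.
Sample task XML below is constructed, not taken from the campaign."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.IGNORECASE)


def parse_iso_duration(value: str):
    """Task Scheduler intervals are ISO 8601 durations such as PT2H or P1D.
    Returns seconds, or None when the text is not a duration we understand."""
    m = DURATION_RE.match((value or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def review_task(task_xml: str, max_interval_s: int = 2 * 3600) -> dict:
    """Return the task's repetition intervals, exec commands and findings."""
    # Event 4698 embeds the XML with an encoding="UTF-16" declaration; once the
    # text is already decoded to str, ElementTree rejects that, so strip it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(body)
    intervals = [parse_iso_duration(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    commands = [(e.text or "").strip()
                for e in root.iterfind(".//t:Exec/t:Command", TASK_NS)]
    findings = []
    if any(i is not None and i <= max_interval_s for i in intervals):
        findings.append(f"repeats at least every {max_interval_s // 3600}h")
    if any(USER_WRITABLE_RE.search(c) for c in commands):
        findings.append("runs a binary from a user-writable path")
    return {"intervals_s": intervals, "commands": commands,
            "findings": findings, "suspicious": len(findings) == 2}


# Constructed samples in the shape of a 4698 TaskContent field.
SUSPECT_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2H</Interval></Repetition>
      <StartBoundary>2026-01-10T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\Updater\\host.exe</Command>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2026-01-10T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\update.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(name, review_task(xml_text))
```

Tune `max_interval_s` to your environment; legitimate updaters also repeat, which is why the path check is required alongside the interval before a task is called suspicious.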

Based on language cues, the lure theme (exploiting grief over protest victims), and overlaps with the tradecraft of known actors such as Tortoiseshell (which has used similar Excel droppers and injection techniques) and earlier Nemesis Kitten clusters that used GitHub as a delivery vehicle, HarfangLab assesses that the group behind RedKitten is Farsi-speaking and has some affiliation with the Iranian state.

The information in the lure appears to be fabricated (for instance, listed ages do not match the birth dates), which suggests the operator rushed the campaign with little effort to make the data accurate; the spreadsheet exists only to prey on people's emotions.

The campaign does not stand alone; it coincides with a broader uptick in Iran-affiliated cyber operations:
1. The previous week, UK-based Iranian activist and investigator Nariman Gharib disclosed a WhatsApp phishing scheme (using the domain "whatsapp-meeting.duckdns[.]org") in which the victim is shown a live QR code; scanning it links the attacker's session to the victim's WhatsApp account, and the scheme also gives the attacker access to the victim's camera, microphone, and location, enabling near-total surveillance of the victim's activity.

2. TechCrunch reported that the same kit also phished Gmail credentials (passwords plus 2FA codes), hitting around 50 people, including Kurdish community members, academics, officials, and business leaders.

3. A major 2025 leak exposed Charming Kitten (APT35/IRGC-linked) internals: organizational structure, personnel, and the Kashef surveillance platform that aggregates data on citizens and foreigners.

4. Earlier disclosures highlighted Ravin Academy, a MOIS-tied "cybersecurity school" used for recruitment and training in everything from malware analysis to red teaming.

HarfangLab notes the double-edged sword: relying on public cloud services lowers the barrier for attackers but creates OPSEC risks through the logs and artifacts those services retain. As AI tools democratize malware creation, distinguishing between different Iranian clusters, or even between state and merely aligned actors, gets harder.

For those in the crosshairs (activists, journalists, rights workers), the takeaway is simple but urgent: treat any unsolicited file about missing persons or protest casualties as suspicious, disable macros by default, and lean on phishing-resistant authentication wherever possible. In times of unrest, the most dangerous links are often the ones that promise answers.

Source: The Hacker News

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067