Full Report
A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign targeting non-governmental organizations and individuals involved in documenting recent human rights abuses. The activity, observed by HarfangLab in January 2026, has been codenamed RedKitten. It's said to coincide with the nationwide unrest in Iran that began towards the end of 2025,
Analysis Summary
# Threat Actor: RedKitten
## Attribution & Identity
* **Identification:** Farsi-speaking threat actor suspected to be aligned with Iranian state interests.
* **Known Aliases and Associated Groups:** Tactical similarities observed with prior campaigns attributed to **Tortoiseshell**.
## Activity Summary
* **Recent Campaigns:** A new cyber espionage campaign codenamed **RedKitten** observed in January 2026 by HarfangLab.
* **Context:** The activity coincides with nationwide civil unrest in Iran that began towards the end of 2025.
* **Noteworthy Feature:** The malware utilized shows signs of being generated or orchestrated using Large Language Models (LLMs).
## Tactics, Techniques & Procedures
* **Initial Access:** Delivery via a 7-Zip archive containing macro-laced Microsoft Excel documents with Farsi filenames.
* **Execution & Dropper:** Malicious VBA macros within XLSM spreadsheets execute once the user enables them. The macros act as a dropper for a C#-based implant (`AppVStreamingUX_Multi_User.dll`) loaded via **AppDomainManager injection** (similar to the technique used by Tortoiseshell).
* **Persistence:** Creation of a scheduled task using the `pr` module to run an executable every two hours.
* **Command and Control (C2):** Reliance on **Telegram** for C2 communication (polling for commands and sending results via a configured Telegram bot chat ID).
* **Payload Retrieval & Configuration:** Uses **GitHub** as a dead drop resolver to fetch Google Drive URLs, which host images containing the steganographically encoded configuration data (including Telegram tokens/IDs and staging links).
* **LLM Artifacts:** The VBA code exhibits characteristics indicative of LLM generation ("overall style of the VBA code, the variable names and methods") and specific comments like "PART 5: Report the result and schedule if successful."
* **Modules Supported (via SloppyMIO backdoor):**
  * `cm`: Execute commands via `cmd.exe`.
  * `do`: Collect files and create ZIP archives.
  * `up`: Write a file encoded within a fetched image to a specific local application data path (`%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\`).
  * `pr`: Create persistence via scheduled tasks.
  * `ra`: Start a new process.
  * Remote commands also include: `download` (runs the `do` module) and `runapp` (launches a process).
* **MITRE ATT&CK IDs (Inferred/Mentioned technique):** Techniques related to DLL side-loading or injection may align with T1550 (Use Alternate Authentication Material) or T1547 (Persistent Mechanisms), specifically through AppDomainManager injection linked to prior campaigns.
## Targeting
* **Sectors:** Non-Governmental Organizations (NGOs), and individuals involved in documenting recent human rights abuses.
* **Geography:** Targeted at individuals/groups concerned with events in **Iran**.
* **Victims:** Individuals researching or documenting the nationwide unrest in Iran (late 2025/early 2026) and ensuing crackdowns, mass casualties, and internet blackouts. The lures involve fabricated details about deceased protesters.
## Tools & Infrastructure
* **Malware Families Used:** SloppyMIO (backdoor/implant), C#-based implant (`AppVStreamingUX_Multi_User.dll`).
* **Infrastructure:**
  * C2/Communication: **Telegram Bot API**.
  * Configuration/Dead Drop: **GitHub** (as a resolver).
  * Staging/Retrieval: **Google Drive** (hosting encrypted/steganographically encoded configuration data as images).
## Implications
* The campaign is highly topical, exploiting high-stress situations (human rights documentation amid civil unrest in Iran) to drive infection.
* The suspected use of LLMs for generating malicious code components signals a potential increase in the speed and complexity of tooling development by state-aligned actors.
* The reliance on legitimate cloud services (GitHub, Google Drive) and Telegram obscures true infrastructure attribution and increases the difficulty of network-level blocking.
## Mitigations
* Implement heightened email/document security awareness, specifically scrutinizing Excel files received from untrusted sources, particularly those containing lures related to sensitive current affairs.
* Monitor for suspicious VBA macro execution and the use of **AppDomainManager injection**.
* Where possible, restrict or monitor outbound traffic from endpoints to commonly abused legitimate services (Telegram, GitHub, Google Drive), or enforce strict egress allow-listing for endpoint-originated traffic.
* Monitor for persistence mechanisms created via scheduled tasks (`schtasks.exe`).
* Organizations should prioritize detection of suspicious file drops in standard user application data paths (e.g., `%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\`).
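As an added detection example (not code from the HarfangLab report), the function below applies the mitigations above to constructed sample endpoint telemetry: scheduled-task creation spawned from Office, a two-hour task cadence, a DLL dropped into the `NativeImages` path named in the report, and Telegram API traffic from an unexpected process. The Office process names, the `schtasks /SC HOURLY /MO 2` form of the two-hour task, and the Telegram allow-list are assumptions.

```python
import re

# Constructed sample endpoint telemetry (not taken from the report). Each
# record is one event: a process start, a file write, or an outbound connection.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'schtasks /Create /SC HOURLY /MO 2 /TN Sync /TR "C:\Users\u\AppData\Local\Temp\sync.exe"'},
    {"type": "file", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "path": r"C:\Users\u\AppData\Local\Microsoft\CLR_v4.0_32\NativeImages\AppVStreamingUX_Multi_User.dll"},
    {"type": "network", "image": r"C:\Users\u\AppData\Local\Temp\sync.exe", "dest": "api.telegram.org"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'},
    {"type": "network", "image": r"C:\Program Files\Telegram Desktop\Telegram.exe", "dest": "api.telegram.org"},
]

# Assumed set of Office binaries that should not be creating scheduled tasks.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Drop location named in the report; any DLL written here deserves triage of the writer.
NATIVE_IMAGES = re.compile(r"\\Microsoft\\CLR_v4\.0_32\\NativeImages\\[^\\]+\.dll$", re.IGNORECASE)
# Assumed: the two-hour cadence expressed as schtasks /SC HOURLY /MO 2.
TWO_HOURLY = re.compile(r"/SC\s+HOURLY\s+/MO\s+2\b", re.IGNORECASE)
# Assumed allow-list of processes expected to talk to the Telegram Bot API.
TELEGRAM_OK = {"telegram.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule name, event index) pairs for events matching the RedKitten TTPs."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and basename(ev["image"]) == "schtasks.exe" \
                and "/create" in ev["cmdline"].lower():
            if basename(ev["parent"]) in OFFICE_APPS:
                hits.append(("schtasks_from_office", i))
            if TWO_HOURLY.search(ev["cmdline"]):
                hits.append(("schtasks_two_hourly", i))
        elif ev["type"] == "file" and NATIVE_IMAGES.search(ev["path"]):
            hits.append(("dll_dropped_in_nativeimages", i))
        elif ev["type"] == "network" and ev["dest"].lower() == "api.telegram.org" \
                and basename(ev["image"]) not in TELEGRAM_OK:
            hits.append(("telegram_api_from_unexpected_process", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {idx} ({SAMPLE_EVENTS[idx]['image']})")
```

The benign daily backup task from `explorer.exe` and the Telegram Desktop connection produce no hits, which is the point of the parent-process and allow-list checks.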