RedKitten
RedKitten is an Iran-linked, Farsi-speaking threat actor or campaign aligned with Iranian state interests, first observed in January 2026 and reported as active since late 2025. It has conducted targeted cyber-espionage operations against Iranian civil society, including human rights NGOs, activists, and other individuals documenting human rights abuses and protest crackdowns in Iran. Reported victim categories also include academics, journalists, government officials, business leaders, and members of the Kurdish community. Multiple reports state the activity targeted Iranian interests and that at least 50 individuals were directly impacted.

RedKitten is associated with a custom backdoor/implant called SloppyMIO. Reported delivery commonly used Farsi-named 7-Zip archives containing macro-enabled Microsoft Excel lures themed around lists of protesters killed in Tehran between late December 2025 and January 2026. Enabling the malicious VBA macro triggered AppDomainManager injection to load a dropped C# DLL, AppVStreamingUX_Multi_User.dll, from %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages, leading to execution of SloppyMIO. HarfangLab reported indicators that the VBA macro may have been generated or obfuscated with large language models, and other reporting described the campaign as incorporating AI or LLM-assisted development into the attack lifecycle.

SloppyMIO is described as modular and capable of retrieving and caching modules, arbitrary command execution, file collection and exfiltration, writing files to disk, launching arbitrary processes, and further malware distribution. Persistence was reported via scheduled tasks executed every two hours. For command-and-control and staging, RedKitten used GitHub as a dead-drop resolver, Google Drive for configuration and payload/module retrieval including steganographically embedded configuration data, and Telegram or the Telegram Bot API for command-and-control and exfiltration.
Use of GitHub, Google Drive, and Telegram was specifically noted as commoditized infrastructure that complicates infrastructure-based tracking while creating OPSEC exposure. The campaign also operated credential-harvesting phishing infrastructure, including a WhatsApp-themed site at whatsapp-meeting.duckdns[.]org and a Gmail-themed phishing page. The WhatsApp lure mimicked WhatsApp Web, captured credentials, and requested camera, microphone, and geolocation access; the Gmail lure harvested email credentials and two-factor authentication codes. Reporting notes TTP overlap with Iranian threat activity, including MuddyWater’s Operation Olalampo and similarities to Tortoiseshell, Nemesis Kitten, and Charming Kitten. HarfangLab assessed the actor as aligned with Iranian government security interests, but the content does not provide a more specific formal attribution to a named state organization. Known alias in the provided content: redkitten.
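A defender-side hunt for the host artifacts named above (the dropped DLL path, AppDomainManager hijacking, and the two-hour scheduled task), added here as an example; it is not code from any of the cited reports or from the Mallory product. It assumes the environment-variable form of AppDomainManager hijacking (APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE) and that a two-hour repetition appears as the ISO 8601 duration PT2H; both are general knowledge about the technique, not details taken from the page.

```powershell
# Hunt for RedKitten/SloppyMIO delivery and persistence artifacts on a Windows host.
# Assumptions (not from the reporting): env-var based AppDomainManager hijack uses
# APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE; a 2-hour repetition is "PT2H".
$findings = @()

# 1. DLLs in the CLR native-image cache path named in reporting. Legitimate CLR files
#    can also live here, so only the exact reported filename is scored HIGH.
$dropDir = Join-Path $env:LOCALAPPDATA 'Microsoft\CLR_v4.0_32\NativeImages'
if (Test-Path $dropDir) {
    foreach ($f in Get-ChildItem -Path $dropDir -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue) {
        $sev = if ($f.Name -ieq 'AppVStreamingUX_Multi_User.dll') { 'HIGH' } else { 'REVIEW' }
        $findings += [pscustomobject]@{ Severity = $sev; Type = 'DroppedDLL'; Detail = $f.FullName }
    }
}

# 2. Persistent AppDomainManager environment variables in user or machine scope.
$hives = 'HKCU:\Environment',
         'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
foreach ($hive in $hives) {
    $props = Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue
    foreach ($name in 'APPDOMAIN_MANAGER_ASM', 'APPDOMAIN_MANAGER_TYPE') {
        if ($props -and $props.PSObject.Properties[$name]) {
            $findings += [pscustomobject]@{ Severity = 'HIGH'; Type = 'AppDomainManagerEnv'
                                            Detail = "$hive\$name = $($props.$name)" }
        }
    }
}

# 3. Scheduled tasks repeating every two hours, matching the reported persistence interval.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($trig in $task.Triggers) {
        if ($trig.Repetition -and $trig.Repetition.Interval -eq 'PT2H') {
            $cmd = @(foreach ($a in $task.Actions) { "$($a.Execute) $($a.Arguments)" }) -join '; '
            $findings += [pscustomobject]@{ Severity = 'REVIEW'; Type = '2hTask'
                                            Detail = "$($task.TaskPath)$($task.TaskName) -> $cmd" }
        }
    }
}

# HIGH items are direct matches on reported indicators; REVIEW items need analyst triage.
$findings | Sort-Object Severity | Format-Table -AutoSize
```

Run it in an elevated session so the machine-scope environment hive and all task folders are readable.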
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Named campaign/activity cluster overlapping with MuddyWater TTPs and phishing infrastructure targeting the META region.
State-aligned targeting of Iranian civil society and human rights documentation groups using AI-assisted operations, steganographic configuration retrieval, cloud-hosted payloads, and messaging-platform API C2.
Threat cluster reported targeting NGOs and individuals documenting human rights abuses in Iran, aiming to deploy the custom backdoor SloppyMIO for espionage.
Campaign targeting individuals and NGOs reporting human rights abuses during nationwide protests, using phishing lures (Farsi-named 7-Zip archives with Excel) and malicious VBA macros leading to AppDomainManager injection and deployment of the SloppyMIO implant for command execution, module retrieval, file exfiltration, and further malware distribution, leveraging commoditized infrastructure (GitHub, Google Drive, Telegram).