
SloppyMIO

SloppyMIO is a modular backdoor/implant used in the Iran-linked RedKitten campaign, which targets NGOs, activists, journalists, academics, government officials, business leaders and other individuals involved in documenting human rights abuses and protests in Iran, with a reported emphasis on Kurdish community targets. Public reporting is inconsistent about the implementation language: most sources describe a C# (.NET) implant, which fits the reported loading technique of AppDomainManager injection (a .NET-specific mechanism that makes the CLR load an attacker-supplied assembly into a legitimate .NET host process before the host's own code runs), while some reporting calls it a C-based implant loaded the same way. Delivery was observed through spearphishing lures such as Farsi-named 7-Zip archives containing macro-enabled Excel spreadsheets themed around protester deaths; the VBA macros in these weaponized spreadsheets start the infection chain. One source also describes the spreadsheet-delivered implant as extracting its configuration steganographically from images hosted on legitimate code repositories.

SloppyMIO uses GitHub as a dead-drop resolver: the implant fetches content from a GitHub-hosted location that yields a Google Drive URL, downloads images from that URL, and extracts the configuration that is steganographically embedded in them. Reported configuration elements include a Telegram bot token, a Telegram chat ID, and links used to stage additional modules. Command-and-control and exfiltration run over the Telegram Bot API, so the network footprint of an infection consists of traffic to GitHub, Google Drive and api.telegram.org rather than to any actor-owned server. HarfangLab noted that this reliance on commoditized infrastructure complicates infrastructure-based tracking but also creates OPSEC exposure for the operators: a bot token recovered from a sample or from the extracted configuration is a working credential for the operators' own C2 channel.
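The chain above (GitHub fetch, then Google Drive image download, then Telegram Bot API traffic from the same host within a short window) is what a network hunt should key on, because no single hop is suspicious on its own. The following is an added hunting example, not code from the page or from any of the cited vendors: it parses constructed proxy log lines, looks for the three stages in order per host, and reports the (masked) bot token and Bot API methods seen. The log format, the 30-minute window, the matched hostnames, the host/process names and the Telegram token shape (`<digits>:<35 characters>`) are assumptions of the example, not details from the reporting.

```python
"""Hunt for the SloppyMIO-style GitHub -> Google Drive -> Telegram chain in proxy logs.

The log lines in SAMPLE_LOG are constructed for this example; they are not real telemetry.
Assumed log format: '<ISO timestamp> <host> <process> <method> <url>'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage patterns are assumptions: the reporting names the services, not exact hostnames.
STAGE_PATTERNS = [
    ("github", re.compile(r"https?://(raw\.githubusercontent\.com|github\.com|gist\.github\.com)/")),
    ("gdrive", re.compile(r"https?://(drive\.google\.com|drive\.usercontent\.google\.com|[\w.-]*googleusercontent\.com)/")),
    # Bot API URL shape: https://api.telegram.org/bot<token>/<method>; token shape is an assumption.
    ("telegram", re.compile(r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{35})/(\w+)")),
]
WINDOW = timedelta(minutes=30)          # assumed: all three hops close together
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample: WS-042 shows the full chain, the other hosts show only partial activity.
FAKE_TOKEN = "123456789:AAH" + "x" * 32
SAMPLE_LOG = f"""\
2024-05-01T09:00:05 WS-042 HostApp.exe GET https://raw.githubusercontent.com/example-user/notes/main/README.md
2024-05-01T09:00:09 WS-042 HostApp.exe GET https://drive.google.com/uc?export=download&id=1AbCdEfGh
2024-05-01T09:00:12 WS-042 HostApp.exe GET https://api.telegram.org/bot{FAKE_TOKEN}/getUpdates
2024-05-01T09:01:40 WS-042 HostApp.exe POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument
2024-05-01T09:02:00 WS-007 chrome.exe GET https://github.com/python/cpython
2024-05-01T09:03:00 WS-007 chrome.exe GET https://drive.google.com/file/d/1ZzZz/view
2024-05-01T10:15:00 WS-099 msedge.exe GET https://api.telegram.org/bot987654321:{"y" * 35}/getMe
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc, "method": method, "url": url}


def classify(url):
    """Return (stage name, regex match) for a URL that hits one of the three services, else (None, None)."""
    for name, pat in STAGE_PATTERNS:
        m = pat.match(url)
        if m:
            return name, m
    return None, None


def mask_token(token):
    """Keep the bot id and the edges of the secret so an analyst can correlate without logging the credential."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def find_chains(lines):
    """Return {host: finding} for hosts that hit github -> gdrive -> telegram, in that order, within WINDOW."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        stage, m = classify(ev["url"])
        if stage:
            ev["stage"] = stage
            ev["token"] = m.group(1) if stage == "telegram" else None
            ev["api_method"] = m.group(2) if stage == "telegram" else None
            per_host[ev["host"]].append(ev)

    findings = {}
    want = ["github", "gdrive", "telegram"]
    for host, events in per_host.items():
        events.sort(key=lambda e: e["ts"])
        idx, start, hit = 0, None, []
        for ev in events:                      # walk forward, consuming stages in order
            if ev["stage"] == want[idx] and (start is None or ev["ts"] - start <= WINDOW):
                start = start or ev["ts"]
                hit.append(ev)
                idx += 1
                if idx == len(want):
                    break
        if idx == len(want):
            findings[host] = {
                "processes": sorted({e["proc"] for e in hit}),
                "bot_token": mask_token(hit[-1]["token"]),
                "telegram_methods": sorted({e["api_method"] for e in events if e["stage"] == "telegram"}),
                "span_minutes": (hit[-1]["ts"] - start).total_seconds() / 60,
            }
    return findings


if __name__ == "__main__":
    for host, finding in find_chains(SAMPLE_LOG.splitlines()).items():
        print(host, finding)
```

The ordered three-stage match is what keeps false positives down: a browser hitting GitHub and Google Drive (WS-007) or a lone Telegram client (WS-099) does not trip it. The masked token is still enough to pivot on across hosts, and a full token recovered from a sample is what makes the operators' channel inspectable.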

The implant is modular and supports arbitrary command execution, file collection and exfiltration, retrieval and caching of additional modules, further malware delivery, and launching arbitrary processes. Reported modules include: "cm" for shell command execution via cmd.exe; "do" for collecting, ZIP-archiving, and exfiltrating files subject to Telegram API size limits; "up" for writing files to disk using data encoded in images delivered via Telegram; "ra" for launching processes; and "pr" for persistence. Persistence has been reported via scheduled tasks executed every two hours. Additional reported behaviors include beaconing to a configured Telegram chat ID, polling for commands, and returning results.

Known file/path details directly mentioned in reporting include the dropped DLL name AppVStreamingUX_Multi_User.dll and its placement under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages. That path is chosen to look like CLR housekeeping: %LOCALAPPDATA%\Microsoft\CLR_v4.0_32 is a directory that legitimately exists on Windows for CLR usage logs, and "NativeImages" echoes the name of the system-wide native image cache under %WINDIR%\assembly, but unlike that cache the %LOCALAPPDATA% location is writable by the user without elevation. The malware has been associated with AppDomainManager injection, scheduled task persistence, steganographic configuration retrieval, and use of GitHub, Google Drive and Telegram as a multi-hop C2 and payload staging chain.
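Two host-side checks follow from the loading and persistence details above: a .NET host process only hands control to an AppDomainManager because its `<app>.exe.config` carries `appDomainManagerAssembly` and `appDomainManagerType` entries under `<runtime>` (or because the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables are set), and the reported persistence is a scheduled task repeating every two hours. The block below is an added example, not code from the page or from the cited vendors: it parses a constructed exe.config and a constructed Task Scheduler XML export and flags both. The host executable name HostApp.exe, the manager type name, and the assumption that the manager assembly's simple name maps to the reported DLL are the example's own, not details from the reporting.

```python
"""Host-side checks for AppDomainManager injection and two-hour scheduled-task persistence.

Both XML documents below are constructed for this example; nothing here is a real sample.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Roots a standard user can write to; a legitimate AppDomainManager would not normally live here.
USER_WRITABLE_ROOTS = ("%localappdata%", "%appdata%", "%temp%", "%userprofile%", "c:\\users\\", "c:\\programdata\\")

# Constructed: a copied .NET host with a config that forces the CLR to load the reported DLL.
SAMPLE_CONFIG_PATH = r"%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\HostApp.exe.config"
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="AssumedManagerType" />
  </runtime>
</configuration>"""

# Constructed: a task that re-runs the host every two hours (PT2H) from the reported directory.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT2H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-05-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\HostApp.exe</Command></Exec>
  </Actions>
</Task>"""


def under_user_writable(path):
    """True when a path (expanded or with %VAR% prefixes) starts under a user-writable root."""
    p = path.strip('"').lower()
    return any(p.startswith(root) for root in USER_WRITABLE_ROOTS)


def check_app_config(config_path, xml_text):
    """Inspect a .NET <app>.exe.config for an AppDomainManager handoff.

    Returns None if <runtime> has no appDomainManagerAssembly/appDomainManagerType pair,
    otherwise a dict naming the assembly the CLR will load before the app's Main runs.
    """
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return None
    asm, typ = runtime.find("appDomainManagerAssembly"), runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    display_name = asm.get("value", "")
    simple_name = display_name.split(",", 1)[0].strip()
    return {
        "config": config_path,
        "manager_assembly": display_name,
        "manager_type": typ.get("value", ""),
        "expected_dll": simple_name + ".dll",   # assumption: probed as <simple name>.dll beside the exe
        "in_user_writable_dir": under_user_writable(config_path),
    }


def check_environment(env):
    """The same handoff can be forced on any .NET process through environment variables."""
    asm, typ = env.get("APPDOMAIN_MANAGER_ASM"), env.get("APPDOMAIN_MANAGER_TYPE")
    if not asm or not typ:
        return None
    return {"manager_assembly": asm, "manager_type": typ, "forced_version": env.get("COMPlus_Version")}


_DUR = re.compile(r"^P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def interval_minutes(iso_duration):
    """Convert a Task Scheduler ISO 8601 duration such as PT2H or PT30M to minutes (None if unparsable)."""
    m = _DUR.match(iso_duration.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def check_scheduled_task(xml_text, every_minutes=120):
    """Summarise a task's repetition interval(s) and whether its command runs from a user-writable path."""
    root = ET.fromstring(xml_text)
    intervals = [interval_minutes(e.text or "") for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    cmd = root.find(".//t:Actions/t:Exec/t:Command", TASK_NS)
    command = (cmd.text or "").strip() if cmd is not None else ""
    return {
        "repeats_every_minutes": intervals,
        "matches_reported_interval": every_minutes in intervals,
        "command": command,
        "command_in_user_writable_dir": under_user_writable(command),
    }


if __name__ == "__main__":
    print(check_app_config(SAMPLE_CONFIG_PATH, SAMPLE_CONFIG))
    print(check_scheduled_task(SAMPLE_TASK))
```

In practice the config check is run over every `*.exe.config` found under user-writable directories (a legitimate .NET application copied there alongside its doctored config is the tell), and the task check over `schtasks /query /xml` output or the XML files under %WINDIR%\System32\Tasks. Either finding alone deserves a look; both together, pointing at the same directory, match the behaviour this page reports.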


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

RedKitten

Weaponized spreadsheet documents deployed the SloppyMIO implant, a C# backdoor that used steganography to extract configuration data from images hosted on legitimate code repositories...

Source: Trellix blog (trellix.com)
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 2)

"it's suspected that the threat actors are relying on spear-phishing or 'protracted social engineering efforts' in which the operators build rapport with the victims over time before sending the malicious payloads... approaching prospective targets under fake personas and cultivating a relationship"

Execution

1 technique
T1059.001 PowerShell (evidence: 1)

PowerShell and Cmd serve as the universal backbone for execution across nearly all groups.

Defense Evasion

2 techniques
T1027.003 Steganography (evidence: 1)

used steganography to extract configuration data from images hosted on legitimate code repositories

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

“Defense evasion … employ multiple obfuscation techniques (T1140) …” plus described obfuscation (polyglots, XOR, double extensions, packed payloads, layered encryption).

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 1)

Finally, for command and control and exfiltration, Iranian-linked groups most commonly rely on application layer protocols (T1071), such as HTTP

T1071.001 Web Protocols (evidence: 1)

“redundant command-and-control channels across HTTPS …” / “Cloudflare Workers, Firebase, OneDrive …” / “Firebase-hosted staging pages”

T1102.001 Dead Drop Resolver (evidence: 1)

communicated exclusively through messaging platform APIs — a dead-drop resolver architecture designed to blend malicious traffic into ordinary cloud service noise

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

“exfiltration over C2 channel (T1041) …” and examples include uploading files via web requests and exfil via web services/alternative protocols.
