PROBABLYPWNED
Threat Intelligence · January 31, 2026 · 3 min read

RedKitten Malware Targets Iranian Protest Documenters

French researchers uncover SloppyMIO, an AI-assisted malware campaign using fabricated victim lists to target individuals documenting human rights abuses during Iranian protests.

Alex Kowalski

French cybersecurity firm HarfangLab has exposed a malware campaign targeting individuals and organizations documenting human rights abuses during recent Iranian protests. The operation, dubbed RedKitten, delivers a newly identified implant called SloppyMIO through emotionally manipulative lures masquerading as official casualty records.

How the Attack Works

The campaign begins with password-protected 7z archives titled "Tehran Forensic Medical Files" in Farsi. Inside, victims find five Excel spreadsheets claiming to list 200 individuals who allegedly died in Tehran between December 2025 and January 2026 during the latest wave of protests.

The files are designed to appear authentic and urgent—exactly the type of material that human rights workers, journalists, and civil society organizations would naturally want to verify. When users enable macros to view the content, hidden VBA code executes and deploys the SloppyMIO implant.

The fabricated victim data serves a dual purpose: it increases the likelihood targets will open the files, and it spreads disinformation about protest casualties.

SloppyMIO Technical Capabilities

HarfangLab named the malware "SloppyMIO" because each infection generates slightly different code, a technique that frustrates signature-based detection. The C# implant provides attackers with:

  • File collection and exfiltration
  • Arbitrary command execution on victim systems
  • Deployment of additional malware
  • Persistence via Windows scheduled tasks
  • Steganography-based configuration storage in image files
  • Telegram bot integration for command-and-control communications

The use of Telegram for C2 is common among threat actors targeting the Iranian population, as the platform remains popular despite government blocking attempts. This infrastructure choice also complicates attribution since Telegram bots are trivial to create and abandon.

Attribution Indicators

HarfangLab identified connections to Yellow Liderc (also tracked as Imperial Kitten), an Iranian threat actor known for targeting dissidents and civil society groups. The overlapping indicators include:

  • Similar GitHub infrastructure usage
  • Telegram-based C2 patterns
  • Linguistic markers and Farsi language elements
  • Tactical overlap with previous campaigns

The researchers also noted traces suggesting AI-assisted development in the code structure. This aligns with broader trends we've observed, such as the Konni APT's AI-generated PowerShell malware targeting blockchain developers.

Context on Iranian Cyber Operations

Iran maintains a sophisticated cyber threat ecosystem combining state-sponsored APT groups from the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence (MOIS) with an expanding network of hacktivist fronts. Our recent analysis of CyberAv3ngers detailed how these actors blur the line between hacktivism and state-directed operations.

RedKitten represents the domestic surveillance facet of this apparatus—targeting regime critics rather than foreign adversaries. The campaign timing coincides with renewed protest activity and government crackdowns, suggesting responsive operational tasking.

For readers wanting deeper background on Iranian cyber capabilities, our recommended cybersecurity books include several titles covering state-sponsored threat actors and their evolution.

Timeline

  • Early January 2026: Campaign first observed in the wild
  • January 23, 2026: Researchers obtain malicious samples
  • January 29, 2026: HarfangLab publishes technical analysis

Recommendations for At-Risk Groups

Organizations working on Iranian human rights issues should treat unexpected documents with extreme caution:

  1. Never enable macros - Legitimate documents don't require macro execution to view content
  2. Verify document sources - Confirm authenticity through trusted channels before opening
  3. Use isolated environments - Open suspicious files in sandboxed systems disconnected from sensitive data
  4. Monitor for persistence - Check scheduled tasks for unauthorized entries
  5. Audit Telegram connections - Review network traffic for unexpected Telegram API communications
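The following host-side triage script, an added example that is not part of the article or of HarfangLab's report, covers steps 4 and 5 above: it lists non-Microsoft scheduled tasks whose action runs a script interpreter or a binary from a user-writable directory, then reports processes with live TCP connections to addresses that currently resolve for api.telegram.org and any cached DNS lookups of telegram.org names. The path and interpreter patterns and the api.telegram.org lookup are illustrative assumptions, not indicators published for SloppyMIO.

```powershell
# Added example, not from the article or HarfangLab's report. The patterns and
# the api.telegram.org lookup are illustrative assumptions. Run as administrator.
$userWritable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'
$interpreters = 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32'

# Step 4: tasks outside \Microsoft\ whose action runs an interpreter or
# something from a user-writable directory.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $userWritable -or $cmd -match $interpreters) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Check   = 'ScheduledTask'
                Task    = "$($task.TaskPath)$($task.TaskName)"
                Author  = $task.Author
                Action  = $cmd
                LastRun = $info.LastRunTime
                NextRun = $info.NextRunTime
            }
        }
    }
}

# Step 5: processes holding live TCP connections to addresses that currently
# resolve for api.telegram.org, plus cached DNS lookups of telegram.org names.
$telegramIps = @()
try {
    $telegramIps = @((Resolve-DnsName -Name 'api.telegram.org' -Type A -ErrorAction Stop).IPAddress)
} catch {
    Write-Warning "Could not resolve api.telegram.org: $_"
}
Get-NetTCPConnection -State Established |
    Where-Object { $telegramIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check   = 'TelegramConnection'
            Process = $proc.ProcessName
            Pid     = $_.OwningProcess
            Exe     = $proc.Path
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    }

Get-DnsClientCache |
    Where-Object { $_.Entry -like '*telegram.org*' } |
    Select-Object @{ n = 'Check'; e = { 'TelegramDnsCache' } }, Entry, Data, TimeToLive
```

Legitimate Telegram desktop or browser sessions produce the same DNS and connection hits, so treat step 5 results as leads to check against the owning process and its executable path, not as verdicts.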

The campaign specifically exploits the urgency that human rights workers feel when potential evidence surfaces. That emotional manipulation is the real weapon—the malware is just what gets delivered.
