
RedKitten APT Uses Malicious Microsoft Excel Macros in Cyber-Espionage Campaign Against Iranian Human Rights NGOs and Activists

  • Rescana
  • 51 minutes ago
  • 5 min read

Executive Summary

A newly identified Iran-linked threat actor, designated RedKitten, has launched a highly targeted cyber-espionage campaign against human rights NGOs and activists, particularly those involved in documenting or supporting protests and civil unrest in Iran. This campaign, active since late 2025, leverages advanced social engineering, AI-generated malicious macros, and multi-stage malware to infiltrate organizations, exfiltrate sensitive data, and conduct persistent surveillance. The operation demonstrates a significant evolution in Iranian cyber capabilities, utilizing cloud-based infrastructure and legitimate communication platforms for command and control, while employing sophisticated anti-detection and persistence techniques. The campaign’s technical complexity and focus on civil society targets underscore the urgent need for heightened vigilance and robust security controls among at-risk organizations.

Threat Actor Profile

RedKitten is a Farsi-speaking, Iran-aligned advanced persistent threat (APT) group, exhibiting strong operational security and technical sophistication. The group’s tactics, techniques, and procedures (TTPs) overlap with those of established Iranian APTs such as Tortoiseshell, Nemesis Kitten, and Charming Kitten, particularly in their use of malicious Excel documents, AppDomainManager injection, and cloud-based dead drop resolvers. Notably, RedKitten has adopted AI-generated code, likely produced by large language models (LLMs), to craft obfuscated macros and malware, complicating detection and attribution. The group’s infrastructure leverages legitimate services including GitHub, Google Drive, and Telegram, enabling resilient and stealthy command and control (C2) operations. The campaign’s targeting and lure content, which centers on recent Iranian protests and human rights abuses, strongly indicate state sponsorship and a focus on civil society disruption.

Technical Analysis of Malware/TTPs

The initial infection vector is a 7-Zip archive with a Farsi filename, distributed via spearphishing emails or messaging platforms. The archive contains a macro-enabled Microsoft Excel (XLSM) document, purporting to list details of protesters killed in Tehran between December 2025 and January 2026. This emotionally charged lure is designed to exploit the victim’s trust and urgency, increasing the likelihood of macro execution.

Upon enabling macros, a VBA script, likely generated or obfuscated with an LLM, runs a dropper routine that writes a C# dynamic link library (AppVStreamingUX_Multi_User.dll) to %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\. The DLL is executed through AppDomainManager injection: the .NET runtime can be told, via an application's .exe.config or the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, to load a named assembly as the AppDomainManager of a managed process it starts, so the malicious code runs inside a legitimate .NET executable. Because nothing is written into the process from outside, endpoint detection and response (EDR) heuristics tuned for cross-process injection frequently do not fire, which is why many EDR products miss it.

The primary payload, dubbed SloppyMIO, is a modular implant with the following capabilities: it establishes C2 by first querying a GitHub repository for a dead drop resolver, which provides a Google Drive URL. The Google Drive resource contains images with steganographically embedded configuration data, including a Telegram bot token, chat ID, and module download links. The implant supports multiple modules: cm for executing arbitrary shell commands via cmd.exe, do for collecting and exfiltrating files (zipped and sent via Telegram, subject to API size limits), up for writing files to disk (with data encoded in images and delivered via Telegram), pr for establishing persistence through scheduled tasks (executed every two hours), and ra for launching arbitrary processes.

Persistence is achieved by creating scheduled tasks that invoke the malicious DLL at regular intervals. Exfiltration and C2 communications are conducted over the Telegram Bot API, with status messages and stolen data sent directly to attacker-controlled Telegram channels. The use of GitHub and Google Drive for payload delivery and configuration, combined with Telegram-based C2, provides robust redundancy and complicates detection by blending malicious traffic with legitimate cloud service usage.

In addition to the primary malware, RedKitten employs advanced phishing techniques. Notably, the group has deployed a WhatsApp-themed phishing site (whatsapp-meeting.duckdns[.]org), which mimics the WhatsApp Web login page, captures credentials, and requests access to the victim’s camera, microphone, and geolocation. A parallel Gmail-themed phishing site is used to harvest email credentials and two-factor authentication codes. These phishing sites are distributed via targeted messages and are tailored to the victim’s language and context.

Exploitation in the Wild

The RedKitten campaign has been observed actively targeting human rights NGOs, activists, academics, government officials, and business leaders, with a particular focus on the Kurdish community and individuals involved in documenting human rights abuses in Iran. At least 50 individuals have been directly impacted, with many more potentially exposed through secondary targeting and credential compromise.

Attackers deliver malicious archives and phishing links via email, WhatsApp, and other messaging platforms. Victims who open the macro-laden Excel documents and enable macros inadvertently install the SloppyMIO implant, granting attackers persistent access to their systems. The malware exfiltrates sensitive documents, credentials, and, in the case of successful phishing, device sensor data such as camera feeds, microphone recordings, and geolocation information. The campaign’s infrastructure is highly dynamic, with frequent updates to GitHub repositories, Google Drive payloads, and Telegram bot configurations to evade takedowns and detection.

Victimology and Targeting

The primary targets of the RedKitten campaign are human rights NGOs, civil society organizations, and activists operating in or focused on Iran, especially those documenting protest activity or advocating for political prisoners. Secondary targets include academics, journalists, government officials, and business leaders with ties to the Iranian diaspora or Kurdish community. The campaign’s lures are highly contextual, referencing recent protest casualties and missing persons, and are crafted in Farsi to maximize credibility and emotional impact. The attackers demonstrate a nuanced understanding of their targets’ communication channels and trust networks, leveraging both technical and psychological tactics to maximize infection rates and data exfiltration.

Mitigation and Countermeasures

Organizations and individuals at risk from the RedKitten campaign should implement the following countermeasures. Block and monitor access to the known malicious infrastructure: the specific GitHub repositories and Google Drive links used as dead drops and payload stores, the phishing domain whatsapp-meeting.duckdns[.]org, and, on workstations with no business need for Telegram bots, the Telegram Bot API endpoint (api.telegram.org). Enforce macro blocking through policy rather than user choice: apply the Office policy that blocks macros in files from the internet and, where macros are not needed, set the VBA macro notification setting to disable all macros without notification (for Excel these are the values blockcontentexecutionfrominternet = 1 and VBAWarnings = 4 under HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security). Note that files extracted from archives such as the 7-Zip lure do not always carry the Mark-of-the-Web that the internet-macro block depends on, so the default block alone is not sufficient. Users should still be trained never to enable macros in documents from untrusted sources. Security teams should monitor for scheduled tasks whose action references the %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\ directory, investigate any AppVStreamingUX_Multi_User.dll or other C# DLL written there by an Office process (Excel writing a DLL is itself anomalous), and look for AppDomainManager settings in .exe.config files or process environments that point at that directory.
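As an added example, not code from the report or from Rescana, the following Python checks the two host artefacts described above: a Task Scheduler definition (as exported by `schtasks /query /xml` or carried in the TaskContent field of Security Event ID 4698) whose action runs from the NativeImages directory or names the dropped DLL, and a .NET application config or process environment that forces an AppDomainManager to load. The task samples, the `loader.exe` host executable and the `Loader.Manager` type name are constructed; the report gives only the DLL name, its directory and the two-hour interval.

```python
"""Host-side hunt for the RedKitten persistence and AppDomainManager artefacts.
Added example; all sample XML below is constructed, not captured from a victim."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators from the report, compared case-insensitively with the %LOCALAPPDATA%
# prefix dropped so both literal and expanded paths match.
SUSPECT_DIR_TAIL = r"\microsoft\clr_v4.0_32\nativeimages"
SUSPECT_DLL = "appvstreamingux_multi_user.dll"
REPORTED_INTERVAL_S = 2 * 3600            # persistence task runs every two hours

# .NET Framework honours these for every managed process started with them set.
ADM_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

_DUR = re.compile(r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def iso_duration_seconds(text: str) -> int:
    """Task Scheduler repetition intervals are ISO 8601 durations such as PT2H or P1DT30M."""
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return d * 86400 + h * 3600 + mi * 60 + s


def task_findings(task_xml: str) -> list:
    """Reasons a task definition matches the reported persistence; empty list if none."""
    root = ET.fromstring(task_xml.strip())
    reasons = []
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS)
        line = f"{cmd} {args}".lower()
        if SUSPECT_DIR_TAIL in line:
            reasons.append("action runs from the NativeImages drop directory")
        if SUSPECT_DLL in line:
            reasons.append("action references AppVStreamingUX_Multi_User.dll")
    # A two-hour repeat is common in benign tasks: report it only as corroboration.
    if reasons:
        for iv in root.findall(".//t:Repetition/t:Interval", TASK_NS):
            if iso_duration_seconds(iv.text or "") == REPORTED_INTERVAL_S:
                reasons.append("trigger repeats every two hours (PT2H)")
    return reasons


def appdomain_manager_findings(config_xml: str) -> Optional[dict]:
    """Assembly/type that an app.config forces the runtime to load as AppDomainManager,
    or None. A setting that resolves outside the application's own install directory
    is the file-based form of AppDomainManager injection."""
    rt = ET.fromstring(config_xml.strip()).find("runtime")
    if rt is None:
        return None
    asm, typ = rt.find("appDomainManagerAssembly"), rt.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return {"assembly": asm.get("value", ""), "type": typ.get("value", "")}


def env_findings(environ: dict) -> dict:
    """Environment-variable form: return any AppDomainManager variables that are set."""
    return {k: environ[k] for k in ADM_ENV_VARS if k in environ}


# Constructed samples. The report does not give the task's command line, so
# loader.exe, the /sync argument and Loader.Manager are hypothetical.
SUSPECT_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT2H</Interval></Repetition>
    <StartBoundary>2026-01-10T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\loader.exe</Command>
    <Arguments>AppVStreamingUX_Multi_User.dll</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT2H</Interval></Repetition>
    <StartBoundary>2026-01-10T09:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Backup\backup.exe</Command><Arguments>/sync</Arguments>
  </Exec></Actions>
</Task>"""

SUSPECT_CONFIG = r"""
<configuration><runtime>
  <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="Loader.Manager" />
</runtime></configuration>"""

BENIGN_CONFIG = r"""
<configuration><runtime><gcServer enabled="true" /></runtime></configuration>"""

if __name__ == "__main__":
    print(task_findings(SUSPECT_TASK))        # three reasons
    print(task_findings(BENIGN_TASK))         # [] despite the PT2H repeat
    print(appdomain_manager_findings(SUSPECT_CONFIG))
    print(env_findings({"APPDOMAIN_MANAGER_ASM": "AppVStreamingUX_Multi_User", "PATH": "C:\\Windows"}))
```

The two-hour interval is deliberately treated as corroborating evidence only: on its own it matches plenty of legitimate maintenance tasks, and a hunt that alerts on it alone will be ignored after a day.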

Endpoint and proxy monitoring should alert on non-browser processes on user workstations connecting to the Telegram Bot API, GitHub raw content, or Google Drive download endpoints, and on image files fetched by such processes, because the implant's configuration arrives inside images rather than as a recognisable payload. Scanning every image for steganography is impractical; the combination of an unusual requesting process, an image download from Google Drive, and a subsequent connection to api.telegram.org is a far more usable signal. Victims of the WhatsApp or Gmail phishing pages should have their passwords reset and active sessions revoked, since the pages capture second-factor codes as well as credentials. User awareness training is critical, particularly for NGOs and activists, to recognize and report targeted phishing and social engineering attempts. Incident response plans should be updated to include procedures for identifying and remediating infections involving cloud-based C2 and modular implants, including takedown requests to the cloud providers hosting the dead drops.
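As an added example, not from the report, this Python runs the network detection just described over constructed proxy log lines: it keeps only requests from non-browser user agents, classifies each by stage (GitHub dead drop, Google Drive config, Telegram Bot API), raises an alert for a client that walks the three stages in order within a time window, and lists Telegram bot calls by bot ID with the secret half of the token redacted. The log format (timestamp, client, method, URL, status, bytes, quoted User-Agent) and the bot token are assumptions for the example; the token shape used, numeric ID, colon, 35 URL-safe characters, is the layout Telegram bot tokens are commonly seen in.

```python
"""Proxy-log detection for the GitHub -> Google Drive -> Telegram fetch chain.
Added example; the log lines and the bot token are constructed."""
import re
import shlex
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Telegram Bot API paths look like /bot<id>:<secret>/<method>.
BOT_TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]{35})/(\w+)")
STAGES = ("github", "gdrive", "telegram")          # order described in the report


def classify(url: str) -> Optional[str]:
    """Map a URL to one of the report's three C2 stages, or None for anything else."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    if host in ("github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"):
        return "github"
    if host in ("drive.google.com", "drive.usercontent.google.com", "docs.google.com"):
        return "gdrive"
    if host == "api.telegram.org":
        return "telegram"
    return None


def is_browser(user_agent: str) -> bool:
    # Crude but sufficient here: every mainstream browser UA starts with Mozilla/5.0.
    return user_agent.startswith("Mozilla/5.0")


def parse_line(line: str) -> dict:
    ts, client, method, url, status, size, ua = shlex.split(line)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "method": method, "url": url, "ua": ua}


def redact_token(url: str) -> str:
    """Keep the bot ID (useful for pivoting) but never write the secret into an alert."""
    return BOT_TOKEN_RE.sub(lambda m: f"/bot{m.group(1)}:[REDACTED]/{m.group(3)}", url)


def bot_api_calls(lines: list) -> list:
    """Every Telegram Bot API call, regardless of user agent, with the token redacted."""
    out = []
    for line in lines:
        ev = parse_line(line)
        m = BOT_TOKEN_RE.search(ev["url"])
        if m and classify(ev["url"]) == "telegram":
            out.append({"client": ev["client"], "bot_id": m.group(1),
                        "method": m.group(3), "ts": ev["ts"].isoformat()})
    return out


def chain_alerts(lines: list, window_s: int = 900) -> dict:
    """{client: [redacted URLs]} for clients whose non-browser traffic hit GitHub, then
    Google Drive, then the Telegram Bot API, in that order, within window_s seconds."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        stage = classify(ev["url"])
        if stage and not is_browser(ev["ua"]):
            events[ev["client"]].append((ev["ts"], stage, redact_token(ev["url"])))
    alerts = {}
    for client, evs in events.items():
        evs.sort()
        for i, (t0, s0, u0) in enumerate(evs):
            if s0 != STAGES[0]:
                continue
            want, seen = 1, [u0]
            for t, s, u in evs[i + 1:]:
                if (t - t0).total_seconds() > window_s:
                    break
                if s == STAGES[want]:
                    seen.append(u)
                    want += 1
                    if want == len(STAGES):
                        alerts[client] = seen
                        break
            if client in alerts:
                break
    return alerts


# Constructed sample log. The token, file ID and repository names are placeholders.
BOT_TOKEN = "123456789:" + "AAH" + "fake" * 8
FF = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0"'
SAMPLE_LOG = [
    # Victim workstation: a non-browser client walks the whole chain in under a minute.
    '2026-01-15T10:02:11Z 10.0.5.23 GET https://raw.githubusercontent.com/example-user/notes/main/cfg.txt 200 96 "-"',
    '2026-01-15T10:02:14Z 10.0.5.23 GET https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID 200 48211 "-"',
    f'2026-01-15T10:02:20Z 10.0.5.23 POST https://api.telegram.org/bot{BOT_TOKEN}/sendMessage 200 133 "-"',
    f'2026-01-15T10:05:02Z 10.0.5.23 POST https://api.telegram.org/bot{BOT_TOKEN}/sendDocument 200 1048576 "-"',
    # Analyst browsing the same services in Firefox: no alert.
    f"2026-01-15T10:03:00Z 10.0.5.40 GET https://github.com/example-org/repo 200 20311 {FF}",
    f"2026-01-15T10:03:30Z 10.0.5.40 GET https://drive.google.com/file/d/EXAMPLE_FILE_ID/view 200 9920 {FF}",
    # Developer machine: non-browser GitHub traffic only, no later stages.
    '2026-01-15T10:04:00Z 10.0.5.41 GET https://github.com/example-org/repo.git/info/refs?service=git-upload-pack 200 512 "git/2.43.0"',
]

if __name__ == "__main__":
    for client, urls in chain_alerts(SAMPLE_LOG).items():
        print("CHAIN", client, urls)
    for call in bot_api_calls(SAMPLE_LOG):
        print("BOT", call)
```

Redacting the token is not cosmetic: a Telegram bot token is a bearer credential, and an alert that copies it into a ticketing system hands every reader of that system the attacker's exfiltration channel. The bot ID alone is enough to correlate across victims.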

References

The following sources provide additional technical details and context for the RedKitten campaign:

  • The Hacker News: Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists (https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html)
  • HarfangLab: RedKitten AI-accelerated campaign (https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/)
  • TechCrunch: Iranian phishing campaign targets WhatsApp, Gmail (https://techcrunch.com/)
  • Secureworks/Sophos: Nemesis Kitten, Drokbk backdoor (https://www.sophos.com/en-us)
  • MITRE ATT&CK Framework (https://attack.mitre.org/)
  • Reddit: Iran's RedKitten Campaign Targets NGOs (https://www.reddit.com/r/pwnhub/comments/1qs5tbz/irans_redkitten_campaign_targets_ngos_amid_human/)
  • LinkedIn: Cyber News Live (https://www.linkedin.com/posts/cyber-news-live_iran-linked-redkitten-cyber-campaign-targets-activity-7423590193590448128-lt_k)

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to help organizations proactively identify and address emerging threats. For more information or to discuss how Rescana can support your organization’s cybersecurity posture, please contact us at ops@rescana.com.
