securityonline.info 2/3/2026, 3:15:25 AM

AI-Coded Oppression: “RedKitten” Malware Targets Iranian Protesters


On 3 February 2026, researchers described a cyber-espionage campaign dubbed “RedKitten” that targets Iranian protesters. HarfangLab notes that the operation was first observed in early January 2026 and is aimed at NGOs and activists documenting the regime’s crackdown.

According to HarfangLab, victims are lured with a spreadsheet that purports to list “200 individuals, allegedly protesters, who died in Tehran between December 2025 and January 2026,” a dataset that is actually a fabrication designed to provoke an emotional response.

Once opened, the document executes a hidden macro that deploys a custom malware implant called SloppyMIO, a C# tool described as a “Swiss Army knife” of surveillance capable of stealing files, executing commands, and fetching additional modules from the cloud. The campaign’s developers reportedly left traces of large language model (LLM)-assisted development in the code, including an unedited stray comment praising a “Final Production Version” of a VBScript stager.

To avoid detection, RedKitten relies on legitimate services: GitHub and Google Drive for configuration and modular payload retrieval, and Telegram for command and control. This strategy nonetheless leaves a trace for security researchers, and the campaign aligns with Iranian state interests.
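The detection angle in the paragraph above is that traffic to GitHub, Google Drive and Telegram is ordinary on its own, but becomes suspicious when the process making it was spawned by a spreadsheet. The following correlation rule is an added example written for this page; it is not code from the article, from HarfangLab, or from the campaign. The event records are constructed for the example and do not follow any real EDR or Sysmon schema; the domain list is limited to the services the article names, and the Office and script-host process names are common Windows binaries, not indicators taken from the report.

```python
"""Added example: flag cloud-service connections made by a process that
descends from an Office application (e.g. Excel -> wscript.exe -> network).

The event dicts, helper names and field names here are constructed for this
example and are not a real log format.
"""
from datetime import datetime, timedelta

# Office applications whose child processes are worth scrutinising.
OFFICE_APPS = {"excel.exe", "winword.exe"}
# Script hosts a macro typically launches a stager through (the article
# mentions a VBScript stager, which runs under wscript/cscript).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Services the article says RedKitten uses for config, payloads and C2.
WATCHED_DOMAINS = ("github.com", "drive.google.com", "api.telegram.org")
MAX_DEPTH = 5  # how far up the parent chain to look


def _ts(s):
    return datetime.fromisoformat(s)


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def lineage(pid, procs, max_depth=MAX_DEPTH):
    """Process record for pid followed by its ancestors, nearest first."""
    chain = []
    cur = procs.get(pid)
    while cur is not None and len(chain) <= max_depth:
        chain.append(cur)
        cur = procs.get(cur["ppid"])
    return chain


def correlate(events, window=timedelta(minutes=30)):
    """Return alerts for watched-domain connections from Office descendants
    that occurred within `window` of the Office process starting."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] != "network" or not is_watched(e["dest"]):
            continue
        chain = lineage(e["pid"], procs)
        # Index of the nearest strict ancestor that is an Office app.
        office_idx = next(
            (i for i, r in enumerate(chain)
             if i > 0 and r["image"].lower() in OFFICE_APPS),
            None,
        )
        if office_idx is None:
            continue
        office = chain[office_idx]
        if _ts(e["ts"]) - _ts(office["ts"]) > window:
            continue
        below = chain[:office_idx]  # processes between Office and the network call
        alerts.append({
            "ts": e["ts"],
            "pid": e["pid"],
            "image": chain[0]["image"],
            "dest": e["dest"],
            "office_parent": office["image"],
            "via_script_host": any(
                r["image"].lower() in SCRIPT_HOSTS for r in below),
        })
    return alerts


# Constructed sample telemetry (not real data): Excel spawns wscript.exe,
# which then contacts Telegram and Google Drive; Chrome contacting GitHub
# is benign background noise and must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2026-01-10T09:00:00", "pid": 100, "ppid": 1,
     "image": "EXCEL.EXE"},
    {"type": "process", "ts": "2026-01-10T09:00:05", "pid": 200, "ppid": 100,
     "image": "wscript.exe"},
    {"type": "network", "ts": "2026-01-10T09:00:10", "pid": 200,
     "dest": "api.telegram.org"},
    {"type": "network", "ts": "2026-01-10T09:00:12", "pid": 200,
     "dest": "drive.google.com"},
    {"type": "network", "ts": "2026-01-10T09:00:20", "pid": 100,
     "dest": "example.com"},
    {"type": "process", "ts": "2026-01-10T08:55:00", "pid": 300, "ppid": 1,
     "image": "chrome.exe"},
    {"type": "network", "ts": "2026-01-10T09:01:00", "pid": 300,
     "dest": "github.com"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on process ancestry rather than on the destination alone, which is what makes it usable: blocking or alerting on every connection to GitHub or Google Drive would drown a SOC in noise, whereas a script host launched by Excel reaching those services shortly after the document was opened is rare in normal use. The `via_script_host` flag is there so a triage queue can rank the macro-to-stager shape the article describes above other Office-descended activity.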


Article by CyberSIXT