A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign named RedKitten that targets non-governmental organisations and individuals documenting human rights abuses, according to HarfangLab’s January 2026 observations.
The operation uses a multi-stage approach that begins with a 7‑Zip archive bearing a Farsi file name and containing macro-laced Microsoft Excel documents; the embedded VBA macro acts as a dropper for a C# implant, AppVStreamingUX_Multi_User.dll, which is executed via AppDomainManager injection. The attack chain relies on GitHub and Google Drive for configuration and modular payload retrieval, while Telegram serves as the command-and-control channel.
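One defensive check that follows from the loading technique above, written here as an added example (it is not HarfangLab's code or anything from the report): a Python scanner that parses .NET application config files for an `appDomainManagerAssembly` override under `<runtime>` and flags any assembly whose short name is not on a reviewed allowlist. The sample config, the placeholder type name and the allowlist entry are constructed for the example; only the implant assembly name comes from the report.

```python
from pathlib import Path
import xml.etree.ElementTree as ET

# Constructed sample .exe.config whose <runtime> section points the host process at a
# custom AppDomainManager. Assembly name is the implant name from the report; the type
# name is a placeholder, not something the report states.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PLACEHOLDER.Namespace.Manager" />
  </runtime>
</configuration>"""

# Short assembly names the organisation has reviewed and allows (constructed allowlist).
ALLOWED_MANAGERS = frozenset({"Contoso.AppHost"})


def find_appdomain_manager(config_xml: str):
    """Return the assembly/type named under <runtime>, or None if no override is set."""
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {"assembly": asm.get("value") if asm is not None else None,
            "type": typ.get("value") if typ is not None else None}


def is_suspicious(entry, allowed=ALLOWED_MANAGERS) -> bool:
    """Any override whose short assembly name is not explicitly allowed is flagged."""
    if entry is None:
        return False
    short_name = (entry.get("assembly") or "").split(",")[0].strip()
    return short_name not in allowed


def scan_configs(directory: str) -> list:
    """Return .config paths under a directory tree that name an unapproved AppDomainManager."""
    hits = []
    for path in Path(directory).rglob("*.config"):
        try:
            entry = find_appdomain_manager(path.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            continue  # not well-formed XML; skip rather than abort the sweep
        if is_suspicious(entry):
            hits.append(str(path))
    return hits
```

The same override can also be supplied through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, so a complete check should review process environments as well as config files.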
The campaign is noteworthy for likely leveraging large language models to build and orchestrate its tooling, and the lure spreadsheets purport to contain details about protesters who died in Tehran between 22 December 2025 and 20 January 2026.
The backdoor, dubbed SloppyMIO, uses GitHub as a dead drop resolver to fetch Google Drive URLs hosting images from which configuration data, such as the Telegram bot token and chat ID, is steganographically extracted, and it supports modules for executing commands, collecting files, writing to local paths, creating scheduled tasks, and starting processes.