State-Aligned Actors Exploit Unrest with RedKitten AI-Accelerated Campaign Targeting Iranian Protests
- Targeted Lure: Weaponized Excel files disguised as lists of protesters killed during the Dey 1404 protests target investigators documenting human rights abuses in Iran.
- AI-Accelerated Development: The threat actor, tracked as RedKitten, rapidly developed the campaign using LLMs, as evidenced by AI-generated code comments.
- Infrastructure: The malware, dubbed SloppyMIO, uses GitHub for configuration, Google Drive for payload retrieval, and the Telegram Bot API for C2 communications.
A new threat cluster, tracked as RedKitten, has launched an AI-accelerated malware campaign targeting individuals and organizations monitoring human rights violations related to the Dey 1404 protests in Iran, researchers say. The RedKitten campaign leverages a sophisticated C2 implant called SloppyMIO, delivered via macro-enabled Excel spreadsheets.
These documents are designed as "shock lures," falsely claiming to contain lists of casualties from the recent civil unrest.
SloppyMIO Implant Analysis
Upon execution, the malware uses a technique known as AppDomainManager injection, according to security researchers. It then retrieves its configuration steganographically from images hosted online, whose URLs are provided by a Dead Drop Resolver (DDR) hosted on GitHub via suspected stolen accounts.
This configuration includes a Telegram bot token and chat ID for command-and-control (C2) communications. The malware is capable of:
- Fetching and executing additional payloads from Google Drive,
- Running arbitrary commands,
- Harvesting and exfiltrating files,
- Deploying further malware with persistence via scheduled tasks.
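As an added hunting example (not code from the researchers or from this page), the Python below sketches detection logic for the chain just described: Excel spawning a child process, the CLR settings that enable AppDomainManager injection, scheduled-task persistence, and non-browser processes contacting the GitHub, Google Drive and Telegram endpoints the implant abuses. The telemetry field names and sample events are constructed assumptions, not a real log schema.

```python
import re

# AppDomainManager injection is enabled through CLR settings passed either as
# environment variables or as appDomainManagerAssembly/appDomainManagerType
# elements in the .exe.config beside a .NET binary.
APPDOMAIN_ENV_KEYS = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE"}
APPDOMAIN_CONFIG_RE = re.compile(r"appDomainManager(Assembly|Type)", re.I)

# Legitimate services the implant abuses, with the roles given in the analysis.
ABUSED_HOSTS = {
    "github.com": "dead-drop resolver (GitHub)",
    "drive.google.com": "payload retrieval (Google Drive)",
    "api.telegram.org": "C2 (Telegram Bot API)",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def check_process(ev):
    """Flag lure execution, injection and persistence in one process event."""
    findings = []
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    if parent == "excel.exe" and image != "splwow64.exe":
        findings.append(f"Excel spawned {image} (macro-enabled lure)")
    if APPDOMAIN_ENV_KEYS & {k.upper() for k in ev.get("env", {})}:
        findings.append("AppDomainManager injection via environment")
    if APPDOMAIN_CONFIG_RE.search(ev.get("config_text", "")):
        findings.append("AppDomainManager injection via .exe.config")
    if image == "schtasks.exe" and "/create" in ev.get("cmdline", "").lower():
        findings.append("scheduled task created (persistence)")
    return findings

def check_network(ev):
    """Flag non-browser processes contacting the abused services."""
    host, image = ev.get("host", "").lower(), ev.get("image", "").lower()
    role = ABUSED_HOSTS.get(host)
    return [f"{image} -> {host}: {role}"] if role and image not in BROWSERS else []

# Constructed sample telemetry (field names are assumptions, not a real schema).
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": "EXCEL.EXE", "image": "stage1.exe",
     "env": {"APPDOMAIN_MANAGER_ASM": "x", "APPDOMAIN_MANAGER_TYPE": "y"}},
    {"parent_image": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /Create /SC ONLOGON /TN Updater /TR C:\\x.exe"},
    {"parent_image": "explorer.exe", "image": "notepad.exe", "env": {}},
]
SAMPLE_NETWORK_EVENTS = [
    {"image": "stage1.exe", "host": "api.telegram.org"},
    {"image": "chrome.exe", "host": "drive.google.com"},
]
```

Exempting browsers from the network check is a simplification to cut noise; in production the allowlist should be per-process and per-host, since these services are legitimately used by many developer tools.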
The researchers believe that Large Language Model (LLM) assistance was leveraged in this campaign.
Cybersecurity Recommendations and Attribution
While attribution is challenging due to overlapping TTPs among Iranian-nexus groups, evidence links this campaign to a Farsi-speaking actor, as well as IRGC-aligned threat actor Yellow Liderc (also known as IMPERIAL KITTEN, TA456) and COBALT MIRAGE.
To mitigate threats from Iranian protest-themed cyberattacks, organizations must enhance their security posture. Key cybersecurity recommendations include:
- Training employees to recognize sophisticated phishing and social engineering lures.
- Auditing developer tools and environments for signs of compromise.
Using shocking lures is a tactic that aligns with alleged prior operations conducted by threat actors supporting Iranian state interests. A January report outlined a new malware strain tracked as Devixor that combines a banking RAT and ransomware to target Iranian banks, crypto platforms, and payment services.
Similarly, Afghan government workers were targeted with phishing lures such as decoy documents disguised as official correspondence to deliver the FalseCub malware.