An Iranian-linked group dubbed RedKitten is targeting activists and human rights observers using artificial intelligence to build malicious tools. The campaign exploits current civil unrest in Iran by using fake documents about deceased protesters to infect victims with a modular backdoor.
An Iranian state-sponsored threat actor identified as RedKitten has launched a sophisticated cyber campaign targeting non-governmental organizations and individuals documenting human rights abuses. This activity coincides with widespread protests in Iran sparked by economic instability and government crackdowns. The attackers use emotional lures, specifically Excel files claiming to list deceased protesters, to trick victims into activating malicious macros. These files are actually filled with fabricated data designed to exploit the distress of those searching for missing loved ones.
Security researchers have noted that the malware used in this campaign likely relies on large language models to generate code and orchestrate attacks. The primary infection tool is a C# backdoor called SloppyMIO, which is delivered via a technique known as AppDomainManager injection. Analysis of the VBA macros within the lure documents revealed coding styles and comments characteristic of AI-generated output, signaling a shift in how regional threat actors are developing their digital weaponry.
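AppDomainManager injection, the delivery technique named above, works by pointing the .NET runtime at a custom AppDomainManager assembly so that it is loaded before the host application's own entry point runs; the runtime honours this either through the application's `.exe.config` file (`appDomainManagerAssembly` and `appDomainManagerType` under `<runtime>`) or through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables. The scanner below is an added defensive example, not code from the report or from the SloppyMIO sample: it flags config files and environment blocks that use either route. The sample configs are constructed, and the assembly and type names in them are placeholders, not indicators from this campaign.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, Optional, Tuple

# The two settings the .NET runtime reads when deciding whether to load a
# custom AppDomainManager ahead of the application's entry point.
# Route 1: <configuration><runtime> in the application's .config file.
# Route 2: two environment variables on the process.
CONFIG_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def scan_config_text(text: str) -> Optional[Dict[str, str]]:
    """Return the assembly/type pair if this config text redirects the CLR
    to a custom AppDomainManager, otherwise None. Malformed XML counts as
    'no finding' so a sweep over many files does not abort on one bad file."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    if root.tag != "configuration":
        return None
    found: Dict[str, str] = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in CONFIG_KEYS:
                found[child.tag] = child.get("value", "")
    if not found:
        return None
    return {"assembly": found.get(CONFIG_KEYS[0], ""),
            "type": found.get(CONFIG_KEYS[1], "")}


def scan_environment(env: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Same check for the environment-variable route; pass os.environ or a
    process's captured environment block."""
    if not any(k in env for k in ENV_KEYS):
        return None
    return {"assembly": env.get(ENV_KEYS[0], ""),
            "type": env.get(ENV_KEYS[1], "")}


def scan_directory(root_dir: str) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Walk a directory tree and yield (path, finding) for every *.config
    file that names an AppDomainManager."""
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    finding = scan_config_text(fh.read())
            except OSError:
                continue
            if finding:
                yield path, finding


# Constructed samples for a stand-alone run; placeholder names, not real IoCs.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" />
  </startup>
</configuration>"""

SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASSEMBLY, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PLACEHOLDER_NAMESPACE.PLACEHOLDER_TYPE" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    print("benign:", scan_config_text(BENIGN_CONFIG))
    print("suspicious:", scan_config_text(SUSPICIOUS_CONFIG))
    print("environment:", scan_environment(dict(os.environ)))
    for path, finding in scan_directory("."):
        print(path, finding)
```

A hit is not proof of compromise on its own (a few legitimate products ship a custom AppDomainManager), so the useful follow-up is to check whether the named assembly sits next to a signed, otherwise benign executable and whether that executable is one that normally carries no such config at all.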
SloppyMIO utilizes a complex communication chain involving reputable services like GitHub and Google Drive to hide its activities. It uses GitHub as a dead drop resolver to find Google Drive links, which then host images containing hidden configuration data. This data allows the malware to connect to Telegram for its final command-and-control operations. Once active, the backdoor can execute commands, steal files, and maintain a permanent presence on the victim's computer through scheduled tasks.
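Because every hop in that chain is a service most networks allow, the detectable feature is not any single destination but the ordering: a host that resolves a dead drop on GitHub, fetches from Google Drive, and then starts talking to Telegram, all within a short window. The correlation below is an added example, not tooling from the report: it runs that sequence heuristic over constructed proxy log lines in an assumed `timestamp client destination` layout. The hostname suffixes it matches are generic assumptions for the three services, not indicators taken from the campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Ordered stages of the chain described in the report. Hostname suffixes are
# illustrative assumptions, not campaign indicators.
STAGES = (
    ("github", ("github.com", "githubusercontent.com")),
    ("gdrive", ("drive.google.com", "googleusercontent.com")),
    ("telegram", ("telegram.org",)),
)
STAGE_ORDER = [label for label, _ in STAGES]


def stage_of(domain: str) -> Optional[str]:
    """Map a destination hostname to a stage label, or None if unrelated."""
    d = domain.lower().rstrip(".")
    for label, suffixes in STAGES:
        if any(d == s or d.endswith("." + s) for s in suffixes):
            return label
    return None


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Parse 'ISO-timestamp client-ip dest-host' (constructed log layout)."""
    ts, client, dest = line.split()
    return datetime.fromisoformat(ts), client, dest


def find_chains(lines: List[str], window_minutes: int = 10) -> List[Dict]:
    """Return one finding per client that contacted the three stages in
    order (GitHub, then Google Drive, then Telegram) within the window."""
    window = timedelta(minutes=window_minutes)
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, dest = parse_line(line)
        label = stage_of(dest)
        if label:
            events[client].append((ts, label))

    findings = []
    for client, evs in events.items():
        evs.sort()
        # Treat every first-stage contact as a potential chain start and look
        # for the remaining stages, in order, before the window expires.
        for i, (t0, label0) in enumerate(evs):
            if label0 != STAGE_ORDER[0]:
                continue
            want = 1
            for ts, label in evs[i + 1:]:
                if ts - t0 > window:
                    break
                if label == STAGE_ORDER[want]:
                    want += 1
                    if want == len(STAGE_ORDER):
                        findings.append({"client": client, "start": t0, "end": ts})
                        break
            if want == len(STAGE_ORDER):
                break  # one finding per client is enough for triage
    return findings


# Constructed log lines: one host completes the chain quickly, one only
# touches GitHub, one hits the stages out of order, one is too slow.
SAMPLE_LOG = """
2024-01-01T10:00:00 10.0.0.5 raw.githubusercontent.com
2024-01-01T10:00:07 10.0.0.5 drive.google.com
2024-01-01T10:00:20 10.0.0.5 api.telegram.org
2024-01-01T10:01:00 10.0.0.9 github.com
2024-01-01T10:01:30 10.0.0.9 www.example.com
2024-01-01T10:02:00 10.0.0.12 api.telegram.org
2024-01-01T10:02:30 10.0.0.12 github.com
2024-01-01T10:02:45 10.0.0.12 drive.google.com
2024-01-01T11:30:00 10.0.0.20 github.com
2024-01-01T11:45:00 10.0.0.20 drive.google.com
2024-01-01T11:55:00 10.0.0.20 api.telegram.org
"""

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG.splitlines()):
        print(finding)
```

Developers and ordinary users touch all three services during a normal day, so this is a triage signal rather than an alert on its own; it pays off when paired with the process making the connections (an Office process or an unsigned binary launched from a user-writable path is a very different story from a browser) and with the scheduled-task creation the report mentions as the persistence step.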
The attribution to Iranian interests is supported by the use of Farsi language artifacts and tactical similarities to known groups like Tortoiseshell and Nemesis Kitten. By using commoditized infrastructure such as Telegram and Google, the attackers make traditional tracking difficult for defenders. This campaign is part of a broader surge in Iranian cyber activity, which includes recent credential-stealing operations on WhatsApp and Gmail that targeted high-profile figures, academics, and members of the Kurdish community.
The regional cyber landscape is further complicated by recent leaks exposing the inner workings of Iranian hacking groups and their recruitment pipelines. Data breaches at entities like Ravin Academy have revealed how the Iranian Ministry of Intelligence and Security vets and trains cyber personnel through seemingly independent schools. As these actors increasingly adopt artificial intelligence and multi-platform social engineering, the line between government operations and private recruitment continues to blur, posing significant challenges for international cybersecurity efforts.
Source: Iran Linked RedKitten Cyber Campaign Targets Human Rights NGOs And Activists



Really strong reporting on this. The shift to LLM-generated malware feels almost inevitable but seeing it confirmed in the VBA macro analysis is kinda wild. I've been working with similar threat groups and the speed at which they're iterating now is way faster than traditional dev cycles. Commoditized infrastructure like Telegram + GitHub really muddies attribution too.