**New AI-Developed Malware Campaign Targets Iranian Protests**
A sophisticated malware campaign, discovered by French cybersecurity firm HarfangLab, is delivering malicious files to individuals and organizations in Iran, targeting those involved in documenting human rights abuses during the recent wave of protests in the country.
The campaign, dubbed RedKitten by the researchers, was first observed in early January 2026 and uses AI-generated malware to infect targets. Its lures are built to exploit the emotional distress of activists, journalists, and families searching for missing loved ones.
**Fake Forensic Files: A Calculated Approach**
The RedKitten campaign begins with a password-protected 7z archive containing five malicious Excel spreadsheets. These files claim to list 200 individuals who died in Tehran between December 2025 and January 2026, a period marked by unrest against the Iranian regime.
The Excel documents include disturbing details such as victims' personal information, graphic autopsy reports, and records of bodies being released to family members. However, the researchers noted that the data is riddled with inconsistencies, suggesting it was fabricated.
**SloppyMIO Implant: Data Theft, Exfiltration, and Spyware Capabilities**
When opened, the malicious Excel file prompts the user to "Enable Content," which runs a hidden VBA macro that drops the second-stage payload: a piece of malware written in C# dubbed SloppyMIO.
The name SloppyMIO hints at its messy design: each infection carries slightly different code, so signature-based security tools have a harder time recognizing and blocking it. Once active, the malware uses several evasion techniques, including storing its configuration inside seemingly ordinary image files using steganography.
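The infection chain described above starts with a spreadsheet that carries a VBA project. A triage step that never opens the file in Excel can catch that before anyone clicks "Enable Content". The script below is an added example, not HarfangLab's tooling or anything from the RedKitten samples: it relies only on the fact that an .xlsx/.xlsm is an OOXML zip container whose VBA code, if any, lives in `xl/vbaProject.bin`, and it flags a `.xlsx` extension on a file that nonetheless contains VBA (a sign of renaming to look benign). The sample workbooks, filenames and the placeholder `vbaProject.bin` bytes are constructed here for the demonstration.

```python
"""Triage spreadsheets for embedded VBA before anyone clicks Enable Content.

Added example; not HarfangLab's tooling. Standard library only: an .xlsx/.xlsm
is a zip (OOXML) and any VBA project is stored at xl/vbaProject.bin.
"""
import io
import zipfile

# Content type Excel assigns to the main part of a macro-enabled workbook.
MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_PART = "xl/vbaProject.bin"


def inspect_workbook(name: str, data: bytes) -> dict:
    """Return structural indicators for one workbook without executing anything."""
    result = {"name": name, "is_ooxml": False, "has_vba": False,
              "macro_enabled_ct": False, "ext_mismatch": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not an OOXML container at all (legacy .xls, junk, etc.)
    with zf:
        names = set(zf.namelist())
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["has_vba"] = VBA_PART in names
        if result["is_ooxml"]:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_ct"] = MACRO_CT in ct
    ext = name.lower().rsplit(".", 1)[-1]
    # A .xlsx should never carry a VBA project; finding one suggests the file was renamed.
    result["ext_mismatch"] = result["has_vba"] and ext == "xlsx"
    return result


def triage(files: dict) -> list:
    """Return the sorted names of every workbook that carries a VBA project."""
    return sorted(n for n, d in files.items() if inspect_workbook(n, d)["has_vba"])


def build_workbook(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real sample)."""
    ct_main = MACRO_CT if with_vba else PLAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{ct_main}"/>'
        + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           if with_vba else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Placeholder bytes (OLE magic + padding) standing in for a real VBA project.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed filenames: one honest .xlsm, one renamed to .xlsx, one clean sheet.
    samples = {
        "casualty_list_1.xlsm": build_workbook(True),
        "casualty_list_2.xlsx": build_workbook(True),
        "clean_sheet.xlsx": build_workbook(False),
    }
    for n, d in samples.items():
        print(inspect_workbook(n, d))
    print("flagged:", triage(samples))
```

Run this over the extracted archive contents before the files reach a user; anything flagged should go to a sandbox, not to Excel. The check is structural, so it also catches macro-enabled files whose macros are obfuscated, but it says nothing about what the macro does.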
**Telegram Command and Control: A New Tactic**
Instead of connecting to attacker-owned servers that defenders can blocklist, SloppyMIO uses Telegram for command and control. It sends a "beacon" message to an operator-controlled Telegram bot, announcing that the infected computer is online.
The malware then periodically polls for new instructions, which are disguised as innocuous chat messages. Because the traffic goes to Telegram's legitimate service, security tools that rely on blocking known-bad domains may not flag it, and analysts may struggle to separate it from ordinary Telegram use.
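The beacon-then-poll pattern above is detectable even though the destination is a legitimate service: Telegram bot traffic uses the Bot API at `api.telegram.org`, with the bot token in the URL path, and a polling implant produces a regular cadence that human chat traffic does not. The detector below is an added example, not HarfangLab's detection content and not derived from SloppyMIO's actual polling interval; it assumes an egress proxy log in a constructed `<timestamp> <client> <method> <url> <process>` format, and the log lines, client addresses, process names and bot tokens in it are all made up for the demonstration.

```python
"""Spot Telegram Bot API beaconing in egress proxy logs.

Added example, not HarfangLab's detection logic. Assumes a proxy log with lines
'<ISO timestamp> <client_ip> <method> <url> <process>' (constructed below).
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Bot API calls carry the bot token in the path: /bot<numeric id>:<secret>/<method>
BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)$")

# Constructed log: 10.0.0.5 beacons with sendMessage, then polls getUpdates roughly
# every 60 s; 10.0.0.7 is normal browsing; 10.0.0.9 sends one message only.
SAMPLE_LOG = """\
2026-01-12T09:00:00 10.0.0.5 POST https://api.telegram.org/bot123456:AAFakeTokenForExample/sendMessage updater.exe
2026-01-12T09:01:00 10.0.0.5 GET https://api.telegram.org/bot123456:AAFakeTokenForExample/getUpdates updater.exe
2026-01-12T09:02:01 10.0.0.5 GET https://api.telegram.org/bot123456:AAFakeTokenForExample/getUpdates updater.exe
2026-01-12T09:02:59 10.0.0.5 GET https://api.telegram.org/bot123456:AAFakeTokenForExample/getUpdates updater.exe
2026-01-12T09:04:00 10.0.0.5 GET https://api.telegram.org/bot123456:AAFakeTokenForExample/getUpdates updater.exe
2026-01-12T09:05:02 10.0.0.5 GET https://api.telegram.org/bot123456:AAFakeTokenForExample/getUpdates updater.exe
2026-01-12T09:00:30 10.0.0.7 GET https://example.org/index.html firefox.exe
2026-01-12T09:03:10 10.0.0.9 POST https://api.telegram.org/bot987654:AAAnotherFakeToken/sendMessage script.py
"""


def parse(lines):
    """Yield (timestamp, client, method, url, process) from log lines; skip malformed ones."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, proc = m.groups()
        yield datetime.fromisoformat(ts), client, method, url, proc


def find_telegram_beacons(lines, min_polls=4, max_jitter=0.15):
    """Return {(client, process): report} for every host that talks to the Bot API.

    Any Bot API contact is reported as 'bot_api_contact'. Repeated getUpdates
    calls whose inter-arrival times have a low coefficient of variation
    (std/mean <= max_jitter) are upgraded to 'beacon'.
    """
    calls = defaultdict(list)
    for ts, client, method, url, proc in parse(lines):
        m = BOT_API.search(url)
        if not m:
            continue
        bot_id, _secret, api_method = m.groups()   # never log the secret part
        calls[(client, proc)].append((ts, bot_id, api_method))

    reports = {}
    for key, events in calls.items():
        events.sort()
        polls = [ts for ts, _, meth in events if meth == "getUpdates"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        report = {
            "bot_ids": sorted({b for _, b, _ in events}),
            "methods": sorted({m for _, _, m in events}),
            "polls": len(polls),
            "verdict": "bot_api_contact",
        }
        if len(polls) >= min_polls:
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            report["mean_interval"] = round(mean, 1)
            report["jitter"] = round(cv, 3)
            if cv <= max_jitter:
                report["verdict"] = "beacon"
        reports[key] = report
    return reports


if __name__ == "__main__":
    for key, report in find_telegram_beacons(SAMPLE_LOG.splitlines()).items():
        print(key, report)
```

The point of keying on `api.telegram.org/bot…` rather than on the domain alone is that the official Telegram clients do not use the Bot API, so in most corporate environments any endpoint calling it deserves a look even before the cadence test; the jitter threshold then separates an implant's timer loop from a one-off script. An implant that randomizes its sleep interval will defeat the cadence test, which is why the first verdict is kept as a lower-severity signal rather than discarded.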
**Attribution and Motivation**
While the researchers could not clearly attribute this campaign at this stage, its infection chain shows overlaps with the tactics, techniques, and procedures (TTPs) of the Iranian, IRGC-aligned threat actor Yellow Liderc (aka Imperial Kitten, TA456).
The researchers outlined several clues in the RedKitten infrastructure that suggest the threat actor has links with previously observed Iran-aligned threat groups and speaks Farsi. The use of GitHub as a Dead Drop Resolver (DDR) and the use of Telegram for command-and-control (C2) have been reported in campaigns by separate Iranian threat clusters since 2022.
**Conclusion**
The RedKitten campaign highlights the growing adoption of AI-generated malware in attack campaigns, which, together with the tooling and tradecraft shared across Iranian groups, makes it increasingly challenging to distinguish between Iranian-nexus actors.
The researchers concluded that "Distinguishing between Iranian-nexus actors is increasingly challenging due to the commonalities shared between them and the growing adoption of LLMs in attack campaigns."
**Recommendations**
In light of this campaign, HarfangLab recommends:
* All organizations involved in documenting human rights abuses or supporting protesters should be cautious when opening files from unknown sources.
* Security teams should monitor for suspicious activity within legitimate Telegram communication.
* Researchers and security professionals should stay vigilant in identifying new tactics, techniques, and procedures (TTPs) used by Iranian-aligned threat actors.
The RedKitten campaign serves as a stark reminder of the evolving nature of cyber threats and the importance of staying ahead of AI-generated malware.