Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists


These articles are AI-generated summaries. Please check the original sources for full details.

RedKitten Cyber Campaign

RedKitten is a cyber campaign attributed to a Farsi-speaking threat actor aligned with Iranian state interests. It targets non-governmental organizations and individuals documenting recent human rights abuses in Iran. Its malware retrieves configuration and modular payloads from GitHub and Google Drive rather than from attacker-owned servers. The attribution rests on Farsi-language artifacts in the tooling, lure themes aimed at that community, and tactical overlaps with earlier Iran-linked campaigns.

Why This Matters

RedKitten illustrates two trends. First, the actor used AI tools to generate parts of its tooling; code produced this way carries fewer of the coding habits that defenders use to tell one actor from another, which weakens attribution. Second, the targeting is consequential: a compromise exposes sensitive information held by organizations documenting abuses and can undermine the human rights work itself, putting the individuals and organizations involved at risk.

Key Insights

  • The actor used AI-generated macros to build and orchestrate its tooling, a notable example of AI use in an intrusion campaign (HarfangLab, 2026)
  • The campaign relies on commodity infrastructure, GitHub and Google Drive, to deliver a backdoor tracked as SloppyMIO, which fetches its modules from remote storage and caches them locally (HarfangLab, 2026)
  • Telegram is used for command-and-control, and the Farsi artifacts point to Iranian state interests, mirroring earlier campaigns such as Tortoiseshell (Secureworks, 2022)

Working Example

// Skeleton of the AppDomainManager injection technique the article attributes
// to SloppyMIO. Apart from the assembly name given on the page, the class and
// method names are placeholders, not names recovered from the malware.
//
// The technique targets .NET Framework hosts: a legitimate host.exe is placed
// next to a host.exe.config that redirects CLR start-up into the attacker's
// assembly, which the CLR loads from the same directory before Main() runs:
//
//   <configuration>
//     <runtime>
//       <appDomainManagerAssembly value="AppVStreamingUX_Multi_User" />
//       <appDomainManagerType value="AppVStreamingUX_Multi_User.Manager" />
//     </runtime>
//   </configuration>
using System;
using System.Reflection;

namespace AppVStreamingUX_Multi_User
{
    // The configured type must derive from AppDomainManager.
    public sealed class Manager : AppDomainManager
    {
        // Invoked by the CLR while the default AppDomain is created, so the
        // payload executes inside the trusted host process.
        public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
        {
            Assembly self = Assembly.GetExecutingAssembly();
            object instance = self.CreateInstance("MaliciousClass");            // placeholder
            MethodInfo method = instance.GetType().GetMethod("MaliciousMethod"); // placeholder
            method.Invoke(instance, null);
        }
    }
}
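The injection above leaves a durable artifact: an `<exe>.config` whose `<runtime>` element names an AppDomainManager assembly, usually with that assembly sitting beside the host instead of in the GAC. The hunting script below is an added example, not code from the HarfangLab report or from the malware; it assumes .NET Framework hosts (the mechanism does not apply to .NET Core), the two sample config texts are constructed for the example, and the type name `AppVStreamingUX_Multi_User.Manager` is a placeholder. It also checks the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables, which achieve the same redirection per process without a config file.

```python
"""Hunt for AppDomainManager injection in .NET Framework host config files.

Added example, not the report's or the malware's code.  Flags the <runtime>
elements that redirect CLR start-up into an arbitrary assembly and notes
whether that assembly sits in the application directory (the usual injection
layout).  Sample config texts are constructed for this example.
"""
import os
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: an ordinary app.config with no AppDomainManager settings.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Constructed sample: the injection layout, reusing the assembly name the
# article gives; the type name is a placeholder.
INJECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="AppVStreamingUX_Multi_User.Manager" />
  </runtime>
</configuration>
"""


def parse_app_domain_manager(config_text: str) -> Optional[dict]:
    """Return {'assembly', 'type'} if the config names an AppDomainManager, else None."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    # The assembly value is a display name; the simple name precedes the first comma.
    simple_name = asm.get("value", "").split(",")[0].strip()
    return {"assembly": simple_name, "type": typ.get("value", "").strip()}


def assess(config_path: str, config_text: str) -> list[str]:
    """Return findings for one <exe>.config; an empty list means nothing suspicious."""
    hit = parse_app_domain_manager(config_text)
    if hit is None:
        return []
    findings = [f"{config_path}: AppDomainManager set to {hit['type']} in {hit['assembly']}"]
    app_dir = os.path.dirname(os.path.abspath(config_path))
    side_by_side = os.path.join(app_dir, hit["assembly"] + ".dll")
    if os.path.exists(side_by_side):
        findings.append(f"{config_path}: manager assembly present beside the host: {side_by_side}")
    else:
        findings.append(f"{config_path}: manager assembly not in app dir (check GAC and env vars)")
    return findings


def scan_directory(root_dir: str) -> list[str]:
    """Walk a tree and assess every *.exe.config found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    findings.extend(assess(path, fh.read()))
    return findings


def env_override_present(environ=os.environ) -> bool:
    """The same redirection can be set per process through environment variables."""
    return bool(environ.get("APPDOMAIN_MANAGER_ASM") and environ.get("APPDOMAIN_MANAGER_TYPE"))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in scan_directory(target):
        print(line)
    if env_override_present():
        print("APPDOMAIN_MANAGER_ASM/APPDOMAIN_MANAGER_TYPE are set in this environment")
```

Run it against program directories and user-writable paths where a legitimate .NET host has been copied; a config that names a manager assembly present next to the host is worth pulling for analysis, since benign software rarely ships a custom AppDomainManager.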

Practical Applications

  • Use Case: RedKitten combines AI-generated macros with commodity cloud services for delivery and command-and-control, so defenses that depend on blocking attacker-owned domains will miss it. Mail filtering that blocks or sandboxes macro-enabled documents, restricting macros by policy, and user training against document lures address the initial access stage.
  • Pitfall: Because AI-generated code lacks the stylistic fingerprints that support attribution, defenders should not rely on code similarity alone to cluster activity. Behavioral telemetry, in particular process-to-network lineage showing non-browser processes talking to GitHub, Google Drive or Telegram, is needed to detect and respond to such attacks quickly.
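The hunting logic implied by the pitfall above, as an added example that is not from the HarfangLab report: traffic to GitHub, Google Drive and Telegram is normal for browsers and developer tools, so the signal is which process makes the requests and how regularly. The proxy-log format, the sample lines (including the dummy bot token) and the process allowlist are constructed for this example and must be tuned per environment.

```python
"""Hunt for backdoor traffic hidden in commodity cloud services.

Added example, not code from the HarfangLab report.  Applies the article's
point (SloppyMIO stages from GitHub and Google Drive and uses Telegram for C2)
to proxy logs.  The log format, sample lines and process allowlist are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Optional

# Hosts the article names as the backdoor's staging and C2 channels.
WATCHED_HOSTS = {
    "github.com": "github",
    "api.github.com": "github",
    "raw.githubusercontent.com": "github",
    "drive.google.com": "gdrive",
    "www.googleapis.com": "gdrive",
    "api.telegram.org": "telegram",
}

# Processes for which traffic to those hosts is ordinarily legitimate (tune this).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe"}

# Constructed proxy-log format: time user process method url status bytes
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/ ]+)(?P<path>\S*) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample: a browser and git on GitHub, a browser on Drive, and an
# Office process polling a Telegram bot endpoint every 60 s before pulling a
# file from Drive.  The bot token in the path is a dummy.
SAMPLE_LOG = """\
2026-02-03T09:00:01Z alice chrome.exe GET https://github.com/org/repo 200 51200
2026-02-03T09:00:12Z alice git.exe GET https://github.com/org/repo.git/info/refs 200 2048
2026-02-03T09:01:00Z bob WINWORD.EXE GET https://api.telegram.org/bot000:TOKEN/getUpdates 200 312
2026-02-03T09:02:00Z bob WINWORD.EXE GET https://api.telegram.org/bot000:TOKEN/getUpdates 200 310
2026-02-03T09:03:00Z bob WINWORD.EXE GET https://api.telegram.org/bot000:TOKEN/getUpdates 200 315
2026-02-03T09:04:00Z bob WINWORD.EXE GET https://api.telegram.org/bot000:TOKEN/getUpdates 200 311
2026-02-03T09:04:30Z bob WINWORD.EXE GET https://drive.google.com/uc?export=download&id=FILEID 200 204800
2026-02-03T09:05:00Z carol msedge.exe GET https://drive.google.com/drive/my-drive 200 81920
"""


def parse_log(text: str) -> list[dict]:
    """Parse lines matching LINE_RE; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def beacon_stats(timestamps: list[datetime]) -> Optional[tuple[float, float]]:
    """Mean gap (seconds) and coefficient of variation of gaps between requests.

    Needs at least four requests; a low CV means machine-like polling."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def hunt(text: str, max_cv: float = 0.2) -> list[dict]:
    """Group watched-host traffic by (user, process, service) and flag anomalies."""
    groups = defaultdict(list)
    for ev in parse_log(text):
        service = WATCHED_HOSTS.get(ev["host"].lower())
        if service:
            groups[(ev["user"], ev["proc"].lower(), service)].append(ev)
    findings = []
    for (user, proc, service), evs in sorted(groups.items()):
        reasons = []
        if proc not in EXPECTED_PROCESSES:
            reasons.append("unexpected process")
        stats = beacon_stats([e["ts"] for e in evs])
        if stats and stats[1] <= max_cv:
            reasons.append(f"regular polling every ~{stats[0]:.0f}s")
        if reasons:
            findings.append({"user": user, "process": proc, "service": service,
                             "requests": len(evs), "bytes": sum(e["bytes"] for e in evs),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

On the sample the browser and git traffic is silent, while WINWORD.EXE is flagged twice: once for the Drive download (unexpected process) and once for Telegram, where the fixed 60 s interval also triggers the beaconing check. In production, feed it proxy or EDR network events that carry the originating process name, and extend the allowlist from a baseline of your own fleet rather than from guesses.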
