In a disturbing fusion of human rights abuses and artificial intelligence, researchers at HarfangLab have uncovered a new cyber-espionage campaign targeting Iranian protesters. Dubbed “RedKitten,” the operation capitalizes on the chaos of recent civil unrest in Iran to distribute surveillance malware, likely built with the help of generative AI.
The campaign, first observed in early January 2026, zeroes in on non-governmental organizations (NGOs) and activists documenting the regime’s crackdown. By disguising the lure as a list of victims, the attackers prey on people seeking information during an internet blackout.
The attack begins with a file that promises grim answers. Victims receive an Excel spreadsheet claiming to be a list of “200 individuals, allegedly protesters, who died in Tehran between December 2025 and January 2026”.
For families and activists desperate for information on missing loved ones, this lure is nearly impossible to ignore. However, the data inside is a fabrication—filled with “mismatched ages and birthdates” designed solely to trigger an emotional response.
Once the document is opened and its macros are allowed to run, a hidden macro deploys a custom implant HarfangLab calls SloppyMIO. This C# malware is a “Swiss Army knife” of surveillance, capable of stealing files, running arbitrary commands, and fetching additional modules from cloud services.
What makes RedKitten notable is not just its target, but its construction. The malware bears the distinct fingerprints of Large Language Models (LLMs).
HarfangLab’s analysis revealed “multiple traces of large language model-assisted (LLM) development” within the code. In one striking example, researchers found an enthusiastic, unedited comment left in the script: “ULTRA-RELIABLE & STEALTHY VBSCRIPT STAGER (Final Production Version)”.
As the report notes, “We leave it to the reader to imagine how the prompt for this response looked like”. This suggests that while the attackers are motivated, they may lack deep technical expertise, relying instead on AI tools to bridge the gap.
To evade detection, the RedKitten operators use the very tools their victims trust. The malware relies on “GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command and control”.
By piggybacking on these legitimate services, the attackers make their traffic blend in with the normal GitHub, Google Drive and Telegram connections seen on almost any network, defeating controls that rely on domain reputation or block lists. However, this reliance on public platforms also left a trail of metadata that allowed researchers to track them.
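The practical lesson from the paragraph above is that the destination is the wrong thing to alert on: api.telegram.org or raw.githubusercontent.com is a trusted service for most users, so what stands out is which process is talking to it. The script below is an added example, not code from HarfangLab’s report or from the campaign, of that logic run over a handful of constructed endpoint network events. The process names, paths and hostnames are assumptions chosen for the demonstration, not indicators published in the report.

```python
"""Flag Office or scripting-host processes that connect to cloud services.

Constructed example: the events below are invented for this demo, not
indicators from the HarfangLab report. The idea is that GitHub, Google
Drive and Telegram traffic is normal for a browser, but not for Excel,
wscript.exe or a PowerShell process spawned from Office.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Processes that should rarely, if ever, reach these services directly.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                "powershell.exe", "pwsh.exe", "cmd.exe"}

# Hostnames of the services the article says RedKitten abuses, with a label.
# Matching is on the exact host or any subdomain of it.
CLOUD_SUFFIXES = {
    "api.telegram.org": "telegram-bot-api",
    "raw.githubusercontent.com": "github-raw",
    "github.com": "github",
    "drive.google.com": "gdrive",
    "drive.usercontent.google.com": "gdrive",
    "www.googleapis.com": "gdrive-api",
}


@dataclass(frozen=True)
class NetEvent:
    image: str          # full path of the connecting process
    parent_image: str   # full path of its parent process
    dest_host: str      # hostname from DNS/SNI or proxy log
    dest_port: int


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_dest(host: str) -> Optional[str]:
    """Return a service label if the host is one of the abused services."""
    host = host.lower().rstrip(".")
    for suffix, label in CLOUD_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def is_suspicious_source(ev: NetEvent) -> bool:
    """Office itself, a script host, or anything Office spawned."""
    img = _basename(ev.image)
    parent = _basename(ev.parent_image)
    return img in OFFICE_APPS or img in SCRIPT_HOSTS or parent in OFFICE_APPS


def detect(events: Iterable[NetEvent]) -> List[str]:
    """Alert only when BOTH the destination and the process are unusual."""
    alerts = []
    for ev in events:
        label = classify_dest(ev.dest_host)
        if label and is_suspicious_source(ev):
            alerts.append(
                f"{_basename(ev.image)} (parent {_basename(ev.parent_image)})"
                f" -> {ev.dest_host}:{ev.dest_port} [{label}]"
            )
    return alerts


# Constructed sample events (hypothetical, for the demo only).
SAMPLE_EVENTS = [
    # Browser fetching from GitHub: trusted destination, expected process.
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             r"C:\Windows\explorer.exe", "github.com", 443),
    # Script host spawned by Excel pulling a payload from GitHub.
    NetEvent(r"C:\Windows\System32\wscript.exe",
             r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
             "raw.githubusercontent.com", 443),
    # PowerShell talking to the Telegram Bot API.
    NetEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             r"C:\Windows\explorer.exe", "api.telegram.org", 443),
    # Excel itself fetching from Google Drive.
    NetEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
             r"C:\Windows\explorer.exe", "drive.google.com", 443),
    # Outlook to Office 365: neither side matches.
    NetEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
             r"C:\Windows\explorer.exe", "outlook.office365.com", 443),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Run against the constructed events, the script produces three alerts (the Excel-spawned wscript.exe, the PowerShell process, and Excel itself) and stays silent on the browser and Outlook connections. In practice the hostnames come from DNS or TLS SNI because the payloads travel over HTTPS, and environments where Office legitimately opens Google Drive links will need the Office-app rule tuned or scoped to the script-host and child-process cases.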
While HarfangLab stopped short of a definitive attribution, the evidence points toward Tehran. The campaign’s timing coincides with the “Dey 1404 Protests”, named for the month of the Iranian calendar (late December 2025 to late January 2026) in which this wave of unrest, sparked by economic hardship, took place.
The researchers conclude that the activity is “aligned with Iranian state interests,” utilizing techniques and linguistic markers consistent with known state-sponsored groups.