RedKitten: the deception of an XLSM that triggers AI-assisted digital espionage to monitor protests in Iran


In recent weeks, security researchers have uncovered a digital espionage campaign that directly targets those who document and seek information about abuses in Iran since the end of 2025. The French firm HarfangLab named the operation RedKitten after identifying an infection chain that starts with a 7-Zip compressed file and ends with a persistent implant capable of receiving instructions through Telegram. HarfangLab's technical analysis can be read here: harfanglab.io.

The context matters: the campaign coincides with a wave of national protests that erupted at the end of 2025 over rising prices and the depreciation of the currency, and which, according to organizations such as Amnesty International, triggered harsh repression, numerous victims and massive Internet shutdowns that hampered the flow of information. Press reports have also documented the severe impact of these digital blackouts on daily life: see, for example, Cloudflare's coverage of the connectivity shutdowns and the difficulty of communicating.

Image generated with AI.

The initial lure is deceptively simple and emotionally powerful: an XLSM file with a Farsi name that promises lists of people missing or killed in the protests. Behind the compassionate appearance, however, is a malicious VBA macro that, if the user enables macros, acts as a dropper for a C# library that is injected into the process through a technique known as AppDomainManager injection. The file detected by the community is archived on VirusTotal: 7-Zip record.

One of the most striking aspects of the report is the analysts' observation about the authorship of the VBA code: its style, variable names and certain comments suggest that the code may have been generated with the help of a language model. This fits a growing trend in which malicious actors use artificial intelligence tools to speed up the creation of phishing and malware, complicating both attribution and detection.

The resulting implant has been named SloppyMIO and has a modular architecture. Instead of relying on exposed infrastructure of its own, the operators use public services such as GitHub and Google Drive to hide how the implant retrieves its configuration: a public repository acts as a "dead drop resolver" that points to Google Drive URLs hosting images which, once downloaded, yield a configuration hidden with steganographic techniques. That configuration includes the token of a Telegram bot and the chat identifier the malware uses to communicate with its operator.

With that channel established, SloppyMIO can download additional modules and execute remote orders. Its capabilities include running remote commands, collecting and compressing files for exfiltration within the limits of the Telegram API, deploying binaries encoded inside images, and establishing persistence through scheduled tasks. In short, it is a complete espionage and exfiltration tool that avoids traditional servers and thus makes tracking harder, although the use of shared services leaves metadata that can also be useful to defenders.
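As an added example (not part of the article or of HarfangLab's analysis) of the behaviour-based detection the text alludes to, the script below flags a client that contacts a GitHub dead-drop host, then Google Drive, then the Telegram Bot API in short succession, the staging sequence described for SloppyMIO. The log format, the hostnames and the ten-minute window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log, assumed format: "<ISO timestamp> <client_ip> <host> <path>"
SAMPLE_LOG = """\
2026-01-12T09:14:03 10.0.0.21 raw.githubusercontent.com /example-org/notes/main/readme.txt
2026-01-12T09:14:09 10.0.0.21 drive.google.com /uc?export=download&id=PLACEHOLDER_FILE_ID
2026-01-12T09:14:15 10.0.0.21 api.telegram.org /botPLACEHOLDER_TOKEN/getUpdates
2026-01-12T09:20:00 10.0.0.33 raw.githubusercontent.com /example-org/tool/main/install.sh
2026-01-12T11:05:00 10.0.0.33 api.telegram.org /botPLACEHOLDER_TOKEN/sendMessage
2026-01-12T09:30:12 10.0.0.40 drive.google.com /file/d/PLACEHOLDER/view
"""

# Chain stages in the order the article describes: GitHub dead drop -> Drive image -> Telegram bot
STAGES = (
    ("dead_drop", re.compile(r"^(raw\.)?github(usercontent)?\.com$")),
    ("stego_config", re.compile(r"^drive\.google\.com$")),
    ("telegram_c2", re.compile(r"^api\.telegram\.org$")),
)
WINDOW = timedelta(minutes=10)  # assumed: the whole chain completes within ten minutes
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Parse lines into (timestamp, client, host, path) tuples sorted by time."""
    rows = [LINE_RE.match(line) for line in log_text.splitlines()]
    return sorted((datetime.fromisoformat(m[1]), m[2], m[3], m[4]) for m in rows if m)


def stage_of(host):
    """Return the chain stage a destination host belongs to, or None."""
    return next((name for name, rx in STAGES if rx.match(host)), None)


def find_staging_chains(log_text, window=WINDOW):
    """Return {client: [(stage, ts), ...]} for clients hitting all stages in order within window."""
    per_client = defaultdict(list)
    for ts, client, host, _ in parse(log_text):
        stage = stage_of(host)
        if stage:
            per_client[client].append((stage, ts))
    hits = {}
    for client, events in per_client.items():
        chain = []  # stages matched so far, in order; a hit needs all of them
        for stage, ts in events:
            if stage == STAGES[len(chain)][0] and (not chain or ts - chain[0][1] <= window):
                chain.append((stage, ts))
                if len(chain) == len(STAGES):
                    hits[client] = chain
                    break
    return hits
```

On endpoint telemetry the same sequence can additionally be tied to the Office process that spawned it, which is a stronger signal than proxy logs alone, since legitimate use of all three services from one workstation is common.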

The signs pointing to a connection with Iranian state interests are not limited to the language of the files: the subject of the decoy, the techniques used and tactical parallels with previous campaigns lead the researchers to suggest a link with groups tied to Tehran. This is not the first time actors have used legitimate platforms like GitHub to leave "messages" or links that malware then interprets; previous reports had already documented campaigns with similar tactics. The use of third-party infrastructure also poses a dilemma: on the one hand it makes traditional blocking harder, but on the other it leaves traces that response teams can use to trace the operation.

This episode is also part of a larger context of hostile activity in the region: in recent weeks, researcher and activist Nariman Gharib has published samples of a phishing campaign that impersonates WhatsApp to steal QR-code sessions and even requests camera and microphone permissions to turn the browser into a surveillance tool. His report and artifacts are publicly available on GitHub and on his site: github.com/narimangharib and blog.narimangharib.com.

The journalistic and technical investigation into these attacks has also uncovered a pattern of victims that goes beyond activists and journalists: academics, community leaders, entrepreneurs and officials have been targeted with techniques designed to steal credentials (including fake login pages that request passwords and two-factor verification codes), as TechCrunch detailed in a recent report: techcrunch.com.

Disclosures about groups such as Charming Kitten and internal monitoring tools add another layer of concern: previous leaks have revealed tracking systems and data-collection platforms associated with different centres of power in Iran, and have also exposed training and recruitment networks connected to state institutions, blurring the line between civil activities and intelligence operations. Some documents published by external researchers give details of these structures and of entities that have been sanctioned in the past, as reflected in public information from the United States Treasury Department: home.treasury.gov.

Image generated with AI.

While the technical investigations are crucial, this case highlights something more human: the attackers exploit the victims' legitimate concern, producing lists that appear to be evidence of lost or missing lives in order to provoke impulsive reactions. Analysis of the files published by the researchers revealed inconsistencies in the data (contradictory dates and ages, for example), suggesting that the lures were fabricated to attract clicks.

In broader terms, RedKitten is a warning sign about the convergence of traditional threats and new tools: the combination of emotional lures, public infrastructure and possibly code-generation assistants accelerates the operational capacity of hostile actors. For defenders and users it is a double challenge: to educate vulnerable communities about the risks of opening unverified attachments, and at the same time to improve technical defenses so they can detect patterns of malicious behavior that do not depend solely on the presence of a "classic" C2 server.

The pieces of the puzzle (technical reports, forensic analysis and earlier leaks) do not yet give a definitive answer about the ultimate interest behind each operation, but they do show increasing sophistication in how espionage campaigns are run. When the narratives used to deceive touch real wounds, the responsibility of researchers, media and platforms is twofold: to document and explain without revictimizing, and to help design barriers that reduce the success of those who take advantage of other people's pain. For those who want to follow the research closely, the reports and technical samples shared by HarfangLab and other researchers are a good starting point: harfanglab.io, Nariman Gharib's dossier on GitHub and the coverage of technical outlets such as TechCrunch.
