
AI-Powered Malware Targets Iranian Protesters

Summary

– A new malware campaign called RedKitten is targeting individuals and NGOs in Iran, particularly those documenting human rights abuses during protests.
– The campaign uses malicious Excel files disguised as official “Tehran Forensic Medical Files” to lure victims into enabling macros, which deploys the SloppyMIO malware.
– The SloppyMIO malware can steal data, run commands and deploy further malware, and it relies on GitHub, Google Drive, and Telegram for its operations.
– Researchers assess the malware was likely built with AI-assisted tools and originates from a threat actor aligned with the Iranian government’s interests.
– While not definitively attributed, the campaign uses techniques and shows linguistic indicators previously linked to Iranian state-sponsored attackers.

A sophisticated new cyber threat is actively targeting individuals and organizations within Iran, particularly those focused on human rights documentation and political dissent. Security researchers have identified a malicious campaign, first detected in early 2026, that uses AI-generated content and forged documents to deploy spyware. This operation leverages emotionally charged “shock lures” related to missing persons and protest casualties to trick victims into installing malware capable of extensive data theft and system control.

The campaign, named RedKitten by analysts at cybersecurity firm HarfangLab, was detailed in a late January report. It centers on a malicious implant called SloppyMIO, which provides attackers with the ability to collect sensitive information, execute commands remotely, and ensure long-term access to compromised systems. The malware’s infrastructure is notably agile, utilizing public platforms like GitHub and Google Drive for managing its operations and Telegram for covert communications with its operators.

Forensic evidence strongly suggests the malware’s development was assisted by artificial intelligence. Researchers identified multiple traces indicative of large language model (LLM) use during the coding process, pointing to a modernized approach to cyber threat creation. While a specific group has not been conclusively named, the tactics and linguistic markers align with known activities of Iranian state-sponsored threat actors. Analysts express high confidence that the operation serves the security interests of the Iranian government.

The attack begins with a carefully crafted lure: a password-protected archive file labeled “Tehran Forensic Medical Files” in Farsi. This archive contains five malicious Excel spreadsheets designed to appear as official records. The files purport to list 200 individuals who died in Tehran between December 2025 and January 2026, directly referencing a period of significant anti-government protests.

These Excel documents are convincingly fabricated, containing multiple tabs with disturbing, falsified data. One sheet lists supposed victim details alongside implicated security forces like the IRGC or Basij militia. Another includes graphic, fictional autopsy and toxicology reports. A final tab, deceptively named “Help,” instructs users to enable macros, the action that ultimately triggers the download and execution of the SloppyMIO malware, compromising the victim’s computer.
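The infection chain above hinges on a macro-enabled workbook inside an archive, so a useful defender check is to triage Office Open XML files without opening them in Excel: confirm the file is a workbook, look for the compiled VBA project (`xl/vbaProject.bin`), and list the sheet names so a misleadingly named tab stands out. The script below is an added example written for this article, not code from HarfangLab or the original report; it uses only the Python standard library, and the workbook it inspects is constructed in memory as sample data (the sheet names and the placeholder VBA blob are invented, not taken from the real lure).

```python
"""
Triage helper for Office Open XML workbooks (.xlsx / .xlsm).

Reports whether a file is an OOXML workbook, whether it carries an embedded
VBA project, and which sheet names it declares. Added example; not code from
the original article or from HarfangLab. Standard library only.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by xl/workbook.xml in the OOXML spreadsheet format.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def inspect_workbook(data: bytes) -> dict:
    """Return macro presence and sheet names for a workbook given as raw bytes."""
    result = {"is_ooxml": False, "has_vba_project": False, "sheets": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip container at all (could be a legacy .xls, an encrypted
        # OLE wrapper, or simply not an Office file).
        return result
    names = set(zf.namelist())
    if "xl/workbook.xml" not in names:
        return result
    result["is_ooxml"] = True
    # Macro-enabled workbooks store the compiled VBA project at this path;
    # a plain .xlsx has no such member.
    result["has_vba_project"] = "xl/vbaProject.bin" in names
    root = ET.fromstring(zf.read("xl/workbook.xml"))
    result["sheets"] = [s.get("name") for s in root.findall("m:sheets/m:sheet", NS)]
    return result


def triage_verdict(data: bytes) -> str:
    """Collapse the inspection into a one-word verdict for a scanning pipeline."""
    info = inspect_workbook(data)
    if not info["is_ooxml"]:
        return "not-ooxml"
    return "macro-enabled" if info["has_vba_project"] else "no-macros"


def build_sample_workbook(sheet_names, with_vba: bool) -> bytes:
    """Construct a minimal OOXML workbook in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        sheets_xml = "".join(
            f'<sheet name="{n}" sheetId="{i}" r:id="rId{i}"/>'
            for i, n in enumerate(sheet_names, 1)
        )
        zf.writestr(
            "xl/workbook.xml",
            '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            f"<sheets>{sheets_xml}</sheets></workbook>",
        )
        if with_vba:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a workbook with several tabs, one of them named "Help",
    # plus an embedded VBA project, mirroring the shape of the lure described above.
    sample = build_sample_workbook(["Records", "Reports", "Help"], with_vba=True)
    info = inspect_workbook(sample)
    print(f"verdict={triage_verdict(sample)} sheets={info['sheets']}")
    clean = build_sample_workbook(["Sheet1"], with_vba=False)
    print(f"verdict={triage_verdict(clean)}")
```

In practice the check runs after the archive has been extracted; zip entries whose `flag_bits & 0x1` is set are password-protected and cannot be inspected this way, which is itself worth surfacing, since password-protected archives defeat gateway scanning. Presence of `xl/vbaProject.bin` says only that macros exist, not what they do; that is the point at which a sandbox or a proper VBA parser takes over.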

(Source: InfoSecurity Magazine)
