RedKitten’s Silent Hunt: When Human Rights Become the Lure
- Javier Conejo del Cerro
- 2 Feb
- 3 min read

In times of unrest, information becomes both a necessity and a weapon. The RedKitten campaign shows how Iran-aligned threat actors weaponize political repression and human rights documentation to infiltrate NGOs, activists, and individuals seeking the truth. By combining emotionally charged lures, AI-assisted malware development, and trusted cloud services, the operation builds a quiet but powerful surveillance and data-exfiltration pipeline that is difficult to attribute and even harder to detect.
Phase 1 – Emotional Lures and Initial Access
The infection chain begins with highly targeted spear-phishing aimed at NGOs, activists, journalists, and individuals documenting human rights abuses linked to Iran’s nationwide unrest that escalated in late 2025. Victims receive 7-Zip archives with Farsi filenames, crafted to appear as sensitive records of protesters allegedly killed in Tehran between December 2025 and January 2026.
Inside these archives are macro-enabled Excel (XLSM) documents claiming to contain lists of missing or deceased protesters. The documents exploit emotional urgency and grief, encouraging recipients to enable macros to access “protected” content. Analysis shows the spreadsheet data itself is fabricated, with inconsistencies such as mismatched ages and birthdates, indicating that the document’s sole purpose is malware delivery.
Phase 2 – AI-Assisted Macro Execution and Payload Delivery
Once macros are enabled, a VBA dropper—likely generated or assisted by a large language model (LLM)—executes. Indicators include structured comments, readable function naming, and sections such as “PART 5: Report the result and schedule if successful.”
The macro deploys a C# backdoor implant named SloppyMIO using AppDomainManager injection, a stealthy technique in which a trusted .NET process is made to load an attacker-controlled assembly as its application domain is created, so the malicious code runs before the application’s own code. This approach avoids dropping a standalone malicious executable and reduces detection by signature-based defenses.
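A host-side check for the two documented ways an AppDomainManager can be forced onto a .NET process, written here as an added example (not the article’s or any vendor’s tooling); the config text, assembly name and environment values are constructed samples:

```python
"""Hunt for AppDomainManager-injection staging on a Windows host.

Two documented .NET mechanisms let an attacker load a managed assembly
before an application's own code runs:
  1. <appDomainManagerAssembly>/<appDomainManagerType> under <runtime>
     in the target's .exe.config
  2. APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment
     variables (COMPLUS_Version is often set alongside to pin the CLR)
Both are rare in legitimate software, so any hit deserves a look.
"""
import xml.etree.ElementTree as ET

ENV_FLAGS = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION"}
CONFIG_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")


def config_findings(xml_text: str):
    """Return [(tag, value)] for AppDomainManager settings in an app.config."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:          # unparsable config: nothing to report here
        return findings
    for runtime in root.iter("runtime"):
        for tag in CONFIG_TAGS:
            for el in runtime.iter(tag):
                findings.append((tag, el.get("value", "")))
    return findings


def env_findings(env: dict):
    """Return the subset of a process environment that steers the CLR loader."""
    return {k: v for k, v in env.items() if k.upper() in ENV_FLAGS}


# Constructed samples (hypothetical assembly/type names, not real IoCs).
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Loader" />
  </runtime>
</configuration>"""
CLEAN_CONFIG = '<configuration><startup><supportedRuntime version="v4.0" /></startup></configuration>'
SUSPICIOUS_ENV = {"PATH": r"C:\Windows", "APPDOMAIN_MANAGER_ASM": "Updater, Version=1.0.0.0",
                  "APPDOMAIN_MANAGER_TYPE": "Updater.Loader", "COMPLUS_Version": "v4.0.30319"}

if __name__ == "__main__":
    print("config:", config_findings(SUSPICIOUS_CONFIG))
    print("env:", env_findings(SUSPICIOUS_ENV))
```

In practice the config check runs over every `*.exe.config` next to a signed .NET binary, and the environment check over the environment block of each running .NET process (the article’s “abnormal .NET startup behavior”).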
Phase 3 – Modular Backdoor and Cloud-Based Command and Control
Once active, SloppyMIO establishes a resilient command-and-control chain using commoditized, trusted platforms:
GitHub is used as a dead-drop resolver to fetch configuration data
The configuration points to Google Drive, where images hide C2 details via steganography
Extracted configuration includes Telegram bot tokens, chat IDs, and module URLs
Telegram Bot API is then used as the primary C2 channel for tasking and exfiltration
This design blends malicious traffic into legitimate developer and consumer cloud services, complicating infrastructure-based detection and attribution.
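Because each hop in this chain is a legitimate service, the signal is the sequence, not any single destination. The correlation below is an added example (not the article’s or any product’s detection logic) that serves both this phase and the defensive advice to inspect outbound GitHub, Google Drive and Telegram Bot API traffic; the proxy log format, hosts, IPs and bot token are constructed assumptions:

```python
"""Correlate the RedKitten-style C2 chain in web-proxy logs.

Flags a client that, in order and within WINDOW, fetches a GitHub raw
file (dead drop), downloads from Google Drive (steganographic image)
and then talks to the Telegram Bot API (tasking/exfil). It also records
which Bot API methods were called: getUpdates looks like polling for
commands, sendDocument like file exfiltration.
"""
import re
from datetime import datetime, timedelta

# Assumed log shape: "<ISO8601> <client-ip> <method> <url> <status>"
LINE = re.compile(r"^(\S+) (\S+) (\w+) (\S+) (\d{3})$")
STAGES = [
    ("github_deaddrop", re.compile(r"^https://raw\.githubusercontent\.com/")),
    ("gdrive_image", re.compile(r"^https://drive\.google\.com/uc\?")),
    ("telegram_bot", re.compile(r"^https://api\.telegram\.org/bot\d+:[\w-]+/(\w+)")),
]
WINDOW = timedelta(minutes=30)


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, src, _method, url, _status = m.groups()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, url


def correlate(lines):
    """Return {client_ip: sorted Bot API methods} for clients hitting all stages in order."""
    seen = {}
    for ts, src, url in filter(None, map(parse, lines)):
        host = seen.setdefault(src, {"methods": set()})
        for stage, pat in STAGES:
            m = pat.match(url)
            if m:
                host.setdefault(stage, ts)          # keep the first sighting of each stage
                if stage == "telegram_bot":
                    host["methods"].add(m.group(1))
    hits = {}
    for src, h in seen.items():
        order = [h.get(stage) for stage, _ in STAGES]
        if all(order) and order[0] <= order[1] <= order[2] and order[2] - order[0] <= WINDOW:
            hits[src] = sorted(h["methods"])
    return hits


# Constructed sample: 10.0.0.5 walks the full chain; 10.0.0.9 is a developer pulling a
# file; 10.0.0.7 reaches Telegram first (wrong order). Token and paths are placeholders.
SAMPLE_LOGS = [
    "2026-01-14T09:00:01Z 10.0.0.5 GET https://raw.githubusercontent.com/example/repo/main/cfg.txt 200",
    "2026-01-14T09:00:09Z 10.0.0.5 GET https://drive.google.com/uc?export=download&id=PLACEHOLDER 200",
    "2026-01-14T09:00:30Z 10.0.0.5 POST https://api.telegram.org/bot0000000000:EXAMPLE_TOKEN/getUpdates 200",
    "2026-01-14T09:05:12Z 10.0.0.5 POST https://api.telegram.org/bot0000000000:EXAMPLE_TOKEN/sendDocument 200",
    "2026-01-14T09:01:00Z 10.0.0.9 GET https://raw.githubusercontent.com/example/repo/main/README.md 200",
    "2026-01-14T09:02:00Z 10.0.0.7 POST https://api.telegram.org/bot0000000000:EXAMPLE_TOKEN/getUpdates 200",
    "2026-01-14T09:03:00Z 10.0.0.7 GET https://raw.githubusercontent.com/example/repo/main/cfg.txt 200",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS))
```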
Phase 4 – Capabilities, Persistence, and Data Exfiltration
SloppyMIO supports a modular command set that enables full host control and long-term persistence:
Execute arbitrary commands via cmd.exe
Collect and exfiltrate files in ZIP archives sized to Telegram API limits
Write files to disk using image-encoded payloads
Launch processes and deploy additional malware
Establish persistence via scheduled tasks running every two hours
The malware continuously beacons status updates, polls for new commands, and sends stolen files directly through Telegram, turning a consumer messaging platform into a covert exfiltration channel.
Phase 5 – Parallel Credential Theft and Surveillance Operations
Alongside RedKitten, related activity has surfaced involving WhatsApp-themed phishing and fake WhatsApp Web login pages distributed via WhatsApp messages. Victims are tricked into scanning live attacker-controlled QR codes, granting full access to their WhatsApp accounts.
These phishing pages also request browser permissions for camera, microphone, and geolocation, effectively transforming them into ad-hoc surveillance tools. Additional campaigns leverage fake Gmail login pages to steal credentials and 2FA codes, impacting dozens of individuals across activist, academic, government, and business communities.
Attribution and Strategic Context
The campaign is attributed with moderate confidence to Iran-aligned actors, based on:
Farsi language artifacts and region-specific lure themes
Technical overlap with prior Iranian operations such as Tortoiseshell and Nemesis Kitten
Use of malicious Excel documents, AppDomainManager injection, and GitHub-based dead drops
Alignment with Iran’s internal unrest and external intelligence priorities
The increasing use of AI-assisted tooling further complicates attribution, as it lowers development barriers and standardizes code quality across different operators.
Measures to Defend Against RedKitten-Style Campaigns
Block or tightly restrict macro execution in Office documents
Monitor for AppDomainManager injection and abnormal .NET startup behavior
Inspect outbound connections to Telegram Bot API, GitHub, and Google Drive for abuse
Disable execution of files extracted from compressed archives by default
Apply least-privilege and restrict scheduled task creation
Train users to recognize emotionally manipulative lures, especially around crises
Enforce phishing-resistant MFA for email, messaging, and cloud accounts
Monitor for unauthorized access to WhatsApp Web and Gmail sessions
RedKitten demonstrates how modern cyber-espionage no longer relies on zero-days or exotic malware. Instead, it weaponizes emotion, trust, and familiarity—human rights documentation, Office files, GitHub, Google Drive, and Telegram—combined with AI-assisted development and modular backdoors.
By targeting those who seek information during moments of crisis, the campaign transforms empathy into an attack surface. As adversaries increasingly blend social engineering, cloud abuse, and artificial intelligence, defenders must shift from purely technical controls to context-aware detection, behavioral monitoring, and user resilience. In this landscape, the most dangerous payload is not the malware itself, but the story used to deliver it.
The Hacker News