
AI-accelerated campaign targeting Iranian protests

Medium
Published: Thu Jan 29 2026 (01/29/2026, 21:45:57 UTC)
Source: AlienVault OTX General

Description

RedKitten is a newly identified campaign targeting Iranian interests, first observed in January 2026. The malware uses GitHub and Google Drive for configuration and payload retrieval, and Telegram for command and control. It appears to exploit the Dey 1404 Protests in Iran, targeting organizations documenting human rights abuses. The threat actor rapidly built this campaign using AI tools, as evidenced by traces of LLM-assisted development. While attribution is not definitive, the activity aligns with Iranian state-sponsored attackers. The malware, dubbed SloppyMIO, can fetch modules, execute commands, collect files, and deploy additional malware with persistence.

AI-Powered Analysis

Last updated: 01/30/2026, 08:27:07 UTC

Technical Analysis

The RedKitten campaign is an AI-accelerated malware operation targeting Iranian interests, in particular organizations documenting human rights abuses during the Dey 1404 protests. First observed in January 2026, the SloppyMIO malware uses a multi-stage infection chain: configuration and payloads are retrieved from GitHub and Google Drive, and command and control (C2) runs over Telegram. Routing both staging and C2 through legitimate platforms lets the traffic blend with ordinary business use, which complicates detection and attribution.

The campaign was built quickly with the help of large language models (LLMs), as shown by traces of LLM-assisted development in the code, a sign of AI-augmented threat actor capability. SloppyMIO can fetch and execute additional modules, run arbitrary commands, collect files, and deploy further malware with persistence. It uses AppDomainManager injection, a .NET technique in which the runtime is pointed at an attacker-controlled assembly (through environment variables or the host application's configuration file) so that the assembly loads when a legitimate managed executable starts, and it uses steganography to hide data inside otherwise innocuous files. Persistence relies on scheduled tasks (T1053); the activity also maps to Use Alternate Authentication Material (T1550) and to Web Service (T1102) for C2 over Telegram.

No CVEs or known exploits are associated with the campaign. Its tactics align with Iranian state-sponsored actors, and the targeting of human rights organizations and protest documentation points to a politically motivated espionage and surveillance operation aimed at suppressing dissent and controlling information flow. The medium severity rating reflects its targeted nature and moderate impact scope; the use of AI tooling and the techniques above nevertheless raise its threat profile.
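The AppDomainManager injection described above leaves two concrete traces a defender can check for: hijack-related environment variables on a managed process, and `appDomainManagerAssembly`/`appDomainManagerType` attributes on the `<runtime>` element of an `.exe.config` dropped next to a legitimate .NET binary. The following is an added illustration of those checks, not code from the HarfangLab report or from SloppyMIO; the config, environment and the assembly name `EvilManager` are constructed for the example.

```python
"""Added illustration: spot .NET AppDomainManager hijacking indicators.

Not code from the RedKitten/SloppyMIO report. Inputs below are constructed;
"EvilManager" is a hypothetical name. The mechanism itself is public: the CLR
takes the AppDomainManager assembly/type from the environment
(APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE, typically with COMPLUS_Version)
or from the <runtime> element of the host's .exe.config, and loads it before
the legitimate Main() runs.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List


def check_environment(env: Dict[str, str]) -> List[str]:
    """Return one finding per hijack-related variable (names matched case-insensitively)."""
    upper = {k.upper(): (k, v) for k, v in env.items()}
    strong = [upper[n] for n in ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE") if n in upper]
    findings = [f"env {k}={v}" for k, v in strong]
    # COMPLUS_Version on its own only pins a runtime version (legitimately used);
    # it matters when it accompanies the manager variables, which attackers set
    # so the expected CLR loads their assembly.
    if findings and "COMPLUS_VERSION" in upper:
        k, v = upper["COMPLUS_VERSION"]
        findings.append(f"env {k}={v}")
    return findings


def check_app_config(config_xml: str, allowed_assemblies: Iterable[str] = ()) -> List[str]:
    """Flag appDomainManagerAssembly / appDomainManagerType on <runtime>.

    allowed_assemblies: short names of managers an organisation's own software
    legitimately declares; anything else is reported.
    """
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return [f"unparseable config: {exc}"]
    allowed = {a.lower() for a in allowed_assemblies}
    findings = []
    for runtime in root.iter("runtime"):
        asm = runtime.get("appDomainManagerAssembly")
        typ = runtime.get("appDomainManagerType")
        if not (asm or typ):
            continue
        short = (asm or "").split(",")[0].strip()  # "Name, Version=..." -> "Name"
        if short.lower() in allowed:
            continue
        findings.append(f"config appDomainManagerAssembly={asm!r} appDomainManagerType={typ!r}")
    return findings


def triage_process(env: Dict[str, str], config_xml: str, allowed_assemblies=()) -> dict:
    """Combine both checks; a hit from either source is enough to call the process suspicious."""
    findings = check_environment(env) + check_app_config(config_xml, allowed_assemblies)
    return {"suspicious": bool(findings), "findings": findings}


# --- constructed sample inputs (not real artifacts from the campaign) ---
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
</configuration>"""

HIJACKED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime appDomainManagerAssembly="EvilManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
           appDomainManagerType="EvilManager.Entry"/>
</configuration>"""

BENIGN_ENV = {"Path": r"C:\Windows\System32", "TEMP": r"C:\Users\a\AppData\Local\Temp"}
HIJACKED_ENV = dict(BENIGN_ENV, APPDOMAIN_MANAGER_ASM="EvilManager, Version=1.0.0.0",
                    APPDOMAIN_MANAGER_TYPE="EvilManager.Entry", COMPLUS_Version="v4.0.30319")

if __name__ == "__main__":
    for label, env, cfg in (("benign", BENIGN_ENV, BENIGN_CONFIG),
                            ("hijacked", HIJACKED_ENV, HIJACKED_CONFIG)):
        print(label, triage_process(env, cfg))
```

In practice the environment comes from the process's PEB (EDR process-creation events usually carry it) and the config from the `.exe.config` next to the image on disk; a signed, well-known .NET binary whose config names a manager assembly that is not part of the product is the pattern to escalate.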

Potential Impact

For European organizations, the primary impact lies in the potential compromise of entities involved in human rights advocacy, journalism, diplomatic missions, or NGOs monitoring Iranian affairs. Successful infection could lead to unauthorized data exfiltration, loss of confidentiality of sensitive information, and potential disruption of operations through malware deployment. The use of legitimate cloud services and Telegram for C2 complicates detection, increasing the risk of prolonged undetected presence. Although the campaign is geographically focused on Iranian interests, European organizations with ties to Iran or hosting Iranian diaspora communities could be collateral targets. The campaign’s persistence and modularity allow for extended espionage and potential lateral movement within networks, posing risks to organizational integrity and availability of critical systems. Additionally, the AI-assisted rapid development of the malware suggests future campaigns may evolve quickly, increasing the threat landscape complexity for European defenders.

Mitigation Recommendations

1. Monitor and filter network traffic to and from GitHub, Google Drive, and Telegram, focusing on connections from processes that have no business reason to reach them (non-browser binaries, scripts, recently dropped executables) and on unusual access patterns.
2. Apply application allowlisting and block execution of unknown or unsigned binaries; pay particular attention to unexpected .exe.config files or environment variables that redirect a legitimate .NET executable to a foreign AppDomainManager assembly, and to similar execution-hijacking techniques.
3. Use behavioral analytics and endpoint detection and response (EDR) tooling to identify scheduled task creation (T1053), file deobfuscation (T1140), and use of alternate authentication material (T1550).
4. Run regular threat hunts for steganography indicators (media or document files whose size or entropy does not match their apparent content) and for unusual file modifications.
5. Train staff on spear-phishing and social engineering, since initial infection may depend on user interaction.
6. Keep threat intelligence feeds current so that hashes and other indicators of compromise (IOCs) for SloppyMIO are detected.
7. Segment networks to limit lateral movement and isolate systems used for human rights or diplomatic work.
8. Review and harden authentication mechanisms to prevent abuse of alternate credentials.
9. Share intelligence and response strategies with law enforcement and international cybersecurity organizations.
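Items 1 and 3 come down to correlating two kinds of host telemetry: network connections to the abused cloud services from processes that are not browsers, and scheduled-task creation attributed to the process that requested it. The block below is an added example of that correlation, not code from the report; the events are constructed in a Sysmon-like shape (EventID 1 = process creation, EventID 3 = network connection), and the host name, paths and task name are hypothetical. The cloud hostnames are the public endpoints of the services the campaign abuses, not indicators taken from the report.

```python
"""Added illustration: triage host telemetry for the behaviours the mitigations call out.

Not code from the RedKitten report. Events are constructed; paths, host name
and task name are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Normal from a browser, suspicious from an arbitrary binary. All map to
# ATT&CK Web Service (T1102), the technique the analysis assigns to the Telegram C2.
CLOUD_HOSTS = {
    "api.telegram.org": "T1102",          # Telegram Bot API
    "raw.githubusercontent.com": "T1102",
    "github.com": "T1102",
    "drive.google.com": "T1102",
    "docs.google.com": "T1102",
}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    image: str       # process the behaviour is attributed to
    technique: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        host, image = ev.get("Host", "?"), ev.get("Image", "")
        if ev.get("EventID") == 3:
            dest = ev.get("DestinationHostname", "").lower()
            if dest in CLOUD_HOSTS and basename(image) not in BROWSERS:
                findings.append(Finding(host, image, CLOUD_HOSTS[dest],
                                        f"non-browser connection to {dest}"))
        elif ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "").lower()
            if basename(image) == "schtasks.exe" and "/create" in cmd:
                actor = ev.get("ParentImage", image)  # blame the process that spawned schtasks
                findings.append(Finding(host, actor, "T1053.005",
                                        f"scheduled task created: {ev.get('CommandLine')}"))
    return findings


def techniques_by_process(findings: List[Finding]) -> Dict[Tuple[str, str], Set[str]]:
    out: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for f in findings:
        out[(f.host, f.image)].add(f.technique)
    return dict(out)


def escalate(findings: List[Finding], min_techniques: int = 2) -> List[Tuple[str, str]]:
    """Processes showing two or more distinct techniques go to the top of the analyst queue."""
    return sorted(key for key, techs in techniques_by_process(findings).items()
                  if len(techs) >= min_techniques)


# --- constructed sample events (not real telemetry) ---
DROPPED = r"C:\Users\a\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"EventID": 3, "Host": "ws01", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "github.com"},                      # benign: browser
    {"EventID": 3, "Host": "ws01", "Image": DROPPED, "DestinationHostname": "api.telegram.org"},
    {"EventID": 3, "Host": "ws01", "Image": DROPPED, "DestinationHostname": "drive.google.com"},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": DROPPED,
     "CommandLine": r'schtasks /create /sc minute /mo 15 /tn "Updater" /tr "' + DROPPED + '"'},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "schtasks /query /tn Updater"},              # benign: query, not create
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("escalate:", escalate(found))
```

The per-process aggregation is the useful part: a single connection to Google Drive is noise in most estates, but the same dropped executable reaching Telegram and Drive and then installing a recurring task matches the staging-plus-persistence pattern the analysis describes.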


Technical Details

Author
AlienVault
Tlp
white
References
["https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests"]
Adversary
RedKitten
Pulse Id
697bd5153091ba9580f97f99
Threat Score
null

Indicators of Compromise

Hashes (as listed by the pulse; no per-hash descriptions are given)

SHA-1
57ebb18dc884db19a3471d7b8473fc315088a93e
b599a861230bc872316c38a03857e5e62f2bb518
9911947da86fe30d78fdeb38355146dd0f36b96d

SHA-256
16164c83ce4786ab85aa3fc9566a317519e866ff6cad3fbd647f3e955b8a8255
36413af1a7c7dc9e49fdf465ebc5abc3b4bb6b33f1c5ccaa17ae5e0794b6faaa
59ee007fd17280470724eb8a11ab12a98e85fd2383af3065f5f09a7e1a73f88c
6d474cf5aeb58a60f2f7c4d47143cc5a11a5c7f17a6b43263723d337231c3d60
6e1bb2c41500ee18bd55a2de04bb3d74bd5c5e8c45eaeef030c7c6ea661cc2db
8c0d75a043fa81d9600596f5dda8396856b5b6660908a0e60b699721e087d541
90aebc9849b659515fd70dde6db717ad457ab2a90522a410d1fd531ca8640624
96ee9d3ed80c59c4bf39ed630efbfa53591fbe51155db7919ef64535a6171044
ac0e045b6f3683315ef420971f382e167385e39023d118d023fa6989e35fadf6
c40c94d787f6a35ac1cb4c5f031cf5777b77c79dc3929181badea33aaf177aa7
d3bb28307d11214867c570fe594f773ba90195ed22b834bad038b62bf75a4192
d58e3617d759d46248718ac4dfb46535d73febffd17fad1fd8ab47ce08da2fb4
e5c4295c5c57d80c875860b44f4c33ee921393bb8ce14c7be0f5ef47d7171265

Threat ID: 697c67ffac063202223ad898

Added to database: 1/30/2026, 8:12:47 AM

Last enriched: 1/30/2026, 8:27:07 AM

Last updated: 1/31/2026, 9:44:54 AM
