
Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists

Medium
Vulnerability
Published: Sat Jan 31 2026 (01/31/2026, 12:02:00 UTC)
Source: The Hacker News

Description

The Iran-linked RedKitten cyber espionage campaign targets human rights NGOs and activists, leveraging malicious Excel documents with embedded VBA macros to deploy a C# backdoor named SloppyMIO. The malware uses GitHub, Google Drive, and Telegram for modular payload delivery and command-and-control, employing steganography to hide configuration data. The campaign exploits emotional distress by fabricating protest-related data to lure victims into enabling macros. SloppyMIO supports multiple modules for command execution, file exfiltration, persistence, and remote code execution. The threat actor likely uses AI-generated code to build tooling, complicating attribution and detection. Approximately 50 individuals, including Kurdish community members, academics, and officials, have been impacted. The campaign reflects evolving Iranian state-aligned tactics and infrastructure use, posing significant espionage risks to targeted individuals and organizations. No known exploits are currently in the wild, but the campaign's sophistication and targeting profile warrant heightened vigilance.

AI-Powered Analysis

Last updated: 02/01/2026, 08:38:36 UTC

Technical Analysis

The RedKitten campaign, attributed to a Farsi-speaking threat actor aligned with Iranian state interests, emerged in early 2026 amid Iran's nationwide unrest. It targets NGOs and individuals documenting human rights abuses, exploiting their emotional vulnerability through malicious Excel XLSM files named in Farsi and purporting to contain protester death data. These spreadsheets contain VBA macros that, when enabled, deploy a C# implant (AppVStreamingUX_Multi_User.dll) via AppDomainManager injection. The VBA code exhibits signs of AI generation, indicating the use of large language models to develop the malware. The backdoor, SloppyMIO, uses GitHub as a dead drop resolver to retrieve Google Drive-hosted images containing steganographically embedded configuration data, including Telegram bot tokens and chat IDs for command-and-control. SloppyMIO supports at least five modules enabling command execution via cmd.exe, file collection and exfiltration within Telegram API limits, file writing to local app data directories, scheduled task creation for persistence, and process launching. The malware communicates with operators through Telegram Bot API, sending status beacons, polling for commands, and exfiltrating data. The campaign's infrastructure choice complicates traditional tracking but exposes metadata useful for defenders. The attack leverages emotional manipulation with fabricated protest data to induce victims to enable macros, triggering infection. The campaign aligns with prior Iranian operations like Tortoiseshell and Nemesis Kitten, which also used GitHub and Excel-based delivery. The threat actor's use of AI tools and commoditized infrastructure reflects an evolution in Iranian cyber espionage tactics. Approximately 50 victims have been identified, spanning Kurdish communities, academics, government officials, and business leaders. 
The campaign coincides with recent leaks exposing Iranian cyber operations and surveillance platforms, underscoring the broader intelligence context. No public CVEs or patches exist, and no active exploits are reported, but the campaign's modularity and persistence mechanisms pose ongoing risks.
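The analysis above says the VBA stage loads the C# implant through AppDomainManager injection. The following hunt script is an added example written for this page (it is not code from the article, from The Hacker News, or from the RedKitten tooling). It relies only on the documented .NET runtime settings `<appDomainManagerAssembly>` / `<appDomainManagerType>` in an application's `.config` file and their per-process equivalents, the `APPDOMAIN_MANAGER_ASSEMBLY` / `APPDOMAIN_MANAGER_TYPE` environment variables. The allowlist, the config paths, the type name and both sample configs are constructed; the second sample borrows the implant DLL name from the article only to show what a hit looks like.

```python
"""Hunt for .NET AppDomainManager redirection in app config files and process environments.

Added example, not code from the article or from the RedKitten tooling. It relies
only on the documented .NET runtime settings <appDomainManagerAssembly> /
<appDomainManagerType> and the APPDOMAIN_MANAGER_ASSEMBLY / APPDOMAIN_MANAGER_TYPE
environment variables. The allowlist and the sample configs are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed allowlist: assembly-name prefixes a defender expects to act as an
# AppDomainManager. Anything outside it is flagged for review.
EXPECTED_MANAGER_PREFIXES = ("Microsoft.", "System.")


def manager_from_config(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the redirected AppDomainManager assembly/type from an app .config, or None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None  # not well-formed XML; no finding here (log it separately in practice)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value", "") if asm is not None else "",
        "type": typ.get("value", "") if typ is not None else "",
    }


def manager_from_env(env: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Same check for a process environment block (the per-process form of the redirect)."""
    asm = env.get("APPDOMAIN_MANAGER_ASSEMBLY", "")
    typ = env.get("APPDOMAIN_MANAGER_TYPE", "")
    if not asm and not typ:
        return None
    return {"assembly": asm, "type": typ}


def is_suspicious(finding: Dict[str, str]) -> bool:
    """A redirect is suspicious unless its simple assembly name is on the allowlist."""
    simple_name = finding["assembly"].split(",")[0].strip()
    return not simple_name.startswith(EXPECTED_MANAGER_PREFIXES)


def scan_configs(configs: Dict[str, str]) -> List[Tuple[str, Dict[str, str]]]:
    """configs maps a config path to its XML text; returns suspicious (path, finding) pairs."""
    hits = []
    for path, text in configs.items():
        finding = manager_from_config(text)
        if finding is not None and is_suspicious(finding):
            hits.append((path, finding))
    return hits


# Constructed sample inputs. The second config borrows the implant DLL name from the
# article to show what a hit looks like; its path and the type name are invented.
SAMPLE_CONFIGS = {
    r"C:\Program Files\ExampleVendor\ExampleApp.exe.config": (
        '<configuration><runtime>'
        '<gcServer enabled="false" />'
        '</runtime></configuration>'
    ),
    r"C:\Users\example\AppData\Local\ExampleHost\ExampleHost.exe.config": (
        '<configuration><runtime>'
        '<appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, '
        'Culture=neutral, PublicKeyToken=null" />'
        '<appDomainManagerType value="ExampleNamespace.ExampleManager" />'
        '</runtime></configuration>'
    ),
}

if __name__ == "__main__":
    for path, finding in scan_configs(SAMPLE_CONFIGS):
        print(f"[!] {path}\n    assembly={finding['assembly']}\n    type={finding['type']}")
```

In a real sweep, feed `scan_configs` every `*.exe.config` under user-writable paths such as `%LOCALAPPDATA%` (the directory the analysis names as the implant's drop location) and pair it with a check of running processes' environment blocks via `manager_from_env`; a redirect in a user-writable location that points at a non-Microsoft assembly is the signal worth triaging.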

Potential Impact

European organizations, particularly NGOs, human rights defenders, and activists connected to Middle Eastern affairs, face significant risks from RedKitten. The campaign's targeting of individuals involved in documenting human rights abuses could lead to the compromise of sensitive information, endangering sources and undermining advocacy efforts. The malware's capability to exfiltrate files, execute arbitrary commands, and maintain persistence threatens confidentiality, integrity, and availability of affected systems. The use of widely accessible platforms like GitHub, Google Drive, and Telegram for C2 complicates detection and response, increasing the likelihood of successful infiltration. Emotional manipulation tactics may lead to higher infection rates among targeted communities in Europe, especially those with ties to Iranian or Kurdish populations. The campaign could also serve as a vector for broader espionage activities against European entities engaged in geopolitical or human rights issues related to Iran. The modular design allows for tailored payloads, potentially escalating impact over time. Overall, the campaign poses a medium to high espionage threat with potential long-term operational consequences for European civil society and governmental organizations involved in related domains.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic controls. First, conduct focused user awareness training emphasizing the risks of enabling macros in unsolicited Excel files, especially those claiming to contain sensitive or emotionally charged information. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting AppDomainManager injection and anomalous use of cmd.exe and scheduled tasks. Monitor network traffic for unusual connections to GitHub, Google Drive, and Telegram APIs, particularly from endpoints handling sensitive data. Employ steganalysis tools to detect hidden payloads in image files retrieved from cloud services. Restrict or closely monitor the use of Telegram and similar messaging platforms for command-and-control traffic within corporate networks. Implement strict application whitelisting to prevent unauthorized DLL execution and scheduled task creation. Regularly audit and update incident response plans to include scenarios involving AI-generated malware and commodity infrastructure abuse. Collaborate with threat intelligence providers to receive timely indicators of compromise related to RedKitten. Finally, encourage secure communication channels and multi-factor authentication for individuals at risk, reducing the impact of credential theft attempts linked to phishing campaigns associated with this threat.
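The recommendation to monitor for unusual connections to GitHub, Google Drive and the Telegram Bot API is easier to act on as a correlation than as three separate alerts. The script below is an added example written for this page (not code from the article or from any vendor product): it reads egress log lines, ignores browsers, and reports any other process that talks to the Telegram Bot API, rating it higher when the same process first fetched from GitHub and then from Google Drive in that order, which is the dead-drop chain the analysis describes. The five-field log format, the host and process names, the bot token and every path are constructed sample data; the `/bot<token>/<method>` URL shape is the public Telegram Bot API layout.

```python
"""Correlate egress log lines for the GitHub -> Google Drive -> Telegram Bot API chain.

Added example, not code from the article or from any vendor product. The log format
is a constructed five-field line: timestamp host process destination path. Host and
process names, the bot token and all paths are invented sample data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dest>\S+) (?P<path>\S+)$")
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)")

# Browsers reaching these services is normal; the interesting case is any other process.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}
GDRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com", "docs.google.com"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(dest: str, path: str) -> Optional[str]:
    """Map a request to a stage of the chain, or None if it is not one of them."""
    d = dest.lower()
    if d in GITHUB_HOSTS:
        return "github"
    if d in GDRIVE_HOSTS:
        return "gdrive"
    if d == "api.telegram.org" and TELEGRAM_BOT_RE.match(path):
        return "telegram"
    return None


def analyze(lines: List[str]) -> Dict[str, dict]:
    """Per host, report the non-browser process that used the Telegram Bot API and which
    stages of the chain it touched, in first-seen order."""
    state = defaultdict(lambda: {"stages": [], "polls": 0, "token_prefix": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"].lower() in BROWSERS:
            continue
        stage = classify(rec["dest"], rec["path"])
        if stage is None:
            continue
        entry = state[(rec["host"], rec["proc"])]
        if stage not in entry["stages"]:
            entry["stages"].append(stage)
        if stage == "telegram":
            m = TELEGRAM_BOT_RE.match(rec["path"])
            # Keep only a prefix of the token: enough to pivot on, not enough to reuse.
            entry["token_prefix"] = m.group("token")[:4] + "..."
            if m.group("method") == "getUpdates":
                entry["polls"] += 1

    findings = {}
    for (host, proc), entry in state.items():
        if "telegram" not in entry["stages"]:
            continue
        full_chain = entry["stages"] == ["github", "gdrive", "telegram"]
        findings[host] = {
            "process": proc,
            "stages": entry["stages"],
            "polls": entry["polls"],
            "token_prefix": entry["token_prefix"],
            "severity": "high" if full_chain else "medium",
        }
    return findings


# Constructed sample log: one host shows the whole chain from a non-browser process,
# one browser hits the Bot API (ignored), one host only does unrelated traffic.
SAMPLE_LOG = """
2026-01-31T09:00:01Z WS-17 ExampleHost.exe raw.githubusercontent.com /example-user/example-repo/main/note.txt
2026-01-31T09:00:03Z WS-17 ExampleHost.exe drive.google.com /uc?id=EXAMPLEFILEID&export=download
2026-01-31T09:00:10Z WS-17 ExampleHost.exe api.telegram.org /botEXAMPLETOKEN/sendMessage
2026-01-31T09:00:40Z WS-17 ExampleHost.exe api.telegram.org /botEXAMPLETOKEN/getUpdates
2026-01-31T09:01:10Z WS-17 ExampleHost.exe api.telegram.org /botEXAMPLETOKEN/getUpdates
2026-01-31T09:02:00Z WS-04 chrome.exe api.telegram.org /botEXAMPLETOKEN2/getUpdates
2026-01-31T09:05:00Z WS-09 OneDrive.exe graph.microsoft.com /v1.0/me/drive
""".strip().splitlines()

if __name__ == "__main__":
    for host, f in analyze(SAMPLE_LOG).items():
        print(f"{host}: {f['severity']} - {f['process']} {'>'.join(f['stages'])} "
              f"polls={f['polls']} token={f['token_prefix']}")
```

The polling count matters because the analysis describes the implant repeatedly calling the Bot API for commands; a single `sendMessage` from an unexpected process is worth a look, but steady `getUpdates` polling from the same process after a GitHub and Google Drive fetch is the pattern to page on. Swap `parse_line` for your proxy or EDR schema and the rest of the logic carries over unchanged.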


Technical Details

Article Source
{"url":"https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html","fetched":true,"fetchedAt":"2026-02-01T08:38:12.529Z","wordCount":1771}

Threat ID: 697f10f7ac06320222d31afe

Added to database: 2/1/2026, 8:38:15 AM

Last enriched: 2/1/2026, 8:38:36 AM

Last updated: 2/1/2026, 11:33:25 AM

Views: 5
