A new malicious campaign is distributing malware to targets in Iran, likely including non-governmental organizations and individuals involved in documenting recent human rights abuses during the protest wave in the country.

The campaign, discovered by the cyber threat research team at French cybersecurity firm HarfangLab, was first observed in early January 2026.

HarfangLab obtained malicious samples on January 23 and shared a malware analysis on January 29.

Dubbed RedKitten by the researchers, the campaign distributes forged ‘shock lures’ designed to target organizations or individuals seeking information about missing persons or political dissidents. These lures lead to a malware implant, dubbed SloppyMIO, that can collect and exfiltrate data, run arbitrary commands and deploy further malware with persistence via scheduled tasks.

The malware relies on GitHub and Google Drive for configuration and modular payload retrieval and uses Telegram for command and control.

The HarfangLab researchers assessed that it was built using AI tools, as indicated by multiple traces of large language model (LLM)-assisted development.

While the researchers could not reliably attribute the activity to an identified threat actor, they observed the use of techniques previously known to have been employed by Iranian state-sponsored attackers, alongside linguistic indicators.

They stated that they were confident the activity originated from a threat actor aligned with the Iranian government’s security interests.

Fake Forensic Files to Target Dissidents and Researchers

The RedKitten campaign begins with a password-protected 7z archive, titled "Tehran Forensic Medical Files" in Farsi, containing five malicious Excel spreadsheets. The files claim to list 200 individuals, allegedly protesters, who died in Tehran between December 2025 and January 2026, a period marked by unrest against the Iranian regime.

The Excel documents, named to appear as official records (e.g., "Final List_Victims_December 1404_Tehran_Part One.xlsm"), include five tabs of fabricated but disturbing data.

One sheet lists victims’ personal details alongside the security forces involved, such as the Islamic Revolutionary Guard Corps (IRGC), the Basij militia or the Ministry of Intelligence, while another provides graphic autopsy reports, including toxicology results. A third tab tracks body releases to family members and a final "Help" sheet urges users to enable macros, triggering the malware.
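A triage check for the lure format described above, added here as an example and not HarfangLab's tooling: it opens a macro-enabled workbook (an OOXML zip), reports whether a VBA project is embedded, lists the sheet names, and flags the combination of macros plus a "Help" sheet. The sample workbook it builds is constructed for the test, not a file from the campaign, and the sheet names are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Default namespace of xl/workbook.xml in SpreadsheetML documents.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def inspect_xlsm(data: bytes) -> dict:
    """Return the sheet names and whether a VBA project is embedded."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        has_vba = "xl/vbaProject.bin" in names  # macro container in .xlsm
        sheets = []
        if "xl/workbook.xml" in names:
            root = ET.fromstring(z.read("xl/workbook.xml"))
            sheets = [s.get("name") for s in root.findall(".//m:sheet", NS)]
    return {"has_vba": has_vba, "sheets": sheets}


def is_suspicious(info: dict) -> bool:
    """Heuristic from the article: macros present plus a 'Help' sheet
    whose only purpose is to tell the reader to enable them."""
    return info["has_vba"] and any(
        (s or "").strip().lower() == "help" for s in info["sheets"]
    )


def build_sample(sheets, with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for offline testing
    (constructed sample; not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        body = "".join(
            f'<sheet name="{n}" sheetId="{i + 1}"/>' for i, n in enumerate(sheets)
        )
        z.writestr(
            "xl/workbook.xml",
            '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
            f"<sheets>{body}</sheets></workbook>",
        )
        if with_vba:
            # OLE2 magic bytes only; a real vbaProject.bin is a full OLE container.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()
```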