A Farsi-speaking threat actor aligned with Iranian state interests has been linked to RedKitten, a campaign that uses Farsi-named XLSM spreadsheets carrying malicious VBA macros to drop a C# implant via AppDomainManager injection and deploy the SloppyMIO backdoor. SloppyMIO retrieves steganographic configuration from GitHub and Google Drive and uses the Telegram Bot API for command-and-control across several modular capabilities. The VBA shows signs of LLM generation, and the campaign targets people seeking information about missing protesters. #RedKitten #SloppyMIO
Key points
- HarfangLab observed the RedKitten campaign using Farsi-named XLSM files to drop a C# implant via AppDomainManager injection.
- The SloppyMIO backdoor uses GitHub and Google Drive to retrieve steganographic configuration and Telegram Bot API for command-and-control.
- SloppyMIO supports modules for running cmd commands, collecting and exfiltrating files, writing files via image-encoded data, creating scheduled-task persistence, and starting processes.
- VBA macros exhibit signs of LLM generation, indicating adversaries are leveraging AI to develop and orchestrate tooling.
- Attribution points to Iranian-aligned actors based on Farsi artifacts, lure themes, and similarities to prior campaigns like Tortoiseshell and Nemesis Kitten.
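As an added, defender-side example (not code from HarfangLab's report or from the article linked below), the script below checks three artifacts a hunter would look for given the tradecraft described above: a .NET application .config that redirects the AppDomainManager (the documented `appDomainManagerAssembly`/`appDomainManagerType` elements under `<runtime>`), process-creation records whose environment carries the equivalent `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` variables or whose parent is an Office process, and proxy log lines showing non-browser processes calling the Telegram Bot API. All config text, event records, log lines, assembly names and the bot token are constructed samples, and the log line layout (timestamp, process, method, URL, status) is an assumption about the telemetry format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a benign .exe.config and one that redirects the AppDomainManager
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Entry" />
  </runtime>
</configuration>"""


def appdomain_manager_from_config(xml_text):
    """Return (assembly, type) when a .config redirects the AppDomainManager, else None.

    A legitimate config rarely sets these; when it does, the assembly named here is
    loaded and run before the host executable's own Main, which is what the
    injection technique relies on.
    """
    root = ET.fromstring(xml_text)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None)


# Constructed sample process-creation records (image, parent, captured environment)
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe", "env": {}},
    {"image": r"C:\Users\u\AppData\Local\Temp\report.exe", "parent": "EXCEL.EXE",
     "env": {"APPDOMAIN_MANAGER_ASM": "Loader",
             "APPDOMAIN_MANAGER_TYPE": "Loader.Entry",
             "COMPLUS_Version": "v4.0.30319"}},
]

ENV_MARKERS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
OFFICE_PARENTS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}


def flag_events(events):
    """Return [(image, [reasons])] for records matching either hunting condition."""
    findings = []
    for ev in events:
        reasons = []
        if any(k in ev["env"] for k in ENV_MARKERS):
            reasons.append("appdomain_manager_env")
        if ev["parent"].upper() in OFFICE_PARENTS:
            reasons.append("office_child")
        if reasons:
            findings.append((ev["image"], reasons))
    return findings


# Constructed proxy log: "<timestamp> <process> <method> <url> <status>"; the token is a placeholder
PROXY_LOG = """2026-01-15T10:02:11Z EXCEL.EXE GET https://api.telegram.org/bot123456789:AAExampleTokenValue/getUpdates 200
2026-01-15T10:02:13Z chrome.exe GET https://web.telegram.org/a/ 200
2026-01-15T10:03:01Z report.exe POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument 200
"""

# Bot API calls take the form https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(\w+)")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def telegram_bot_calls(log_text):
    """Return [(process, bot_api_method)] for non-browser processes using the Bot API."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        process, url = fields[1], fields[3]
        m = BOT_API_RE.search(url)
        if m and process.lower() not in BROWSERS:
            hits.append((process, m.group(1)))
    return hits


if __name__ == "__main__":
    print(appdomain_manager_from_config(SUSPICIOUS_CONFIG))
    print(flag_events(SAMPLE_EVENTS))
    print(telegram_bot_calls(PROXY_LOG))
```

The three checks are deliberately independent so each can be dropped into a different telemetry source; a single `report.exe` appearing in both the process findings and the Telegram hits is the kind of correlation that turns a weak signal into an investigation lead.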
Read More: https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html