RedKitten is a January 2026 campaign aimed at Farsi-speaking targets connected to the Iranian protests. It uses weaponized XLSM documents to deploy a C# implant (SloppyMIO) that retrieves its configuration from steganographic images referenced in GitHub Gists, fetches modules from Google Drive, and talks to its operators through the Telegram Bot API. The campaign demonstrates AppDomainManager injection for execution, scheduled-task persistence, and likely AI-assisted development. #RedKitten #SloppyMIO
Keypoints
- Attackers distributed a shock-lure 7z archive and XLSM spreadsheets in Farsi purporting to list Dey 1404 (Dec 2025–Jan 2026) victims; the documents contained VBA macros that drop a C# implant.
- The VBA dropper writes C# source and a configuration to disk, compiles the source into a DLL on the host, and makes a legitimate Windows binary (AppVStreamingUX.exe) load the implant via AppDomainManager injection: a .exe.config beside the binary names the implant assembly as the process's AppDomainManager, so the CLR loads and instantiates it before the program's own code runs.
- The implant, SloppyMIO, retrieves a steganographic configuration from images referenced in GitHub Gists, then downloads modular payloads (from Google Drive) and uses the Telegram Bot API for command-and-control and exfiltration.
- SloppyMIO supports multiple modules (command execution, file collection/exfil, file write via image encoding, persistence, and process start), caches modules for up to 60 minutes, and beacons periodically to operators.
- Infrastructure relied on legitimate services (GitHub Gists as a dead drop resolver (DDR), Google Drive for module hosting, Telegram for C2), which complicates attribution and blocking but leaves metadata (Gist commit history, bot and operator accounts) that defenders can pivot on.
- Attribution is to a Farsi-speaking threat actor aligned with Iranian state interests with medium confidence; technical overlaps exist with IRGC-aligned clusters (e.g., IMPERIAL KITTEN) though direct attribution is inconclusive.
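The AppDomainManager trick the dropper relies on leaves a recognisable artefact on disk: a `.exe.config` whose `<runtime>` section declares `appDomainManagerAssembly` and `appDomainManagerType`, next to a copy of a legitimate executable and the attacker's DLL. The following hunt script is an added example and is not the report's or HarfangLab's tooling; it walks a directory tree for such configs and reports whether the executable and the named DLL are present and whether the location lies outside the trusted system directories (AppVStreamingUX.exe normally lives under %SystemRoot%). The sample tree it builds is constructed for the demonstration, and the assembly name used there is an assumption derived from the DLL name in the IOC list.

```python
"""Hunt for AppDomainManager injection on disk.

Added example, not the report's tooling. The mechanism is generic: a
<exe>.exe.config whose <runtime> section carries <appDomainManagerAssembly>
and <appDomainManagerType> makes the CLR load that assembly and instantiate
the type before the program's Main runs. The sample tree is constructed.
"""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

# Locations where a .NET host binary is expected; anything else is a copy worth a look.
TRUSTED_PREFIXES = tuple(
    os.path.normcase(os.environ[v]) + os.sep
    for v in ("SystemRoot", "ProgramFiles", "ProgramFiles(x86)") if os.environ.get(v)
)


def parse_appdomain_manager(config_path):
    """Return (assembly display name, type name) declared under <runtime>, else None."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value", ""), typ.get("value", "")


def hunt(root_dir):
    """Walk root_dir for *.exe.config files that declare a custom AppDomainManager."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            cfg = os.path.join(dirpath, name)
            found = parse_appdomain_manager(cfg)
            if found is None:
                continue
            asm, typ = found
            simple_name = asm.split(",")[0].strip()  # "Name, Version=..." -> "Name"
            hits.append({
                "config": cfg,
                "manager_assembly": asm,
                "manager_type": typ,
                # The CLR resolves the manager assembly from the executable's directory.
                "exe_present": os.path.exists(cfg[: -len(".config")]),
                "dll_present": os.path.exists(os.path.join(dirpath, simple_name + ".dll")),
                "outside_trusted_dirs": not os.path.normcase(cfg).startswith(TRUSTED_PREFIXES),
            })
    return hits


BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
</configuration>
"""

# Constructed: assembly name assumed to match the DLL from the IOC list, type name from the report.
INJECTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="AppVStreamingUXMainOff"/>
  </runtime>
</configuration>
"""


def build_sample_tree():
    """Constructed on-disk layout mimicking the staging directory from the IOC list."""
    base = tempfile.mkdtemp(prefix="adm_hunt_")
    staged = os.path.join(base, "Windows", "MediaSync")
    clean = os.path.join(base, "Clean")
    os.makedirs(staged)
    os.makedirs(clean)
    for path, data in (
        (os.path.join(staged, "AppVStreamingUX.exe"), b"MZ"),             # stand-in for the copied binary
        (os.path.join(staged, "AppVStreamingUX_Multi_User.dll"), b"MZ"),  # stand-in for the implant
        (os.path.join(staged, "AppVStreamingUX.exe.config"), INJECTED_CONFIG.encode()),
        (os.path.join(clean, "app.exe.config"), BENIGN_CONFIG.encode()),
    ):
        with open(path, "wb") as f:
            f.write(data)
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for hit in hunt(target):
        flags = [k for k in ("exe_present", "dll_present", "outside_trusted_dirs") if hit[k]]
        print(f"{hit['config']}: {hit['manager_type']} from {hit['manager_assembly']} [{', '.join(flags)}]")
```

Run it with a directory argument (for example a user's %LOCALAPPDATA%) to sweep real hosts; without an argument it builds the sample tree and flags only the staged config, not the benign one.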
MITRE Techniques
- [T1204.002] User Execution: Malicious File – Weaponized Excel (XLSM) documents with VBA macros trick users into enabling macros to execute the dropper (‘Enable Content’ or ‘Enable Editing’).
- [T1574.014] Hijack Execution Flow: AppDomainManager – AppDomainManager injection makes AppVStreamingUX.exe load and instantiate the implant assembly (‘instantiate the AppVStreamingUXMainOff AppDomainManager class’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Execution and persistence are achieved via scheduled tasks (MediaSyncTask### for initial execution and ‘Enterprise Workstation Health Monitoring’ for persistence) (‘MediaSyncTask…runs the target binary one minute after being enabled’).
- [T1001.002] Data Obfuscation: Steganography – Configuration is concealed in images using Least-Significant Bit (LSB) steganography to embed the XOR key, Telegram token/chat ID, and module URLs (‘Least-Significant Bit (LSB) steganography to conceal the configuration within the image’).
- [T1102.001, T1102.002] Web Service: Dead Drop Resolver, Bidirectional Communication – Legitimate web services are abused for staging and C2: GitHub Gists act as a dead drop resolver, Google Drive hosts modules, and the Telegram Bot API carries command-and-control (‘leveraging the Telegram Bot API for command-and-control’).
- [T1041] Exfiltration Over C2 Channel – Collected files and command output are exfiltrated via the Telegram bot (as messages, or as documents when large) to operator accounts (‘sends exfiltrated files over to a specified operator leveraging the Telegram Bot API’).
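LSB steganography hides one payload bit in the lowest bit of each pixel byte, so the image looks unchanged while carrying the configuration. The block below is an added illustration of that general technique together with the XOR layer the report mentions; it is not SloppyMIO's code, and the report does not give SloppyMIO's exact layout (which channels, bit order, length framing, or how the XOR key itself is stored), so the 4-byte length prefix and the key-as-parameter design here are assumptions. The cover image is a constructed raw pixel buffer and the embedded config values are placeholders.

```python
"""LSB steganography round-trip: hide an XOR-encoded config in the low bits of
a pixel buffer, then recover it the way an analyst would from the image.

Added illustration of the general technique, not SloppyMIO's code. The
length-prefix framing and the external XOR key are assumptions.
"""
import struct


def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lsb_embed(pixels, payload):
    """Write payload, prefixed with a 4-byte big-endian length, into the
    least-significant bit of each pixel byte (one bit per byte, MSB first)."""
    framed = struct.pack(">I", len(payload)) + payload
    needed = len(framed) * 8
    if needed > len(pixels):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(pixels)}")
    out = bytearray(pixels)
    for i in range(needed):
        bit = (framed[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(pixels):
    """Inverse of lsb_embed: read the length prefix, then that many bytes."""
    def read_bytes(start, n):
        acc = bytearray()
        for j in range(n):
            b = 0
            for k in range(8):
                b = (b << 1) | (pixels[start + j * 8 + k] & 1)
            acc.append(b)
        return bytes(acc)

    length = struct.unpack(">I", read_bytes(0, 4))[0]
    if length > (len(pixels) - 32) // 8:
        raise ValueError("length prefix exceeds cover capacity (not an LSB payload?)")
    return read_bytes(32, length)


def looks_like_lsb_payload(pixels):
    """Cheap triage: does the LSB plane carry a length prefix that fits the image?"""
    try:
        lsb_extract(pixels)
        return True
    except ValueError:
        return False


def recover_config(pixels, xor_key):
    """Extract the hidden bytes, strip the XOR layer, parse key=value lines."""
    plain = xor_bytes(lsb_extract(pixels), xor_key).decode("utf-8")
    return dict(line.split("=", 1) for line in plain.splitlines() if "=" in line)


# Constructed sample: a 4096-byte "cover image" and a placeholder configuration.
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
XOR_KEY = b"k3y"  # assumed; the report says the real key is itself embedded in the image
SAMPLE_CONFIG = b"telegram_token=000000:placeholder\nchat_id=0\nmodule_url=https://example.invalid/m.bin"
STEGO = lsb_embed(COVER, xor_bytes(SAMPLE_CONFIG, XOR_KEY))

if __name__ == "__main__":
    print("cover carries payload:", looks_like_lsb_payload(COVER))
    print("stego carries payload:", looks_like_lsb_payload(STEGO))
    for k, v in recover_config(STEGO, XOR_KEY).items():
        print(f"{k} = {v}")
```

Because only the lowest bit of each byte changes, no byte of the stego buffer differs from the cover by more than one, which is why visual inspection of the image reveals nothing; comparing a suspect image against a known original, or checking whether the LSB plane parses as a sane length-prefixed payload, is the practical tell.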
Indicators of Compromise
- [Hashes ] Malware and weaponized document hashes – d3bb28307d11214867c570fe594f773ba90195ed22b834bad038b62bf75a4192 (XLSM), 6d474cf5aeb58a60f2f7c4d47143cc5a11a5c7f17a6b43263723d337231c3d60 (SloppyMIO), and 10 more hashes.
- [Filenames] Malicious archive and document names used in the lure – فایل های پزشکی قانونی تهران(1).7z (Tehran Forensic Medicine Files(1).7z), لیست نهایی_جانباختگان_دی_1404_تهران_بخش اول.xlsm (Final List_Those Killed_Dey_1404_Tehran_Part One.xlsm).
- [File paths] Implant and module file locations on the host – %LOCALAPPDATA%\Windows\MediaSync\AppVStreamingUX_Multi_User.dll (SloppyMIO; AppDomainManager injection resolves the assembly from the directory of the executable that loads it), %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages (module write target, named to blend in with .NET runtime directories).
- [Scheduled tasks ] Task names used for execution/persistence – ^MediaSyncTask[1-9][0-9]{2}$ (MediaSyncTask### initial execution), ‘Enterprise Workstation Health Monitoring’ (persistence task).
- [GitHub account] Developer DDR and Gist metadata – johnpeterson1304, the account that published the Gists and the steganographic image revisions; the author details in its Gist commit history are a pivot point for defenders.
- [Telegram bots/accounts ] C2 endpoints and operator accounts observed – 13 Telegram bots across 7 accounts (example account ‘Mech-One’ with language_code ‘fa’), used to send commands and receive exfiltrated data.
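Two of the indicators above are patterns rather than single values and can be turned into checks over telemetry: Bot API traffic to api.telegram.org (URLs of the form /bot<token>/<method>, where the numeric prefix of the token is the bot id and the method says what the implant is doing) and the scheduled-task names. The script below is an added example, not the report's tooling; it runs over constructed proxy log lines and a constructed task list with a placeholder bot token, and goes a step beyond the list by distinguishing a host that merely polls a bot from one that both polls for commands and sends data back.

```python
"""Pivot on the two pattern-style IOCs: Telegram Bot API traffic in proxy
logs and the MediaSyncTask### / persistence task names.

Added example, not the report's tooling. Log lines, task names and the bot
token are constructed placeholders.
"""
import re
from collections import defaultdict

# Bot API URLs are https://api.telegram.org/bot<token>/<method>; tokens are <bot id>:<secret>.
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Task-name regex from the IOC list plus the fixed persistence task name.
MEDIASYNC_TASK_RE = re.compile(r"^MediaSyncTask[1-9][0-9]{2}$")
PERSIST_TASK = "Enterprise Workstation Health Monitoring"

# What each Bot API method means for a bot-driven implant.
METHOD_ROLE = {
    "getUpdates": "poll for operator commands",
    "sendMessage": "beacon or small output",
    "sendDocument": "exfiltrate file",
}


def scan_proxy_log(lines):
    """Group Bot API calls by (source host, bot id) and tally the methods used.

    Expected line format (constructed for this example):
    <timestamp> <source ip> <http method> <url> <status> <bytes>
    """
    seen = defaultdict(lambda: {"methods": defaultdict(int), "roles": set()})
    for line in lines:
        m = TELEGRAM_RE.search(line)
        if not m:
            continue
        src = line.split()[1]
        bot_id = m.group("token").split(":")[0]  # pivotable without the secret part
        entry = seen[(src, bot_id)]
        entry["methods"][m.group("method")] += 1
        entry["roles"].add(METHOD_ROLE.get(m.group("method"), "other"))
    return {k: {"methods": dict(v["methods"]), "roles": sorted(v["roles"])} for k, v in seen.items()}


def c2_like(summary):
    """A host that polls getUpdates AND sends messages/documents behaves like a bot-based implant."""
    return [
        key for key, v in summary.items()
        if "getUpdates" in v["methods"] and set(v["methods"]) & {"sendMessage", "sendDocument"}
    ]


def suspicious_tasks(task_names):
    """Match the MediaSyncTask### execution tasks and the persistence task."""
    return [t for t in task_names if MEDIASYNC_TASK_RE.match(t) or t == PERSIST_TASK]


# Constructed sample telemetry; the token is a placeholder, not a real bot.
PROXY_LOG = [
    "2026-01-14T09:00:01Z 10.0.0.15 GET https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates 200 512",
    "2026-01-14T09:00:31Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage 200 128",
    "2026-01-14T09:02:10Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument 200 1048576",
    "2026-01-14T09:02:11Z 10.0.0.22 GET https://www.example.com/index.html 200 2048",
    "2026-01-14T09:03:00Z 10.0.0.22 GET https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates 200 16",
]
TASKS = [
    "MediaSyncTask482",
    "MediaSyncTask042",  # leading zero: does not match the IOC regex
    "Enterprise Workstation Health Monitoring",
    "MicrosoftEdgeUpdateTaskMachineUA",
]

if __name__ == "__main__":
    summary = scan_proxy_log(PROXY_LOG)
    for (src, bot_id), v in summary.items():
        print(f"{src} -> bot {bot_id}: {v['methods']} ({'; '.join(v['roles'])})")
    print("C2-like pairs:", c2_like(summary))
    print("suspicious tasks:", suspicious_tasks(TASKS))
```

On the sample data, 10.0.0.15 polls, beacons and uploads a document to the same bot and is flagged, while 10.0.0.22 only polls once and is reported but not flagged; in a real deployment, feed the output of `schtasks /query /fo CSV` and the proxy's URL field into these functions and pivot on the bot id, which is stable across tokens the operator rotates.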
Read more: https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/