SloppyMIO: AI-Assisted Malware Campaign Exploits Iran's Dey 1404 Unrest
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Dropper, Malicious Macro, Baiting, Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
The RedKitten campaign, observed in early 2026, targets Iranian interests, specifically NGOs and individuals documenting human rights abuses during the "Dey 1404" protests. Assessing the actor as Iranian state-aligned, researchers identified "SloppyMIO," a modular .NET implant likely developed with AI assistance. The attack chain uses spearphishing with "shock lures" purporting to be execution lists to deliver malware via AppDomainManager injection. The threat actor leverages legitimate infrastructure, using GitHub as a Dead Drop Resolver for steganographic configuration, Google Drive for payload hosting, and Telegram for command and control. This campaign highlights the growing use of LLMs in rapid malware development and the exploitation of civil unrest for targeted surveillance in Iran.
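As an added example (not code from the RedKitten report or the SloppyMIO analysis), a Python triage check for the AppDomainManager injection technique named above: it inspects a .NET application's .exe.config and a process environment for the documented runtime settings that redirect which AppDomainManager assembly gets loaded. Element and variable names are the standard .NET ones; the sample configs and environment are constructed for the example.

```python
"""Triage host artifacts for .NET AppDomainManager injection (added example)."""
import xml.etree.ElementTree as ET

# Child elements of <runtime> in an app.config that make the .NET runtime load
# an attacker-chosen assembly/type as the default AppDomainManager. Placing
# such a .exe.config beside a trusted .NET binary is the on-disk footprint.
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Process environment variables with the same effect, no config file needed.
MANAGER_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample: a config that redirects the AppDomainManager.
SAMPLE_INJECTED = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>"""

# Constructed sample: an ordinary config with no manager override.
SAMPLE_BENIGN = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""


def config_findings(config_xml: str) -> list:
    """Return 'element=value' for every manager override found under <runtime>."""
    root = ET.fromstring(config_xml)
    return [
        f"{child.tag}={child.get('value', '')}"
        for runtime in root.iter("runtime")
        for child in runtime
        if child.tag in MANAGER_ELEMENTS
    ]


def env_findings(env: dict) -> list:
    """Return 'NAME=value' for manager overrides present in a process environment."""
    return [f"{k}={v}" for k, v in env.items() if k.upper() in MANAGER_ENV]


def triage(config_xml: str, env: dict) -> dict:
    """Combine both sources; any hit is a lead for analyst review, not proof of
    compromise, since legitimate software can also set these values."""
    findings = config_findings(config_xml) + env_findings(env)
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE_INJECTED, {"PATH": "C:/Windows"}))
    print(triage(SAMPLE_BENIGN, {"PATH": "C:/Windows"}))
```

In practice the config text comes from each `<binary>.exe.config` next to a .NET executable and the environment from the running process, so a hit should be paired with checking where the named assembly resolves from.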
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Human Rights | Verified |
| Region | Netherlands | Medium |
Extracted IOCs
Tip: 12 IOCs related to this threat have been found (0 IP, 0 domain, 0 URL, 0 email, 12 file hashes).
FAQs
Operation RedKitten
A new cyber espionage campaign named "RedKitten" was discovered using fake documents about Iranian protest victims to infect computers with malware. The attackers used AI tools to quickly build their software, which hides inside legitimate-looking files to steal data from unsuspecting users.
While a specific group hasn't been named, evidence strongly suggests the attackers are Farsi-speaking and aligned with the interests of the Iranian government. Their goal appears to be surveillance and the collection of information from people or groups who are documenting human rights issues within Iran.
The attack starts with a "shock lure": a file claiming to be a secret list of people killed during recent protests. If a user opens the file and enables "macros" as prompted, the document automatically builds and installs a hidden program called "SloppyMIO." This program then uses Telegram, a popular messaging app, to receive orders from the hackers and send them your private files.
The campaign specifically targets individuals and non-governmental organizations (NGOs) focused on the "Dey 1404 Protests" in Iran. This includes activists, researchers, and human rights defenders who are looking for information about missing persons or government crackdowns.
Be extremely cautious of any unsolicited files related to political crises or "leaked" government data, even if they look official. You should ensure that "Macros" are disabled in your Microsoft Office settings and avoid clicking "Enable Content" on any document sent from an unverified source.
Currently, this appears to be a highly targeted campaign focused on specific people involved with Iranian civil rights issues. However, because the attackers use common services like Google Drive and GitHub to run their operation, it can be difficult for standard security software to block it automatically.