Iran-Linked RedKitten Cyber Campaign Targets Human Rights NGOs and Activists
Briefly

"A Farsi-speaking threat actor aligned with Iranian state interests is suspected to be behind a new campaign targeting non-governmental organizations and individuals involved in documenting recent human rights abuses. The activity, observed by HarfangLab in January 2026, has been codenamed RedKitten. It's said to coincide with the nationwide unrest in Iran that began towards the end of 2025, protesting soaring inflation, rising food prices, and currency depreciation."
""The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command-and-control," the French cybersecurity company said. What makes the campaign noteworthy is the threat actor's likely reliance on large language models (LLMs) to build and orchestrate the necessary tooling. The starting point of the attack is a 7-Zip archive with a Farsi filename that contains macro-laced Microsoft Excel documents."
A campaign codenamed RedKitten targets non-governmental organizations and individuals documenting recent human-rights abuses, observed by HarfangLab in January 2026. The campaign aligns with nationwide unrest in late 2025 driven by inflation, food-price rises, and currency depreciation. The initial lure is a 7-Zip archive with a Farsi filename containing macro-laced XLSM spreadsheets that claim to list protesters who died between December 22, 2025, and January 20, 2026. Each spreadsheet embeds a malicious VBA macro acting as a dropper for a C# implant via AppDomainManager injection. Indicators point to LLM-generated VBA code and fabricated spreadsheet data designed to emotionally manipulate targets.
Read at The Hacker News