{
	"id": "e4e89718-b941-428c-8112-89de040f35f9",
	"created_at": "2026-04-06T00:19:04.519612Z",
	"updated_at": "2026-04-10T13:12:31.690576Z",
	"deleted_at": null,
	"sha1_hash": "8ddc3f060f4190a4c29b374f1e8b309a5b175b16",
	"title": "RedKitten: AI-accelerated campaign targeting Iranian protests",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3056969,
	"plain_text": "RedKitten: AI-accelerated campaign targeting Iranian protests\r\nPublished: 2026-01-29 · Archived: 2026-04-02 10:43:52 UTC\r\nPublished on 29 January, 2026 21min\r\nIdentifier: TRR260101.\r\nSummary\r\nRedKitten is a newly identified campaign targeting Iranian interests, likely including non-governmental\r\norganizations and individuals involved in documenting recent human rights abuses, first observed in\r\nhttps://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/\r\nPage 1 of 16\n\nearly January 2026. The malware relies on GitHub and Google Drive for configuration and modular\r\npayload retrieval, and uses Telegram for command and control.\r\nThis activity appears aligned with the “Dey 1404 Protests”, a wave of intense civil unrest in Iran that\r\nbegan in late December 2025, following widespread economic strikes in Tehran. The protests were met\r\nwith a deadly crackdown involving mass arrests and extensive civilian casualties. We assess that the\r\nthreat actor rapidly built this campaign using AI tools, as indicated by multiple traces of LLM-assisted\r\ndevelopment.\r\nWhile we could not reliably attribute this activity to an identified threat actor, we observed the use of\r\ntechniques known to have been previously utilized by Iranian state-sponsored attackers alongside\r\nlinguistic indicators, and we are confident that the activity originates from a threat actor aligned with\r\nthe Iranian’s government security interests. 
We currently track this cluster of activity as RedKitten.\r\nBackground: Iran’s efforts in suppressing the 2025-2026 protests\r\nInfection chain\r\nWeaponized XLSM documents\r\nC# implant: SloppyMIO\r\nInfrastructure\r\nTelegram bots and accounts\r\nTargets\r\nAttribution: it’s a kitten, but which one?\r\nActivity timeline\r\nConclusion: letting AI do all the heavy lifting\r\nAppendix: indicators and detection rules\r\nIndicators of compromise (IOCs)\r\nYARA rules\r\nBackground: Iran’s efforts in suppressing the 2025-2026 protests\r\nIn an effort to suppress the flow of information around the Dey 1404 protests and the subsequent massacres, the regime\r\nenforced recurring internet blackouts to hinder documentation of abuses and disrupt civilian coordination. At the\r\nsame time, Iran’s leadership faced growing external pressure, particularly from the United States (U.S.), which\r\nwarned of possible intervention should the regime attempt to violently repress the protests and if a nuclear deal\r\ncould not be reached. The U.S. deployed an aircraft carrier strike group as part of this coercive signaling.\r\nAs more details of the violent repression emerged, threat actors appear to have exploited the staggering human toll\r\nto target organizations or individuals seeking information about the deadly crackdown. This modus operandi is\r\nconsistent with past Iranian state-linked campaigns, which have frequently relied on crisis-driven lures, such as\r\nthe October 7 attacks in Israel.\r\nInfection chain\r\nWe identified a 7z archive uploaded on January 23, 2026 to an online multiscanner with the following filename in\r\nFarsi: 7.)1(تهران قانونی پزشکی های فایلz (translated: Tehran Forensic Medical Files).\r\nzفایل های پزشکی قانونی تهران)1(7. 
Filename\r\nFile type 7z archive\r\nCreation time 2026-01-22 22:41:27\r\nHash (SHA-256) 8c0d75a043fa81d9600596f5dda8396856b5b6660908a0e60b699721e087d541\r\nThe archive contains 5 macro-enabled Excel spreadsheets (XLSM), supposedly parts one to five of a list of\r\nindividuals from Tehran who died between December 22, 2025 and January 20, 2026 (Dey 1404 in the Persian\r\ncalendar).\r\nWeaponized XLSM documents\r\nDecoy content\r\nThese files, named for example Final List_Victims_D_1404_Tehran_Part one.xlsm (translated from لیست\r\nاول بخش_تهران_1404_دی_جانباختگان_نهایی.xlsm ), most likely refer to the reported executions and the massacre of\r\nprotesters who rose up against the Iranian Ayatollah regime.\r\nSHA-256 hash Filename\r\nd3bb28307d11214867c570fe594f773ba90195ed22b834bad038b62bf75a4192\r\nلیست\r\nنهایی_جانباختگان_دی_1404_تهران_بخش\r\nxlsm.اول\r\n1\r\n90aebc9849b659515fd70dde6db717ad457ab2a90522a410d1fd531ca8640624\r\nلیست\r\nنهایی_جانباختگان_دی_1404_تهران_بخش\r\nxlsm.دوم\r\n2\r\n96ee9d3ed80c59c4bf39ed630efbfa53591fbe51155db7919ef64535a6171044\r\nلیست\r\nنهایی_جانباختگان_دی_1404_تهران_بخش\r\nxlsm.سوم\r\n3\r\nc40c94d787f6a35ac1cb4c5f031cf5777b77c79dc3929181badea33aaf177aa7\r\nلیست\r\nنهایی_جانباختگان_دی_1404_تهران_بخش\r\nxlsm.پنجم\r\n4\r\n59ee007fd17280470724eb8a11ab12a98e85fd2383af3065f5f09a7e1a73f88c\r\nلیست\r\nنهایی_جانباختگان_دی_1404_تهران_بخش\r\nxlsm.چهارم\r\n5\r\n]\r\nThe XLSM files all contain malicious VBA macros and identical lures.\r\nhttps://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/\r\nPage 3 of 16\n\nxlsm.لیست نهایی_جانباختگان_دی_1404_تهران_بخش اول of Contents – 1 Figure\r\nThe lure is composed of 5 sheets written in Farsi, listing a supposedly confidential database of 200 bodies\r\nprocessed during the aforementioned time period.\r\nSheet original (Persian) name English Translation\r\nهویتی Identity / Identification\r\nکالبدگشایی Autopsy / Dissection\r\nLaboratory آزمایشگاه\r\nجسد تحویل Body Delivery 
/ Release\r\nنمایش راهنمای Display Guide / Help\r\nThe “Identity/Identification” sheet lists deceased individuals, their PII (Personally Identifiable Information) and\r\nthe referring organization, as well as the officer’s name. Among the organizations listed are:\r\nBasij (paramilitary volunteer militia);\r\nMinistry of Intelligence and Security (MOIS);\r\nIRGC (Islamic Revolutionary Guard Corps);\r\nEmergency services (i.e. ambulance);\r\nPublic (implying a body found by citizens).\r\nThe “Autopsy” sheet details the time and cause of death, the appointed doctor and any special remarks (the\r\ncontents of this sheet are graphic and disturbing). Toxicology and narcotic test results are provided in the\r\n“Laboratory” sheet, listing some individuals as being slightly under the influence of alcohol. The “Body Release” sheet\r\nprovides the casualties’ release date and the person (family member) to whom they were released. Finally, the\r\n“Help” sheet entices the user to click the “Enable Content” or “Enable Editing” button in order to allow the\r\nmacros to run.\r\nFigure 2 – Message instructing user to enable macros\r\nWe assess that this document is a forged ‘shock lure’ designed to target organizations or individuals seeking\r\ninformation about missing persons or political dissidents. Several internal inconsistencies indicate the data is\r\nfabricated: most notably, the mismatch between birth dates and ages. Furthermore, the document lists an implausible\r\nworkload for a small group of doctors over a very short period. 
And while the file omits important data, such as\r\nthe addresses of the family members, it provides an unnatural level of detail regarding the causes of death and the\r\nspecific security agencies involved.\r\nThis tactical reliance on high shock value aligns with Iranian-nexus campaigns, such as the one we previously\r\nreported.\r\nVBA Dropper\r\nEach XLSM file contains the same VBA macro, which acts as a dropper for a C# implant. Upon execution, it\r\nextracts the Base64-encoded C# source code and .NET application configuration files which are stored in the\r\ncustom XML parts of the document. The source code is written to a temporary file in %TEMP% using a random\r\nname with the extension .cs (e.g. ~radFAC27.tmp.cs ). A first configuration file is written to\r\n%LOCALAPPDATA%\\WindowsMediaSync , alongside a legitimate binary, AppVStreamingUX.exe , copied over from\r\nC:\\Windows\\Sysnative\\AppV\\ or C:\\Windows\\System32\\AppV\\ .\r\nThe dropper then invokes the host’s .NET C# compiler to generate a DLL AppVStreamingUX_Multi_User.dll in\r\n%LOCALAPPDATA%\\WindowsMediaSync (remark: a compile log file is written to\r\n%USERPROFILE%\\Desktop\\compile_log.txt ).\r\nNote that in case the AppVStreamingUX.exe binary could not be copied to %LOCALAPPDATA%\\WindowsMediaSync ,\r\nthe dropper copies dfsvc.exe from %SYSTEMROOT%\\Microsoft.NET\\Framework\\v4.0.30319\\ instead, and writes a\r\nsecond .NET application configuration file previously extracted to the same target directory.\r\nBoth configuration files require the legitimate process to load the AppVStreamingUX_Multi_User assembly\r\nlocated alongside the executable, and to instantiate the AppVStreamingUXMainOff AppDomainManager class,\r\nresulting in the actual implant being loaded. 
This technique is known as “AppDomainManager injection”.\r\nThe execution is triggered by a scheduled task (named MediaSyncTask followed by a random number between\r\n100 and 999, e.g. MediaSyncTask276 ) which runs the target binary one minute after being enabled.\r\nThe overall style of the VBA code, the variable names and methods it uses, as well as the comments left in it\r\n(e.g. --- PART 5: Report the result and schedule if successful --- ) indicate that it was very likely, at least\r\npartially, AI-generated.\r\nC# implant: SloppyMIO\r\nThe deployed implant, which we dubbed SloppyMIO ( AppVStreamingUX_Multi_User.dll ), is not compiled in a\r\ndeterministic way, resulting in different binaries for each compilation.\r\nIt retrieves its configuration steganographically from images whose URLs are obtained via a Dead Drop Resolver\r\n(DDR) backed by GitHub. From these images, it extracts an XOR key, a Telegram bot token and chat ID, and module\r\nURLs from an LSB-hidden payload (details below).\r\nThe malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and\r\nexfiltrate files and deploy further malware with persistence via scheduled tasks. SloppyMIO beacons status\r\nmessages, polls for commands and sends exfiltrated files over to a specified operator leveraging the Telegram Bot\r\nAPI for command-and-control.\r\nThe following sections cover the configuration extraction, the available modules as well as aspects related to the\r\nC2 communication, leaving a few peculiarities aside.\r\nConfiguration\r\nThe configuration is stored in image files similar to the one displayed hereafter and retrieved from URLs provided\r\nby a GitHub Gist.\r\nFigure 3 – Overview of an image file used to store the configuration\r\nSloppyMIO leverages Least-Significant Bit (LSB) steganography to conceal the configuration within the image. 
It\r\nfirst checks the retrieved image file to make sure that it is large enough to contain a payload length encoded on 32\r\nbits. For each pixel, it extracts the LSB of the current channel before incrementing the channel index. Channels\r\nare incremented from 0 to 2, following the RGB – Red, Green and Blue – order. This process produces a\r\nbit stream with the following pattern (with R, G, B respectively designating the Red, Green and Blue channels,\r\nand the digit indicating the current pixel index): R0, G0, B0, R1, G1, B1, R2, G2, B2, [...] .\r\nThis bit stream is then converted to an integer value which is the expected payload length. The latter is\r\nchecked to be positive and not to exceed 5,242,880 bytes (which may be related to an old file size limit\r\nfor the Telegram Bot API).\r\nThen, the implant proceeds to the payload retrieval, performing an LSB extraction 8 times the number of bytes of\r\nthe payload.\r\nThe extracted configuration is made of a list of key-value pairs separated by a | , and formatted as follows:\r\nxor=\u003cvalue\u003e|tel=\u003cvalue\u003e|chat=\u003cvalue\u003e|m1=\u003cvalue\u003e|m2=\u003cvalue\u003e|m3=\u003cvalue\u003e|m4=\u003cvalue\u003e|m5=\u003cvalue\u003e\r\nEach value is Base64- and XOR-decoded using the provided key ( xor being the only value which is simply\r\nBase64-encoded). Based on the previous example, the implant configuration is the following:\r\ntel : Telegram API token;\r\nchat : Telegram chat ID;\r\nm1 , m2 , m3 , m4 , m5 : URLs to retrieve modules 1 to 5 (see section Modules).\r\nEvery 10 loop iterations, SloppyMIO attempts to refresh its configuration by retrieving the contents of the GitHub\r\nGist providing the image download URL.\r\nModules\r\nSloppyMIO has the ability to retrieve and execute different modules from a repository (in our case, Google\r\nDrive). 
The analyzed sample’s configuration implementation suggests that it could support 10 specific modules,\r\nalthough the download implementation handles the retrieval of 5 modules.\r\nThe implant provides a caching mechanism for the modules so that a new download is not required each time an\r\noperator wants to run one of them. The downloaded modules remain available from the cache for 60 minutes\r\nafter their compilation or last execution time. The cache is updated each time a module has to be run, and outdated\r\nmodules are removed prior to running the target module. This results in the latter being downloaded again if it has\r\nnot been used within the past 60 minutes.\r\nThe modules can be distributed as text files containing the Base64- and XOR-encoded C# source code of the\r\nmodule, or as already compiled DLLs. SloppyMIO relies on the document file name extension to make the\r\ndistinction between these 2 cases ( .cs or .dll ). If a module is downloaded as source code, it is compiled to\r\nproduce an in-memory assembly. Prior to adding it to the list of cached modules, the implant checks for the\r\npresence of a public static Run() method which is to be invoked upon module execution.\r\nThe analyzed sample supports the following modules:\r\ncm : execute arbitrary commands via cmd.exe ;\r\ndo : collect files on the compromised host (path provided as a parameter). A ZIP archive is created for\r\neach collected file, taking into account the Telegram API file size limits. In the module we analyzed, 2\r\nconcurrent threads are used to perform the upload;\r\nup : write a file to %LOCALAPPDATA%\\Microsoft\\CLR_v4.0_32\\NativeImages\\ . The file’s data is encoded\r\nwithin an image retrieved via the Telegram API. In this case, the relevant data is encoded within the blue\r\nchannel of each pixel. 
Once retrieved, from top to bottom and right to left, the data stores the following\r\ninformation:\r\nthe file length, encoded using the first 4 bytes;\r\nthe file extension, encoded using the next 10 bytes;\r\nthe file’s content, starting from byte 14.\r\npr : create a scheduled task ( Enterprise Workstation Health Monitoring ) using the TaskScheduler\r\nCOM interface in order to run an executable, whose path is provided as a parameter, every 2 hours;\r\nra : start a process by providing an executable file path and optional parameters.\r\nNote that when SloppyMIO is loaded, it downloads and runs the pr module in order to set up persistence for the\r\nexecutable associated with its host process before entering an infinite loop, expecting commands from the\r\noperators.\r\nC2 communication\r\nBeaconing mechanism\r\nUpon execution, SloppyMIO signals that it is available by sending the [\u003cid\u003e] - is online -- \u003cdate-time\u003e\r\nmessage via the Telegram bot to the configured Telegram chat ID, where \u003cid\u003e consists of the compromised\r\nmachine name, the current user name, and the first 6 characters of a generated unique identifier, concatenated with\r\n_ acting as a separator: \u003cMACHINE-NAME\u003e_\u003cuser-name\u003e_\u003cfirst-6-characters-of-a-generated-uid\u003e .\r\nThroughout its execution, the implant signals its availability by sending a [\u003cid\u003e] - is online \u003csleep-time\u003e --\r\n\u003cdate-time\u003e message via the Telegram bot, where \u003csleep-time\u003e is the duration it will remain idle, in\r\nmilliseconds.\r\nReceiving commands\r\nSloppyMIO regularly attempts to retrieve an update from the Telegram bot. After each received update, it will\r\nsleep between 5 seconds and 1 minute before attempting to retrieve another update. 
If no update could be\r\nretrieved, the implant sleeps between 1 and 15 minutes before querying the bot for an update again.\r\nIf an update message contains a document or photo accompanied by a caption, SloppyMIO checks if the latter\r\ncontains the dllexec string pattern. In that case, it processes the document in order to retrieve a module (either\r\na C# source code file or a compiled DLL) to execute. If the message’s caption does not contain dllexec , it\r\nruns the up module in order to upload a file to the compromised system. Note that the implant\r\ndoes not check for the presence of the up command in the caption.\r\nIf the retrieved message does not contain any document or photo, but does contain text, the latter is\r\nprocessed as an input command by the implant. The following string commands are expected (provided hereafter\r\nin lowercase as the comparison is not case-sensitive):\r\ndownload : runs the do module, which downloads one or several files from the\r\ncompromised system;\r\ncmd : runs the cm module, which allows arbitrary command execution;\r\nrunapp : starts a process (see Modules section).\r\nData is sent back to the C2 server via the Telegram bot messages themselves, or via documents (with test.txt\r\nas a filename) if the size of the data exceeds 50000 bytes.\r\nNote that for each action or command, SloppyMIO checks that the received document caption or message text\r\nstarts with the [\u003cid\u003e] string pattern.\r\nImplant process termination\r\nWhen the user logs off or shuts down the compromised host, SloppyMIO sends a [\u003cid\u003e] - End With:\u003csession-ending-reason\u003e -- \u003cdate-time\u003e message to the Telegram bot, where \u003csession-ending-reason\u003e specifies either\r\na log off or a system shutdown.\r\nInfrastructure\r\nThe threat actor relied on legitimate 
services to host its malware modules (Google Drive), act as a Dead Drop\r\nResolver (GitHub), and provide a C2 channel (Telegram). While this somewhat limits our ability to pivot and\r\ndiscover additional, related infrastructure, it still divulges some useful information.\r\nThe GitHub account that is used for this campaign, johnpeterson1304 ( johnpeterson202024@proton.me ), was\r\nregistered on September 20, 2025. It does not host any public repositories, but published 15 Gists, dating back to\r\nOctober 4, 2025. These Gists and their revisions show the developer’s progress on SloppyMIO, with 9 different\r\nversions of the steganographic configuration image. The malware developer introduced an additional module over\r\ntime, but mostly made changes to the Telegram bot configuration data.\r\nBelow is a complete timeline of the malware developer’s GitHub Gist commits, spanning from October 4, 2025 to\r\nJanuary 23, 2026:\r\nFigure 4 – Timeline of all Gist commits\r\nWe suspect that the Google accounts used to host the modules and the steganographic image were most likely\r\nstolen. The malware developer used a total of two accounts, and for one of them we could find a legitimate owner.\r\nTelegram bots and accounts\r\nWe observed a total of 9 variations of configuration data implanted into the same AI-generated kittens image,\r\ndating from October 4, 2025 to December 16, 2025. We also discovered a total of 13 Telegram bots, operated by 7\r\naccounts. One of the accounts, named “Mech-One”, had its language set to Farsi ( \"language_code\":\"fa\" ).\r\nMonitoring the bots’ activity, we were able to catch commands sent to a few infected hosts. However, it appears\r\nthat these compromised hosts were running in sandbox environments. 
The Telegram bots are configured to send\r\nthe command results back to the operators’ respective Telegram accounts, preventing us from catching the\r\nresponses.\r\nNevertheless, knowing the operators’ Telegram accounts, we could filter for commands sent by them. The\r\ncommands seen on January 26, 2026 are listed below:\r\nTime (GMT) Victim ID Command\r\n14:39:14 cd81b9 tasklist\r\n14:42:06 cd81b9 ipconfig\r\n14:43:42 cd81b9 dir C:\\\r\n14:44:44 cd81b9 tasklist\r\n14:48:03 cd81b9 tasklist\r\n16:22:27 484c8c tasklist\r\n16:33:28 a5f879 wmic computersystem get model,manufacturer\r\n16:33:50 484c8c whoami\r\n16:34:15 a5f879 wmic computersystem get model,manufacturer\r\n16:34:16 a5f879 wmic computersystem get model,manufacturer\r\n16:34:32 484c8c whoami\r\n16:34:39 a5f879 wmic computersystem get model,manufacturer\r\n16:35:33 a5f879 wmic logicaldisk get name,size,freespace,filesystem\r\nNote that bots could be hijacked to receive commands from third parties, but they submit the results only to the\r\nconfigured Telegram accounts.\r\nTargets\r\nThe malicious samples were uploaded from the Netherlands to an online multiscanner on January 23, 2026. At the\r\ntime of writing, we cannot confirm if the uploader was an intended target or a researcher. 
Monitoring the bot\r\ncommands, we only observed malware check-ins coming from sandbox environments.\r\nWe believe that non-governmental organizations and individuals involved in documenting recent human rights\r\nviolations, as well as the horrendous level of violence demonstrated by the Iranian regime towards protesters, may\r\nbe the intended targets of this campaign.\r\ncommit 57ebb18dc884db19a3471d7b8473fc315088a93e\r\nAuthor: johnpeterson1304 \u003cjohnpeterson202024@proton.me\u003e\r\nDate: Mon Oct 27 08:14:11 2025 -0700\r\nTimelining the commits using these timezones, we obtain strange working hours:\r\nFigure 5 – Hourly distribution of git commits as they were reported\r\nShifting the commit hours to a more likely 9-5 spread, we observe a good match with the UTC/GMT\r\ntimezone:\r\nFigure 6 – Hourly distribution of git commits shifted to UTC\r\nThis hourly breakdown also fits the Google Drive files’ creation times:\r\nFigure 7 – Hourly distribution of Google Drive file uploads\r\nWe therefore assume that the malware developer(s) were operating around the GMT timezone.\r\nConclusion: letting AI do all the heavy lifting\r\nRedKitten represents an AI-accelerated campaign that exploits the humanitarian crisis surrounding Iran’s Dey\r\n1404 protests. 
While precise attribution remains difficult, similarities in Tactics, Techniques, and Procedures\r\n(TTPs) as well as other artifacts we discovered clearly point to a Farsi-speaking threat actor aligned with Iranian\r\nstate interests.\r\nThe threat actor’s reliance on commoditized infrastructure (GitHub, Google Drive and Telegram) hinders\r\ntraditional infrastructure-based tracking but paradoxically exposes useful metadata and poses other operational\r\nsecurity challenges to the threat actor.\r\nAlthough AI tools likely enabled the malware developer to introduce support for modular implants and to\r\nincorporate capabilities like steganography, they could not compensate for an apparently hasty integration and lack of\r\ndeep technical understanding. The reliance on generative AI is perhaps best exemplified by an unedited code\r\ncomment found in one of the malware developer’s Gists: “ULTRA-RELIABLE \u0026 STEALTHY VBSCRIPT STAGER\r\n(Final Production Version)”. We leave it to the reader to imagine what the prompt for this response looked like.\r\nAppendix: indicators and detection rules\r\nIndicators of compromise (IOCs)\r\nAssociated IOCs are also available on our GitHub repository.\r\nFile paths\r\n%LOCALAPPDATA%\\WindowsMediaSync\\AppVStreamingUX_Multi_User.dll|SloppyMIO\r\nScheduled task names\r\n^MediaSyncTask[1-9][0-9]{2}$|Initial execution (regular expression: MediaSyncTask followed by a number between\r\nEnterprise Workstation Health Monitoring|Scheduled task used for persistence\r\nYARA rules\r\nrule trr260101_sloppymio {\r\n    meta:\r\n        description = \"Detects SloppyMIO, a C# implant leveraged by an Iranian threat actor in January 2026.\"\r\n        references = \"TRR260101\"\r\n        hash = \"6d474cf5aeb58a60f2f7c4d47143cc5a11a5c7f17a6b43263723d337231c3d60\"\r\n        date = \"2026-01-28\"\r\n        author = \"HarfangLab\"\r\n        context = \"file\"\r\n    strings:\r\n        $s1 = \"AppVStreamingUXMainOff\" fullword\r\n        $s2 = \"Process exiting. Restart if allowed.\" wide fullword\r\n        $s3 = \"[ errors in module '\" wide fullword\r\n        $s4 = \"[Error] Method '' not found in module '\" wide fullword\r\n        $s5 = \"href=[\\\"'](.*?/raw/.*?/\" wide\r\n        $s6 = \"FREE|\" wide fullword\r\n        $s7 = \"USED|\" wide fullword\r\n        $s8 = \"GET FAILED:\" wide fullword\r\n        $s9 = \"PATCH FAILED: \" wide fullword\r\n        $s10 = \"FILE NOT FOUND IN GIST\" wide fullword\r\n        $s11 = \"CONTENT FIELD NOT FOUND\" wide fullword\r\n        $m1 = \"StegoLsb\" fullword\r\n        $m2 = \"CachedModule\" fullword\r\n        $m3 = \"SystemEvents_SessionEnding\" fullword\r\n        $m4 = \"ExecuteCoreLogic\" fullword\r\n        $m5 = \"BuildInputParams\" fullword\r\n        $m6 = \"SendAsFileFromMemory\" fullword\r\n        $m7 = \"SendReplyInParts\" fullword\r\n        $m8 = \"ExecuteLib\" fullword\r\n        $m9 = \"ExecuteDirectModule\" fullword\r\n        $m10 = \"ExecuteModule\" fullword\r\n        $m11 = \"DownloadModuleCode\" fullword\r\n        $m12 = \"CompileDirectModuleCode\" fullword\r\n        $m13 = \"CompileModuleCode\" fullword\r\n        $m14 = \"GistRawLink\" fullword\r\n        $m15 = \"GetRemoteConfig\" fullword\r\n        $m16 = \"GetGistJson\" fullword\r\n        $m17 = \"UpdateGist\" fullword\r\n    condition:\r\n        filesize \u003c 100KB and\r\n        uint16be(0) == 0x4D5A and\r\n        (6 of ($s*) or (all of ($m*)))\r\n}\r\nSource: https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/"
	],
	"report_names": [
		"redkitten-ai-accelerated-campaign-targeting-iranian-protests"
	],
	"threat_actors": [
		{
			"id": "1c4fa1ca-2d9a-47d4-9176-8cdc067481c5",
			"created_at": "2026-02-11T02:00:03.94265Z",
			"updated_at": "2026-04-10T02:00:03.969007Z",
			"deleted_at": null,
			"main_name": "RedKitten",
			"aliases": [],
			"source_name": "MISPGALAXY:RedKitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ddc3f060f4190a4c29b374f1e8b309a5b175b16.pdf",
		"text": "https://archive.orkl.eu/8ddc3f060f4190a4c29b374f1e8b309a5b175b16.txt",
		"img": "https://archive.orkl.eu/8ddc3f060f4190a4c29b374f1e8b309a5b175b16.jpg"
	}
}