SloppyMIO Backdoor
A Farsi-speaking threat actor assessed to be aligned with Iranian state interests is suspected of orchestrating a new cyber-espionage campaign targeting non-governmental organizations and individuals involved in documenting recent human rights violations. Security researchers identified the activity in January 2026 and assigned it the codename RedKitten.
Political Context and Targeting Strategy
The campaign coincides with widespread unrest in Iran that began in late 2025, driven by sharp inflation, escalating food prices, and severe currency devaluation. Subsequent government crackdowns reportedly resulted in significant casualties and prolonged internet disruptions. The operation appears designed to exploit this environment by preying on people searching for information about missing or deceased protesters, using their emotional distress to create urgency and lower skepticism.
Initial Infection Vector and LLM-Driven Development
The intrusion chain begins with a 7-Zip archive carrying a Farsi-language filename. Inside are Microsoft Excel spreadsheets containing malicious macros. These XLSM files purport to list protesters killed in Tehran between December 22, 2025, and January 20, 2026; however, inconsistencies such as mismatched ages and birthdates indicate the data is fabricated. When macros are enabled, a VBA-based dropper deploys a C# implant named 'AppVStreamingUX_Multi_User.dll' using AppDomainManager injection.
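AppDomainManager injection works by pointing a legitimate .NET program at an attacker-supplied managed assembly, either through the `<runtime>` section of the program's `.exe.config` or through the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables; the CLR then loads that assembly before the program's own code runs. The following hunt script is an added example written for this article, not code from the RedKitten report or the malware; it checks both locations for that redirection. The sample config, the manager type name `AppVStreamingUX_Multi_User.Manager` and the paths are constructed (only the assembly name comes from the DLL named in the report).

```python
"""Hunt for AppDomainManager injection artifacts (added example).

Checks the two places the .NET Framework reads an AppDomainManager from:
the <runtime> section of a program's .exe.config and the
APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Environment variables the CLR consults for an AppDomainManager.
ADM_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


@dataclass
class Finding:
    source: str        # "config:<path>" or "env"
    assembly: str      # assembly display name, e.g. "Foo, Version=1.0.0.0, ..."
    manager_type: str  # fully qualified type name


def scan_config_xml(xml_text: str, source: str = "config") -> list[Finding]:
    """Return one Finding per <runtime> element that sets an AppDomainManager."""
    root = ET.fromstring(xml_text)
    findings = []
    for runtime in root.iter("runtime"):
        asm_el = runtime.find("appDomainManagerAssembly")
        type_el = runtime.find("appDomainManagerType")
        if asm_el is None and type_el is None:
            continue
        findings.append(Finding(
            source=source,
            assembly=asm_el.get("value", "") if asm_el is not None else "",
            manager_type=type_el.get("value", "") if type_el is not None else "",
        ))
    return findings


def scan_environment(env: dict) -> list[Finding]:
    """Flag a process environment that redirects the AppDomainManager."""
    if not any(var in env for var in ADM_ENV_VARS):
        return []
    return [Finding("env", env.get("APPDOMAIN_MANAGER_ASM", ""),
                    env.get("APPDOMAIN_MANAGER_TYPE", ""))]


def scan_directory(root_dir: str) -> list[Finding]:
    """Walk a directory tree and scan every *.exe.config it contains."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(scan_config_xml(fh.read(), f"config:{path}"))
            except (OSError, ET.ParseError):
                continue  # unreadable or malformed config: skipped, not a finding
    return findings


# Constructed sample: a config that redirects the AppDomainManager to an
# assembly named after the DLL reported in the campaign (type name constructed).
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="AppVStreamingUX_Multi_User.Manager" />
  </runtime>
</configuration>
"""

# Constructed sample: an ordinary config that only pins the target framework.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

if __name__ == "__main__":
    for f in scan_config_xml(SUSPICIOUS_CONFIG) + scan_environment(dict(os.environ)):
        print(f"[!] AppDomainManager set via {f.source}: {f.assembly} -> {f.manager_type}")
```

Run `scan_directory()` over `Program Files` and user profile directories; any hit is worth a look, since legitimate software almost never sets an AppDomainManager, and a `.exe.config` whose assembly name does not match a DLL shipped by the same vendor is a strong signal.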
Code analysis suggests that large language models were likely used in development, based on the macro's structure, naming conventions, and embedded comments resembling automated or instructional prompts.
SloppyMIO Backdoor Architecture and Capabilities
The implanted backdoor, tracked as SloppyMIO, relies heavily on legitimate cloud and collaboration platforms. GitHub is used as a dead drop resolver to obtain Google Drive URLs hosting images that conceal configuration data via steganography. Extracted settings include Telegram bot credentials, chat identifiers, and links to additional payloads.
SloppyMIO supports multiple functional modules that enable command execution, file collection and exfiltration, payload deployment, persistence through scheduled tasks, and process execution. The malware can download, cache, and run these modules on demand, giving operators broad control over compromised systems.
Supported functional modules include:
- Command execution via the Windows command interpreter
- File collection and ZIP-based exfiltration sized to Telegram API limits
- File writing to a local application data directory using image-encoded payloads
- Scheduled-task creation for recurring execution
- Arbitrary process initiation
Command-and-Control via Telegram
Beyond modular payload delivery, SloppyMIO maintains continuous communication with its operators using the Telegram Bot API. The implant beacons system status, polls for instructions, and transmits collected data through Telegram chats, while also supporting direct tasking from a separate command-and-control endpoint.
Observed operator commands include:
- Triggering file collection and exfiltration
- Executing arbitrary shell commands
- Launching specified applications or processes
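The architecture described above (GitHub as a dead-drop resolver, Google Drive hosting the stego image, Telegram as the C2 channel) is unusual enough in sequence that it can be caught in ordinary web telemetry even though each destination is individually benign. The script below is an added example, not code from the report; it applies two checks to constructed endpoint telemetry lines: any Telegram Bot API call from a non-allowlisted process (with the bot token redacted before it reaches an alert), and the GitHub, then Google Drive, then Telegram sequence from one host within a short window. Host names, the process name `clienthost.exe`, the repository path, file id and bot token are all constructed.

```python
"""Detect SloppyMIO-style trusted-service C2 in web telemetry (added example).

Check 1: Telegram Bot API calls (api.telegram.org/bot<token>/<method>) from
         any process not on an allowlist, token redacted in the alert.
Check 2: the dead-drop sequence GitHub -> Google Drive -> Telegram from the
         same host inside a time window.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")
TELEGRAM_BOT_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)")
GITHUB_RE = re.compile(r"^https://(raw\.githubusercontent\.com|github\.com|gist\.github\.com)/")
GDRIVE_RE = re.compile(r"^https://(drive\.google\.com|drive\.usercontent\.google\.com)/")


@dataclass
class Event:
    ts: datetime
    host: str
    proc: str
    url: str


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry line of the form '<ts> host=.. proc=.. url=..'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable telemetry line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                 m["host"], m["proc"], m["url"])


def redact_token(url: str) -> str:
    """Replace the bot token so it never lands in an alert or ticket."""
    return TELEGRAM_BOT_RE.sub(
        lambda m: f"https://api.telegram.org/bot<REDACTED>/{m['method']}", url)


def detect_bot_api(events, allowed_procs=frozenset()) -> list[dict]:
    """Check 1. `allowed_procs` holds lower-case process names permitted to use the Bot API.
    sendDocument is the upload method (bots may send files up to 50 MB), so it is the
    exfiltration call to prioritise; getUpdates is the polling/tasking call."""
    alerts = []
    for e in events:
        m = TELEGRAM_BOT_RE.match(e.url)
        if m and e.proc.lower() not in allowed_procs:
            alerts.append({"host": e.host, "proc": e.proc, "method": m["method"],
                           "url": redact_token(e.url), "ts": e.ts.isoformat()})
    return alerts


def detect_dead_drop_chain(events, window=timedelta(minutes=30)) -> list[dict]:
    """Check 2: first GitHub -> Google Drive -> Telegram chain per host within `window`."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    chains = []
    for host, evs in by_host.items():
        github = [e for e in evs if GITHUB_RE.match(e.url)]
        gdrive = [e for e in evs if GDRIVE_RE.match(e.url)]
        telegram = [e for e in evs if TELEGRAM_BOT_RE.match(e.url)]
        found = next(((g, d, t) for g in github for d in gdrive for t in telegram
                      if g.ts < d.ts < t.ts and t.ts - g.ts <= window), None)
        if found:
            chains.append({"host": host,
                           "procs": sorted({e.proc for e in found}),
                           "urls": [redact_token(e.url) for e in found]})
    return chains


# Constructed telemetry: WS01 shows the full chain from one process; WS02 is a
# user browsing GitHub and Drive with no Telegram traffic and must not alert.
SAMPLE_LOG = """
2026-01-15T09:12:03Z host=WS01 proc=clienthost.exe url=https://raw.githubusercontent.com/example-user/example-repo/main/readme.txt
2026-01-15T09:12:09Z host=WS01 proc=clienthost.exe url=https://drive.google.com/uc?export=download&id=EXAMPLEFILEID
2026-01-15T09:12:20Z host=WS01 proc=clienthost.exe url=https://api.telegram.org/bot123456:EXAMPLETOKEN/getUpdates
2026-01-15T09:14:00Z host=WS01 proc=clienthost.exe url=https://api.telegram.org/bot123456:EXAMPLETOKEN/sendDocument
2026-01-15T10:00:00Z host=WS02 proc=chrome.exe url=https://github.com/example-user/example-repo
2026-01-15T10:05:00Z host=WS02 proc=chrome.exe url=https://drive.google.com/file/d/EXAMPLEFILEID/view
"""


def run(log_text: str = SAMPLE_LOG) -> tuple[list[dict], list[dict]]:
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    return detect_bot_api(events), detect_dead_drop_chain(events)


if __name__ == "__main__":
    bot_alerts, chain_alerts = run()
    for a in bot_alerts:
        print(f"[bot-api] {a['ts']} {a['host']} {a['proc']} {a['method']} {a['url']}")
    for c in chain_alerts:
        print(f"[dead-drop] {c['host']} {c['procs']}: " + " -> ".join(c['urls']))
```

Check 1 on its own is noisy in environments that run legitimate Telegram bots, which is why the process allowlist exists; check 2 is the higher-fidelity signal, because a single process touching all three services in order within minutes matches the implant's start-up behaviour and very little else.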
Attribution and Historical Parallels
Attribution to Iranian-aligned actors is based on multiple indicators: Farsi-language artifacts, lure themes tied to domestic unrest, and tactical overlap with earlier campaigns. Notably, similarities exist with operations attributed to Tortoiseshell, which previously abused malicious Excel files and AppDomainManager injection, as well as a 2022 campaign linked to a Nemesis Kitten sub-cluster that used GitHub to distribute the Drokbk backdoor. The increasing use of AI-assisted tooling further complicates actor differentiation and attribution confidence.
Parallel Phishing Operations and Broader Impact
Separately, investigators disclosed a phishing campaign delivered through WhatsApp that uses a spoofed WhatsApp Web interface hosted on a DuckDNS domain. The page continuously polls an attacker-controlled endpoint to display a live QR code linked to the adversary's own WhatsApp Web session. Victims who scan the code unknowingly authenticate the attacker's session, granting them full access to the victim's account. The phishing infrastructure also requests browser permissions for camera, microphone, and geolocation access, effectively enabling real-time surveillance.
Additional findings indicate related activity aimed at harvesting Gmail credentials, including passwords and two-factor authentication codes, through counterfeit login pages. Approximately 50 individuals have been affected, spanning members of the Kurdish community, academics, government personnel, business leaders, and other high-profile figures. The operators behind these phishing efforts and their precise motivations remain unconfirmed.
Operational Tradecraft and Defensive Implications
The extensive use of commoditized platforms such as GitHub, Google Drive, and Telegram hampers traditional infrastructure-based tracking while simultaneously introducing exploitable metadata and operational security risks for the attackers. Combined with the growing adoption of AI by threat actors, campaigns like RedKitten underscore the need for defenders to focus on behavioral analysis, content validation, and user awareness rather than relying solely on infrastructure indicators.