AI-accelerated campaign targeting Iranian protests
Essential information
- Published
- 29/01/2026 21:45
- Modified
- 30/01/2026 08:19
- Tags
- 2026-01-29 ai-assisted appdomainmanager injection github google drive iran protests sloppymio steganography telegram
- Related entities
- 13 observables, 1 intrusion sets (apt), 1 malware, 3 others
Description
RedKitten is a newly identified campaign, first observed in January 2026, that targets Iranian interests. It appears to use the Dey 1404 protests in Iran as its theme, targeting organizations that document human rights abuses. The malware, dubbed SloppyMIO, retrieves its configuration and payloads from GitHub and Google Drive and uses Telegram for command and control; it can fetch modules, execute commands, collect files, and deploy additional malware with persistence. Traces of LLM-assisted development indicate that the threat actor built the campaign rapidly with AI tools. Attribution is not definitive, but the activity aligns with Iranian state-sponsored attackers.
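The infrastructure pattern described above (configuration and payloads staged on GitHub and Google Drive, command and control over Telegram) can be turned into a simple hunting heuristic. The following is an added example, not code or detection content from the report: it correlates, per source host, fetches from the staging services with traffic to the Telegram Bot API inside a short window. The proxy log lines, the field layout, the domain lists and the 30-minute window are all assumptions made for the example.

```python
"""
Hunting heuristic (added example, not from the report): flag hosts whose
web-proxy log shows both a fetch from a GitHub/Google Drive URL and a
request to the Telegram Bot API within a short time window.
Log lines, field layout, domain lists and window size are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log, one request per line:
# "<ISO timestamp> <source host> <method> <url>"
SAMPLE_LOG = """\
2026-01-12T09:00:01 ws-17 GET https://raw.githubusercontent.com/example/repo/main/cfg.png
2026-01-12T09:00:03 ws-17 GET https://drive.google.com/uc?export=download&id=EXAMPLEID
2026-01-12T09:00:09 ws-17 POST https://api.telegram.org/botEXAMPLE/getUpdates
2026-01-12T09:30:00 ws-22 GET https://raw.githubusercontent.com/example/other/main/README.md
2026-01-12T13:00:00 ws-22 POST https://api.telegram.org/botEXAMPLE/sendMessage
2026-01-12T10:00:00 ws-31 GET https://drive.google.com/file/d/EXAMPLE/view
"""

# Assumed host lists: services used for staging and for C2 in the pattern above.
STAGING_HOSTS = ("raw.githubusercontent.com", "github.com",
                 "drive.google.com", "docs.google.com")
C2_HOSTS = ("api.telegram.org",)


def parse_line(line):
    """Split one constructed log line into (timestamp, source host, method, url)."""
    ts, src, method, url = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, method, url


def host_of(url):
    """Return the lower-cased host part of an http(s) URL."""
    return url.split("/", 3)[2].lower()


def find_suspicious_hosts(log_text, window=timedelta(minutes=30)):
    """Return {source_host: [(staging_url, telegram_url), ...]} for every
    source host that contacted a staging service and the Telegram Bot API
    within `window` of each other. Hosts that only touch one side are not
    reported, since both services have plenty of legitimate use."""
    staging = defaultdict(list)   # src -> [(ts, url)]
    c2 = defaultdict(list)        # src -> [(ts, url)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, url = parse_line(line)
        host = host_of(url)
        if host in STAGING_HOSTS:
            staging[src].append((ts, url))
        elif host in C2_HOSTS:
            c2[src].append((ts, url))

    hits = {}
    for src, c2_requests in c2.items():
        pairs = [(s_url, c_url)
                 for s_ts, s_url in staging.get(src, [])
                 for c_ts, c_url in c2_requests
                 if abs(c_ts - s_ts) <= window]
        if pairs:
            hits[src] = pairs
    return hits


if __name__ == "__main__":
    for src, pairs in find_suspicious_hosts(SAMPLE_LOG).items():
        print(f"{src}: {len(pairs)} staging/C2 pair(s) within window")
        for s_url, c_url in pairs:
            print(f"  {s_url}  ->  {c_url}")
```

On the constructed log only ws-17 is reported: it fetches from GitHub and Google Drive and then polls the Telegram Bot API within seconds. ws-22 touches both services but hours apart, and ws-31 never contacts Telegram, so neither is flagged. A hit from this heuristic is a triage lead, not a verdict; the next step would be to pull the fetched objects and the process that issued the requests.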