New Iran-Linked 'RedKitten' Group Targets Human Rights NGOs with AI-Suspected Malware

Farsi-Speaking Threat Actor 'RedKitten' Uses Sophisticated Malware in Espionage Campaign Against Human Rights Activists

Severity: MEDIUM
Published: February 1, 2026
Updated: February 2, 2026
Categories: Threat Actor, Malware, Phishing

Related Entities (initial)

Threat Actors: RedKitten

Organizations: HarfangLab

Products & Tech: GitHub, Google Drive, Microsoft Excel, Telegram

Full Report (when first published)

Executive Summary

Researchers at HarfangLab have identified a new cyber-espionage campaign attributed to a Farsi-speaking threat actor named RedKitten, believed to be aligned with Iranian state interests. The campaign, active in January 2026, specifically targets non-governmental organizations (NGOs) and individuals involved in documenting human rights abuses in Iran. The initial attack vector is a phishing email containing a malicious Microsoft Excel document. The malware is highly modular and leverages legitimate services—GitHub, Google Drive, and Telegram—for command-and-control (C2) and payload hosting, making it difficult to detect. The sophistication and structure of the malware have led researchers to suspect the use of Large Language Models (LLMs) in its development, signaling a potential evolution in threat actor capabilities.


Threat Overview

The RedKitten campaign is a politically motivated espionage operation designed to gather intelligence on and disrupt the activities of human rights organizations. The timing of the campaign coincides with a period of nationwide unrest in Iran, suggesting a direct link to the government's efforts to suppress dissent.

Attack Vector: The attack begins with a targeted phishing email. The email contains a 7-Zip archive with a Farsi filename, designed to look enticing to the target. Inside the archive is a Microsoft Excel file, which also has a lure-based filename (e.g., a list of deceased protesters). The Excel file contains malicious VBA macros.

Execution Flow:

  1. Lure: The victim is tricked into opening the Excel file and enabling macros.
  2. Downloader: The VBA macro acts as a downloader, connecting to a C2 server to fetch the next stage of the malware.
  3. Modular Malware: The main payload is modular and uses public services to operate:
    • Configuration & Payloads: It retrieves its configuration files and additional malicious modules from repositories on GitHub and folders in Google Drive.
    • Command and Control: It uses the Telegram messaging API for C2 communications, sending stolen data and receiving commands from the attackers. This traffic blends in with legitimate Telegram usage, making it difficult to block at a network level.

Technical Analysis

The most novel aspect of this campaign is the suspected use of AI in its creation. Researchers noted that the code's structure, comments, and overall orchestration were unusually clean and well-organized, leading them to hypothesize that an LLM may have assisted the developers. This could allow less-skilled actors to produce more sophisticated malware or enable advanced actors to accelerate their development lifecycle.

MITRE ATT&CK TTPs

Impact Assessment

  • Targeted Espionage: The primary impact is the theft of sensitive information from human rights organizations. This could include the identities of activists, sources, and victims of abuse, placing these individuals at extreme risk.
  • Chilling Effect: Successful cyberattacks against NGOs can create a chilling effect, discouraging activists from their work due to fear of surveillance and reprisal.
  • Threat Actor Evolution: If the use of LLMs for malware development is confirmed, it represents a significant evolution in the threat landscape. It could lower the barrier for creating sophisticated tools and increase the overall volume and quality of malware.

Cyber Observables for Detection

| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| network_traffic_pattern | Outbound connections to api.telegram.org from non-browser processes | The malware uses the Telegram API for C2. Such traffic from unexpected processes is highly suspicious. | Firewall logs, EDR network logs | high |
| network_traffic_pattern | Outbound connections to raw.githubusercontent.com or drive.google.com/uc | The malware fetches payloads and configuration from GitHub and Google Drive. | Proxy logs, DNS logs | high |
| file_name | *.xlsm | The initial vector is a macro-enabled Excel file. Scrutinize all incoming .xlsm files. | Email gateway, endpoint analysis | medium |
| command_line_pattern | powershell.exe -w hidden -enc | VBA macros often use PowerShell to download and execute the next stage. Encoded commands are a common evasion tactic. | EDR logs, PowerShell script block logging | high |

Detection & Response

  • Detect: Monitor network traffic for connections to api.telegram.org, github.com, and drive.google.com from unusual processes. Use an EDR solution to monitor for Office applications spawning shell or script processes (e.g., Excel.exe -> powershell.exe). Enable and analyze PowerShell script block logging (Event ID 4104) to deobfuscate and inspect executed commands.
  • Response: If a compromise is detected, isolate the host and block the identified C2 domains and IPs at the firewall. Preserve the initial phishing email and malicious document for forensic analysis. Investigate other hosts for similar activity, as the attackers may have moved laterally.
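The observables table and the Detect bullet above describe three checks: connections to the named C2 hosts from processes that have no reason to make them, an Office application spawning a shell or script host, and a hidden, base64-encoded PowerShell command line. The following Python is an added example (not HarfangLab's or the article author's code) that applies those three checks to EDR-style JSON-lines events. The event field names (type, image, parent_image, dest_host, command_line), the allowlist of processes expected to reach those hosts, and the list of script hosts are assumptions to tune for your own telemetry; the sample events and the encoded payload are constructed and benign. The encoded command is only decoded for analyst review, never executed.

```python
import base64
import json
import re
from dataclasses import dataclass

# Hosts from the observables table; the article gives domains only, no IPs.
C2_HOSTS = {"api.telegram.org", "raw.githubusercontent.com", "drive.google.com"}
# Assumed allowlist of processes expected to reach those hosts; tune it to your fleet.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe", "git.exe"}
# Office parents and script/shell children for the "Excel.exe -> powershell.exe" rule (assumed lists).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# -enc / -EncodedCommand (and its short forms) followed by a base64 blob; -w hidden / -WindowStyle hidden.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")


@dataclass
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased (os.path does not split '\\' on Linux)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: dict) -> list:
    """Apply the three detections from the article to one EDR-style event."""
    alerts = []
    proc = basename(event.get("image", ""))
    if event.get("type") == "network_connect":
        host = event.get("dest_host", "").lower()
        if host in C2_HOSTS and proc not in EXPECTED_CLIENTS:
            alerts.append(Alert("c2_host_from_unexpected_process", f"{proc} -> {host}"))
    elif event.get("type") == "process_create":
        parent = basename(event.get("parent_image", ""))
        if parent in OFFICE_APPS and proc in SCRIPT_HOSTS:
            alerts.append(Alert("office_spawns_script_host", f"{parent} -> {proc}"))
        cmdline = event.get("command_line", "")
        if proc in {"powershell.exe", "pwsh.exe"} and HIDDEN_RE.search(cmdline) and ENC_RE.search(cmdline):
            decoded = decode_encoded_command(cmdline)
            alerts.append(Alert("hidden_encoded_powershell", decoded or "<undecodable payload>"))
    return alerts


def scan(lines) -> list:
    """Run evaluate() over JSON-lines events, skipping blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alerts.extend(evaluate(event))
    return alerts


# Constructed, benign payload standing in for whatever the macro would actually run.
STAGE2_PLACEHOLDER = "Write-Host 'stage2 placeholder'"
ENCODED = base64.b64encode(STAGE2_PLACEHOLDER.encode("utf-16-le")).decode()

# Constructed sample events in a Sysmon/EDR-like JSON-lines shape (not real telemetry).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"type": "network_connect", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "dest_host": "api.telegram.org"}),
    json.dumps({"type": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "dest_host": "drive.google.com"}),
    json.dumps({"type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "command_line": f"powershell.exe -w hidden -enc {ENCODED}"}),
    json.dumps({"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"}),
])

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{a.rule}] {a.detail}")
```

Against the sample events the scan raises three alerts: PowerShell reaching api.telegram.org, Excel spawning PowerShell, and the hidden encoded command with its decoded text; Chrome reaching drive.google.com and Explorer spawning cmd.exe are left alone. The host rule deliberately matches on the destination name only, so a proxy log that carries the full URL can tighten the GitHub and Google Drive rule to the raw.githubusercontent.com and drive.google.com/uc paths the table names.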

Mitigation

  • Block Macros: The most effective mitigation is to configure Microsoft Office to block all macros in files that originate from the internet. (M1028 - Operating System Configuration)
  • User Training: Train high-risk users, such as those in NGOs, to identify and report phishing attempts. Emphasize the danger of opening unsolicited attachments and enabling macros. (M1017 - User Training)
  • Egress Filtering: Restrict outbound network connections to only what is required for business purposes. While blocking all of GitHub, Google Drive, and Telegram may not be feasible, monitoring and restricting access from server segments or non-developer workstations can be effective. (M1037 - Filter Network Traffic)
  • Application Control: Use application control to prevent unauthorized scripts and executables from running, which can stop the malware's execution chain even if the initial macro is enabled. (M1038 - Execution Prevention)

Timeline of Events

  1. January 31, 2026: HarfangLab reports on the 'RedKitten' campaign active during January 2026.
  2. February 1, 2026: This article was published.

Article Updates

February 2, 2026 (severity increased)

New details on RedKitten campaign reveal C# implant 'SloppyMIO' using password-protected Excel, steganography, and AppDomain Manager injection for stealth.

Further analysis of the RedKitten campaign identifies the C# implant as 'SloppyMIO'. Initial access is now confirmed via password-protected Excel spreadsheets, a technique used to bypass email gateway scanning. The malware employs advanced evasion tactics including steganography to hide its configuration and AppDomain Manager injection for stealthy execution. Persistence is achieved through scheduled tasks. These new technical details highlight increased sophistication and evasiveness, making detection and mitigation more challenging for targeted human rights NGOs and activists.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

AI, Espionage, Iran, Malware, NGO, Phishing, RedKitten, Telegram