VERY IMPORTANT

RedKitten is a newly identified campaign targeting Iranian interests, first observed in January 2026. The malware uses GitHub and Google Drive for configuration and payload retrieval, and Telegram for command and control. It appears to exploit the Dey 1404 Protests in Iran, targeting organizations documenting human rights abuses. The threat actor rapidly built this campaign using AI tools, as evidenced by traces of LLM-assisted development. While attribution is not definitive, the activity aligns with Iranian state-sponsored attackers. The malware, dubbed SloppyMIO, can fetch modules, execute commands, collect files, and deploy additional malware with persistence.