惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
V
Visual Studio Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Forbes - Security
Forbes - Security
人人都是产品经理
人人都是产品经理
N
Netflix TechBlog - Medium
Recent Commits to openclaw:main
Recent Commits to openclaw:main
WordPress大学
WordPress大学
Webroot Blog
Webroot Blog
Jina AI
Jina AI
H
Hacker News: Front Page
Attack and Defense Labs
Attack and Defense Labs
T
Troy Hunt's Blog
TaoSecurity Blog
TaoSecurity Blog
AI
AI
Hacker News - Newest:
Hacker News - Newest: "LLM"
Google Online Security Blog
Google Online Security Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Help Net Security
Help Net Security
美团技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 叶小钗
P
Privacy International News Feed
A
Arctic Wolf
IT之家
IT之家
云风的 BLOG
云风的 BLOG
S
Security Affairs
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
博客园 - 司徒正美
Vercel News
Vercel News
C
Cyber Attacks, Cyber Crime and Cyber Security
SecWiki News
SecWiki News
K
Kaspersky official blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
N
News and Events Feed by Topic
S
Schneier on Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
有赞技术团队
有赞技术团队
PCI Perspectives
PCI Perspectives
F
Fortinet All Blogs
T
Tenable Blog
Spread Privacy
Spread Privacy
T
The Blog of Author Tim Ferriss
S
Securelist
L
LangChain Blog
Latest news
Latest news
Cloudbric
Cloudbric
博客园 - 三生石上(FineUI控件)

www.infosecurity-magazine.com

Just Three Ransomware Gangs Accounted for 40% of Attacks Last Month Google Chrome Rolls Out Protection Against Infostealers Targeting Session Cookies STX RAT Targets Finance Sector With Advanced Stealth Tactics Bitcoin Depot Reports $3.6m Crypto Theft After System Breach Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings Middle East Hack-for-Hire Operation Traced to South Asian Cyber Espionage Group Governance Gaps Emerge as AI Agents Drive 76% Increase in NHIs Google Warns of New Threat Group Targeting BPOs and Helpdesks Google API Keys Quietly Gain Access to Gemini on Android Devices Critical Vulnerability in Ninja Forms Exposes WordPress Sites Anthropic Launches Project Glasswing to Use AI to Find and Fix Critical Software Vulnerabilities US Thwarts DNS Hijacking Network Controlled by Russian APT28 Hackers Claude Discovers Apache ActiveMQ Bug Hidden for 13 Years Iran‑Backed Threat Actors Hit US CNI Providers via Internet‑Facing OT Assets Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns GPU Rowhammer Attack Enables Privilege Escalation and Full System Compromise GrafanaGhost Exploit Bypasses AI Guardrails for Silent Data Exfiltration Over $17bn Lost to Cyber Fraud in the Last Year, Warns FBI Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited New Phishing Platform Used in Credential Theft Campaigns Against C-Suite Execs New 'Storm' Infostealer Remotely Decrypts Stolen Credentials NCSC Issues Security Alert Over Hackers Targeting WhatsApp and Signal Accounts Apple Expands iOS 18 Security Updates Amid DarkSword Threat Researchers Observe Sub-One-Hour Ransomware Attacks GitHub Used as Covert Channel in Multi-Stage Malware Campaign Most CNI Firms Face Up to £5m in Downtime from OT Attacks Google Introduces Android Dev Verification Amid Openness Debate New Venom Stealer MaaS Platform Automates Continuous Data Theft Chinese Hackers Target European Governments in Espionage Campaigns Eight in 10 UK Manufacturers Hit by Cyber Incident in a Year Hackers Hijack Axios npm Package to Spread RATs Maryland Man Charged Over $53m Uranium Finance Crypto Hack Phantom Project Bundles Infostealer, Crypter and RAT For Sale ChatGPT Security Issue Enabled Data Theft via Single Prompt TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets Employee Data Breaches Surge to Seven-Year High NCSC Urges Immediate Patching of F5 BIG-IP Bug Cybercriminals Exploit Tax Season With New Phishing Tactics Lloyds IT Glitch Exposed Data of Nearly 500,000 Banking Customers DeepLoad Malware Combines ClickFix With AI-Generated Code to Avoid Detection Critical Citrix NetScaler Vulnerability Exploited in the Wild ICO Fines UK Nuisance Call Scammers £100,000 European Commission Confirms Cloud Data Breach New Wave of AiTM Phishing Targets TikTok for Business TeamPCP Targets Telnyx Package in Latest PyPI Software Supply Chain Attack Quantum Computing Threat to Encryption Is Closer Than Expected, Warns Google UK Cracks Down on Chinese Crypto Marketplace for Funding Southeast Asia Scam Hubs Security Researchers Sound the Alarm on Vulnerabilities in AI-Generated Code Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds EtherRAT Techniques Bypass Security Via Ethereum Smart Contracts AI Becomes the Top Cybersecurity Priority for Defenders as Criminals Exploit It, PwC Warns OpenAI Expands Bug Bounty to Cover AI Abuse and 'Safety' Concerns Iran-Linked Pay2Key Ransomware Group Re-Emerges Invoice Fraud Costs UK Construction Sector Millions, NCA Warns Cloud Phones Linked to Rising Financial Fraud Threat Hackers Exploit Compromised Enterprise Identities at Industrial Scale, Warns SentinelOne US: FCC Bans Foreign-Made Routers Over National Security Concerns TeamPCP Expands Supply Chain Campaign With LiteLLM PyPI Compromise Experts Sound Alarm Over “Prompt Poaching” Browser Extensions Operation Henhouse Nets Over 500 Arrests in UK Fraud Crackdown RSA Conference: UK NCSC Head Urges Industry to Develop Vibe Coding Safeguards Silver Fox Cyber Campaigns Show Shift Toward Dual Espionage Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities New Npm 'Ghost Campaign' Uses Fake Install Logs to Hide Malware Former Ukrainian Foreign Minister Dmytro Kuleba to Address the New Cyber Frontline at Infosecurity Europe Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security Russian Initial Access Broker Handed 81-Month Sentence Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals Most Cybersecurity Staff Don’t Know How Fast They Could Stop a Cyber-Attack on AI Systems Tycoon2FA Phishing Service Resumes Activity Post-Takedown High-Tech Sector Overtakes Finance as Top Target for Cyber-Attacks, Mandiant Reports Trivy Supply Chain Attack Expands With New Compromised Docker Images CISA Orders US Government to Patch Maximum Severity Cisco Flaw Operation Alice Takes Down 370,000+ Dark Web Sites Hackers Exploit Critical Langflow Bug in Just 20 Hours NCA Boss Warns That Teens Are Being “Radicalized” Into Cybercrime Online Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation Financial Brands Targeted in Global Mobile Banking Malware Surge FCA Updates Cyber Incident and Third-Party Reporting Rules AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs New Ubuntu Flaw Enables Local Attackers to Gain Root Access Crypto Scam "ShieldGuard" Dismantled After Malware Discovery AI-Enabled Adversaries Compress Time-to-Exploit Following Vulnerability Disclosure Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats AI Issues Will Drive Half of Incident Response Efforts by 2028, Says Gartner Android OS-Level Attack Bypasses Mobile Payment Security 'CursorJack’ Attack Path Exposes Code Execution Risk in AI Development Environment Surge in Nation State Attacks on UK Firms Amid Cyber Warfare Fears Aeternum Botnet Shifts Command Control to Polygon Blockchain Leading Semiconductor Supplier Advantest Hit by Ransomware Attack Remcos RAT Expands Real-Time Surveillance Capabilities SMEs Wrong to Assume They Won’t Be Hit by Cyber-Attacks, NCSC Boss Warns Google Warns of In the Wild Exploit as It Patches New Chrome Zero Day Phorpiex Phishing Delivers Low-Noise Global Group Ransomware BridgePay Confirms Ransomware Attack, No Card Data Compromised New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability Labyrinth Chollima Evolves into Three North Korean Hacking Groups Google Disrupts Extensive Residential Proxy Networks
New AI-Developed Malware Campaign Targets Iranian Protests
Kevin Poireault · 2026-01-30 · via www.infosecurity-magazine.com

A new malicious campaign is spreading malware against people in Iran, likely including non-governmental organizations and individuals involved in documenting recent human rights abuses during the protest wave in the country.

The campaign, discovered by the cyber threat research team at French cybersecurity firm HarfangLab, was first observed in early January 2026.

HarfangLab obtained malicious samples on January 23 and shared a malware analysis on January 29.

Dubbed RedKitten by the researchers, the campaign distributes forged ‘shock lures’ designed to target organizations or individuals seeking information about missing persons or political dissidents. These lures lead to a malware implant, dubbed SloppyMIO, that can collect and exfiltrate data, run arbitrary commands and deploy further malware with persistence via scheduled tasks.

The malware relies on GitHub and Google Drive for configuration and modular payload retrieval and uses Telegram for command and control.

The HarfangLab researchers assessed that it was built using AI tools, as indicated by multiple traces of large language model-assisted (LLM) development.

While the researchers could not reliably attribute the activity to an identified threat actor, they observed the use of techniques previously known to have been employed by Iranian state-sponsored attackers, alongside linguistic indicators.

They stated that they were confident the activity originated from a threat actor aligned with the Iranian government’s security interests.

Fake Forensic Files to Target Dissidents and Researchers

The RedKitten campaign begins with a password-protected 7z archive, titled "Tehran Forensic Medical Files" in Farsi, containing five malicious Excel spreadsheets. The files claim to list 200 individuals, allegedly protesters, who died in Tehran between December 2025 and January 2026, a period marked by unrest against the Iranian regime.

The Excel documents, named to appear as official records (e.g., "Final List_Victims_December 1404_Tehran_Part One.xlsm"), include five tabs of fabricated but disturbing data.

One sheet lists victims’ personal details alongside the security forces involved, such as the Islamic Revolutionary Guard Corps (IRGC), the Basij militia or the Ministry of Intelligence, while another provides graphic autopsy reports, including toxicology results. A third tab tracks body releases to family members and a final "Help" sheet urges users to enable macros, triggering the malware.

Message instructing user to enable macros on a malicious Excel document. Source: HarfangLab
Message instructing user to enable macros on a malicious Excel document. Source: HarfangLab

According to the HarfangLab researchers, the lures are designed to exploit emotional distress, targeting activists, journalists or families searching for missing loved ones.

However, the researchers noted that the data is riddled with inconsistencies, such as mismatched ages and birthdates and implausible workloads for the listed doctors, suggesting fabrication. The level of detail, including specific security agencies tied to each death, appears calculated to shock and provoke urgency – a tactic the researchers said is consistent with past Iranian cyber operations.

SloppyMIO Implant: Data Theft, Exfiltration and Spyware Capabilities

When opened, the malicious Excel file prompts the user to “Enable Content,” triggering a hidden VBA macro, a small program embedded in the document. This macro quietly extracts a more dangerous payload, a piece of malware written in C# that the HarfangLab researchers have dubbed SloppyMIO.

The name SloppyMIO hints at its messy design, as each infection generates slightly different code, making it harder for security tools to recognize and block.

Once activated, the malware uses clever tricks to avoid detection. It copies a legitimate Windows program (like AppVStreamingUX.exe) to a hidden folder, then forces it to load the malicious code as if it were a normal part of the system. To ensure it keeps running, the malware creates a scheduled task that launches itself every time the computer starts.

The hackers also left clues in the code suggesting it was at least partially generated by AI, with oddly named variables and comments that read like automated notes.

Unlike traditional malware that connects to suspicious servers, SloppyMIO uses Telegram to receive commands from its operators.

It first sends a "beacon" message to a hacker-controlled Telegram bot, announcing that the infected computer is online. The malware then periodically checks for new instructions, disguised as innocent chat messages.

To make detection even harder, the hackers hide their malware’s settings inside seemingly normal images (like memes or stock photos) using a technique called steganography, where data is concealed in the tiny, imperceptible details of a picture.

Once installed, SloppyMIO can perform a range of spying and sabotage tasks, including the following:

  • Collect and exfiltrate files
  • Run commands on the victim’s computer
  • Download additional malware
  • Install backdoors for long-term access

The hackers can send orders through Telegram, telling the malware to search for specific documents, execute programs or even spread to other machines.

Some versions of the malware also try to maintain persistence by creating scheduled tasks that reinstall it if removed.

RedKitten’s Victimology and Attribution

The malicious samples were uploaded by the HarfangLab researchers in the Netherlands to an online multiscanner. They said they cannot confirm if the uploader was an intended target or a researcher.

“We believe that non-governmental organizations and individuals involved in documenting recent human rights violations, as well as the horrendous level of violence demonstrated by the Iranian regime towards protesters, may be the intended targets of this campaign,” they wrote.

While the researchers did not clearly attribute this campaign at this stage, its infection chain shows overlaps with the tactics, techniques and procedures (TTPs) of the Iranian, IRGC-aligned threat actor Yellow Liderc (aka Imperial Kitten, TA456).

“Notably, this group has previously relied on malicious Excel documents to deliver .NET malware via ‘AppDomain Manager Injection’, specifically hijacking the same legitimate Windows binary, AppVStreamingUX.exe,” they wrote.

Additionally, the researchers outlined several clues in the RedKitten infrastructure that suggest the threat actor has links with previously observed Iran-aligned threat groups and speaks Farsi. For instance, the use of GitHub as a Dead Drop Resolver (DDR) and the use of Telegram for command-and-control (C2) have been reported in campaigns by separate Iranian threat clusters since 2022.

The researchers even noted the "tongue-in-cheek" use of kitten imagery in the payload, suggesting that the attackers may be playfully acknowledging the ‘Kitten’ naming convention commonly used by cybersecurity firms and government agencies to identify Iran-linked hacking groups.

Example of an image file used to store the malware configuration. Source: HarfangLab
Example of an image file used to store the malware configuration. Source: HarfangLab

“Distinguishing between Iranian-nexus actors is increasingly challenging due to the communalities shared between them and the growing adoption of LLMs in attack campaigns. This has been reported in groups such as Crimson Sandstorm and across the broader Iranian APT landscape,” the researchers concluded.