What happened
A cyber espionage campaign attributed to an Iran-linked threat actor known as RedKitten was observed targeting NGOs and human rights activists. The campaign used malicious Excel files with embedded VBA macros themed around protest-related content to lure victims into enabling execution. Once activated, the documents deployed a backdoor called SloppyMIO, which relied on cloud services such as GitHub and Google Drive for configuration and used Telegram for command-and-control communications.
Who is affected
Human rights organizations and individuals who opened the malicious Excel files were affected through installation of backdoor malware.
Why CISOs should care
The activity demonstrates continued use of social engineering and cloud-based infrastructure by state-aligned actors.
3 practical actions
- Scan for malicious macro usage. Detect suspicious Excel macro execution.
- Monitor cloud storage access. Identify misuse of GitHub or Google Drive for payload delivery.
- Inspect Telegram traffic. Look for command-and-control indicators.