“Red Kitten” is an advanced persistent threat group affiliated with the Islamic Revolutionary Guard Corps (IRGC), which started its activities in January 2026, during the country-wide protests. It appears that the group has conducted a campaign targeting NGOs and human rights activists who participated in these protests. Although the main target of the campaign was NGOs, other governmental officials and activists have also been targeted.
According to a recent report by HarfangLab, a French cybersecurity company, the group uses a type of malware that relies on GitHub and Google Drive for configuration and delivery, and on Telegram for command and control. The attack involves sending a 7-Zip archive with Persian file names containing corrupt Excel documents. It is important to note that the attack used large language models and artificial intelligence. The corrupt documents reportedly contained personal information about protesters who were killed in Tehran between December 22, 2025 and January 20, 2026. It is likely that the purpose of the attack was to target individuals searching for information about friends and family members who were killed during the protests.
The infection chain of the Red Kitten attack shows similarities to that of the threat group “Yellow Liderc” or “Imperial Kitten”, which is also under the command of the IRGC. TechCrunch has reported that the aim of the attack was to steal credentials, and that around 50 people were affected by this campaign.
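The lure described above (a 7-Zip archive whose Persian-named entries are corrupt Excel documents) lends itself to a simple defender-side triage check. The following is an added example written for this page, not code from HarfangLab or from the report; it assumes the archive has already been extracted into a name-to-bytes mapping, and it treats "corrupt" as "claims to be an Excel workbook but fails OOXML structural validation", which is an assumption about the report's wording. The sample entries are constructed for the example, not real campaign artifacts.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Hypothetical triage helper (added example): flag archive entries that claim to be
# Excel workbooks but are not structurally valid OOXML, and note Persian-script names.
# Whether such a file is actually malicious still requires analysis; this only
# prioritises entries matching the lure pattern the report describes.

OOXML_REQUIRED = {"[Content_Types].xml", "xl/workbook.xml"}
EXCEL_EXT = (".xlsx", ".xlsm", ".xltx", ".xltm")
# The Arabic Unicode block covers the Persian alphabet.
PERSIAN_RE = re.compile(r"[\u0600-\u06FF]")


@dataclass
class Finding:
    name: str
    reasons: list


def has_persian_name(name: str) -> bool:
    """True if the file name contains any Arabic-script (incl. Persian) character."""
    return bool(PERSIAN_RE.search(name))


def is_valid_excel(data: bytes) -> bool:
    """Structural check: a real .xlsx is a ZIP container with the OOXML workbook parts."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:  # a damaged member is reported here
                return False
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return OOXML_REQUIRED.issubset(names)


def triage(entries: dict) -> list:
    """Return a Finding for every entry that matches at least one lure indicator."""
    findings = []
    for name, data in entries.items():
        reasons = []
        if has_persian_name(name):
            reasons.append("persian-script-filename")
        if name.lower().endswith(EXCEL_EXT) and not is_valid_excel(data):
            reasons.append("claims-excel-but-not-valid-ooxml")
        if reasons:
            findings.append(Finding(name, reasons))
    return findings


def make_minimal_xlsx() -> bytes:
    """Build the smallest ZIP that passes the OOXML structural check (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


# Constructed sample archive contents; the names and bytes are not from the campaign.
SAMPLE_ENTRIES = {
    "گزارش.xlsx": make_minimal_xlsx(),  # Persian name, structurally valid workbook
    "فهرست.xlsx": b"\x00\x01corrupt",    # Persian name, corrupt file posing as Excel
    "readme.txt": b"hello",              # benign, should produce no finding
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENTRIES):
        print(finding.name, finding.reasons)
```

On the constructed input, only the two Persian-named entries are reported, and only the corrupt one carries both indicators. In practice the structural check is the useful signal: a Persian file name alone is expected in any Persian-language mailbox, so it should raise priority, not trigger blocking on its own.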