A new campaign targeting non-governmental organizations and individuals documenting recent human rights abuses is suspected to be the work of a Farsi-speaking threat actor who supports Iranian state interests. RedKitten is the code name for the activity that HarfangLab observed in January 2026. This article also covers a backdoor known as Drokbk.
The activity is said to have coincided with the widespread unrest in Iran that began at the end of 2025 in protest of rising food costs, a depreciating currency, and soaring inflation. The subsequent crackdown has resulted in widespread casualties and an internet blackout. The French cybersecurity firm stated, "The malware uses Telegram for command-and-control, and relies on GitHub and Google Drive for configuration and modular payload retrieval."
In late 2022, Secureworks (now part of Sophos) described a campaign by a sub-cluster of the Iranian nation-state group Nemesis Kitten that used GitHub as a conduit to distribute a backdoor known as Drokbk. Adversaries' increasing use of artificial intelligence (AI) tools further complicates matters by making it harder for defenders to differentiate between actors. "The threat actor's reliance on commoditized infrastructure (GitHub, Google Drive, and Telegram) hinders traditional infrastructure-based tracking but paradoxically exposes useful metadata and poses other operational security challenges to the threat actor," according to HarfangLab.
The disclosure comes a few weeks after Nariman Gharib, a UK-based Iranian activist and independent cyberespionage investigator, disclosed a phishing link ("whatsapp-meeting.duckdns[.]org") that spreads via WhatsApp and uses a phony WhatsApp Web login page to harvest victims' credentials. "The page polls the attacker's server every second via /api/p/{victim_id}/," Gharib clarified.
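The once-per-second polling of `/api/p/{victim_id}/` that Gharib describes is a beaconing pattern a defender can hunt for in web proxy logs. The following is an added detection example written for this article, not code from HarfangLab or Gharib; the log format and the sample lines are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log, one request per line: "<ISO time> <client> <host> <path>".
SAMPLE_LOG = """\
2026-01-12T09:00:00 10.0.0.5 whatsapp-meeting.duckdns.org /api/p/abc123/
2026-01-12T09:00:01 10.0.0.5 whatsapp-meeting.duckdns.org /api/p/abc123/
2026-01-12T09:00:02 10.0.0.5 whatsapp-meeting.duckdns.org /api/p/abc123/
2026-01-12T09:00:03 10.0.0.5 whatsapp-meeting.duckdns.org /api/p/abc123/
2026-01-12T09:00:04 10.0.0.5 whatsapp-meeting.duckdns.org /api/p/abc123/
2026-01-12T09:00:05 10.0.0.5 whatsapp-meeting.duckdns.org /api/p/abc123/
2026-01-12T09:00:00 10.0.0.7 api.example.com /api/p/xyz/
2026-01-12T09:05:00 10.0.0.7 api.example.com /api/p/xyz/
2026-01-12T09:00:00 10.0.0.9 static.example.com /assets/app.js
"""

# Path shape quoted in the article: /api/p/{victim_id}/
POLL_PATH = re.compile(r"^/api/p/([^/]+)/$")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (timestamp, client, host, path) from the constructed log format."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, client, host, path = m.groups()
            yield datetime.fromisoformat(ts), client, host, path


def find_polling(log_text, min_hits=5, max_median_gap=2.0):
    """Flag (client, host, victim_id) tuples that hit the polling path at least
    min_hits times with a median gap between requests of max_median_gap seconds
    or less. A handful of widely spaced requests (10.0.0.7) is not flagged."""
    hits = defaultdict(list)
    for ts, client, host, path in parse(log_text):
        m = POLL_PATH.match(path)
        if m:
            hits[(client, host, m.group(1))].append(ts)
    alerts = []
    for (client, host, victim_id), stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if median(gaps) <= max_median_gap:
            alerts.append({"client": client, "host": host, "victim_id": victim_id,
                           "requests": len(stamps), "median_gap_s": median(gaps)})
    return alerts
```

Each alert names the client, the contacted host and the per-victim identifier embedded in the path, which is enough to pivot into the user's session and block the host.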