RedKitten Is Prowling The Pasture And Your Lambs Are Handing Out Free Grain
Oh good. Another Tuesday. Another coyote in the field. I haven't slept since what I believe was last Thursday and my fourth coffee is cold and somehow there is STILL a new campaign to write about.
Let me tell you about RedKitten.
Iran-linked threat actors, operating under this adorable little name, have been running a targeted campaign against human rights NGOs and activists. Adorable name. Genuinely horrifying operation. The coyote has a bow on its collar and it will still eat your flock whole.
Here is how it works. They send malicious Excel files. Excel. The spreadsheet software that the lambs treat like a toy and management treats like a business intelligence platform. The files contain macros, and here is the part that made me put my head on my desk: the macros were reportedly generated using AI tools.
The coyotes are using AI now. The lambs are still clicking "Enable Content" like it says "Free Grain Inside." I need everyone to sit with that for a moment.
Once the macros execute, the parasites get in. We are talking remote access, data exfiltration, persistent infection. The whole bad day. And to keep their operation quiet and hard to trace, RedKitten routes a lot of this activity through the Sky Pasture. Cloud services. Legitimate-looking infrastructure. The electric fence sees a trusted hostname and just waves it right through.
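Because the electric fence only checks whether the hostname is trusted, the catch has to come from context the fence does not look at: which lamb is talking, what process on that lamb is doing the talking, at what hour, and how much it is carrying. The PowerShell below is an added example of that kind of check (my own illustration, not anything from the RedKitten report or from any vendor tool). It runs over a handful of constructed proxy-log lines embedded in the script; the `.test` domain names, host names and the allowlists are assumptions you replace with your own.

```powershell
# Added example: flag "Sky Pasture" (cloud/file-hosting) egress that is suspicious by context
# even though every destination hostname below would pass a reputation check.
# Sample log lines are CONSTRUCTED for this example, not real traffic.
# Columns: timestamp, source host, destination host, originating process, bytes sent.
$SampleLog = @'
2026-01-13T09:12:04,WS-ACCOUNTING-03,sharepoint.example-org.test,OUTLOOK.EXE,1843
2026-01-13T14:05:31,WS-VOLUNTEER-07,files.cloud-storage.test,EXCEL.EXE,320
2026-01-14T02:07:19,WS-VOLUNTEER-07,files.cloud-storage.test,powershell.exe,20488731
2026-01-14T02:09:02,WS-VOLUNTEER-07,api.paste-bucket.test,powershell.exe,5120
2026-01-14T10:30:45,WS-COMMS-01,files.cloud-storage.test,chrome.exe,90011
'@

# Domain suffixes that count as "Sky Pasture" (assumed placeholder names; use your own list).
$CloudSuffixes = @('cloud-storage.test', 'paste-bucket.test')

# Hosts with a documented business reason to push data to those services (assumed).
$ExpectedCloudHosts = @('WS-COMMS-01')

# Processes that normally originate a user's cloud traffic. Office binaries and
# script hosts are not on this list on purpose.
$ExpectedProcesses = @('chrome.exe', 'msedge.exe', 'OneDrive.exe')

function Test-CloudDestination {
    param([string]$Destination)
    foreach ($suffix in $CloudSuffixes) {
        if ($Destination -eq $suffix -or $Destination -like "*.$suffix") { return $true }
    }
    return $false
}

function Find-SuspiciousCloudEgress {
    param([string]$LogText)
    $events = $LogText | ConvertFrom-Csv -Header 'Timestamp', 'SourceHost', 'Destination', 'Process', 'BytesSent'
    foreach ($e in $events) {
        # Only cloud/file-hosting destinations are in scope for this rule.
        if (-not (Test-CloudDestination $e.Destination)) { continue }

        $reasons = @()
        $hour = ([datetime]$e.Timestamp).Hour
        if ($ExpectedCloudHosts -notcontains $e.SourceHost) {
            $reasons += 'host has no business reason for cloud egress'
        }
        if ($ExpectedProcesses -notcontains $e.Process) {
            $reasons += "unexpected originating process ($($e.Process))"
        }
        if ($hour -lt 6 -or $hour -ge 22) {
            $reasons += "off-hours ($($hour):00)"
        }
        if ([long]$e.BytesSent -gt 10MB) {
            $reasons += 'large upload'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Timestamp   = $e.Timestamp
                SourceHost  = $e.SourceHost
                Destination = $e.Destination
                Process     = $e.Process
                BytesSent   = [long]$e.BytesSent
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Run against the constructed sample. WS-COMMS-01 using a browser in daytime is not flagged;
# the volunteer workstation is flagged for every event, and the 02:07 upload trips all four checks.
Find-SuspiciousCloudEgress -LogText $SampleLog | Format-Table -AutoSize
```

The point of the design is that none of the four checks needs the destination to be "bad". A trusted hostname plus the wrong lamb, the wrong process, the wrong hour, or the wrong volume is enough to open a ticket, which is exactly the gap a hostname-only fence leaves.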
The targets are not random. This is deliberate. Human rights organizations. Activists. People doing genuinely important work who are now dealing with a sophisticated nation-state coyote because one lamb opened a spreadsheet that had absolutely no business being opened.
The Shepherds, naturally, are probably in a meeting about Q3 budget alignment right now.
This campaign is a textbook example of spear-luring. It is not a spray-and-pray operation. RedKitten did research. They crafted convincing fake grain. They picked specific members of the flock and sent them something that looked real enough to click. That is the part that should scare you more than any of the technical details.
Sophistication is not always about the exploit. Sometimes it is just about knowing which lamb is tired and distracted enough to click.
Remediation
Fine. Here. I wrote it. You owe me a nap.
Disable macros. All of them. By default. Right now. If a Shepherd says "but my workflow," you look them in the eye and you disable the macros anyway.
Macro execution should require explicit Group Policy approval. Not a popup. Not a yellow bar. Policy. Enforced. Centrally. Done.
Train the flock on spear-luring specifically. Not the generic "don't click weird links" training they click through in four minutes. Real training. With fake grain exercises. With consequences.
Block or heavily scrutinize Sky Pasture traffic from endpoints that have no reason to be talking to it. Your volunteer coordinator does not need to be making API calls to file hosting services at 2am.
Patch your Office suite. Shear it regularly. I know nobody wants to hear it. Do it anyway.
If you are an NGO or activist organization, assume you are a target. Not a maybe. A yes. Threat model accordingly and please for the love of all things woolly, get someone technical to look at your environment before the coyote already has.
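The macro items above come down to a few registry-backed policy values plus a couple of Defender rules, so here is an added PowerShell example (mine, not from the report) that audits one Windows endpoint for the lockdown and can enforce it as a stopgap. It writes the same values the Office ADMX Group Policy templates write (VBA Macro Notification Settings, and Block macros from running in Office files from the Internet), which makes it handy for confirming your central policy actually landed on a given lamb. The durable fix is still the central GPO or Intune policy, as the list says. Assumptions: Office 2016/2019/365 under the `16.0` policy hive, Microsoft Defender Antivirus present for the Attack Surface Reduction rules, the HKCU part run as the user and `Add-MpPreference` run elevated.

```powershell
# Added example: audit and optionally enforce the macro lockdown on a single endpoint.
# Assumes Office policy hive version 16.0 and Microsoft Defender Antivirus.
$OfficeApps = @('Excel', 'Word', 'PowerPoint')
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Registry values behind the two Group Policy settings named above.
# VBAWarnings 4 = "Disable all without notification". The second value blocks
# macros in files that carry the Mark-of-the-Web (downloaded / emailed attachments).
$DesiredMacroPolicy = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1
}

# Defender Attack Surface Reduction rules relevant to macro-delivered payloads
# (rule GUIDs as published in Microsoft's ASR rule reference).
$AsrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
}

function Get-MacroPolicyState {
    # One object per app/setting: what is configured now versus what we want.
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        foreach ($name in $DesiredMacroPolicy.Keys) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Current   = $current
                Desired   = $DesiredMacroPolicy[$name]
                Compliant = ($current -eq $DesiredMacroPolicy[$name])
            }
        }
    }
}

function Set-MacroPolicyState {
    # Writes the policy values locally. Supports -WhatIf so you can preview first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if ($PSCmdlet.ShouldProcess($key, 'Create policy key and set macro values')) {
            New-Item -Path $key -Force | Out-Null
            foreach ($name in $DesiredMacroPolicy.Keys) {
                New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                    -Value $DesiredMacroPolicy[$name] -Force | Out-Null
            }
        }
    }
}

function Set-OfficeAsrRules {
    # Enables the ASR rules in block mode. Requires an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($id in $AsrRules.Keys) {
        if ($PSCmdlet.ShouldProcess($AsrRules[$id], 'Enable ASR rule')) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                -AttackSurfaceReductionRules_Actions Enabled
        }
    }
}

# Audit first, then preview the changes; drop -WhatIf when you mean it.
Get-MacroPolicyState | Format-Table -AutoSize
Set-MacroPolicyState -WhatIf
Set-OfficeAsrRules -WhatIf
```

Two notes on using it: the `Policies` hive is what the yellow bar cannot override, which is the whole reason to write there rather than to the user's Trust Center settings; and the audit function is the part worth scheduling, because a GPO that silently fails to apply looks identical to a GPO that was never written.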
I am going to go lie down on the server room floor now. Do not ticket me.
NeglectedSheep out.
Original Report: https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html