Threat Intelligence, AI/ML

AI tapped by Iranian hackers in protest-aimed cyberattacks

Iran Flag Digital Binary Code Cyberpunk Technology Concept

Iran-linked threat actors have leveraged large language models to underpin cyberattacks aimed at individuals and non-governmental organizations reporting human rights abuses during nationwide protests as part of the RedKitten campaign, according to The Hacker News.

Intrusions commenced with the delivery of a 7-ZIP archive with a Farsi filename containing Microsoft Excel files purporting to include protester death details with an illicit VBA macro, a report from French cybersecurity firm HarfangLab showed. Activating the macro, which is suspected to be AI-based due to its format, enables AppDomainManager injection of the C-based SloppyMIO implant that leverages GitHub as a dead drop resolver. Aside from retrieving and caching various modules and executing arbitrary commands, SloppyMIO also allows file exfiltration and further malware distribution.

"The threat actor's reliance on commoditized infrastructure (GitHub, Google Drive, and Telegram) hinders traditional infrastructure-based tracking but paradoxically exposes useful metadata and poses other operational security challenges to the threat actor," said HarfangLab.

Such a development follows a phishing campaign against UK-based Iranian activist Nariman Gharib, as well as the sweeping data leak impacting Iranian state-backed hacking group Charming Kitten.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds