A new cyber campaign attributed to Iranian state actors is sending shockwaves across the global landscape of human rights defenders and activists. The RedKitten campaign has been tied to Ravin Academy. This cybersecurity school, opened in 2019, was founded by Seyed Mojtaba Mostafavi and Farzin Karimi, both of whom are operatives of Iran’s Ministry of Intelligence and Security (MOIS). Unfortunately, this dangerous new reality reflects the continued risks that state-sponsored cyber threats, namely those originating in Russia, pose to our homeland.
Only 20 days later, in early October 2025, one of the largest breaches ever occurred: a publicly available database exposed detailed, descriptive information on 1,051 adults enrolled in training programs at Ravin Academy. Most importantly, this leak showed the Iranian government’s complicity in the tragic deaths of Tehran’s protesters during a particularly bad period, from December 22, 2025 to January 20, 2026.
The leaked database contained XLSM spreadsheets embedded with the same malicious VBA macro. This macro was designed to deploy a C#-based implant using a technique known as AppDomainManager injection. Tactics of this kind go beyond demonstration showmanship; they set a dangerous precedent for the security of people’s personal information and open the door to widespread surveillance.
Background on Ravin Academy
Founded in 2019, Ravin Academy has emerged as one of the standard-setting institutions in Iran’s cybersecurity ecosystem. The academy was co-founded by Mostafavi and Karimi. It has raised concerns that it acts as a recruitment and training facility for hacktivists sympathetic to the Iranian regime.
Gharib, a leading authority on state-sponsored cyber activity, emphasized the strategic importance of the academy’s dual-purpose paradigm. He stated, “The model allows MOIS to outsource initial recruitment and vetting while maintaining operational control through the founders’ direct relationship with the intelligence service.” This framework builds human capital for cyber operations while also shielding the government from individual accountability.
The academy is still open. More recently, it has come under fire for its part in extending the agency’s influence over those pursuing both defensive and offensive cyber initiatives. The impact of its operations reaches beyond Iran’s borders, with a chilling effect on civil society organizations and activists who fight for human rights.
The RedKitten Campaign
The RedKitten campaign has been laser-focused on non-governmental organizations and individuals engaged in documenting human rights abuses in Iran. Observed by HarfangLab in January 2026 and tracked as campaign #405, it uses advanced techniques to drop malicious payloads on its target victims.
The RedKitten attack involves a 7-Zip archive. This archive has an unusual Farsi filename and is filled with Microsoft Excel files carrying VBA macros. These documents compromise users’ systems and enable the malicious actors to steal sensitive data.
The campaign’s reach has affected approximately 50 individuals from diverse backgrounds, including members of the Kurdish community, academics, government officials, and business leaders. This wide-ranging targeting reflects the campaign’s apparent goal to surveil, accumulate dirt on, and intimidate anyone who opposes the status quo.
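The two artefacts described above, macro-laden Excel workbooks and a .NET implant loaded through AppDomainManager injection, both leave footprints a defender can check for without executing anything. The following triage helpers are an added example written for this article; they are not code from the article, from HarfangLab, or from the campaign. The workbook and config samples are constructed in memory, and the "Helper" assembly and type names in the sample config are placeholders. The element names `appDomainManagerAssembly` / `appDomainManagerType` and the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables are the documented .NET Framework settings that the technique abuses.

```python
"""Defensive triage for the two artefact types in the RedKitten description:
OOXML workbooks that carry a VBA project, and .NET application config files or
environment variables that redirect the AppDomainManager (the loader hook that
AppDomainManager injection abuses). Added example; inputs are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Office Open XML stores macro code in exactly this package part; an .xlsm or
# .xlsx that contains it has a VBA project regardless of its extension.
VBA_PART = "xl/vbaProject.bin"

# Documented .NET Framework <runtime> elements that point the CLR at a custom
# AppDomainManager assembly/type (legitimate but rare in ordinary software).
ADM_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Environment-variable equivalents honoured by the .NET Framework CLR.
ADM_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def workbook_has_macros(xlsm_bytes: bytes) -> bool:
    """True if the OOXML package contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
            return VBA_PART in zf.namelist()
    except zipfile.BadZipFile:
        # Not an OOXML package at all (e.g. legacy .xls); caller handles separately.
        return False


def _localname(tag: str) -> str:
    """Strip an XML namespace prefix like '{urn:...}name' down to 'name'."""
    return tag.rsplit("}", 1)[-1]


def appdomainmanager_overrides(config_xml: str) -> dict:
    """Return {element: value} for any AppDomainManager settings in a .NET
    app.config / exe.config; an empty dict means no override is declared."""
    root = ET.fromstring(config_xml)
    found = {}
    for el in root.iter():
        name = _localname(el.tag)
        if name in ADM_ELEMENTS:
            found[name] = el.get("value", "")
    return found


def appdomainmanager_env(env: dict) -> dict:
    """Return the AppDomainManager environment variables present in `env`
    (e.g. a process's captured environment block)."""
    return {k: env[k] for k in ADM_ENV_VARS if k in env}


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; the header bytes are
            # enough for this example, the content is a constructed placeholder.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


# Constructed sample config; "Helper" names are placeholders, not real IoCs.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Helper.Manager" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = """<?xml version="1.0"?><configuration><runtime/></configuration>"""


def triage(xlsm_bytes: bytes, config_xml: str, env: dict) -> list:
    """Combine the checks into a list of human-readable findings."""
    findings = []
    if workbook_has_macros(xlsm_bytes):
        findings.append("workbook contains a VBA project (xl/vbaProject.bin)")
    for name, value in appdomainmanager_overrides(config_xml).items():
        findings.append(f"config sets {name}={value!r}")
    for name, value in appdomainmanager_env(env).items():
        findings.append(f"environment sets {name}={value!r}")
    return findings


if __name__ == "__main__":
    env = {"PATH": "/usr/bin", "APPDOMAIN_MANAGER_ASM": "Helper"}
    for line in triage(build_sample_workbook(True), SAMPLE_CONFIG, env):
        print("FINDING:", line)
```

Run on a real mailbox export or endpoint collection, the workbook check is a cheap pre-filter before macro extraction, and the config/environment checks catch the AppDomainManager redirection whether it was planted via a side-by-side `.exe.config` or via the process environment.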
“This dual-purpose structure enables MOIS to develop human capital for cyber operations while maintaining a layer of separation from direct government attribution.” – Gharib
Additionally, threat actors have used phishing methods to steal victims’ credentials. The phishing link “whatsapp-meeting.duckdns[.]org” circulated widely and rapidly across WhatsApp. It subsequently redirected users to a phishing WhatsApp Web login page designed to harvest their credentials.
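The phishing link above combines two signals that a defender can score mechanically: a hostname under a free dynamic-DNS provider, and a brand keyword ("whatsapp") appearing in a host that is not the brand's own domain. The heuristic below is an added example for this article, not code from the article or from HarfangLab. The dynamic-DNS suffix list and the brand-to-domain mapping are assumptions kept deliberately short; the only indicator taken from the article is the defanged `whatsapp-meeting.duckdns[.]org`.

```python
"""Score URLs for the two phishing signals seen in the RedKitten WhatsApp lure:
dynamic-DNS hosting and brand impersonation in the hostname. Added example;
suffix and brand tables are assumptions, not an exhaustive feed."""
from urllib.parse import urlsplit

# Free dynamic-DNS zones frequently abused for short-lived phishing hosts
# (assumed starter list; extend from your own threat intel).
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Brand keyword -> domains the brand legitimately serves from (assumed list).
BRAND_DOMAINS = {
    "whatsapp": ("whatsapp.com", "whatsapp.net"),
}


def refang(indicator: str) -> str:
    """Undo common defanging so an indicator from a report can be parsed."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def _under(host: str, zone: str) -> bool:
    """True if host is zone itself or a subdomain of it."""
    return host == zone or host.endswith("." + zone)


def classify_url(url: str) -> dict:
    """Return the hostname and the list of phishing signals it triggers."""
    text = refang(url.strip())
    if "://" not in text:
        text = "https://" + text          # urlsplit needs a scheme to find the host
    host = (urlsplit(text).hostname or "").lower()
    reasons = []

    if any(_under(host, zone) for zone in DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic_dns")

    for brand, legit in BRAND_DOMAINS.items():
        # Brand name present somewhere in the host, but host is not the brand's.
        if brand in host and not any(_under(host, d) for d in legit):
            reasons.append(f"brand_lookalike:{brand}")

    return {"host": host, "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample: the article's indicator plus a benign control.
SAMPLE_URLS = [
    "hxxps://whatsapp-meeting.duckdns[.]org/",   # from the article (defanged)
    "https://web.whatsapp.com/",                  # legitimate control
    "https://files.hopto.org/share",              # dynamic DNS, no brand
]


def scan(urls) -> list:
    """Classify each URL and return the suspicious results only."""
    return [r for r in (classify_url(u) for u in urls) if r["suspicious"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_URLS):
        print(r["host"], "->", ", ".join(r["reasons"]))
```

A hit on both signals together is a strong indicator for a login-page lure; the dynamic-DNS signal alone is weaker and is better used to raise priority than to block outright.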
Surveillance and Data Management
It follows the recent leaks concerning the Qatar-based NSO Group’s rival firm and its advanced surveillance platform Kashef / Discoverer / Revealer. This geolocation platform is openly used to track the movements of Iranian citizens as well as foreign nationals. It combines data from numerous Iranian government departments connected to the Islamic Revolutionary Guard Corps (IRGC), greatly enhancing the government’s ability to monitor dissenters’ movements.
Surveillance is more than hoovering up data. It also knowingly and intentionally curtails freedom of expression and quashes dissenting opinion. A Farsi-speaking, Iranian state-aligned threat actor has appeared, and this atmosphere increases the risks for those working to advance human rights.
HarfangLab pointed out the limitations of the attackers’ dependence on commoditized infrastructure such as GitHub, Google Drive, and Telegram. This approach complicates the infrastructure-based tracking that defenders have long relied on, while at the same time revealing operational security weaknesses that investigators are able to capitalize on.
“The threat actor’s reliance on commoditized infrastructure hinders traditional infrastructure-based tracking but paradoxically exposes useful metadata and poses other operational security challenges to the threat actor.” – HarfangLab