Iran-linked RedKitten campaign uses AI-generated macros to deploy SloppyMIO backdoor

A technical analysis by HarfangLab linked a Farsi-speaking actor aligned with Iranian state interests to a January 2026 campaign that used macro-laced Excel files to deliver a C# backdoor named SloppyMIO and to retrieve configuration via GitHub and Google Drive.

KEY FACTS

  • Incident: January 2026 campaign targeting NGOs and individuals documenting protests
  • Malware: SloppyMIO, a C# backdoor that fetches its configuration via GitHub and Google Drive
  • Delivery: macro-laced Microsoft Excel documents inside a 7-Zip archive
  • Command and control: Telegram Bot API, used to receive commands and exfiltrate files

The lures were XLSM spreadsheets with Farsi filenames that claimed to list protesters who died in Tehran between December 22, 2025 and January 20, 2026. Analysis shows the spreadsheet data contains mismatches that suggest fabrication.

Each spreadsheet contained a VBA macro that acts as a dropper. The macro loads a C# implant named AppVStreamingUX_Multi_User.dll using AppDomainManager injection to establish execution on the host.
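AppDomainManager injection relies on a .NET application config file (or the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables) pointing the runtime at an attacker-controlled assembly. The following defender-side check is an added example, not code from the report or from HarfangLab: it parses a config file's <runtime> section, extracts any AppDomainManager redirection, and flags it when the named assembly matches a watchlist (here seeded with the implant name from the report). The sample config is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: a .NET app config that redirects AppDomainManager loading
# to the implant assembly named in the report.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="AppVStreamingUX_Multi_User, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="AppVManager" />
  </runtime>
</configuration>"""

# Constructed benign config with no runtime redirection.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

# Assembly names worth alerting on (assumption: extend from your own telemetry).
WATCHLIST = {"appvstreamingux_multi_user"}


def find_appdomain_manager(config_xml: str) -> Optional[dict]:
    """Return the assembly/type named by <runtime> AppDomainManager settings, or None."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


def assess_config(config_xml: str) -> str:
    """Classify a config: 'clean', 'review' (any redirection), or 'suspicious' (watchlisted)."""
    hit = find_appdomain_manager(config_xml)
    if hit is None:
        return "clean"
    # The value is a display name; the simple name precedes the first comma.
    simple_name = (hit["assembly"] or "").split(",")[0].strip().lower()
    return "suspicious" if simple_name in WATCHLIST else "review"


if __name__ == "__main__":
    print(assess_config(SAMPLE_CONFIG), assess_config(BENIGN_CONFIG))
```

Any AppDomainManager redirection in a config deployed next to a signed, trusted executable deserves review even when the assembly name is not on a watchlist, since the technique is rare in legitimate software.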

The backdoor retrieves configuration by resolving GitHub resources that point to Google Drive images. Configuration is steganographically embedded in the images and includes a Telegram bot token, chat ID and links to modules.

SloppyMIO supports multiple modules: "cm" runs commands, "do" collects files and archives them to fit Telegram's size limits, "up" writes files into a NativeImages path under LocalAppData, "pr" creates scheduled tasks for persistence, and "ra" starts processes. The implant beacons to a configured Telegram chat and accepts commands such as "download", "cmd" and "runapp" to fetch modules and exfiltrate results.

WHY IT MATTERS

The campaign exploits people seeking information about missing persons and relies on common platforms that make infrastructure tracking harder while exposing operational metadata. The use of AI-style code generation and commodity services may speed attacker operations and complicate response.