Technical Analysis & Remediation
MITRE ATT&CK Mapping
Initial Access: T1566.001 (Spearphishing Attachment) – 7-Zip archives containing malicious XLSM files.
Execution: T1204.002 (User Execution: Malicious File), T1059.005 (Visual Basic) – AI-generated VBA macros.
Persistence: T1546.015 (Component Object Model Hijacking) – AppDomainManager injection.
Command & Control: T1102 (Web Service) – uses the Telegram Bot API, GitHub, and Google Drive.
Defense Evasion: T1027.003 (Steganography) – configuration data hidden in images hosted on Google Drive.
CVE Profile
NVD/CISA Status: No specific CVE is exploited; this campaign relies on abuse of legitimate features (VBA macros) and misconfiguration/design features (AppDomainManager) rather than software vulnerabilities.
Forensic Artifacts (The "Anchor")
Malware Implant: AppVStreamingUX_Multi_User.dll (C# implant dropped via macro).
Backdoor Name: SloppyMIO.
Network Indicator: whatsapp-meeting.duckdns[.]org (phishing link for credential harvesting).
Technique: AppDomainManager injection.
Lure Context: "Tehran Forensic Medical Files" or lists of protesters deceased between Dec 22, 2025 and Jan 20, 2026.
Remediation - THE ENTERPRISE TRACK (SANS PICERL)
Identification & Containment
Network Block: Immediately block traffic to api.telegram[.]org and unapproved duckdns[.]org subdomains at the perimeter firewalls/web gateways.
Hunt: Query EDR for file writes to %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\NativeImages\ matching the AppVStreamingUX_Multi_User.dll naming convention.
Registry Check: Audit .NET configuration for suspicious AppDomainManager registrations in the registry.
Eradication
Process Termination: Terminate any process spawning cmd.exe from unexpected parent processes (indicative of the cm module).
File Removal: Delete the malicious 7-Zip archives and the dropped DLLs. Remove the associated Scheduled Tasks used for persistence.
Recovery
Credential Reset: Force password resets for all accounts (especially Google and WhatsApp) on affected machines, as the campaign actively harvests credentials and 2FA codes.
Re-image: Due to the nature of the backdoor (system-level persistence), reimaging is recommended for compromised hosts.
Lessons Learned
Macro Policy: Enforce Group Policy to block macros from internet-originating files (Mark-of-the-Web).
Cloud C2 Detection: Implement SSL/TLS inspection to detect anomalous data exfiltration volumes to legitimate services like Google Drive.
Remediation - THE HOME USER TRACK
Priority 1: Safety (Disconnect & Scan)
Disconnect the infected device from the internet immediately to sever the Telegram C2 link.
Do not open any Excel files claiming to contain "protest details" or "forensic files".
Priority 2: Identity (Secure Accounts)
From a clean device, immediately change your Google and WhatsApp passwords.
Revoke any active "Linked Devices" in your WhatsApp settings, as the whatsapp-meeting[.]duckdns[.]org kit may have hijacked your session.
Priority 3: Persistence (Cleanup)
Check your "Task Scheduler" (search in Start Menu) for tasks running every two hours or tasks you do not recognize.
Run a full scan with a reputable non-signature-based antivirus solution (e.g., behavior-based detection).
Hardening & References
Baseline: CIS Benchmark for Microsoft Office (disable VBA for internet files).
Framework: NIST SP 800-61r2 (Incident Handling Guide).
Tactical: Review HarfangLab's full report on SloppyMIO for YARA rules (referenced in).
Behavioral: Be skeptical of "urgent" files regarding human rights or missing persons during times of civil unrest; verify the source via a secondary channel (Signal/phone).
Sources
The Hacker News (Source Article)
HarfangLab (Technical Origin)
Contextual Intelligence & Geopolitics
Nariman Gharib Blog
U.S. Dept of Treasury
Amnesty International
Cloudflare