SPLITDROP

SPLITDROP is a previously undocumented 32-bit .NET dropper used in a January 2026 phishing campaign targeting Iraqi government officials. The activity was attributed with medium-to-high confidence by Zscaler ThreatLabz to Dust Specter, a suspected Iran-nexus threat actor, which impersonated Iraq’s Ministry of Foreign Affairs in social-engineering lures. SPLITDROP was delivered in a password-protected RAR archive, including mofa-Network-code.rar, and masqueraded as a WinRAR application. When executed, it decrypted an embedded payload using AES-256-CBC with PKCS7 padding and a PBKDF2-derived 256-bit key, then wrote and extracted a ZIP archive to C:\ProgramData\PolGuid. It displayed a fake error message ('The download did not complete successfully') while continuing execution. Its primary role was to deploy two additional modules, TWINTASK and TWINTALK, by launching legitimate software for DLL sideloading: VLC.exe sideloaded the malicious libvlc.dll (TWINTASK), and WingetUI.exe sideloaded the malicious hostfxr.dll (TWINTALK). Through this chain, the malware established persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run values for VLC and WingetUI. TWINTASK polled C:\ProgramData\PolGuid\in.txt every 15 seconds for Base64-encoded PowerShell commands and wrote results to out.txt, while TWINTALK acted as the command-and-control orchestrator, using randomized beacon delays, custom URI paths, and JWT-based communications to support script execution and file transfer. High-confidence associated artifacts include the paths C:\ProgramData\PolGuid.zip, C:\ProgramData\PolGuid, C:\ProgramData\PolGuid\in.txt, and C:\ProgramData\PolGuid\out.txt; the dropped modules TWINTASK and TWINTALK; and the related C2 domain meetingapp[.]site observed in Dust Specter activity.