惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
L
LangChain Blog
Microsoft Azure Blog
Microsoft Azure Blog
雷峰网
雷峰网
Recent Announcements
Recent Announcements
WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
博客园_首页
The Cloudflare Blog
M
MIT News - Artificial intelligence
博客园 - 【当耐特】
MyScale Blog
MyScale Blog
S
SegmentFault 最新的问题
P
Proofpoint News Feed
Y
Y Combinator Blog
Jina AI
Jina AI
博客园 - 聂微东
A
About on SuperTechFans
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
G
Google Developers Blog
云风的 BLOG
云风的 BLOG
F
Full Disclosure
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Microsoft Security Blog
Microsoft Security Blog
爱范儿
爱范儿
T
Tailwind CSS Blog
J
Java Code Geeks
Vercel News
Vercel News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
T
The Blog of Author Tim Ferriss
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 三生石上(FineUI控件)
W
WeLiveSecurity
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
宝玉的分享
宝玉的分享
IT之家
IT之家
Hacker News: Ask HN
Hacker News: Ask HN
The Register - Security
The Register - Security
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs

Security Research | Blog

ClaudeFix: Shared Claude Chats Meet ClickFix | Zscaler Why Do F1 Teams Need Cybersecurity, and What Is AI’s Role? Indirect Prompt Injection Targets AI Agents | ThreatLabz Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz Edgecution: Malicious Edge Extension Backdoor | ThreatLabz SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz Zscaler ThreatLabz 2026 Phishing and Initial Access Report Technical Analysis of MLTBackdoor | ThreatLabz When the Scanner Starts Thinking: Learnings from Mythos & GPT 5.5 Cyber in Security Testing | Zscaler OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz Do not delete blog (testing) | Zscaler Payouts King Takes Aim at the Ransomware Throne | ThreatLabz The Alibaba Incident and Why Zero Trust Matters More Than Ever In-Memory Loader Drops ScreenConnect | ThreatLabz Supply Chain Attacks Surge in March 2026 | ThreatLabz Claude Code Leak: Critical AI Security Threat 2026 Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz CVE-2026-20131: Analysis of FMC RCE | ThreatLabz Technical Analysis of SnappyClient | ThreatLabz China-nexus Group Targets Arabian Gulf Region | ThreatLabz Middle East Conflict Fuels Cyber Attacks | ThreatLabz APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz GuLoader Malware Obfuscation Techniques Analyzed GuLoader Obfuscation Analysis | ThreatLabz Technical Analysis of Marco Stealer | ThreatLabz Latest Public Sector AI Adoption Trends: What Government, Healthcare, and Education Security Teams Need to Know | Zscaler Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz 7 Predictions for 2026 | Zscaler SHEETCREEP, FIREPOWER, and MAILCREEP Analysis | ThreatLabz AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report | Zscaler GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz Malicious NPM Packages Deliver NodeCordRAT | ThreatLabz What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek | Zscaler BlindEagle Deploys Caminho and DCRAT | ThreatLabz Technical Analysis of the BlackForce Phishing Kit | ThreatLabz React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz Shai-Hulud V2 Poses Risk to NPM Supply Chain | ThreatLabz Technical Analysis of Matanbuchus 3.0 | ThreatLabz In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz Mobile, IoT, and OT Risks Converge in the Public Sector | Zscaler Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report | Zscaler Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) | Zscaler F5 Security Incident Advisory | Zscaler Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface | Zscaler SEO Poisoning Targets Ivanti VPN: Credential Theft Alert Cisco Firewall and VPN Zero Day Attacks | ThreatLabz COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz YiBackdoor: Linked to IcedID and Latrodectus | ThreatLabz Technical Analysis of Zloader Updates | ThreatLabz Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz Technical Analysis of SmokeLoader Version 2025 | ThreatLabz Technical Analysis of kkRAT | ThreatLabz APT37: Rust Backdoor & Python Loader | ThreatLabz Anatsa’s Latest Updates | ThreatLabz Termncolor and Colorinal Explained | ThreatLabz GenAI Used to Impersonate Brazil’s Govt Websites | ThreatLabz Tracking Updates to Raspberry Robin | ThreatLabz Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report | Zscaler China-nexus APT Targets the Tibetan Community | ThreatLabz CVE-2025-53770 | ThreatLabz Black Hat SEO Poisoning Search Engine Results For AI | ThreatLabz
Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz
Sudeep Singh · 2026-03-02 · via Security Research | Blog

Technical Analysis

The following sections cover Attack Chain 1 and Attack Chain 2, which ThreatLabz observed in-the-wild during this campaign. Attack Chain 1 uses a split architecture with two components, a worker module (TWINTASK) and a C2 orchestrator (TWINTALK), that coordinate through a file-based polling mechanism. Attack Chain 2 consolidates the same functionality into a single binary (GHOSTFORM).

Attack Chain 1

Attack Chain 1 is delivered in a password-protected RAR archive named mofa-Network-code.rar. The password for this archive is: 92,110-135_118-128. A 32-bit .NET binary, disguised as a WinRAR application, is present inside this archive and starts the attack chain on the endpoint. This binary functions as a dropper and ThreatLabz named it SPLITDROP because it drops two modules that we named TWINTASK and TWINTALK. 

SPLITDROP

Upon being launched, SPLITDROP displays a dialog box prompting the victim to enter a password to extract an archive file. SPLITDROP checks for the presence of C:\ProgramData\PolGuid.zip; if the file already exists, SPLITDROP does not continue execution. If the file does not exist and the correct password is entered in the password form, SPLITDROP proceeds to decrypt an embedded resource named CheckFopil.PolGuid.zip. Before decrypting the resource, SPLITDROP displays a message box stating, “The download did not complete successfully,” to distract the victim while it operates in the background.

Because the embedded resource is encrypted using AES-256 in CBC mode with PKCS7 padding, SPLITDROP derives the salt, initialization vector (IV), and ciphertext as follows: 

  • the first 16 bytes of the embedded resource are used as the salt,
  • the next 16 bytes are used as the IV,
  • and the remaining bytes are the ciphertext.

A key derivation function (KDF) is then used to derive the encryption key from the password entered by the victim in the password form. The KDF uses PBKDF2 with HMAC-SHA1 as the pseudorandom function, 10,000 iterations, and a 256-bit key size. The decrypted resource is written to the archive file at C:\programData\PolGuid.zip, and the contents of the ZIP archive are extracted to C:\programData\PolGuid\.

The figure below shows the directory structure after extraction.

Figure 1: Contents of C:\programData\PolGuid\ after extraction.

Figure 1: Contents of C:\programData\PolGuid\ after extraction.

Finally, a legitimate VLC.exe (the popular open source media player) binary is executed from C:\programData\PolGuid\VLC\VLC.exe to continue to the next stage of the attack chain.

TWINTASK

Upon being launched, VLC.exe sideloads the malicious DLL libvlc.dll which was extracted alongside VLC.exe in the same directory by SPLITDROP. ThreatLabz named this malicious component TWINTASK

TWINTASK functions as a worker module, and its main purpose is to poll a file for new commands available for execution and run them using PowerShell. TWINTASK enters an infinite loop and performs the following actions every 15 seconds: 

  • It polls C:\ProgramData\PolGuid\in.txt to determine whether the file is empty.
  • If the file is empty, TWINTASK continues monitoring the contents every 15 seconds until data is present.
  • If the file is not empty, TWINTASK reads the file contents and Base64-decodes them while skipping the first character of the text (which appears to have no significance other than to break naive Base64-decoding attempts), then instantiates PowerShell to execute the decoded script asynchronously with a 600-second timeout. 

TWINTASK captures the script output and any errors in C:\ProgramData\PolGuid\out.txt.

Persistence and C2 orchestrator launch

When TWINTASK is launched, in.txt comes prepopulated with commands that are used to establish persistence on the machine and initiate the next stage of the attack chain. Below are the initial decoded contents of in.txt.

"C:\ProgramData\PolGuid\WingetUI\WingetUI.exe";New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'VLC' -Value 'C:\ProgramData\PolGuid\VLC\vlc.exe' -PropertyType String;New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'WingetUI' -Value 'C:\ProgramData\PolGuid\WingetUI\WingetUI.exe' -PropertyType String;

Below are the key functions of the PowerShell script that TWINTASK runs on first launch:

  • Executes the binary WingetUI.exe from C:\ProgramData\PolGuid\WingetUI\WingetUI.exe.
  • Creates the Windows registry name VLC under the key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run for persistence and sets the value to C:\ProgramData\PolGuid\VLC\vlc.exe to ensure vlc.exe is launched upon system restart and thereby sideloads the malicious DLL, libvlc.dll, to start TWINTASK.
  • Creates the Windows registry name WingetUI under the key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run and sets the value to C:\ProgramData\PolGuid\WingetUI\WingetUI.exe to ensure that the binary WingetUI.exe is launched upon system restart.

TWINTALK

Once WingetUI.exe (a legitimate graphical interface application for package managers) is launched by the worker module, it sideloads the malicious DLL hostfxr.dll that is present alongside WingetUI.exe in the same directory. ThreatLabz named this malicious component TWINTALK.

TWINTALK is a 32-bit .NET DLL and functions as a C2 orchestrator whose main purpose is to poll the C2 server for new commands, coordinate with the worker module, and exfiltrate the results of command execution to the C2 server. The C2 orchestrator works in parallel with the previously described worker module to implement a file-based polling mechanism used for code execution.

Upon execution, TWINTALK enters a beaconing loop and delays execution by a random interval before polling the C2 server for new commands. It uses a preconfigured base delay of 120 seconds with jitter that randomizes the delay by generating a random number between -10% and +50% of the base delay (108 seconds to 180 seconds). To implement the delay, TWINTALK creates a nonsignaled unnamed event object using CreateEvent and calls WaitForSingleObject with the randomized delay value calculated above. If the event object cannot be created, TWINTALK falls back to Thread.Sleep() to create the delay. TWINTALK then sends a GET request to the C2 server with the parameters listed in the table below.

Parameter

Description

URI path

For each request, TWINTALK constructs a unique URI path at runtime to evade pattern-based detections. It generates a random 10-character hex string ([0-9a-f]), computes a 6-character checksum (of the 10-character hex string) using a custom algorithm seeded with 0xABCDEF, and concatenates them. The checksum allows the C2 to verify the request is from a valid bot rather than a URL analysis engine.

  User-Agent

TWINTALK uses a hardcoded User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0 to mimic legitimate browser traffic.

 Authentication token

TWINTALK generates a JSON Web Token (JWT) at runtime and sends it in the Authorization: Bearer header; the JWT iat (issued at) field stores the bot ID and bot version, as shown in the code example below.

Table 1: Description of HTTP request headers and URI format used by TWINTALK.

{"iat": ,"version": }

TWINTALK generates a bot ID by checking for the presence of programTemp.log in its execution directory. If the file exists, TWINTALK reads its contents and uses that value to populate the JWT iat field. If the file does not exist, TWINTALK generates a unique random 10-digit ID at runtime, writes it to programTemp.log, and sends it in the JWT iat field. Note that in the TWINTALK samples analyzed by ThreatLabz, the bot version has been set to 0.0.0.0.

Notably, the iat field in a standard JWT represents a Unix epoch timestamp. By storing a 10-digit, randomly generated bot ID in the iat field, the malware can make the request appear more legitimate. The JWT is signed using the HS256 algorithm with a very weak secret (an "_" character).

Network communication

TWINTALK deserializes a cleartext JSON object returned by the server to extract C2 commands. Notably, it parses fields by position rather than by JSON key name. During analysis, the server was observed randomizing JSON key names on each response, an evasion method intended to evade pattern-matching–based detection used by network security products. The table below summarizes how TWINTALK maps positional fields.

Position

Name

Description

0

Transaction ID

An ID generated server-side used to synchronize the request and response.

1

Command type

The type of C2 command.

2

Command body

The command body, based on the type of C2 command.

3

Sleep timer

The duration for which the bot should sleep.

Table 2: Mapping between JSON key positions and their functionality for TWINTALK.

TWINTALK supports the following command types.

  • Command execution (type 0): TWINTALK writes the command body from the C2 response to in.txt. The TWINTASK process polls in.txt every 15 seconds, reads and decodes the contents, and executes the resulting PowerShell script. The in.txt file is then truncated. TWINTALK checks in.txt every 20 seconds; an empty in.txt indicates the task was processed. The stager then reads out.txt and sends the results back to the C2.
  • File download (type 1): TWINTALK decodes the command body to obtain the destination file path. It then uses the transaction ID to build the download URL: 

    {c2_server}/{10-hex-chars+checksum}/{transaction_id}

    TWINTALK downloads the file from this URL, decodes it, and writes it to the specified path.

  • File upload (type 2): TWINTALK parses and decodes the command body to extract a local file path, then constructs an upload URL that is identical to type 1. It reads the local file, Base64-encodes it, prepends one randomly generated character, and sends the data in a POST request to the constructed URL.

Attack Chain 2 (GHOSTFORM)

Attack Chain 2 consolidates all the functionality of Attack Chain 1 into a single binary. It uses in-memory PowerShell script execution to execute the commands received from the C2 server, reducing the filesystem footprint. Unlike Attack Chain 1, a split architecture with DLL sideloading is not used. ThreatLabz named the second attack chain GHOSTFORM based on its usage of an invisible Windows form for delayed execution and its use of Google Forms as a social engineering lure.

Below are the key differences between Attack Chain 1 and Attack Chain 2.  

  • Decoy file: Two GHOSTFORM binaries had a hardcoded Google Form URL. Upon launch, the binaries opened the URL with the default browser configured on the victim’s system. The Google Form shown in the figure below is written in Arabic and masquerades as an official survey from Iraq’s Ministry of Foreign Affairs, purportedly intended for government officials.

Figure 2: Google Form displayed by GHOSTFORM to the victim as a social engineering lure.

Figure 2: Google Form displayed by GHOSTFORM to the victim as a social engineering lure.

  • Delayed execution: Similar to TWINTALK, GHOSTFORM also enters a C2 beaconing loop that uses a randomized delay function. However, GHOSTFORM uses a more creative delayed execution technique without relying on Windows APIs:
    • Uses a pre-configured base delay of 121 seconds.
    • Jitter randomizes the delay to +35% and -35% of the base delay.
    • Launches an invisible Windows form application.
    • Sets the opacity of the form to 0.001 with a size of 10x15 and sets the ShowInTaskBar property to false so the form does not appear in the Windows task bar.
    • Sets both the form's background color and the label's text color to white.
    • Starts a timer and sets the interval to the delay calculated previously. Once the timer interval elapses, GHOSTFORM closes the form and control is returned to the main malware loop to continue the execution.
  • Mutex: Creates a mutex with the name Global\_ to ensure that only one instance of GHOSTFORM runs at any given time.
  • Bot ID generation: Unlike Attack Chain 1, the bot ID in GHOSTFORM is not generated randomly. Instead, GHOSTFORM converts the .NET assembly’s creation timestamp to a Unix epoch timestamp and uses that as the bot ID.
  • Bot version: Below are a few bot versions observed across samples of GHOSTFORM. Unlike TWINTALK, the bot versions are not set to 0.0.0.0
    • 5.62.147.912_1
    • 3.3.28.962_1

NOTE: The nature of the bot version numbers seems to indicate that they were generated randomly and a meaningful versioning scheme was not used.