TWINTALK
TWINTALK is a 32-bit .NET DLL used as a command-and-control (C2) orchestrator in a January 2026 campaign against Iraqi government officials. Zscaler ThreatLabz attributed the activity to Dust Specter, a suspected Iran-nexus threat actor, which impersonated Iraq's Ministry of Foreign Affairs and delivered previously unseen malware families including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. In the observed infection chain, a password-protected RAR archive delivered the .NET dropper SPLITDROP, which decrypted and deployed TWINTASK and TWINTALK; neither was executed directly, both were loaded through DLL sideloading by legitimate software (VLC and WingetUI). TWINTASK acted as the worker component, while TWINTALK coordinated with it through file-based polling: TWINTALK wrote command bodies to local files for TWINTASK to execute, then sent the results back to the C2 server.
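The host side of that chain (the VLC.exe to WingetUI.exe hand-off, the two sideloaded DLLs, the in.txt/out.txt exchange files and the Run key) can be triaged from endpoint telemetry. The script below is an added example, not code from Zscaler ThreatLabz or Mallory: it consumes Sysmon-style event dicts and flags each reported artifact. The sample events are constructed; the staging directory, the Run value name and the list of directories from which hostfxr.dll and libvlc.dll are legitimately loaded are this example's own assumptions.

```python
"""Host-telemetry triage for the SPLITDROP -> TWINTASK/TWINTALK chain.

Added example; not Zscaler ThreatLabz's or Mallory's code. Consumes
Sysmon-style event dicts (ProcessCreate, ImageLoad, FileCreate,
RegistryEvent field names); every sample event below is constructed.
"""
import ntpath
import re

# Artifacts from the public reporting.
DROP_DIR = "c:\\programdata\\polguid"
SIDELOADED_DLLS = {"hostfxr.dll", "libvlc.dll"}
SIDELOAD_HOSTS = ("vlc.exe", "wingetui.exe")

# Assumption: where these DLLs are loaded from on a healthy host. A load from
# anywhere else (ProgramData, user profiles, Temp) is a sideload candidate.
EXPECTED_DLL_DIRS = (
    "c:\\program files\\dotnet\\host\\fxr\\",
    "c:\\program files\\videolan\\vlc\\",
    "c:\\program files (x86)\\videolan\\vlc\\",
)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower() + "\\"


def triage(events):
    """Return (rule, artifact) pairs for every event that matches a chain artifact."""
    findings = []
    for ev in events:
        kind = ev["EventType"]
        if kind == "ProcessCreate":
            # Reported chain: VLC.exe launches WingetUI.exe, which sideloads TWINTALK.
            if _base(ev["ParentImage"]) == "vlc.exe" and _base(ev["Image"]) == "wingetui.exe":
                findings.append(("vlc_spawns_wingetui", ev["Image"]))
        elif kind == "ImageLoad":
            dll = ev["ImageLoaded"]
            if _base(dll) in SIDELOADED_DLLS and not _dir(dll).startswith(EXPECTED_DLL_DIRS):
                findings.append(("dll_sideload", dll))
        elif kind == "FileCreate":
            # in.txt / out.txt are the TWINTALK <-> TWINTASK polling files.
            if ev["TargetFilename"].lower().startswith(DROP_DIR + "\\"):
                findings.append(("polguid_exchange_file", ev["TargetFilename"]))
        elif kind == "RegistryEvent":
            # Run-key value whose data points at one of the sideloading host binaries.
            data = ev.get("Details", "").lower()
            if RUN_KEY_RE.search(ev["TargetObject"]) and any(h in data for h in SIDELOAD_HOSTS):
                findings.append(("run_key_persistence", ev["TargetObject"]))
    return findings


# Constructed sample telemetry. The staging directory and the Run value name are
# invented; the public reporting does not say where the host binaries were placed.
STAGE = r"C:\Users\Public\Libraries"
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "TargetFilename": r"C:\ProgramData\PolGuid\in.txt"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\ProgramData\PolGuid\out.txt"},
    {"EventType": "ImageLoad", "Image": STAGE + r"\vlc.exe", "ImageLoaded": STAGE + r"\libvlc.dll"},
    {"EventType": "ProcessCreate", "ParentImage": STAGE + r"\vlc.exe", "Image": STAGE + r"\WingetUI.exe"},
    {"EventType": "ImageLoad", "Image": STAGE + r"\WingetUI.exe", "ImageLoaded": STAGE + r"\hostfxr.dll"},
    {"EventType": "RegistryEvent",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MediaPlayer",
     "Details": STAGE + r"\vlc.exe"},
    # Benign: the real .NET host loading hostfxr.dll from its install directory.
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "ImageLoaded": r"C:\Program Files\dotnet\host\fxr\8.0.4\hostfxr.dll"},
]

if __name__ == "__main__":
    for rule, artifact in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {artifact}")
```

The ImageLoad rule is the one worth tuning: hostfxr.dll is loaded by every .NET application, so the directory allow-list, not the DLL name, carries the signal. Feed it real Sysmon event ID 7 records and expand EXPECTED_DLL_DIRS to match where your fleet installs .NET and VLC.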
TWINTALK's primary role is to poll the C2 server for new commands, hand tasking to TWINTASK, and upload and download files. It beaconed over HTTPS at randomized intervals between 108 and 180 seconds, a window wide enough to defeat detectors that look for a fixed period, used custom or dynamically generated URI paths, and authenticated its requests with JWT bearer tokens. Reported C2 evasion and server-side validation features included randomized delays, checksum-appended URI paths, geofencing (the server responds only to traffic from selected regions), and User-Agent verification. Persistence in the broader chain was established through Windows Registry Run keys that relaunched the sideloading host binaries after reboot. Artifacts and paths reported for the TWINTALK/TWINTASK chain include the directory C:\ProgramData\PolGuid, the exchange files C:\ProgramData\PolGuid\in.txt and C:\ProgramData\PolGuid\out.txt, the malicious DLLs hostfxr.dll and libvlc.dll, and the C2 domain meetingapp[.]site. ThreatLabz also noted code artifacts in TWINTALK suggesting possible generative-AI-assisted development, including emojis, Unicode text, and a placeholder seed value of 0xABCDEF.
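On the network side, the 108 to 180 second random sleep means a periodicity check will not fire; what does separate the implant from a benign poller is the fraction of inter-request gaps that land inside that window, combined with never-repeating URI paths and a bearer JWT on every request. The script below is an added example, not code from Zscaler ThreatLabz or Mallory. The log record shape (ts, src, host, path, auth) and all requests are constructed; the random hex path merely stands in for TWINTALK's dynamic paths, since the reporting does not give its checksum scheme, and the 5 s latency tolerance and 0.8 ratios are this example's own thresholds.

```python
"""Proxy-log beacon hunt for the TWINTALK C2 pattern.

Added example; not Zscaler ThreatLabz's or Mallory's code. The record shape
(ts, src, host, path, auth) and every request below are constructed. The
108-180 s sleep window comes from the reporting; the latency tolerance and
the 0.8 ratios are this example's own thresholds.
"""
import base64
import json
import random
import re
import statistics
from collections import defaultdict

BEACON_MIN, BEACON_MAX = 108, 180   # reported TWINTALK sleep window, seconds
LATENCY_TOL = 5                     # request round-trip added on top of the sleep
JWT_RE = re.compile(r"^Bearer ([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$")


def jwt_header(auth_value):
    """Decode the header of a bearer JWT; None if the value is not JWT-shaped."""
    m = JWT_RE.match(auth_value or "")
    if not m:
        return None
    seg = m.group(1)
    seg += "=" * (-len(seg) % 4)        # base64url strips padding; restore it
    try:
        return json.loads(base64.urlsafe_b64decode(seg))
    except ValueError:                  # binascii.Error and JSONDecodeError both subclass it
        return None


def analyse(requests, min_hits=6):
    """Score each (src, host) pair: gap-in-window ratio, path uniqueness, JWT ratio."""
    by_pair = defaultdict(list)
    for r in requests:
        by_pair[(r["src"], r["host"])].append(r)
    verdicts = {}
    for pair, rs in by_pair.items():
        if len(rs) < min_hits:
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(rs, rs[1:])]
        in_window = sum(BEACON_MIN - LATENCY_TOL <= g <= BEACON_MAX + LATENCY_TOL
                        for g in gaps) / len(gaps)
        path_uniq = len({r["path"] for r in rs}) / len(rs)
        jwt_ratio = sum(jwt_header(r.get("auth")) is not None for r in rs) / len(rs)
        verdicts[pair] = {
            "requests": len(rs),
            "gap_in_window": round(in_window, 2),
            "gap_stdev": round(statistics.pstdev(gaps), 1),
            "path_uniqueness": round(path_uniq, 2),
            "jwt_ratio": round(jwt_ratio, 2),
            "beacon_candidate": in_window >= 0.8 and path_uniq >= 0.8 and jwt_ratio >= 0.8,
        }
    return verdicts


def fake_jwt():
    """Token with the right three-segment shape; payload and signature are junk."""
    hdr = base64.urlsafe_b64encode(b'{"alg":"HS256","typ":"JWT"}').rstrip(b"=").decode()
    return f"Bearer {hdr}.eyJzdWIiOiJib3QifQ.c2lnbmF0dXJl"


def build_sample(seed=7):
    """Constructed traffic: one implant-like session and one benign poller."""
    rng = random.Random(seed)
    reqs, t = [], 1_700_000_000.0
    for _ in range(10):   # implant: random 108-180 s sleep, fresh path, JWT every time
        t += rng.uniform(BEACON_MIN, BEACON_MAX) + rng.uniform(0.2, 1.5)
        reqs.append({"ts": t, "src": "10.0.0.5", "host": "meetingapp[.]site",
                     "path": f"/v1/{rng.randrange(1 << 32):08x}", "auth": fake_jwt()})
    t = 1_700_000_000.0
    for _ in range(10):   # benign updater: fixed 60 s period, same path, no token
        t += 60
        reqs.append({"ts": t, "src": "10.0.0.5", "host": "updates.example",
                     "path": "/check", "auth": None})
    return reqs


if __name__ == "__main__":
    for pair, v in analyse(build_sample()).items():
        print(pair, v)
```

Note that gap_stdev is reported but not used in the verdict: the implant's gaps have a large spread by design, which is exactly why a low-variance beacon rule misses it. Set min_hits to the number of requests your retention window gives you for a single host, and treat the three ratios as independent signals to weight rather than a single score.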
Groups observed using it
1 distinct threat actor attributed by public researchers: the suspected Iran-nexus group Dust Specter.
Simultaneously, VLC.exe launches WingetUI.exe, which sideloads hostfxr.dll as TWINTALK, a C2 orchestrator that beacons via JWT-authenticated HTTPS with randomized delays (108–180 seconds).
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (6 techniques)
The TWINTALK C2 domain meetingapp[.]site was also used in a July 2025 ClickFix attack delivering a fake Webex for Government meeting invitation with a PowerShell payload creating a scheduled task named winWebex executing every two hours.
"...new malware such as SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM."; "...TernDoor Windows backdoor, and the PeerTime P2P Linux backdoor."; "...Python-based backdoor named AnonDoor."
“…use of command and scripting interpreters (T1059) like PowerShell (T1059.001).” / “PowerShell and Cmd serve as the universal backbone for execution across nearly all groups …”
Persistence (3 techniques)
The TWINTALK C2 domain meetingapp[.]site was also used in a July 2025 ClickFix attack delivering a fake Webex for Government meeting invitation with a PowerShell payload creating a scheduled task named winWebex executing every two hours.
Attack Chain 1 used SPLITDROP, a .NET dropper delivering TWINTASK and TWINTALK via DLL sideloading into legitimate VLC.exe and WingetUI.exe processes, establishing file-based command polling through in.txt and out.txt with persistence via Windows Run registry keys.
Privilege Escalation (3 techniques)
The TWINTALK C2 domain meetingapp[.]site was also used in a July 2025 ClickFix attack delivering a fake Webex for Government meeting invitation with a PowerShell payload creating a scheduled task named winWebex executing every two hours.
Attack Chain 1 used SPLITDROP, a .NET dropper delivering TWINTASK and TWINTALK via DLL sideloading into legitimate VLC.exe and WingetUI.exe processes, establishing file-based command polling through in.txt and out.txt with persistence via Windows Run registry keys.
Defense Evasion (6 techniques)
"...custom URI paths, and JWT tokens to evade detection."
“Defense evasion … masquerading (T1036)” and examples include “C# malware masquerading as PDF documents,” “fake 404 error pages,” and impersonation of collaboration platforms.
“applied geofencing to restrict responses to traffic from specific geographic regions only.”
Discovery (2 techniques)
Command and Control (4 techniques)
Finally, for command and control and exfiltration, Iranian-linked groups most commonly rely on application layer protocols (T1071), such as HTTP
TWINTALK, a C2 orchestrator that beacons via JWT-authenticated HTTPS with randomized delays (108–180 seconds).
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
A C2 orchestrator/backdoor delivered via DLL sideloading that communicates over JWT-authenticated HTTPS with randomized timing.
A follow-on payload dropped by SPLITDROP in the Dust Specter attack chain (that source does not describe its functionality).
C2 orchestrator that uses randomized beacon delays, custom URI paths, and JWT tokens; supports commands to execute scripts, upload files, and download additional payloads.
Malware used in suspected Iranian APT activity targeting Iraqi government officials.