SPLITDROP
SPLITDROP is a previously undocumented 32-bit .NET dropper used in a January 2026 phishing campaign targeting Iraqi government officials. The activity was attributed with medium-to-high confidence by Zscaler ThreatLabz to Dust Specter, a suspected Iran-nexus threat actor, which impersonated Iraq’s Ministry of Foreign Affairs in social-engineering lures. SPLITDROP was delivered in a password-protected RAR archive, including mofa-Network-code.rar, and masqueraded as a WinRAR application.

When executed, it decrypted an embedded payload using AES-256-CBC with PKCS7 padding and a PBKDF2-derived 256-bit key, then wrote and extracted a ZIP archive to C:\ProgramData\PolGuid. It displayed a fake error message ('The download did not complete successfully') while continuing execution.

Its primary role was to deploy two additional modules, TWINTASK and TWINTALK, by launching legitimate software for DLL sideloading: VLC.exe sideloaded the malicious libvlc.dll (TWINTASK), and WingetUI.exe sideloaded the malicious hostfxr.dll (TWINTALK). Through this chain, the malware established persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run values for VLC and WingetUI. TWINTASK polled C:\ProgramData\PolGuid\in.txt every 15 seconds for Base64-encoded PowerShell commands and wrote results to out.txt, while TWINTALK acted as the command-and-control orchestrator, using randomized beacon delays, custom URI paths, and JWT-based communications to support script execution and file transfer.

High-confidence associated artifacts include the paths C:\ProgramData\PolGuid.zip, C:\ProgramData\PolGuid, C:\ProgramData\PolGuid\in.txt, and C:\ProgramData\PolGuid\out.txt; the dropped modules TWINTASK and TWINTALK; and the related C2 domain meetingapp[.]site observed in Dust Specter activity.
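The artifacts above (the PolGuid staging directory and its in.txt / out.txt tasking files, libvlc.dll and hostfxr.dll loaded from that directory by VLC.exe and WingetUI.exe, and the Run values named VLC and WingetUI) are concrete enough to triage host telemetry against. The script below is an added example, not code from Zscaler ThreatLabz or Mallory: it runs a handful of host-based checks over a batch of constructed, Sysmon-style records and reports which reported artifacts each record matches. The record schema (event, image, target, key, value_name, data, path) is an assumed normalized form, not any real SIEM's field names, and the sample events are constructed for the demonstration.

```python
"""Host-telemetry triage for the SPLITDROP / TWINTASK / TWINTALK artifacts.

Added example (not Zscaler's or Mallory's code). Field names are an assumed
normalized schema; SAMPLE_EVENTS are constructed, not captured telemetry.
"""
import ntpath
from dataclasses import dataclass

# Artifacts reported in the write-up, lower-cased for case-insensitive matching.
STAGING_DIR = r"c:\programdata\polguid"
STAGING_ZIP = STAGING_DIR + ".zip"
SIDELOAD_PAIRS = {"vlc.exe": "libvlc.dll", "wingetui.exe": "hostfxr.dll"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"vlc", "wingetui"}
TASKING_FILES = {"in.txt", "out.txt"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Normalize separators and case so paths compare reliably."""
    return path.replace("/", "\\").lower()


def _in_staging(path: str) -> bool:
    """True if path lies inside C:\\ProgramData\\PolGuid (PolGuid.zip sits beside it, not inside)."""
    return _norm(path).startswith(STAGING_DIR + "\\")


def check_image_load(ev):
    """VLC.exe loading libvlc.dll, or WingetUI.exe loading hostfxr.dll, from the staging dir."""
    proc = ntpath.basename(_norm(ev["image"]))
    module = _norm(ev["target"])
    expected = SIDELOAD_PAIRS.get(proc)
    if expected and ntpath.basename(module) == expected and _in_staging(module):
        return Finding("sideload", f"{proc} loaded {module}")
    return None


def check_registry_set(ev):
    """Run values named VLC / WingetUI, as reported for the persistence step."""
    if _norm(ev["key"]) == RUN_KEY and ev["value_name"].lower() in RUN_VALUE_NAMES:
        return Finding("persistence", f"Run value {ev['value_name']} -> {ev['data']}")
    return None


def check_file_event(ev):
    """The dropped archive, or the in.txt / out.txt tasking files inside the staging dir."""
    path = _norm(ev["path"])
    if path == STAGING_ZIP:
        return Finding("staging-archive", f"{ev['image']} created {path}")
    if _in_staging(path) and ntpath.basename(path) in TASKING_FILES:
        return Finding("tasking-file", f"{ev['image']} wrote {path}")
    return None


CHECKS = {
    "image_load": check_image_load,
    "registry_set": check_registry_set,
    "file_create": check_file_event,
    "file_write": check_file_event,
}


def triage(events):
    """Return one Finding per record that matches a reported artifact, in input order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["event"])
        if check is not None:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample records: three benign look-alikes mixed with five artifact matches.
SAMPLE_EVENTS = [
    {"event": "file_create", "image": r"C:\Users\alice\Downloads\WinRAR.exe",
     "path": r"C:\ProgramData\PolGuid.zip"},
    {"event": "image_load", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "target": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},          # benign: real install path
    {"event": "image_load", "image": r"C:\ProgramData\PolGuid\VLC.exe",
     "target": r"C:\ProgramData\PolGuid\libvlc.dll"},
    {"event": "image_load", "image": r"C:\ProgramData\PolGuid\WingetUI.exe",
     "target": r"C:\ProgramData\PolGuid\hostfxr.dll"},
    {"event": "registry_set", "image": r"C:\ProgramData\PolGuid\VLC.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "VLC", "data": r"C:\ProgramData\PolGuid\VLC.exe"},
    {"event": "registry_set", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\OneDrive.exe"},  # benign
    {"event": "file_write", "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\Documents\in.txt"},                      # benign: same name, other dir
    {"event": "file_write", "image": r"C:\ProgramData\PolGuid\VLC.exe",
     "path": r"C:\ProgramData\PolGuid\out.txt"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The sideload check deliberately requires both the process/module pairing and the staging-directory location, so a genuine VLC install loading its own libvlc.dll does not fire; the Run-value check matches only the value names the write-up reports, so the data field is carried as context rather than used as a condition.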
Groups observed using it
1 distinct threat actor attributed by public researchers.
Analysis confirmed four novel malware families: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. SPLITDROP is a 32-bit .NET dropper that decrypts an AES-256 CBC embedded payload using PBKDF2 key derivation.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (3 techniques): "...new malware such as SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM."; "...TernDoor Windows backdoor, and the PeerTime P2P Linux backdoor."; "...Python-based backdoor named AnonDoor."
Persistence (1 technique) and Privilege Escalation (1 technique): Attack Chain 1 used SPLITDROP, a .NET dropper delivering TWINTASK and TWINTALK via DLL sideloading into legitimate VLC.exe and WingetUI.exe processes, establishing file-based command polling through in.txt and out.txt with persistence via Windows Run registry keys.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
A 32-bit .NET dropper that decrypts an embedded payload and launches VLC.exe to sideload TWINTASK.
A .NET dropper used in the Dust Specter campaign to deploy follow-on components (TWINTASK, TWINTALK).
A 32-bit .NET dropper delivered via a password-protected RAR archive; decrypts and drops TWINTASK and TWINTALK modules to continue execution and C2 activity.
Malware used in suspected Iranian APT activity targeting Iraqi government officials.