
SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment

Malware Activity
Happening score: 14
1 unique source, 1 article

Summary


A Windows malware set composed of SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM was deployed across two infection chains, expanding the operation’s command, execution, and persistence capabilities. The first chain began with a password-protected RAR archive that delivered SPLITDROP as a loader. That chain used TWINTASK and TWINTALK for command polling, C2 coordination, and file transfer. The second chain consolidated those functions into GHOSTFORM and added in-memory PowerShell execution to reduce on-disk artifacts.

Related Happenings

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

LeakNet ransomware gang ClickFix and Deno in-memory loader activity

Malware Activity
First: 17.03.2026 14:09 Last: 17.03.2026 14:09 Sources 1

About this happening: The **LeakNet ransomware gang** has adopted **ClickFix** initial access and a **Deno-based loader** that executes malicious code in memory, making intrusions harder to detect and...

Dust Specter Iraq Foreign Affairs AI impersonation campaign

Campaign
First: 03.03.2026 12:30 Last: 03.03.2026 12:30 Sources 1

How related: A campaign targeting government officials in Iraq, which impersonated the country's Ministry of Foreign Affairs to deliver a set of never-before-seen malware, has been attributed to a suspected Iran-nexus threat actor.

About this happening: **Dust Specter** targeted **Iraqi government officials** in a **January 2026** campaign that used **impersonation**, **AI tools**, and compromised infrastructure to deliver malici...

RESTLEAF malware stack using Zoho WorkDrive C2 and removable media

Malware Activity
First: 27.02.2026 14:43 Last: 27.02.2026 14:43 Sources 1

About this happening: A **ScarCruft** malware stack built around **RESTLEAF** uses **Zoho WorkDrive** for C2 and **removable media** to reach **air-gapped systems**, expanding surveillance and exfiltra...

Latest development: 27.02.2026 21:21

APT37's Ruby Jumper campaign uses a malicious Windows shortcut file (LNK) and PowerShell to load RESTLEAF, then adds a Ruby-based loader, SNAKEDROPPER, plus THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to move data between internet-connected and air-gapped systems. The tooling relies on Zoho WorkDrive C2, installs a disguised Ruby 3.3.0 runtime as usbspeed.exe, modifies RubyGems operating_system.rb, and weaponizes removable drives to relay commands, stage files, exfiltrate data, and spread to new air-gapped machines.

ScarCruft Ruby Jumper campaign

Campaign
First: 27.02.2026 14:43 Last: 27.02.2026 14:43 Sources 1

About this happening: The **ScarCruft**-linked **Ruby Jumper** operation is using a **malicious LNK** infection chain and multi-stage payload delivery to support **surveillance** and attempts to breach...

Timeline

  1. 05.03.2026 14:01 · 2 articles

    Zscaler ThreatLabz discloses Dust Specter campaign targeting Iraqi officials

    Initial Disclosure

    Zscaler ThreatLabz disclosed a suspected Iran-nexus Dust Specter campaign targeting Iraqi government officials by impersonating Iraq's Ministry of Foreign Affairs and delivering SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM; the activity was observed in January 2026 and described as medium-to-high confidence.
