
DuneQuixote: A Stealthy Malware Campaign Targeting the Middle East
Earlier this month, Securelist’s researchers uncovered a sophisticated malware campaign, dubbed DuneQuixote, targeting government entities in the Middle East. The campaign uses over 30 dropper variants, including tampered installers of Total Commander, to deliver a backdoor named CR4T. The malware relies on advanced evasion techniques, such as invalid digital signatures, anti-analysis checks, and encrypted C2 communications.
The CR4T backdoor exists in both C/C++ and Golang versions, allowing attackers to execute commands, exfiltrate data, and maintain persistence using scheduled tasks and COM object hijacking. Notably, the Golang variant utilizes the Telegram API for C2 communications.
Infrastructure analysis suggests the threat actors operate from US-based hosting services, with victim telemetry pointing primarily to the Middle East. The campaign showcases advanced stealth capabilities, underlining the adaptability and sophistication of the attackers.