Veaty and Spearal Malware Used in Targeted Iraqi Government Attacks
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Malware, RAT
- Attack Complexity: High
- Threat Risk: High Impact/Low Probability
Threat Overview
Check Point Research has discovered two new malware families, Veaty and Spearal, used in Iran-linked cyber attacks against Iraqi government infrastructure. The toolset relies on passive IIS backdoors, DNS tunneling, and compromised email accounts for command-and-control (C2) communications. Initial infection relied on social engineering and double-extension file names that disguise executables as documents. Spearal tunnels its C2 traffic through DNS queries, while Veaty uses compromised email accounts within the gov-iq.net domain, so its C2 traffic blends in with the victim's own mail flow rather than reaching an attacker-owned server. Check Point links the campaign to the APT34 group; it targets Iraqi government agencies and demonstrates a sophisticated and persistent threat to Iraqi infrastructure.
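The two detection angles a defender can act on from this summary are the DNS-based C2 channel and the double-extension lure. The script below is an added example, not Check Point's code and not part of the original report: it applies generic DNS-tunneling heuristics (long, high-entropy leftmost labels; many distinct subdomains from one client to one domain) and a match against the domains listed in the IOC section, over a constructed DNS query log, and it flags double-extension attachment names. The log format, the thresholds, the naive "last two labels" registered-domain logic, and the sample records are all assumptions; the page does not document Spearal's encoding scheme, so this does not decode its traffic.

```python
"""Added example: DNS-tunneling heuristics plus IOC-domain and double-extension checks.
Heuristics and thresholds are assumptions, not a description of Spearal's protocol."""
import math
from collections import Counter, defaultdict

# Domains from this page's IOC list, refanged so they match live query names.
KNOWN_C2_DOMAINS = {"asiacall.net", "iqwebservice.com", "mofaiq.com", "spacenet.fun"}

# Document-style extensions commonly used as the "inner" part of a double-extension
# lure, and the executable extensions that follow them (assumed lists, not from the page).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "msi", "hta"}

# Constructed sample log (not real telemetry). Assumed format: "<ts> <client> <qtype> <qname>".
# mail.gov-iq.net is the victim's own mail domain per the report: Veaty's email-based C2
# would look like this ordinary traffic, which is why DNS heuristics alone will not catch it.
SAMPLE_DNS_LOG = """\
2024-09-10T08:00:01 10.0.0.5 A www.example.org
2024-09-10T08:00:02 10.0.0.7 TXT kz3q7vbw2hmnp5xjr4a9c8tdf6y.spacenet.fun
2024-09-10T08:00:03 10.0.0.7 TXT 9tq2mbxv5hp8rnjk3wcd7yfa4gl.spacenet.fun
2024-09-10T08:00:04 10.0.0.7 TXT p4x8hvb2nq7dk3rtjm9wfc5zya6.spacenet.fun
2024-09-10T08:00:05 10.0.0.9 A mail.gov-iq.net
2024-09-10T08:00:06 10.0.0.5 A cdn.example.org
"""


def refang(indicator):
    """Turn a defanged indicator such as 'spacenet[.]fun' back into a matchable name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking tunnel labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive registered domain: last two labels. Assumption; real code should use a PSL."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_dns_log(log_text, max_label_len=20, min_entropy=3.5, min_unique=3):
    """Return a list of findings, one per suspicious query plus one per (client, domain)
    pair that issued at least min_unique distinct query names."""
    findings = []
    seen = defaultdict(set)  # (client, registered domain) -> distinct qnames
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than crash on them
        ts, client, _qtype, qname = parts
        qname = qname.rstrip(".").lower()
        domain = registered_domain(qname)
        seen[(client, domain)].add(qname)
        reasons = []
        if domain in KNOWN_C2_DOMAINS:
            reasons.append("known IOC domain")
        first_label = qname.split(".")[0]
        if len(first_label) >= max_label_len and shannon_entropy(first_label) >= min_entropy:
            reasons.append("long high-entropy label")
        if reasons:
            findings.append({"ts": ts, "client": client, "qname": qname, "reasons": reasons})
    for (client, domain), names in seen.items():
        if len(names) >= min_unique:
            findings.append({"ts": None, "client": client, "qname": domain,
                             "reasons": [f"{len(names)} unique subdomains"]})
    return findings


def is_double_extension(filename):
    """True for lure names like 'invoice.pdf.exe': a document extension hiding an executable."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOC_EXTS and outer in EXEC_EXTS


if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_DNS_LOG):
        print(f["client"], f["qname"], ", ".join(f["reasons"]))
    for name in ("invoice.pdf.exe", "report.pdf"):
        print(name, "double extension" if is_double_extension(name) else "ok")
```

The three TXT queries trip both the IOC match and the entropy heuristic, and the per-client aggregate adds a fourth finding for spacenet.fun; the gov-iq.net lookup is left alone, which is the point of the caveat above: for Veaty's email-based C2, mailbox audit logs and unusual IMAP/SMTP sessions, not DNS, are the place to look.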
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | Verified |
| Region | Iraq | Verified |
Extracted IOCs
Domains (defanged):
- asiacall[.]net
- iqwebservice[.]com
- mofaiq[.]com
- spacenet[.]fun
File hashes (MD5):
- 0f9d0b03254830714654c2ceb11a7f5d
- 1f1aaaf32be03ae7beb9d49f02de7669
- 2badde184d78ed901b4b2282b285717c
- 4f4a06f63d34881d88cd70552e909748
- 58e67cdc9ef57805f45ba554bdccb3b1
- 66126dc088be2699fd55ae7eff5e6e15
- 70ff5d4fc9957abff4c5577e22b3da27
- 79cc8730d748a884cc666b95ee9fed36
- 7b62b055285b1c08e11ac98b3d3954bc
- 85f025474271fbcc43af1e2203d10b66
- 8afdfd6d035b3c616dc37894a15206b4
- a70a7cfae52304a36fe1547b5a441d7a
- a79e4424116dc0a76a179507ac914578
- b1c93c7f5d89996d64a7f933f138e8b0
- b5de3c4c582db7c2d2ce31c67cba0510
- b817309621e43004b9f32c96d52dc2a0
- d542b320b10d443a454c305e9818f5f6
- d56b5fd6b8976c91d2537d155926afff
- fb164cdf119b0d4427bdcb51b45075b1
IP addresses (defanged):
- 151[.]236.17.231
- 185[.]76.78.177
- 194[.]68.32.114
- 206[.]206.123.176
- 37[.]1.213.152
- 91[.]132.95.117
Tip: 29 IOCs related to this threat have been extracted (6 IP addresses, 4 domains, 19 file hashes; no URLs or email addresses).