Threats Feed | APT34 | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 11/09/2024

Veaty and Spearal Malware Used in Targeted Iraqi Government Attacks

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Malware, RAT
  • Attack Complexity: High
  • Threat Risk: High Impact/Low Probability

Threat Overview

Check Point Research has discovered two new malware families, Veaty and Spearal, used in Iran-linked cyber attacks against Iraqi government infrastructure. The malware relies on techniques such as passive IIS backdoors, DNS tunneling, and compromised email accounts for C2 communications. The attackers also used social engineering and double-extension files to trigger infections. Spearal communicates via DNS queries, while Veaty uses compromised email accounts within the gov-iq.net domain. The campaign, which has ties to the APT34 group, targets Iraqi government agencies and demonstrates a sophisticated and persistent threat to Iraqi infrastructure.

Detected Targets

Type | Description | Confidence
Sector | Government Agencies and Services | Verified
Region | Iraq | Verified

Extracted IOCs


Tip: 29 IOCs related to this threat have been found (6 IP, 4 domain, 0 URL, 0 email, 19 file hash).

Overlaps

BladedFeline: BladedFeline Targets Iraq and Kurdistan Governments with Custom Malware Arsenal

Source: ESET - June 2025

Detection (one case): 185[.]76.78.177

APT34: APT34 Targets Iraqi Government with Dual-Channel C2 and Obfuscated Backdoors

Source: ThreatBook - March 2025

Detection (five cases): 151[.]236.17.231, 185[.]76.78.177, 91[.]132.95.117, asiacall[.]net, iqwebservice[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.