DuneQuixote’s new cyber espionage campaign targets government entities around the world

Targeting the Middle East, APAC, Europe and North America, malware fragments incorporate pieces of Spanish poems to improve persistence and evade detection

Kaspersky researchers have discovered an ongoing malicious campaign that initially targeted a government entity in the Middle East. Additional research revealed more than 30 dropper samples of the malware actively employed in this campaign, which suggests the victimology extends to APAC, Europe and North America. Dubbed DuneQuixote, the campaign's malware embeds fragments taken from poems in Spanish to improve persistence and evade detection, with the ultimate goal of performing cyber-espionage.

In February 2024, as part of the ongoing monitoring of malicious activity, Kaspersky experts discovered a previously unknown cyber-espionage campaign targeting a government entity in the Middle East. The attacker secretly spied on the target and collected sensitive data using a series of sophisticated tools designed for stealth and persistence.

The initial droppers of the malware are disguised as tampered installation files of Total Commander, a legitimate tool. Within these droppers, fragments of Spanish poems are embedded, with different fragments in each sample. This variation alters the signature of each sample, making signature-based detection with traditional methodologies more challenging.

Embedded within the dropper is malicious code designed to download additional payloads in the form of a backdoor called CR4T. These backdoors, developed in C/C++ and Go, grant the attackers access to the victim’s machine. Importantly, the Go variant uses the Telegram API for C2 communications, built on publicly available Go Telegram API libraries.
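The per-sample poem swap described above changes the file hash of every dropper while leaving the downloader code itself unchanged, so a defender who pins detection to file hashes needs a new indicator for every sample, whereas a rule over the invariant code region does not. The following is an added illustration of that point, not Kaspersky's code and not the real dropper format: the layout, the header marker, the stub bytes and the filler strings are all constructed assumptions.

```python
import hashlib

# Constructed stand-in for the dropper layout described in the write-up: a
# variable "poem" filler block followed by an invariant malicious stub. The
# layout, magic, stub bytes and filler strings are all made up for this
# illustration; none of them come from the real DuneQuixote samples.
MAGIC = b"TCMD"                                    # hypothetical header marker
STUB = b"<invariant downloader stub placeholder>"  # hypothetical fixed code region

def build_sample(filler: bytes) -> bytes:
    """Assemble MAGIC | 4-byte little-endian filler length | filler | STUB."""
    return MAGIC + len(filler).to_bytes(4, "little") + filler + STUB

def full_file_hash(blob: bytes) -> str:
    """What a hash-based IoC matches on: every byte of the file."""
    return hashlib.sha256(blob).hexdigest()

def strip_filler(blob: bytes) -> bytes:
    """Drop the variable filler so only layout-invariant bytes remain."""
    if blob[:4] != MAGIC:
        raise ValueError("not a sample in the constructed layout")
    n = int.from_bytes(blob[4:8], "little")
    return blob[:4] + blob[8 + n:]

def invariant_hash(blob: bytes) -> str:
    """Hash over the filler-free view; stable across poem variations."""
    return hashlib.sha256(strip_filler(blob)).hexdigest()

def content_rule_matches(blob: bytes) -> bool:
    """YARA-style check: does the invariant stub appear anywhere in the file?"""
    return STUB in blob

# Two constructed samples: same stub, different filler (the "poem" swap),
# plus a benign file in the same layout that carries no stub.
SAMPLE_A = build_sample(b"<constructed poem fragment A>")
SAMPLE_B = build_sample(b"<constructed poem fragment B, a longer one>")
BENIGN = MAGIC + (5).to_bytes(4, "little") + b"hello" + b"<ordinary installer data>"

if __name__ == "__main__":
    print("full-file hashes equal:", full_file_hash(SAMPLE_A) == full_file_hash(SAMPLE_B))
    print("invariant hashes equal:", invariant_hash(SAMPLE_A) == invariant_hash(SAMPLE_B))
    print("content rule hits A/B/benign:", content_rule_matches(SAMPLE_A),
          content_rule_matches(SAMPLE_B), content_rule_matches(BENIGN))
```

The same reasoning is why the write-up counts more than 30 distinct dropper samples: each filler variation is a new hash, but one content rule over the unchanged code covers all of them.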

“Malware variations show the adaptability and ingenuity of the threat actors behind this campaign. At the moment, we have discovered two such implants, but we strongly suspect the existence of more,” says Sergey Lozhkin, senior security researcher at Kaspersky’s Global Research and Analysis Team. 

Kaspersky’s telemetry identified a victim in the Middle East as early as February 2024. In addition, the same malware was uploaded to a semi-public malware scanning service in late 2023, with more than 30 submissions. Other submission sources, suspected to be VPN exit nodes, were located in South Korea, Luxembourg, Japan, Canada, the Netherlands and the United States.

To avoid falling victim to an attack directed by a known or unknown threat actor, Kaspersky researchers recommend the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing data and information on cyberattacks collected by Kaspersky for over 20 years.
  • Train your cybersecurity team to tackle the latest threats with Kaspersky Online Training developed by GReAT experts.
  • For the timely detection, investigation and remediation of incidents at the endpoint level, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate security solution that detects advanced network-level threats at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
  • Since many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team, for example, through the Kaspersky Automated Security Awareness Platform.