Introduction In February 2024, we discovered a new malware campaign targeting government entities in the Middle East. We dubbed it "DuneQuixote"; and our investigation uncovered over 30 DuneQuixote dropper samples actively employed in the campaign. These droppers, which exist in two versions – regular droppers and tampered installer files for a legitimate tool named "Total Commander", carried malicious code to download an additional payload in the form of a backdoor we call "CR4T". While we identified only two CR4T implants at the time of discovery, we strongly suspect the existence of others, which may be completely different malware. The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code. Initial dropper The initial dropper is a Windows x64 executable file, although there are also DLL versions of the malware sharing the same functionality. The malware is developed in C/C++ without utilizing the Standard Template Library (STL), and certain segments are coded in pure Assembler. All samples contain digital signatures, which are, however, invalid. Upon execution, the malware initiates a series of decoy API calls that serve no practical purpose. These calls primarily involve string comparison functions, executed without any conditional jumps based on the comparison results. Useless function calls The strings specified in these…Read More