tldr - powered by Generative AI

• Fortinet reports that Iranian threat actors have been using a newly identified Windows kernel driver called Wintapix in attacks against Middle East targets since 2020.
• The driver uses the Donut, a position-independent code that enables in-memory loading of payloads through shellcode, using process hollowing or thread hijacking.
• Wintapix appears to have been active since at least mid-2020, likely developed by an Iranian threat actor and primarily used in attacks against entities in Saudi Arabia, but also against targets in Jordan, Qatar, and the United Arab Emirates.
• The driver was likely used in some major campaigns in August and September 2022 and in February and March 2023, albeit it remained under the radar to date.
• The threat actors likely use a legitimate but vulnerable driver to load Wintapix in the kernel.
• The .NET payload that the shellcode loads is a piece of malware specifically designed to target Microsoft Internet Information Services (IIS) servers, and which functions as a backdoor and as a proxy.