
A suspected Iranian-linked actor is believed to have been involved in a campaign targeting Iraqi government officials by impersonating the Iraqi Ministry of Foreign Affairs and delivering a series of never-before-seen malware.
Zscaler ThreatLabz, which observed this activity in January 2026, is tracking this cluster under the name Dust Specter. This attack manifests itself in two distinct infection chains, culminating in the deployment of malware called SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.
“Dust Specter used randomly generated URI paths for command-and-control (C2) communications, and a checksum value was appended to the URI path to ensure that these requests originated from real, infected systems,” said security researcher Sudeep Singh. “The C2 server also utilized geofencing technology and user agent verification.”
A notable aspect of this campaign is the compromise of Iraqi government-related infrastructure in order to stage malicious payloads, not to mention the use of delayed execution and other techniques to stay under the radar and evade detection.
The first attack sequence begins with a password-protected RAR archive. Inside this archive is a .NET dropper named SPLITDROP that acts as a conduit between the worker module TWINTASK and the C2 orchestrator TWINTALK.
TWINTASK is a malicious DLL (‘libvlc.dll’) that is sideloaded by the legitimate ‘vlc.exe’ binary and periodically polls a file (‘C:\ProgramData\PolGuid\in.txt’) every 15 seconds for new commands and executes them using PowerShell. This also includes commands to establish persistence on the host through Windows registry changes. Script output and errors are captured in a separate text file (‘C:\ProgramData\PolGuid\out.txt’).
Upon first launch, TWINTASK is designed to run another legitimate binary present in the extracted archive (‘WingetUI.exe’), which sideloads the TWINTALK DLL (‘hostfxr.dll’). TWINTALK’s main purpose is to access the C2 server to obtain new commands, coordinate tasks with TWINTASK, and send the results back to the server. It also supports writing the command body from the C2 response to “in.txt”, as well as file downloads and uploads.
“The C2 orchestrator runs in parallel with the worker modules mentioned above and implements the file-based polling mechanism used to execute the code,” said Singh. “When executed, TWINTALK enters a beacon loop and delays execution for a random interval before polling the C2 server for new commands.”
The second attack chain represents an evolution of the first attack chain and combines all the functionality of TWINTASK and TWINTALK into a single binary called GHOSTFORM. It leverages in-memory PowerShell script execution to execute commands retrieved from the C2 server, eliminating the need to write artifacts to disk.
This is not the only factor that distinguishes the two attack chains. Some GHOSTFORM binaries have been found to contain a hard-coded Google Forms URL that is automatically launched in the system’s default web browser once the malware starts running. The form features content written in Arabic and purports to be an official investigation from the Iraqi Ministry of Foreign Affairs.
Zscaler’s analysis of the TWINTALK and GHOSTFORM source code also revealed the presence of placeholder values, emojis, and Unicode text, suggesting that generative artificial intelligence (AI) tools may have been used to aid in the development of the malware.
Additionally, the C2 domain “meetingapp[.]site” associated with TWINTALK was allegedly used by Dust Specter attackers in a July 2025 campaign to host a fake Cisco Webex meeting invite page that instructs users to copy, paste, and run a PowerShell script to join a meeting. This instruction reflects a tactic commonly seen in ClickFix-style social engineering attacks.
The PowerShell script creates a directory on the host and attempts to retrieve an unspecified payload from the same domain and save it as an executable file within the newly created directory. It also creates a scheduled task that runs the malicious binary every two hours.
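The host-side behaviours described above (DLL sideloading by ‘vlc.exe’ and ‘WingetUI.exe’, the 15-second polling of ‘C:\ProgramData\PolGuid\in.txt’ and the writing of ‘out.txt’, and a scheduled task repeating every two hours) translate directly into hunting logic. The following Python script is an added example, not code from Zscaler or from the malware; it runs simplified rules over a handful of constructed, Sysmon-like event records. The event field names, the "trusted install root" heuristic, and the assumption that the two-hour task is registered via `schtasks.exe /sc hourly /mo 2` or a PowerShell `-RepetitionInterval` of two hours are this example's own choices, since the report does not state how the task is created.

```python
"""
Hunting rules derived from the Dust Specter reporting: DLL sideloading pairs,
the PolGuid file-based tasking channel, a two-hour scheduled task, and a
fixed-cadence file polling pattern. Event records are constructed for this
example in a simplified Sysmon-like shape; they are not real telemetry.
"""
import re
from collections import defaultdict
from statistics import median

# Indicators taken from the report.
TASKING_FILES = {
    "c:\\programdata\\polguid\\in.txt",
    "c:\\programdata\\polguid\\out.txt",
}
# legitimate host binary -> DLL it is reported to sideload
SIDELOAD_PAIRS = {"vlc.exe": "libvlc.dll", "wingetui.exe": "hostfxr.dll"}
# Assumption: a properly installed copy of these binaries loads its DLLs from
# one of these roots; loads from anywhere else (e.g. Downloads) are suspect.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def ntpath_base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return (rule_name, detail) findings for a single event."""
    findings = []
    image = ntpath_base(ev["image"])
    if ev["kind"] == "image_load":
        loaded = ev["loaded"]
        if (SIDELOAD_PAIRS.get(image) == ntpath_base(loaded)
                and not loaded.lower().startswith(TRUSTED_ROOTS)):
            findings.append(("dll_sideload", f"{image} loaded {loaded} from an untrusted directory"))
    elif ev["kind"] == "file_create":
        if ev["target"].lower() in TASKING_FILES:
            findings.append(("polguid_tasking_file", f"{image} wrote {ev['target']}"))
    elif ev["kind"] == "process_create":
        cl = ev["command_line"]
        # Assumption: the two-hour task is registered through one of these two routes.
        via_schtasks = (image == "schtasks.exe"
                        and re.search(r"/sc\s+hourly", cl, re.I)
                        and re.search(r"/mo\s+2\b", cl, re.I))
        via_ps = (image in ("powershell.exe", "pwsh.exe")
                  and "RepetitionInterval" in cl
                  and re.search(r"New-TimeSpan\s+-Hours\s+2\b", cl, re.I))
        if via_schtasks or via_ps:
            findings.append(("scheduled_task_2h", f"{image} registered a task repeating every 2 hours"))
    return findings


def find_fixed_cadence(events, target, expected=15.0, tolerance=2.0, min_hits=4):
    """Images that read `target` at a steady interval close to `expected` seconds."""
    by_image = defaultdict(list)
    for ev in events:
        if ev["kind"] == "file_read" and ev["target"].lower() == target.lower():
            by_image[ev["image"]].append(ev["ts"])
    hits = []
    for image, stamps in by_image.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - expected) <= tolerance:
            hits.append((image, round(median(gaps), 1)))
    return hits


def triage(events) -> list:
    """Run the per-event rules and the cadence rule over a batch of events."""
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    for image, gap in find_fixed_cadence(events, "C:\\ProgramData\\PolGuid\\in.txt"):
        findings.append(("fixed_cadence_polling", f"{image} reads in.txt every ~{gap}s"))
    return findings


# Constructed sample events (ts in seconds). The Downloads\MoFA path is invented.
DL = "C:\\Users\\user\\Downloads\\MoFA\\"
SAMPLE_EVENTS = [
    {"ts": 0, "kind": "image_load", "image": DL + "vlc.exe", "loaded": DL + "libvlc.dll"},
    {"ts": 1, "kind": "image_load", "image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "loaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll"},            # benign install
    {"ts": 2, "kind": "image_load", "image": DL + "WingetUI.exe", "loaded": DL + "hostfxr.dll"},
] + [
    {"ts": t, "kind": "file_read", "image": DL + "vlc.exe",
     "target": "C:\\ProgramData\\PolGuid\\in.txt"} for t in (5, 20, 35, 50, 65)
] + [
    {"ts": 70, "kind": "file_create", "image": DL + "vlc.exe",
     "target": "C:\\ProgramData\\PolGuid\\out.txt"},
    {"ts": 80, "kind": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks /create /sc hourly /mo 2 /tn Updater /tr C:\\Users\\user\\AppData\\Local\\Upd\\svc.exe"},
    {"ts": 81, "kind": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The cadence rule is the one worth keeping even if the PolGuid path changes in a later build: a worker that re-reads the same file on a fixed timer produces a gap distribution no interactive application does, so it survives renaming of the tasking file as long as the polling interval stays steady.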
Dust Specter’s connection to Iran is based on the fact that Iranian hacker groups have been developing custom lightweight .NET backdoors to achieve their goals. The use of compromised Iraqi government infrastructure has been observed in past campaigns associated with threat actors such as OilRig (also known as APT34).
“This campaign is attributed to Dust Specter with medium to high confidence and likely targeted government officials using convincing social engineering lures impersonating the Iraqi Ministry of Foreign Affairs,” Zscaler said. “This activity also reflects broader trends, such as the increasing use of ClickFix-style techniques and generative AI in malware development.”
