Iran-Linked Dust Specter Targets Iraqi Officials with New SPLITDROP and GHOSTFORM Malware Campaign

A suspected Iran-linked threat group has been tied to a cyber-espionage campaign targeting government officials in Iraq by impersonating the country’s Ministry of Foreign Affairs and distributing previously unknown malware.

Researchers from Zscaler ThreatLabz discovered the activity in January 2026 and are tracking the threat cluster under the name Dust Specter. The campaign uses two different infection chains that ultimately deploy several malware components, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.

According to security researcher Sudeep Singh, the attackers used randomly generated URI paths for command-and-control (C2) communications, with checksum values appended to verify that requests originated from an infected system. The C2 infrastructure also applied geofencing and User-Agent verification to restrict access and avoid detection.

One notable feature of the operation is the use of compromised Iraqi government infrastructure to host malicious payloads. The attackers also used various evasion techniques, including delayed execution, to avoid being detected by security systems.

First Infection Chain

The first attack begins with a password-protected RAR archive that contains a .NET-based dropper called SPLITDROP. This dropper installs two additional components: TWINTASK, which functions as a worker module, and TWINTALK, which acts as a command-and-control orchestrator.

TWINTASK is a malicious DLL disguised as libvlc.dll that is sideloaded through the legitimate vlc.exe binary. Once executed, it checks a file located at C:\ProgramData\PolGuid\in.txt every 15 seconds for commands. These commands are executed through PowerShell and can include instructions to establish persistence by modifying the Windows Registry. The results and errors generated by these commands are saved to C:\ProgramData\PolGuid\out.txt.

During its initial execution, TWINTASK launches another legitimate program bundled in the archive, WingetUI.exe, which sideloads the TWINTALK DLL named hostfxr.dll. TWINTALK then connects to the command-and-control server to retrieve instructions, coordinate tasks with TWINTASK, and send collected data back to the attackers. It can also download and upload files and write commands received from the C2 server into the in.txt file.

The malware uses a file-based polling mechanism in which TWINTASK repeatedly checks for instructions, while TWINTALK maintains communication with the command server and periodically sends beacon signals after random delays.
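The two host-observable traits of this chain, the vlc.exe/libvlc.dll and WingetUI.exe/hostfxr.dll sideloads and the in.txt/out.txt command channel, can be triaged from endpoint telemetry. The following is an added example written for this page, not Zscaler ThreatLabz code; it assumes Sysmon-style events flattened to dicts and treats installs under Program Files or Windows as the legitimate copies of the host binaries.

```python
"""Triage logic for the first infection chain (added example, not Zscaler ThreatLabz code).
Input: Sysmon-style events as dicts, EventID 7 (image loaded) and EventID 11 (file created).
The sample events are constructed; the user name and extraction directory are placeholders."""
from __future__ import annotations
import ntpath

# Sideloading pairs reported for TWINTASK and TWINTALK: legitimate host binary -> DLL name.
SIDELOAD_PAIRS = {"vlc.exe": "libvlc.dll", "wingetui.exe": "hostfxr.dll"}
# Files used by TWINTASK's file-based command polling (paths from the report).
POLLING_FILES = {"c:\\programdata\\polguid\\in.txt", "c:\\programdata\\polguid\\out.txt"}
# Assumption: copies of vlc.exe / WingetUI.exe under these roots are legitimate installs.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\")

def _name(path: str) -> str:
    return ntpath.basename(path).lower()

def is_suspicious_dll_load(event: dict) -> bool:
    """A known host/DLL pair loading its DLL from outside a trusted root looks like sideloading."""
    loaded = event.get("ImageLoaded", "")
    if SIDELOAD_PAIRS.get(_name(event.get("Image", ""))) != _name(loaded):
        return False
    return not loaded.lower().startswith(TRUSTED_ROOTS)

def is_polling_file_event(event: dict) -> bool:
    """Any write to the in.txt/out.txt command channel is a high-confidence indicator."""
    return event.get("TargetFilename", "").lower() in POLLING_FILES

def triage(events: list[dict]) -> list[str]:
    findings = []
    for e in events:
        if e.get("EventID") == 7 and is_suspicious_dll_load(e):
            findings.append(f"sideload: {e['Image']} -> {e['ImageLoaded']}")
        elif e.get("EventID") == 11 and is_polling_file_event(e):
            findings.append(f"polling-file: {e['Image']} wrote {e['TargetFilename']}")
    return findings

# Constructed sample telemetry: two sideloads from an extracted archive, one command-file write,
# and two benign events (a legitimate VLC install and an unrelated text file).
TMP = "C:\\Users\\user\\AppData\\Local\\Temp\\extracted"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": f"{TMP}\\vlc.exe", "ImageLoaded": f"{TMP}\\libvlc.dll"},
    {"EventID": 7, "Image": f"{TMP}\\WingetUI.exe", "ImageLoaded": f"{TMP}\\hostfxr.dll"},
    {"EventID": 7, "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "ImageLoaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll"},
    {"EventID": 11, "Image": f"{TMP}\\WingetUI.exe", "TargetFilename": "C:\\ProgramData\\PolGuid\\in.txt"},
    {"EventID": 11, "Image": "C:\\Windows\\notepad.exe", "TargetFilename": "C:\\Users\\user\\notes.txt"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The path check is a heuristic; in a real deployment pair it with signature data from the same event rather than relying on location alone.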

Second Infection Chain

The second infection chain represents a more advanced version of the first. In this version, the attackers deploy a single malware binary called GHOSTFORM, which merges the functionality of both TWINTASK and TWINTALK.

GHOSTFORM retrieves commands from the C2 server and executes them directly using in-memory PowerShell scripts. This method eliminates the need to write command artifacts to disk, making the malware harder to detect.

Some GHOSTFORM samples contain a hard-coded Google Forms link that automatically opens in the victim’s default browser after the malware runs. The form, written in Arabic, pretends to be an official survey from Iraq’s Ministry of Foreign Affairs in an attempt to maintain the illusion of legitimacy.

Researchers analyzing the source code of TWINTALK and GHOSTFORM also discovered placeholder values, emojis, and Unicode text within the code. These elements suggest that generative AI tools may have been used to assist in the malware’s development.

Infrastructure and Previous Activity

Investigators found that the command-and-control domain meetingapp[.]site had previously been used by the same threat actors in a July 2025 campaign. In that earlier attack, the domain hosted a fake Cisco Webex meeting page that tricked users into copying and running a malicious PowerShell script to join a meeting.

The script created a directory on the compromised system, downloaded an additional payload from the same domain, and saved it as an executable. It also set up a scheduled task to run the malicious program every two hours.
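The persistence left behind by that script, a scheduled task firing every two hours that runs an executable from a user-writable directory, can be hunted in exported task definitions. The following is an added example, not the researchers' code; it parses the Windows Task Scheduler XML format (as produced by `schtasks /query /xml`), and the task content, directory and file names are constructed placeholders.

```python
"""Flag scheduled tasks matching the ClickFix persistence pattern (added example, not the
researchers' code): a two-hour repetition interval plus an executable outside trusted roots.
Sample task XML is constructed; the payload path and schedule are placeholders."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: executables under these roots are treated as trusted for this heuristic.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")

def parse_task(xml_text: str) -> dict:
    """Pull repetition intervals (ISO 8601 durations) and Exec commands out of a task definition."""
    root = ET.fromstring(xml_text)
    intervals = [i.text or "" for i in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS)]
    commands = [c.text or "" for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    return {"intervals": intervals, "commands": commands}

def is_suspicious_task(xml_text: str) -> bool:
    task = parse_task(xml_text)
    two_hourly = "PT2H" in task["intervals"]
    untrusted_exe = any(
        c.strip('"').lower().endswith(".exe") and not c.strip('"').lower().startswith(TRUSTED_ROOTS)
        for c in task["commands"])
    return two_hourly and untrusted_exe

# Constructed task mirroring the described behaviour: repeats every 2 hours, runs a dropped EXE.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT2H</Interval></Repetition>
    <StartBoundary>2025-07-01T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\Meeting\\update.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign task: hourly, runs a binary from a trusted root.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print("suspicious:", is_suspicious_task(SUSPICIOUS_TASK_XML))
    print("benign:", is_suspicious_task(BENIGN_TASK_XML))
```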

Researchers believe the Dust Specter group may be connected to Iranian cyber-espionage activity. Iranian threat groups have a history of developing lightweight custom .NET backdoors. The use of compromised Iraqi government infrastructure has also been observed in previous campaigns linked to groups such as OilRig, also known as APT34.

Security analysts say the campaign likely targeted Iraqi government officials using convincing social-engineering tactics that impersonated official communications from the Ministry of Foreign Affairs. The operation also reflects broader cybersecurity trends, including the growing use of ClickFix-style social engineering attacks and the increasing role of generative AI in malware development.

1 Comment

  • This campaign highlights how advanced threat groups continue to evolve their tactics by combining social engineering with sophisticated malware. The use of impersonation, compromised infrastructure, and fileless techniques like in-memory PowerShell execution shows a clear focus on stealth and persistence. It also raises concerns about the growing role of AI-assisted development in modern malware, which could make future cyber-espionage campaigns even more complex and harder
