In early 2026, a targeted campaign against Iraqi government officials was attributed to a threat group tracked as Dust Specter. The actor impersonated Iraq’s Ministry of Foreign Affairs to lure selected targets into downloading malware.
New Malware Tools Unveiled
The campaign introduced four previously undocumented malware tools: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The tooling and targeting point to a state-linked actor, and researchers attribute the operation to an Iran-aligned group based on overlaps with tools and target selection seen in known Iranian APT activity.
Dust Specter’s first attack chain began with a password-protected RAR archive, mofa-Network-code.rar, masquerading as an official ministry document. Inside was SPLITDROP, a .NET binary posing as WinRAR. When run, it decrypted its AES-256-encrypted embedded payloads, wrote them to disk, and displayed a fake error message to cover the activity.
AI’s Role in Malware Development
The second attack chain used GHOSTFORM, which displayed a counterfeit Arabic-language Google Form survey as a decoy while the malware ran in the background. Zscaler ThreatLabz researchers found code patterns characteristic of AI-assisted generation in TWINTALK and GHOSTFORM, such as emojis and Unicode characters embedded in strings, suggesting the actor is turning to AI tooling for malware development.
In a related mid-2025 campaign, the same group ran a ClickFix-style attack: a fake Cisco Webex Government meeting invitation instructed victims to paste and run a PowerShell command themselves.
Technical Insights and Defensive Measures
Attack Chain 1 blended into normal system activity. SPLITDROP extracted its payloads to a local directory and then launched VLC Media Player, which loaded the malicious DLL TWINTASK in place of a library it expected (DLL sideloading). TWINTASK then executed PowerShell commands every 15 seconds.
TWINTASK and TWINTALK handled C2 communications, using dynamically generated URI paths and geofencing to restrict C2 access to victims in the targeted region. Persistence was maintained through Windows Registry Run keys, so the malware relaunches after each reboot.
Security teams are advised to enforce strict application allowlisting and to block password-protected or otherwise suspicious archives at the perimeter. Enabling PowerShell script block logging and monitoring Windows Registry Run-key changes are both essential: a signed media player spawning PowerShell on a fixed cadence, or a Run key pointing at an executable in a user-writable directory, is exactly the shape of this chain. Network traffic with unusual or constantly varying URI paths should be flagged for investigation.
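As an added example (not from the article, and not code from Zscaler ThreatLabz), the following Python runs three detections matching the Attack Chain 1 tradecraft described above over constructed Sysmon-style events: vlc.exe loading a DLL from outside its trusted install or system directories (sideloading), vlc.exe spawning powershell.exe on a steady cadence near 15 seconds, and a Run-key write pointing at an executable in a user-writable path. All file paths, the SID, the registry value name, the event layout and the sideloaded DLL filename are assumptions; the article names the DLL only as TWINTASK.

```python
"""Detections for the VLC sideload -> periodic PowerShell -> Run-key chain.
Added example, not from the original article. Events are constructed and
mimic Sysmon EventID 1 (process create), 7 (image load), 13 (registry set)."""
import statistics
from datetime import datetime
from pathlib import PureWindowsPath

# Directories a legitimate VLC install loads DLLs from (assumed, trailing
# separator included so "vlcx" does not match). Lower-cased for comparison.
TRUSTED_PREFIXES = (
    "c:\\program files\\videolan\\vlc\\",
    "c:\\program files (x86)\\videolan\\vlc\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

# Constructed events. The paths, SID and value name are illustrative only.
DROP_DIR = "C:\\Users\\u\\AppData\\Local\\Temp\\mofa\\"
EVENTS = [
    # benign: real VLC loading its own library from Program Files
    {"id": 7, "t": "2026-02-10 08:59:00",
     "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "ImageLoaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlccore.dll"},
    # suspicious: copied-out vlc.exe loading a same-named DLL from the drop dir
    {"id": 7, "t": "2026-02-10 09:00:00",
     "Image": DROP_DIR + "vlc.exe",
     "ImageLoaded": DROP_DIR + "libvlccore.dll"},  # assumed TWINTASK filename
    # benign Run key pointing into System32
    {"id": 13, "t": "2026-02-10 09:00:01", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    # suspicious Run key re-launching the dropped VLC copy after reboot
    {"id": 13, "t": "2026-02-10 09:00:02", "Image": DROP_DIR + "vlc.exe",
     "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VLCUpdate",
     "Details": DROP_DIR + "vlc.exe"},
    # vlc.exe spawning PowerShell every 15 seconds
    *[{"id": 1, "t": f"2026-02-10 09:00:{s:02d}",
       "ParentImage": DROP_DIR + "vlc.exe",
       "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
      for s in (5, 20, 35, 50)],
    # benign: a user launching PowerShell once from Explorer
    {"id": 1, "t": "2026-02-10 09:01:00",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _base(path):
    return PureWindowsPath(path).name.lower()


def _is_trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def detect_sideload(events, binary="vlc.exe"):
    """Return DLL paths loaded by `binary` when either the binary itself or the
    DLL sits outside the trusted directories: the shape of a sideload from a
    user-writable drop directory."""
    return [e["ImageLoaded"] for e in events
            if e["id"] == 7 and _base(e["Image"]) == binary
            and not (_is_trusted(e["Image"]) and _is_trusted(e["ImageLoaded"]))]


def detect_periodic_spawn(events, parent="vlc.exe", child="powershell.exe",
                          period=15.0, tolerance=2.0, min_count=3):
    """Return the median spawn interval if `parent` starts `child` at least
    `min_count` times with every gap within `tolerance` seconds of `period`;
    otherwise None. Catches the 15-second PowerShell loop."""
    times = sorted(_ts(e["t"]) for e in events
                   if e["id"] == 1 and _base(e["ParentImage"]) == parent
                   and _base(e["Image"]) == child)
    if len(times) < min_count:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if all(abs(g - period) <= tolerance for g in gaps):
        return statistics.median(gaps)
    return None


def detect_run_key(events):
    """Return (value_name, target) for Run-key writes whose target executable
    lives outside the trusted directories."""
    return [(e["TargetObject"], e["Details"]) for e in events
            if e["id"] == 13
            and "\\currentversion\\run\\" in e["TargetObject"].lower()
            and not _is_trusted(e["Details"])]


def triage(events):
    """Bundle all three detections for one host's event stream."""
    return {"sideloaded_dlls": detect_sideload(events),
            "spawn_interval_s": detect_periodic_spawn(events),
            "suspicious_run_keys": detect_run_key(events)}


if __name__ == "__main__":
    for name, result in triage(EVENTS).items():
        print(f"{name}: {result}")
```

The trusted-prefix check is the whole trick: a legitimate signed vlc.exe is not suspicious, but a signed vlc.exe running from %TEMP% and loading a library from the same place is, and the same prefix list then catches the Run key that points back at it. Tune `TRUSTED_PREFIXES` to the install locations actually present in your estate before deploying anything like this.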
