A threat group suspected of links to Iran is targeting Iraqi government officials with a malware campaign that Zscaler ThreatLabz identified in January 2026. The operation impersonates Iraq’s Ministry of Foreign Affairs as a lure and delivers previously undocumented malware families.
Named Dust Specter, the campaign uses two distinct infection chains that culminate in the deployment of malware tracked as SPLITDROP, TWINTASK, TWINTALK and GHOSTFORM. To keep command-and-control (C2) traffic from being spotted or analysed, the implants use randomly generated URI paths, and the C2 infrastructure is geofenced, so that clients outside the targeted region are not served; this hampers analysis from sandboxes and researchers located elsewhere.
Advanced Malware Techniques Uncovered
The first infection chain starts with a password-protected RAR archive containing a .NET-based dropper known as SPLITDROP. The dropper stages TWINTASK, a malicious DLL that is sideloaded by a legitimate VLC executable, so the malicious code runs inside a process that looks trustworthy. TWINTASK periodically polls for new commands and executes them via PowerShell; it establishes persistence by modifying Windows Registry entries, and the output of each command is written to a separate file.
TWINTASK also launches TWINTALK by sideloading its DLL. Acting as the C2 orchestrator, TWINTALK reads command bodies from C2 responses, hands them to TWINTASK for execution, uploads the results to the C2 server and manages file transfers.
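The practitioner's takeaway from this chain is that the host process (vlc.exe) is genuine, so detection has to look at where the binary and its DLLs were loaded from and at what the process subsequently writes to the Run keys. As an added example that is not Zscaler's or the article's code, the script below runs that hunt over constructed Sysmon-style ImageLoad (event 7) and RegistryEvent (event 13) records. The VLC install path, the staged DLL name and the Run-key value name are assumptions for the example, not indicators from the report.

```python
"""Hunt for DLL sideloading by a legitimate host binary (vlc.exe) and Run-key
persistence in Sysmon-style events (ImageLoad = event 7, RegistryEvent = 13).

Added example, not code from Zscaler or the article. The events are constructed;
paths and names are assumptions, not indicators from the report.
"""
from pathlib import PureWindowsPath

# Directories a legitimate VLC install loads its own DLLs from (assumed paths),
# plus the Windows system directories every process loads from.
TRUSTED_DLL_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)
HOST_INSTALL_DIRS = TRUSTED_DLL_DIRS[:2]

# Locations a dropper running as the interactive user can write to.
USER_WRITABLE_PREFIXES = (r"c:\users", r"c:\programdata", r"c:\windows\temp")

RUN_KEY_MARKERS = (
    r"\software\microsoft\windows\currentversion\run\ ".strip(),
    r"\software\microsoft\windows\currentversion\runonce\ ".strip(),
)


def _norm(path: str) -> str:
    """Lower-case, quote-stripped Windows path for prefix comparisons."""
    return str(PureWindowsPath(path.strip('"'))).lower()


def _under(path: str, dirs) -> bool:
    """True if path lies beneath one of the given directories."""
    return any(_norm(path).startswith(d + "\\") for d in dirs)


def check_image_load(ev: dict) -> list:
    """Event 7: vlc.exe loading a DLL from anywhere other than its install
    directory or the system directories, or vlc.exe itself running from a
    non-install location (a staged copy next to the malicious DLL)."""
    findings = []
    if ev.get("EventID") != 7 or PureWindowsPath(ev.get("Image", "")).name.lower() != "vlc.exe":
        return findings
    host, dll = ev["Image"], ev["ImageLoaded"]
    if not _under(host, HOST_INSTALL_DIRS):
        findings.append(f"vlc.exe executing from {host!r}: legitimate binary staged outside its install directory")
    if not _under(dll, TRUSTED_DLL_DIRS):
        tags = []
        if _under(dll, USER_WRITABLE_PREFIXES):
            tags.append("user-writable path")
        if str(ev.get("Signed", "false")).lower() != "true":
            tags.append("unsigned")
        findings.append(f"vlc.exe loaded {dll!r} from outside its install directory ({', '.join(tags) or 'signed, non-user path'})")
    return findings


def check_registry(ev: dict) -> list:
    """Event 13: a Run/RunOnce value whose command points into a user-writable
    location, or that was written by the sideloading host itself."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return []
    target = ev["TargetObject"].lower()
    if not any(m in target for m in RUN_KEY_MARKERS):
        return []
    details = ev.get("Details", "")
    writer_is_host = PureWindowsPath(ev.get("Image", "")).name.lower() == "vlc.exe"
    if writer_is_host or _under(details, USER_WRITABLE_PREFIXES):
        return [f"Run-key persistence: {ev['Image']} set {ev['TargetObject']} -> {details}"]
    return []


def hunt(events) -> list:
    """Run both checks over an iterable of event dicts and collect findings."""
    findings = []
    for ev in events:
        findings += check_image_load(ev) + check_registry(ev)
    return findings


# Constructed sample events: two benign loads, one staged-copy sideload,
# one benign Run entry and one Run entry written by the staged vlc.exe.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlccore.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Updater\vlc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\libvlc.dll", "Signed": "false"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Vendor\agent.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Users\alice\AppData\Roaming\Updater\vlc.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLC Updater",
     "Details": "\"C:\\Users\\alice\\AppData\\Roaming\\Updater\\vlc.exe\""},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Treat the output as hunting leads rather than blocking rules: legitimate per-user software (OneDrive, Teams and similar) also persists from AppData, so the Run-key check needs an allowlist in production, and a VLC installed to a non-default directory must be added to the trusted paths. The strongest single signal here is a copy of a signed, well-known binary executing from a user-writable directory alongside an unsigned DLL of a name it normally loads.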
The Evolution of Threat Tactics
The second infection chain merges the functionality of TWINTASK and TWINTALK into a single implant, GHOSTFORM, which executes commands and handles their output in memory rather than logging results to files on disk as TWINTASK does. Some GHOSTFORM samples also embed a Google Forms URL presented as an official survey, a lure that fits the ministry impersonation theme.
Zscaler’s researchers also note signs that generative AI tools may have been used during the malware’s development, namely placeholder values and stray Unicode text left in the code. That is circumstantial evidence rather than proof, but it fits a broader trend of attackers using AI to speed up malware development.
Historic Connections and Implications
The campaign is attributed with moderate confidence to Iranian groups known for building lightweight .NET backdoors, and it also relies on compromised Iraqi infrastructure. Similar tradecraft has been seen in earlier operations by groups such as OilRig (APT34), which have targeted Iraq using a range of social engineering techniques.
Dust Specter follows a familiar pattern: compromised in-region infrastructure for hosting and C2, a trusted government brand as the lure, and a signed third-party binary as the execution vehicle. Defenders in the region should treat password-protected archives claiming to come from government bodies with suspicion and monitor for known-good executables running from user-writable directories.
The combination of social engineering with possibly AI-assisted tooling is likely to become more common, and the low cost of this campaign’s components is a reminder that sophistication is not required for an intrusion to succeed.
