A suspected Iran-linked threat actor named Dust Specter targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs, deploying new malware like SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign used compromised government infrastructure and sophisticated evasion techniques, including geofencing and file-based polling for command execution. The malware employed sideloading and in-memory execution to avoid detection, with one variant using a fake Arabic-language survey hosted on Google Forms. Evidence suggests the attackers may have used generative AI tools in the malware's development.
A suspected Iran-nexus threat actor has been attributed to a campaign targeting government officials in Iraq by impersonating the country's Ministry of Foreign Affairs to deliver a set of never-before-seen malware.
Zscaler ThreatLabz, which observed the activity in January 2026, is tracking the cluster under the name Dust Specter. The attacks, which manifest in the form of two different infection chains, culminate in the deployment of malware dubbed SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.
"Dust Specter used randomly generated URI paths for command-and-control (C2) communication with checksum values appended to the URI paths to ensure that these requests originated from an actual infected system," security researcher Sudeep Singh said. "The C2 server also utilized geofencing techniques and User-Agent verification."
A notable aspect of the campaign is the compromise of the Iraqi government-related infrastructure to stage malicious payloads, not to mention the use of evasion techniques to delay execution and fly under the radar.
The first attack sequence begins with a password-protected RAR archive, within which there exists a .NET dropper named SPLITDROP, which acts as a conduit for TWINTASK, a worker module, and TWINTALK, a C2 orchestrator.
TWINTASK, for its part, is a malicious DLL ("libvlc.dll") that's sideloaded by the legitimate "vlc.exe" binary to periodically poll a file ("C:\ProgramData\PolGuid\in.txt") every 15 seconds for new commands and run them using PowerShell. This also includes commands to establish persistence on the host via Windows Registry changes. The script output and errors are captured in a separate text file ("C:\ProgramData\PolGuid\out.txt").
TWINTASK, upon first launch, is designed to execute another legitimate binary present in the extracted archive ("WingetUI.exe"), causing it to sideload the TWINTALK DLL ("hostfxr.dll"). Its primary goal is to reach out to the C2 server for new commands, coordinate tasks with TWINTASK, and exfiltrate the results back to the server. It supports the ability to write the command body from the C2 response to "in.txt," as well as download and upload files.
"The C2 orchestrator works in parallel with the previously described worker module to implement a file-based polling mechanism used for code execution," Singh said. "Upon execution, TWINTALK enters a beaconing loop and delays execution by a random interval before polling the C2 server for new commands."
The second attack chain represents an evolution of the first, consolidating all the functionality of TWINTASK and TWINTALK into a single binary dubbed GHOSTFORM. It makes use of in-memory PowerShell script execution to run commands retrieved from the C2 server, thereby eliminating the need for writing artifacts to disk.
That's not the only differentiating factor between the two attack chains. Some GHOSTFORM binaries have been found to embed a hard-coded Google Forms URL that's automatically launched on the system's default web browser once the malware begins execution. The form features content written in Arabic and masquerades as an official survey from Iraq's Ministry of Foreign Affairs.
Zscaler's analysis of the TWINTALK and GHOSTFORM source code has also uncovered the presence of placeholder values, emojis, and Unicode text, suggesting that generative artificial intelligence (AI) tools may have been used to assist with the malware's development.
What's more, the C2 domain associated with TWINTALK, "meetingapp[.]site," is said to have been used by the Dust Specter actors in a July 2025 campaign to host a fake Cisco Webex meeting invitation page that instructs users to copy, paste, and run a PowerShell script to join the meeting. The instructions mirror a tactic widely seen in ClickFix-style social engineering attacks.
The PowerShell script, for its part, creates a directory on the host, and attempts to fetch an unspecified payload from the same domain and save it as an executable within the newly created directory. It also creates a scheduled task to run the malicious binary every two hours.
Dust Specter's connections to Iran are based on the fact that Iranian hacking groups have a history of developing custom lightweight .NET backdoors to achieve their goals. The use of compromised Iraqi government infrastructure has been observed in past campaigns linked to threat actors like OilRig (aka APT34).
"This campaign, attributed with medium-to-high confidence to Dust Specter, likely targeted government officials using convincing social engineering lures impersonating Iraq's Ministry of Foreign Affairs," Zscaler said. "The activity also reflects broader trends, including ClickFix-style techniques and the growing use of generative AI for malware development."
Meridiano
