Dust Specter Targets Iraqi Officials with New SPLITDROP and GHOSTFORM Malware
Source: The Hacker News
Overview
A suspected Iran‑nexus threat actor has been attributed to a campaign targeting government officials in Iraq by impersonating the country’s Ministry of Foreign Affairs to deliver a set of never‑before‑seen malware.
Zscaler ThreatLabz, which observed the activity in January 2026, is tracking the cluster under the name Dust Specter. The attacks manifest in two different infection chains and culminate in the deployment of malware dubbed SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM.
“Dust Specter used randomly generated URI paths for command‑and‑control (C2) communication with checksum values appended to the URI paths to ensure that these requests originated from an actual infected system,” security researcher Sudeep Singh said. “The C2 server also utilized geofencing techniques and User‑Agent verification.”
—Zscaler blog
A notable aspect of the campaign is the compromise of Iraqi government‑related infrastructure to stage malicious payloads, as well as the use of evasion techniques to delay execution and fly under the radar.
First Attack Chain
The first attack sequence begins with a password‑protected RAR archive that contains a .NET dropper named SPLITDROP. SPLITDROP acts as a conduit for:
- TWINTASK – a worker module (malicious DLL libvlc.dll) that is sideloaded by the legitimate vlc.exe.
- TWINTALK – a C2 orchestrator (DLL hostfxr.dll).
TWINTASK periodically polls a file (C:\ProgramData\PolGuid\in.txt) every 15 seconds for new commands and runs them using PowerShell. It also writes script output and errors to C:\ProgramData\PolGuid\out.txt. Persistence is achieved via Windows Registry modifications.
On first launch, TWINTASK executes another legitimate binary in the extracted archive (WingetUI.exe), causing it to sideload the TWINTALK DLL. TWINTALK then:
- Contacts the C2 server for new commands.
- Coordinates tasks with TWINTASK.
- Exfiltrates results back to the server.
- Can write command bodies from C2 responses to in.txt, as well as download and upload files.
“The C2 orchestrator works in parallel with the previously described worker module to implement a file‑based polling mechanism used for code execution,” Singh explained. “Upon execution, TWINTALK enters a beaconing loop and delays execution by a random interval before polling the C2 server for new commands.”
Second Attack Chain
The second chain is an evolution of the first, consolidating all functionality of TWINTASK and TWINTALK into a single binary named GHOSTFORM. GHOSTFORM:
- Executes PowerShell scripts in‑memory, eliminating the need to write artifacts to disk.
- Embeds a hard‑coded Google Forms URL that automatically opens in the default browser when the malware runs. The form is written in Arabic and masquerades as an official survey from Iraq’s Ministry of Foreign Affairs.
Zscaler’s analysis of the TWINTALK and GHOSTFORM source code uncovered placeholder values, emojis, and Unicode text, suggesting that generative AI tools may have assisted in the malware’s development.
Additional Observations
- The C2 domain associated with TWINTALK, meetingapp[.]site, was also used by Dust Specter in a July 2025 campaign to host a fake Cisco Webex meeting invitation. The page instructed users to copy, paste, and run a PowerShell script to “join” the meeting—an approach reminiscent of ClickFix‑style social‑engineering attacks.
- The PowerShell script creates a directory on the host, fetches an unspecified payload from the same domain, saves it as an executable, and creates a scheduled task to run the malicious binary every two hours.
Dust Specter’s connections to Iran are inferred from the fact that Iranian hacking groups have a history of developing custom lightweight .NET backdoors. The use of compromised Iraqi government infrastructure mirrors past campaigns linked to threat actors such as OilRig (aka APT34).
“This campaign, attributed with medium‑to‑high confidence to Dust Specter, likely targeted government officials in Iraq for espionage and influence operations.”
“Officials using convincing social‑engineering lures impersonating Iraq’s Ministry of Foreign Affairs,” Zscaler said. “The activity also reflects broader trends, including ClickFix‑style techniques and the growing use of generative AI for malware development.”